January 31, 2009

Open redirect URLs: Is your site being abused?

No one wants malware or spammy URLs inserted onto their domain, which is why we all try to follow good security practices. But what if there were a way for spammers to take advantage of your site, without ever setting a virtual foot in your server?

There is, by abusing open redirect URLs.

Webmasters face a number of situations where it's helpful to redirect users to another page. Unfortunately, redirects left open to any arbitrary destination can be abused. This is a particularly onerous form of abuse because it takes advantage of your site's functionality rather than exploiting a simple bug or security flaw. Spammers hope to use your domain as a temporary "landing page" to trick email users, searchers and search engines into following links which appear to be pointing to your site, but actually redirect to their spammy site.

We at Google are working hard to keep the abused URLs out of our index, but it's important for you to make sure your site is not being used in this way. Chances are you don't want users finding URLs on your domain that push them to a screen full of unwanted porn, nasty viruses and malware, or phishing attempts. Spammers will generate links to make the redirects appear in search results, and these links tend to come from bad neighborhoods you don't want to be associated with.

This sort of abuse has become relatively common lately so we wanted to get the word out to you and your fellow webmasters. First we'll give some examples of redirects that are actively being abused, then we'll talk about how to find out if your site is being abused and what to do about it.

Redirects being abused by spammers

We have noticed spammers going after a wide range of websites, from large well-known companies to small local government agencies. The list below is a sample of the kinds of redirect we have seen used. These are all perfectly legitimate techniques, but if they're used on your site you should watch out for abuse.

  • Scripts that redirect users to a file on the server—such as a PDF document—can sometimes be vulnerable. If you use a content management system (CMS) that allows you to upload files, you might want to make sure the links go straight to the file, rather than going through a redirect. This includes any redirects you might have in the downloads section of your site. Watch out for links like this:
example.com/go.php?url=
example.com/ie/ie40/download/?

  • Internal site search result pages sometimes have automatic redirect options that could be vulnerable. Look for patterns like this, where users are automatically sent to any page after the "url=" parameter:
example.com/search?q=user+search+keywords&url=

  • Systems to track clicks for affiliate programs, ad programs, or site statistics might be open as well. Some example URLs include:
example.com/coupon.jsp?code=ABCDEF&url=
example.com/cs.html?url=

  • Proxy sites, though not always technically redirects, are designed to send users through to other sites and therefore can be vulnerable to this abuse. This includes those used by schools and libraries. For example:
proxy.example.com/?url=

  • In some cases, login pages will redirect users back to the page they were trying to access. Look out for URL parameters like this:
example.com/login?url=

  • Scripts that put up an interstitial page when users leave a site can be abused. Lots of educational, government, and large corporate web sites do this to let users know that information found on outgoing links isn't under their control. Look for URLs following patterns like this:
example.com/redirect/
example.com/out?
example.com/cgi-bin/redirect.cgi?

Is my site being abused?

Even if none of the patterns above look familiar, your site may have open redirects to keep an eye on. There are a number of ways to see if you are vulnerable, even if you are not a developer yourself.

  • Check if abused URLs are showing up in Google. Try a site: search on your site to see if anything unfamiliar shows up in Google's results for your site. You can add words to the query that are unlikely to appear in your content, such as commercial terms or adult language. If the query [site:example.com viagra] isn't supposed to return any pages on your site and it does, that could be a problem. You can even automate these searches with Google Alerts.

  • You can also watch out for strange queries showing up in the Top search queries section of Webmaster Tools. If you have a site dedicated to the genealogy of the landed gentry, a large number of queries for porn, pills, or casinos might be a red flag. On the other hand, if you have a drug info site, you might not expect to see celebrities in your top queries. Keep an eye on the Message Center in Webmaster Tools for any messages from Google.

  • Check your server logs or web analytics package for unfamiliar URL parameters (like "=http:" or "=//") or spikes in traffic to redirect URLs on your site. You can also check the pages with external links in Webmaster Tools.

  • Watch out for user complaints about content or malware that you know for sure can not be found on your site. Your users may have seen your domain in the URL before being redirected and assumed they were still on your site.


What you can do

Unfortunately there is no one easy way to make sure that your redirects aren't exploited. An open redirect isn't a bug or a security flaw in and of itself—for some uses they have to be left fairly open. But there are a few things you can do to prevent your redirects from being abused or at least to make them less attractive targets. Some of these aren't trivial; you may need to write some custom code or talk to your vendor about releasing a patch.

  • Change the redirect code to check the referer, since in most cases everyone coming to your redirect script legitimately should come from your site, not a search engine or elsewhere. You may need to be permissive, since some users' browsers may not report a referer, but if you know a user is coming from an external site you can stop or warn them.

  • If your script should only ever send users to an internal page or file (for example, on a page with file downloads), you should specifically disallow off-site redirects.

  • Consider using a whitelist of safe destinations. In this case your code would keep a record of all outgoing links, and then check to make sure the redirect is a legitimate destination before forwarding the user on.

  • Consider signing your redirects. If your website does have a genuine need to provide URL redirects, you can properly hash the destination URL and then include that cryptographic signature as another parameter when doing the redirect. That allows your own site to do URL redirection without opening your URL redirector to the general public.

  • If your site is really not using it, just disable or remove the redirect. We have noticed a large number of sites where the only use of the redirect is by spammers—it's probably just a feature left turned on by default.

  • Use robots.txt to exclude search engines from the redirect scripts on your site. This won't solve the problem completely, as attackers could still use your domain in email spam. Your site will be less attractive to attackers, though, and users won't get tricked via web search results. If your redirect scripts reside in a subfolder with other scripts that don't need to appear in search results, excluding the entire subfolder may even make it harder for spammers to find redirect scripts in the first place.



Open redirect abuse is a big issue right now but we think that the more webmasters know about it, the harder it will be for the bad guys to take advantage of unwary sites. Please feel free to leave any helpful tips in the comments below or discuss in our Webmaster Help Forum.

Written by Jason Morrison, Search Quality Team

January 25, 2009

Article Distribution Service - Effective SEO

Perhaps you learned about article marketing from some Internet marketing guru. Article marketing is not a new concept, and it has been around for many years. Today, many successful article marketers are still performing article marketing. Why is that so?

You see, these experts have learned, very early in the game, that article marketing is a very effective SEO method. It is easy to understand, and definitely easy to implement. Write relevant articles, and promote your website in the author resource box. How hard can that be?

But there is a little problem. Article marketing, although easy to perform, does require some effort, hard work, and dedication. Far too many marketers give up after just writing one or two articles. The writing requires effort, and so does the distribution. To distribute just one article can take up a few hours. Who has the time to continuously do that?

Fortunately, you can always outsource your article distribution activities to professional service providers. For article writing, you can always hire freelance writers or ghost writers to write your content for you.

When you write and distribute relevant content, your search engine rankings will rise. It's only a matter of time. Imagine having two websites that look exactly the same - same type of content, same design, same template. Which site do you think the search engines will rank? The search engines will rank the site with the greatest number of inbound links. That's why article marketing works! If you do this with dedication, your site is going to be so far ahead of the competition that it discourages others from competing with you.

Darren Chow is a full time article marketer. His latest project is a Article Distribution Service where bloggers can promote their own blogs by submitting articles.

January 14, 2009

What is SEO and How Can it Effect Your Website?

The term search engine optimisation relates to the process of increasing the volume and quality of traffic to a website through 'organic listings' in the search engines. Generally the more relevant and popular a website appears to be, the higher the search engines rank it. By being higher up in the search engines results you increase you chances of being seen by potential customers.

Search engine optimisation has become a major part of any website. As the internet has continued to grow at an amazing rate since it's birth more than 20 years ago. The number of websites and therefore competitors on the Internet are in their billions. This makes finding exactly what you want very tricky. The shear volume of results that search engines produce can cause a needle in the haystack effect. To make sure that people can find your website you will need to appear at the top of the results for the key term that the user searched for. To do that you need to use search engine optimisation.

It is no longer sufficient to have a great looking website. Now it has to be optimised for the search engines, otherwise it will be buried in the heap by millions of other sites and that's bad news for your business.

Although for some sites, especially those created before the search engine revolution, a small amount of tinkering just won't quite cut it. Your site needs to give a great first impression to potential customers as otherwise they may just carrying on searching! If your current site isn't up to scratch then starting again may well be the best answer. That way we can make sure your site is built from the ground up with search engines in mind. This can greatly reduce your marketing spend in the long run as you will no longer need to run pay-per-click campaigns or send out paper based marketing.

James is an experienced IT professional with more than 10 years in the field. He has a passion for promoting websites in the search engines using a range of organic SEO - Search Engine Optimisation tactics.