Redirects – Use With Care!

Did you know spammers can hijack your traffic through sneaky redirects? Yes, they can.

Google has warned webmasters that spammers can take advantage of their websites by abusing open redirects. Open redirects occur when websites use links to redirect their website visitors to another page. If redirects are left open to any arbitrary destination, they can be abused by spammers to trick web surfers and search engines into following links that redirect to a spam website instead of your own. Your site will get a bad reputation as people who think they are visiting your website are redirected to highly questionable web pages that might contain adult content, viruses, malware or phishing attempts.

According to Google, spammers have managed to use the redirect spam on a wide range of websites, including the websites of large well-known companies and the websites of small local government agencies. Scripts that redirect users to a file on the server can be abused by spammers. Site search result pages with automatic redirect options (an URL variable that sends your website visitors to other pages), affiliate tracking links which allow people to direct website visitors to other pages, proxy pages that send people through to other websites and interstitial pages. That usually are used to let users know that the information found on the link is not under their control can all be hijacked by spammers and abused.

You can make sure that your redirects aren’t exploited, but it’s hard and time consuming. After all, an open redirect is not a bug or a security flaw. You should always check the referrer; your redirect scripts should only work if they area accessed from another web page of your website. The redirect script should not work if the user accesses the script directly or from a search engine. You should also make sure that the script can only redirect to web pages and files that are on your own websites. You can use a whitelist of allowed destination domains.

You should also utilize the robots.txt file of your website to exclude search engines from the redirect scripts on your website, and add signature or a checksum to your redirect links so that only you can use the script. Open redirect abuse is always big issue for Google, but if you secure your scripts, spammers will move on – you won’t be worth the effort.