Cloaking and Faking the Referrer

Faking the Referrer

To straight-out fake the referrer we’ll need to take advantage of PHP and cURL. The function below is a simple example of how to request a page from a website, while sending fake information.

/* Grabs the querystring, referer, and initialized some variables */
$pg = (isset($_SERVER['QUERY_STRING']))?$_SERVER['QUERY_STRING']:'';
$rf = (isset($_SERVER['HTTP_REFERER']))?$_SERVER['HTTP_REFERER']:'';
/* Setup your sites here, blackhat, whitehat and advertiser */
$bh = "";
$wh = "";
$ad = "";
/* if the referrer is the blackhat domain start a meta redirect
and assign a temporary cookie for 5 seconds */
if(substr($rf, 0, strlen($bh)) == $bh) { 
	/* appends querystring to wh destination */
	$meta = $wh.'?'.$pg; 
	setcookie("r", "1", time()+5); 
/* The first meta refresh has completed, and 
we're checking for the 'r' cookie, if set
set a meta refresh back to the domain and set
a new 'rr' cookie while killing the old 'r' one. */
elseif(isset($_COOKIE['r'])) {
	$meta = $wh."?".$pg; 
	setcookie("r", "", time()-5); 
	setcookie("rr", "1", time()+5);
/* If we're back to the base of the domain, and the 'rr' cookie is set
then we need to prepare for the final redirect to the advertiser
using javascript */
	if (isset($_SERVER['HTTP_USER_AGENT']) && (strpos($_SERVER['HTTP_USER_AGENT'], 'MSIE') !== false))
		$js = "document.forms[0].submit();";
		$ie = true; 
	} else {
		$js = 'window.location = "'.$ad.'?'.$pg.'";';
	setcookie("rr", "", time()-5);
/* It is much faster to send meta data via the HTTP headers
its also a good way to hide the meta data from the HTML 
source itself */
header("Content-Type: text/html; charset=UTF-8");
if($meta != "") header("refresh: 0;url=".$meta);
if(($meta == "") && ($js == "")) $lp = true;
echo '<?xml version="1.0" encoding="UTF-8"?>'; 
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "">
<html xmlns="" xml:lang="en-US">
	<head profile="">
		<title>Whitehat Domain</title>
		<script type="text/javascript" defer="defer">
			<?php echo $js; ?>
		<?php if($lp === true)
			//Redirect to your lander, or load it here.
			echo "<b>There would be a landing page here if the destination owner attempted to visit the referral url.</b>";
		<?php if($ie === true) { ?>
			<form action="<?=$ad.'?'.$pg?>" method="get"></form>
		<? } ?>

Now the obvious downside to the above method is that while you can fake the referrer you cannot however fake the server’s IP address. So a couple thousand hits from various referrers and user-agents, but the same IP would seem rather suspicious. However most people would not bat an eye if they saw “GoogleBot” scraping all their content.

And course if you have multiple servers, IPs and so forth you might decide to do something sinister like overload your competitor with worthless keywords via a fake google search referrer.

So there you have it, a method to cloak your referrers, and a method to fake them. Both of course have drawbacks. But I’m sure you can figure out something useful.


  1. Victory says:

    is it possible to just stick to POST/form-submit on all browsers?

  2. kbeezie says:

    It’s possible, but you would have to update the javascript to take into account the DOM selection differences between browsers.