Example Cookie-Stuffing Overwriting Existing Cookies: ValueMags
The Effect of 180solutions on Affiliate Commissions and Merchants - Ben Edelman
As discussed in Affiliate Code Replacement via Popup "Double"
Windows within The Effect of 180solutions on Affiliate Commissions
and Merchants, 180 has implemented a system that can set affiliate tracking
codes by showing a user a duplicate copy of a merchant's site. These popups
set affiliate codes that, in the ordinary course of events, cause 180 to be
paid commissions otherwise payable to other affiliates, and cause 180 to be
paid commissions even if no commissions would otherwise be paid. For a listing
of affected merchants (as of tests of June 2004), see merchants
targeted with double windows. See also merchants
I previously found to be targeted with silent cookie-stuffing.
This page shows specific network transmissions that implement 180's double-popup
cookie-stuffing, targeting a request for valuemags.com made at approximately
4pm (Eastern) on July 24, 2004. See also a video (WMV
format, view in full-screen mode, warning: >1MB) confirming what took
place, including showing my Cookies folder before and after receiving the 180solutions
popup. The thumbnail at right shows the final on-screen display -- the valuemags.com
site, covered in part by the double popup that reached valuemags.com through
an affiliate link.
In this example, I sought to document how 180 (and its advertisers) can overwrite
cookies set by other affiliates. My testing proceeded in the following way:
I cleared my cookies, such that any cookies set on my PC were set in the
course of the testing shown in my video.
I browsed to dealhunting.com, an ordinary affiliate site that links to valuemags.com
via an affiliate link. I clicked through that affiliate link, yielding the
two HTTP communications shown in HTTP Transaction 1 (with
original affiliate link shown in red highlighting), setting the "2vRI"
and "2viJ" cookies shown in blue highlighting.
I briefly browsed the valuemags.com site. (Network logs omitted for brevity.)
In HTTP Transaction 2, Zango (installed on my PC) asked
180solutions' web servers for an ad to be shown -- sending the valuemags.com
trigger (as shown in yellow highlighting), and receiving a URL to dealsavings.com
in response (purple highlighting).
In HTTP Transaction 3, Zango loaded the specified dealsavings.com
page in a new window. Via a META REFRESH tag (orange highlighting), the page
redirected the new window to a Performics affiliate link which in turn sets
a "2vd9" Performics cookie (HTTP Transaction 4)
(cookie in blue highlighting).
Observing my cookies (cookie listing), I see that at the
end of the events described above, my Performics cookie (blue highlighting)
included a reference to the "2vd9" affiliate cookie set by the redirect
link from the dealsavings page. However, I see no surviving reference to the
"2vRI" or "2viJ" affiliate cookies set from the original
dealhunting.com page.
Consistent with the rest of my site, the network logs below omit my DUID (my
unique 180solutions user ID number).
In my testing of July 24, 2004, valuemags.com is but one of many merchants
that remain targeted by 180solutions double popups. Some targeted merchants
use affiliate networks; others run in-house affiliate programs. Some double
popups (including this one) reach affiliate links through redirect servers,
while others entail 180solutions sending users directly to an affiliate link
via no other intermediaries.
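The overwrite described above, as an added example that is not part of the original page: a short Python replay of the Set-Cookie headers from HTTP Transactions 1 and 4, showing why only the last affiliate's value survives. The cookie values are constructed stand-ins that keep only the four-character prefixes quoted on this page, and the function names are hypothetical.

```python
# Added example: replay captured Set-Cookie headers and flag attribution changes.
# Cookie values are constructed stand-ins that keep only the four-character
# prefixes quoted on this page; name, domain, path and lids come from the logs.

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def attribution_changes(events):
    """events: (click_lid, request_host, set_cookie_header) in capture order.

    A browser keeps one cookie per (name, domain, path) slot, so a later
    Set-Cookie for the same slot silently replaces the earlier value. Report
    each replacement that was caused by a different affiliate link id.
    """
    jar, changes = {}, []
    for lid, host, header in events:
        name, value, attrs = parse_set_cookie(header)
        slot = (name, attrs.get("domain", host).lower(), attrs.get("path", "/"))
        prev = jar.get(slot)
        if prev and prev["lid"] != lid:
            changes.append({"slot": slot,
                            "old_lid": prev["lid"], "old_prefix": prev["value"][:4],
                            "new_lid": lid, "new_prefix": value[:4]})
        jar[slot] = {"lid": lid, "value": value}
    return jar, changes

ATTRS = "; domain=.cc-dt.com; path=/link; expires=Wed, 22-Sep-2004 19:52:04 GMT"
NAME = "cc_click21000000000016107"
CAPTURE = [  # constructed from HTTP Transactions 1 and 4
    ("41000000000295459", "clickserve.cc-dt.com", NAME + "=2vRI-constructed" + ATTRS),
    ("41000000000295459", "clickserve.cc-dt.com", NAME + "=2viJ-constructed" + ATTRS),
    ("41000000001919207", "clickserve.cc-dt.com", NAME + "=2vd9-constructed" + ATTRS),
]

if __name__ == "__main__":
    jar, changes = attribution_changes(CAPTURE)
    for c in changes:
        print(f"{c['slot']}: lid {c['old_lid']} ({c['old_prefix']}) "
              f"replaced by lid {c['new_lid']} ({c['new_prefix']})")
```

The refresh from "2vRI" to "2viJ" is not reported because both values came from the same link id; only the replacement by the second link id counts as a change of attribution.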
HTTP Transaction 1: Clicking Through DealHunting Performics Link to ValueMags
[initial affiliate link]
GET /link/click?lid=41000000000295459&mid=9999 HTTP/1.1
Accept: */*
Referer: http://www.dealhunting.com/coupon-codes.php?store=554&go.x=14&go.y=18
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: clickserve.cc-dt.com
Connection: Keep-Alive
HTTP/1.1 302 Found
Date: Sat, 24 Jul 2004 19:52:04 GMT
Server: Apache/1.3.27 Ben-SSL/1.48 (Unix) mod_perl/1.27
[setting affiliate cookie]
Set-Cookie: cc_click21000000000016107=2vRIeA9gKdPYHPUTKfsKv0SARJ8nWgeHXO5ipc
Kwg8LWO1iZstdY8RPT3VIC2FUjQWzHiJoHX4qLxOGi0THwNmnfBuFZjHWcyV6TErg1Ax7qlxsGrB
3VIm2PM5AXUyrxjbhZ8vDseL9O1iU8bZS2VICbwg5hp8KVpmKwg1LJOvi4sLd08HPNK9U8QJzmhI
Tud78H ; domain=.cc-dt.com; path=/link; expires=Wed, 22-Sep-2004 19:52:04
GMT
Expires: Sat, 24 Jul 2004 19:52:04 GMT
uri: http://www.valuemags.com/performix/performix.asp?affiliate=k3925&link=j295459&url=http%3A%2F%2Fwww%2Evaluemags%2Ecom%2F
P3P: policyref="http://www.performics.com/w3c/p3p/cc-dt/p3p.xml",
CP="NOI DSP COR ADMa DEVa PSAa OUR BUS COM"
location: http://www.valuemags.com/performix/performix.asp?affiliate=k3925&link=j295459&url=http%3A%2F%2Fwww%2Evaluemags%2Ecom%2F
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1
0
[initial affiliate link]
GET /link/click?lid=41000000000295459 HTTP/1.1
Accept: */*
Referer: http://www.dealhunting.com/coupon-codes.php?store=554&go.x=14&go.y=18
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: clickserve.cc-dt.com
Connection: Keep-Alive
Cookie: cc_click21000000000016107=2vRIeA9gKdPYHPUTKfsKv0SARJ8nWgeHXO5ipcK
wg8LWO1iZstdY8RPT3VIC2FUjQWzHiJoHX4qLxOGi0THwNmnfBuFZjHWcyV6TErg1Ax7qlxsG
rB3VIm2PM5AXUyrxjbhZ8vDseL9O1iU8bZS2VICbwg5hp8KVpmKwg1LJOvi4sLd08HPNK9U8Q
JzmhITud78H
HTTP/1.1 302 Found
Date: Sat, 24 Jul 2004 19:52:10 GMT
Server: Apache/1.3.27 Ben-SSL/1.48 (Unix) mod_perl/1.27
[setting affiliate cookie]
Set-Cookie: cc_click21000000000016107=2viJetp65nX7vDMqtXzyirsEb0mhxZuQWa5
ipcKwg8LWO1iZstdY8RPT3VIC2FUjQWzHiJoHX4qLxOGi0THwNmnfBuFZjHWcyV6TErg1Ax7q
lxsGrB3VIm2PM5AXUyrxjbhZ8vDseL9O1iU8bZS2VICbwg5hp8KVpCKWMoAX7qVz8APc3LIsE
iM5AX ; domain=.cc-dt.com; path=/link; expires=Wed, 22-Sep-2004 19:52:10
GMT
Expires: Sat, 24 Jul 2004 19:52:10 GMT
uri: http://www.valuemags.com/performix/performix.asp?affiliate=k3925&link=j295459&url=http%3A%2F%2Fwww%2Evaluemags%2Ecom%2F
P3P: policyref="http://www.performics.com/w3c/p3p/cc-dt/p3p.xml",
CP="NOI DSP COR ADMa DEVa PSAa OUR BUS COM"
location: http://www.valuemags.com/performix/performix.asp?affiliate=k3925&link=j295459&url=http%3A%2F%2Fwww%2Evaluemags%2Ecom%2F
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1
0
HTTP Transaction 2: Zango Request to 180solutions
[keyword trigger: keyword parameter; user id: duid parameter]
GET /showme.aspx?keyword=valuemags.com&did=762&ver=5.11&duid=531byhiprtvdgvadrfmfcgtxxyrjmg
&partner_id=195252523&product_id=762&browser_ok=y&rnd=24&basename=zango
&tzbias=5&MT=8C5F0B5F1538C31DC2F456CC736BC33B268398A0
&DMT=8C5F0B5F1538C31DC2F456CC736BC33B268398A0&GMA=1&GVI=1&GPI=1
&HMP=709213BFEF2F893692742C6E758547E7BF14D399&ACC=1&bid=0
&SID=KBKBAHUH&OS=5.1.2600.2&SLID=1033&ULID=1033&TLOC=1033
&ACP=1252&OCP=437&DB=iexplore.exe&IEV=6.0.2800.1&TPM=200785920
&APM=37339136&TVM=2147352576&AVM=1987338240&FDS=1753583616
&LAD=1601:1:1:0:0:0&WE=5 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash,
*/*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: tv.180solutions.com
Connection: Keep-Alive
Cookie: register=lrd=7/23/2004 6:54:14 PM; partner=lcd=7/23/2004 6:56:21 PM&pi=195252523&pt=315hybrpitvdavgtdrfmoxtgyrxmjg&ci=762&cn=4&cy=us&rg=2505&ct=38972&dma=506&pc=02239&ac=617&bd=12:00:00
AM&sx=&cd=6/26/2004 3:44:10 PM&md=7/13/2004 9:31:38 PM&dlu=12:00:00
AM&glu=7/23/2004 6:54:14 PM&csi=0&li=0&ei=0&chi=0&hii=0&ck=e8952755-1979-45bc-9eae-e54dba9375d1&upbl=False&cv=5.11;
guid=e8952755-1979-45bc-9eae-e54dba9375d1; caps=as=0&lad=6/26/2004 1:46:09
PM&askw=2&ladkw=7/24/2004 12:38:21 PM; speedcheck=ls=7/23/2004 6:56:20
PM
HTTP/1.1 200 OK
Date: Sat, 24 Jul 2004 19:52:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Set-Cookie: caps=as=0&lad=6/26/2004 1:46:09 PM&askw=3&ladkw=7/24/2004
12:38:21 PM; domain=.180solutions.com; expires=Sun, 24-Jul-2005 19:52:49 GMT;
path=/
Set-Cookie: speedcheck=ls=7/23/2004 6:56:20 PM; domain=.180solutions.com; expires=Sun,
24-Jul-2005 19:52:49 GMT; path=/
Cache-Control: private, no-store
Content-Type: text/html; charset=utf-8
Content-Length: 1724
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<meta name="vs_targetSchema" content="http://schemas.microsoft.com/intellisense/ie5">
</HEAD>
<body>
[ad to be shown]
ad_url: <input id=ad_url name=ad_url value=http://dealsavings.com/mags.htm><br>
ad_takefocus: <input id=ad_takefocus name=ad_takefocus value=n><br>
ad_activationdelay: <input id=ad_activationdelay name=ad_activationdelay
value=0><br>
ad_resizable: <input id=ad_resizable name=ad_resizable value=y><br>
ad_scrollbars: <input id=ad_scrollbars name=ad_scrollbars value=y><br>
ad_menubar: <input id=ad_menubar name=ad_menubar value=y><br>
ad_statusbar: <input id=ad_statusbar name=ad_statusbar value=y><br>
ad_toolbar: <input id=ad_toolbar name=ad_toolbar value=y><br>
ad_addressbar: <input id=ad_addressbar name=ad_addressbar value=y><br>
ad_fullscreen: <input id=ad_fullscreen name=ad_fullscreen value=n><br>
ad_statustext: <input id=ad_statustext name=ad_statustext value=><br>
ad_theatermode: <input id=ad_theatermode name=ad_theatermode value=n><br>
ad_id: <input id=ad_id name=ad_id value=89357><BR>
keyword_id: <input id=keyword_id name=keyword_id value=71634><BR>
ad_windowtitle: <input id=ad_windowtitle name=ad_windowtitle value="Brought
to you by the Zango Search Assistant"><br>
<INPUT ID=kw_exclude TYPE=text style="VISIBILITY: hidden;" VALUE=".ancestry.com+security+weightwatchers.com+check+filter"><br>
<INPUT ID=ad_shown TYPE=text VALUE="y" style="VISIBILITY:
hidden;"><br>
<SPAN class="957085619-06032003"><FONT face="Arial"
color="#ff0000" size="5">Thank you
for your patience. You will be redirected to your destination site
in a
few seconds.</FONT></SPAN>
</body>
</HTML>
HTTP Transaction 3: Zango Loads Advertiser's Site
GET /mags.htm HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: dealsavings.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 2006
Content-Type: text/html
Last-Modified: Wed, 14 Apr 2004 17:16:11 GMT
Accept-Ranges: bytes
ETag: "a4bcf32e4422c41:571b2"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
MicrosoftOfficeWebServer: 5.0_Pub
Date: Sat, 24 Jul 2004 19:48:41 GMT
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
[redirect to affiliate link]
<meta http-equiv="refresh" content="0;url=http://clickserve.cc-dt.com/link/click?lid=41000000001919207">
<meta name="GENERATOR" content="Microsoft FrontPage 4.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>mags</title>
<meta name="Microsoft Border" content="none, default">
</head>
<body>
<p>
</p>
<p> </p>
[page continues at length, with many blank lines, <p> and </p>
tags, and tags, creating many blank lines]
<!--webbot bot="HTMLMarkup" startspan --><a href="http://clickserve.cc-dt.com/link/click?lid=41000000001919207"><img
src="http://clickserve.cc-dt.com/link/banner?lid=41000000001919207"
border=0 alt="LogoButton_120x60"></a>
<!--webbot bot="HTMLMarkup" endspan -->
<br>
<!--webbot bot="HTMLMarkup" startspan --><a href="http://clickserve.cc-dt.com/link/click?lid=41000000001919207"><img
src="http://clickserve.cc-dt.com/link/banner?lid=41000000001919207"
border=0 alt="LogoButton_120x60"></a>
<!--webbot bot="HTMLMarkup" endspan -->
<br>
<!--webbot bot="HTMLMarkup" startspan --><a href="http://clickserve.cc-dt.com/link/click?lid=41000000001919207"><img
src="http://clickserve.cc-dt.com/link/banner?lid=41000000001919207"
border=0 alt="LogoButton_120x60"></a>
<!--webbot bot="HTMLMarkup" endspan -->
</body>
</html>
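An added example, not part of the original page: one way to flag pages like the one in HTTP Transaction 3, which use a zero-delay META REFRESH to send the browser to an affiliate click link without any user click. The CLICK_HOSTS watch list and the function names are assumptions; the sample pages are constructed.

```python
# Added example: flag pages that send the browser to a click-tracking link
# without any user click, as the dealsavings.com page in Transaction 3 does.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the set of click-tracking hosts to watch. This one is the
# Performics click server that appears in the logs on this page.
CLICK_HOSTS = {"clickserve.cc-dt.com"}
REFRESH = re.compile(r"\s*(\d+)\s*[;,]\s*url\s*=\s*(.+)", re.I | re.S)

class RefreshFinder(HTMLParser):
    """Collect (delay_seconds, target_url) for every META REFRESH tag."""
    def __init__(self):
        super().__init__()
        self.refreshes = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = REFRESH.match(a.get("content", ""))
            if m:
                url = m.group(2).strip().strip("'\"")
                self.refreshes.append((int(m.group(1)), url))

def forced_clicks(html, max_delay=1):
    """Return refreshes that fire within max_delay seconds to a click host."""
    finder = RefreshFinder()
    finder.feed(html)
    return [(d, u) for d, u in finder.refreshes
            if d <= max_delay and urlsplit(u).hostname in CLICK_HOSTS]

# Constructed samples: STUFFER is modelled on the page in Transaction 3,
# BENIGN is an ordinary slow refresh to a placeholder host.
STUFFER = """<html><head><meta http-equiv="refresh" content="0;url=
http://clickserve.cc-dt.com/link/click?lid=41000000001919207 ">
<title>mags</title></head><body><p> </p></body></html>"""
BENIGN = """<html><head><meta http-equiv="refresh"
content="30;url=http://merchant.example/news.htm"></head></html>"""

if __name__ == "__main__":
    print(forced_clicks(STUFFER), forced_clicks(BENIGN))
```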
HTTP Transaction 4: Advertiser's Site Redirects to Performics Affiliate Link
[opening affiliate window]
GET /link/click?lid=41000000001919207 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash,
*/*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: clickserve.cc-dt.com
Connection: Keep-Alive
Cookie: cc_click21000000000016107=2viJetp65nX7vDMqtXzyirsEb0mhxZuQWa5
ipcKwg8LWO1iZstdY8RPT3VIC2FUjQWzHiJoHX4qLxOGi0THwNmnfBuFZjHWcyV6TErg1
Ax7qlxsGrB3VIm2PM5AXUyrxjbhZ8vDseL9O1iU8bZS2VICbwg5hp8KVpCKWMoAX7qVz8
APc3LIsEiM5AX
HTTP/1.1 302 Found
Date: Sat, 24 Jul 2004 19:52:17 GMT
Server: Apache/1.3.27 Ben-SSL/1.48 (Unix) mod_perl/1.27
[setting new affiliate cookie]
Set-Cookie: cc_click21000000000016107=
2vd9zHr6jnXg2DgBvFBokXT5VpoQfzKFfT5ipcKwg8LWO1iZstdY8RPT3VIC2FUjQWzHiJoH
X4qLxOGi0THwNmnfBuFMjhW7yD6BEkg3Ax7qlxsGrB3VIm2PM5AXUyX9jbhZ8vDseL9O1iU8
bZS2VICbwg5hp8KVpCKWMoAX7qVz8APc3LIsEiM5AX ; domain=.cc-dt.com; path=/link;
expires=Wed, 22-Sep-2004 19:52:17 GMT
Expires: Sat, 24 Jul 2004 19:52:17 GMT
uri: http://www.valuemags.com/performix/performix.asp?affiliate=k9814&link=j1919207&url=http%3A%2F%2Fwww%2Evaluemags%2Ecom%2Fhome%2Findex%2Easp
P3P: policyref="http://www.performics.com/w3c/p3p/cc-dt/p3p.xml",
CP="NOI DSP COR ADMa DEVa PSAa OUR BUS COM"
location: http://www.valuemags.com/performix/performix.asp?affiliate=k9814&link=j1919207&url=http%3A%2F%2Fwww%2Evaluemags%2Ecom%2Fhome%2Findex%2Easp
Keep-Alive: timeout=2, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1
Resulting Performics Cookies
[reference to cookie set by the advertiser that used 180solutions to open a link to the ValueMags affiliate window]
cc_click21000000000016107
2vd9zHr6jnXg2DgBvFBokXT5VpoQfzKFfT5ipcKwg8LWO1iZstdY8RPT3VIC2FUjQWzHiJoH
X4qLxOGi0THwNmnfBuFMjhW7yD6BEkg3Ax7qlxsGrB3VIm2PM5AXUyX9jbhZ8vDseL9O1iU8
bZS2VICbwg5hp8KVpCKWMoAX7qVz8APc3LIsEiM5AX
cc-dt.com/link
1024
2848566912
29663453
3115069632
29651383
*