302 Redirect Hijack
Posted by Miles Evans

I have seen a lot of chatter lately about protecting web properties against Google's duplicate content filters, but even less mentioned and more interesting are some tips everyone should deploy to protect against a 302 redirect hijacking. What's a 302 redirect hijack? Surely you have seen SERPs where a snippet looked very much like the website you were after, in fact exactly like it, yet redirected you somewhere else. Once a hijacker manages to get his script listed as the official page for another website's URL, there is not a lot you can do about it. In fact, if the hijacker has some skills and is cloaking against spiders, it can be really difficult to get corrected.
A 302 redirect hijack is a full-on exploit, and it is unclear, at least to me, how Google will address the problem in the future, although they said it was being worked on in Q1 2006. A 302 redirect hijack can be summarized like so (from clsc.net):
This exploit allows any webmaster to have his own "virtual pages" rank for terms that pages belonging to another webmaster used to rank for. Successfully employed, this technique will allow the offending webmaster ("the hijacker") to displace the pages of the "target" in the Search Engine Results Pages ("SERPS"), and hence (a) cause search engine traffic to the target website to vanish, and/or (b) further redirect traffic to any other page of choice.
Basically, 302 redirect hijacking is a well-documented black hat method for hijacking the SERPs. The hijacked pages appear to the searcher as copies of the target pages, but end up redirecting them to the hijacker's page. The victim's traffic dries up, he shoots all of his co-workers, and makes the evening news.
Search engines vulnerable to this exploit include: Google, MSN Search, and likely many more. The Yahoo! search engine seems to be the only one which is not affected but I am not sure if this is by design ;)
Alright, so the bad news is that essentially anyone is vulnerable. The good news is that reducing the risk can be effective and quite easy - did that sound like condom ad speak to anyone else? Having said that, it is important to keep in mind that there is no way to guarantee your pages will not be hijacked. I have come across hijacked pages that have been in place for years unnoticed - even after emailing the victim. As of this writing there is no 100% foolproof method that I know of. These tips will simply make a hijacking more difficult.
301 Redirect your www or non-www domain
Everyone should be doing this. Put quite simply, if you are not, you are tripping up content filters, meaning your website is being penalized for duplicate content. You need to be redirecting your traffic to one domain. Some prefer the domain sans the www and some don't; it's up to you. If you use the Apache web server, the way to do this is to insert the following in your root ".htaccess" file:
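RewriteEngine On
# Any host other than www.example.com gets a permanent (301) redirect to it
RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
RewriteRule (.*) http://www.example.com/$1 [R=301,L]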
Or, for www-to-non-www redirection à la Slashdot, use this syntax:
RewriteEngine On
# Any host other than example.com gets a permanent (301) redirect to it
RewriteCond %{HTTP_HOST} !^example\.com$ [NC]
RewriteRule (.*) http://example.com/$1 [R=301,L]
A more desirable way to do this would be in the actual httpd.conf file but you need root to do this. The advantage would be slightly less server load I suppose.
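To confirm the rewrite rules behave as intended, the check below audits what each non-canonical URL answers with: a 301 (not a 302), a Location on the canonical host, and the same path and query. It is an added example, not code from the original post; CANONICAL, the function names and the SAMPLE responses are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit
import http.client

CANONICAL = "www.example.com"  # assumption: the host you decided to keep

# Constructed sample: url -> (status, Location header)
SAMPLE = {
    "http://example.com/": (301, "http://www.example.com/"),
    "http://example.com/about?x=1": (302, "http://www.example.com/about?x=1"),
    "http://example.com/blog/post": (301, "http://www.example.com/"),
    "http://www.example.com/": (200, None),
}

def fetch(url):
    """Live lookup (not called here): one HEAD request, redirects not followed."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=10)
    try:
        conn.request("HEAD", (u.path or "/") + ("?" + u.query if u.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def check_redirect(url, status, location, canonical=CANONICAL):
    """Return the list of problems with one URL's response."""
    req = urlsplit(url)
    if req.hostname == canonical:
        # The canonical host must serve content itself, or the rules loop.
        if status in (301, 302, 303, 307, 308):
            return ["canonical host should answer directly, not redirect"]
        return []
    problems = []
    if status != 301:
        problems.append(f"expected 301 (permanent), got {status}")
    if not location:
        return problems + ["no Location header"]
    loc = urlsplit(location)
    if loc.hostname != canonical:
        problems.append(f"Location points at {loc.hostname!r}, not {canonical!r}")
    if (loc.path or "/") != (req.path or "/") or loc.query != req.query:
        problems.append("path or query string not preserved")
    return problems

def audit(responses, canonical=CANONICAL):
    """Map each failing URL to its problems; passing URLs are omitted."""
    report = {u: check_redirect(u, s, l, canonical) for u, (s, l) in responses.items()}
    return {u: p for u, p in report.items() if p}
```

For a live run, build the input with `{u: fetch(u) for u in urls}` and pass it to `audit`.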
Use absolute Internal linking
This is the most effective way to defend against a 302 redirect hijacking. By linking to the pages within your site by their fully qualified URLs, domain included, you are making it much harder for the hijacker. Do the same for images and anything else you can.
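One way to find the links that still need converting is to scan each page for relative URLs and print the absolute form to use instead. This is an added example, not code from the original post; the tag list, names and SAMPLE_HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urljoin

# Tags and the attribute on each that carries a URL (assumed list; extend as needed)
URL_ATTRS = {"a": "href", "link": "href", "img": "src",
             "script": "src", "iframe": "src", "form": "action"}

# Constructed sample page
SAMPLE_HTML = """<html><body>
<a href="/about.html">About</a>
<a href="http://www.example.com/contact.html">Contact</a>
<img src="images/logo.png">
<a href="#top">Top</a>
<a href="mailto:me@example.com">Mail</a>
</body></html>"""

class RelativeLinkFinder(HTMLParser):
    """Collects every link that does not name its host explicitly."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (line, tag, value as written, absolute form)

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag)
        for name, value in attrs:
            if name != wanted or not value or value.startswith("#"):
                continue  # other attribute, empty, or same-page fragment
            parts = urlsplit(value)
            if parts.scheme or parts.netloc:
                continue  # already names a scheme (http:, mailto:) or a host
            absolute = urljoin(self.page_url, value)
            self.findings.append((self.getpos()[0], tag, value, absolute))

def find_relative_links(html, page_url):
    """Return the relative links in html, resolved against page_url."""
    finder = RelativeLinkFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

if __name__ == "__main__":
    for line, tag, value, absolute in find_relative_links(
            SAMPLE_HTML, "http://www.example.com/blog/post.html"):
        print(f"line {line}: <{tag}> {value} -> {absolute}")
```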
Random Changing Content
Add some snippet of text to your page that changes daily, such as a quote of the day, a time stamp, RSS headlines, or a "this page was last updated on" type of widget.
Request Removal
Although this is not an easy approach, I mention it because I have seen reports of some guys being successful with it. Google will accept a request for removal if your page returns a 404 error. Obviously this means pulling the content. Here is a great explanation, again from clsc.net:
Simply, you have to make sure that the target page returns a 404, which means that the target page must be unavailable (with sufficient technical skills you can do this so that it only returns a 404 if there is no referrer). Then you have to request removal of the redirect script URL, i.e. not the URL of the target page. Use extreme caution: If you request that the target page should be removed while it returns a 404 error, then it will be removed from Google's index. You don't want to remove your own page, only the redirect script.
For some more background on general redirecting please see the Organic SEO Wiki. I originally stumbled across domain name redirection for SEO at stuntdubl’s blog so here is a pull for him as well.
Posted Mar 28, 2006 at 09:56 AM


Comments
Also, as a late update for 301 redirecting: a great online tool for checking your response headers (to see if your edits are working) is http://web-sniffer.net
Posted by Miles Evans on March 15, 2007 4:05 AM
Some prefer the domain sans the www and some don't, it's up to you.
Posted by 希腊航空 on January 4, 2008 12:59 PM