301 redirects to
, a search engine would interpret that the content at
was moved to
, effectively giving credit to the latter site.
If you use such a redirection script in your site, there are three possible solutions to prevent 301 attacks:
Use a 302 redirect instead of 301
Use robots.txt to exclude the redirect script from search engines
Use a database-driven solution, so that the script redirects only known links
Any of these solutions will suffice. The last is usually unnecessary for most sites, but it is mentioned here because, in theory, leaving such a script in place lets a social engineer assert to a non-sophisticated layman that your site advocates some other site; this is phishing.
Using a 302 Redirect
As discussed in Chapter 4, 302 redirects do not transfer any link equity, and therefore have little value from a spammer’s perspective. However, they may still be useful to “phishers,” as mentioned later.
$new_url = $_GET['url'];
header('HTTP/1.1 302 Found');
header('Location: ' . $new_url);
exit;
Using robots.txt to Exclude redirect.php
This technique can be used in addition to using a 302 redirect. It does not, however, prevent “phishing,” either. Read Chapter 5, if you haven’t already, for more details on the
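The robots.txt entry that excludes the redirect script, as an added example that is not from the book (it assumes the script lives at the site root as /redirect.php):

```text
User-agent: *
Disallow: /redirect.php
```

This only asks well-behaved crawlers not to fetch the script; the redirect still works for any human who follows the link, which is why it does not address the phishing case.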
Using a Database-Driven Solution
You could store the URL (either embedded in the script itself, or in a database), instead of embedding it visibly in the URL:
// define URL lookup table (sample entries are constructed)
$lookup_table = array(
    'partner' => 'http://www.example.com/',
);
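A complete allowlist-driven version of the redirect script, as an added example that is not the book's own code. It serves both the 302 and the database-driven sections: the script accepts only a short key, looks the destination up in a table it controls, and refuses anything else, so it can never be made to vouch for an arbitrary site. The table entries, the `to` parameter name and the `resolve_redirect` helper are assumptions.

```php
<?php
// Added example (not the book's code): an allowlist-driven redirect.php.
// The destination is never taken from the query string; only a key is, and
// the key is resolved against a table the site owner controls.
// Table entries and the $_GET['to'] parameter name are assumptions.

// Lookup table: key => destination (sample entries are constructed).
// In a database-driven version this array would come from a SELECT by key.
$lookup_table = array(
    'partner' => 'http://www.example.com/',
    'docs'    => 'http://docs.example.org/guide/',
);

/**
 * Resolve a redirect key to a destination URL.
 * Returns null when the key is malformed or not in the table.
 */
function resolve_redirect(array $table, $key)
{
    // Only short, simple keys are accepted; anything else is rejected outright.
    if (!is_string($key) || !preg_match('/^[a-z0-9_-]{1,32}$/', $key)) {
        return null;
    }
    return isset($table[$key]) ? $table[$key] : null;
}

$destination = resolve_redirect($lookup_table, isset($_GET['to']) ? $_GET['to'] : '');

if ($destination === null) {
    // Unknown key: refuse rather than fall back to a user-supplied URL.
    header('HTTP/1.1 404 Not Found');
    header('Content-Type: text/plain');
    echo "Unknown redirect key.\n";
    exit;
}

// A 301 is safe here because every destination is one the site owner chose.
// Use 'HTTP/1.1 302 Found' instead if the link should not pass link equity.
header('HTTP/1.1 301 Moved Permanently');
header('Location: ' . $destination);
exit;
```

With this layout a request such as redirect.php?to=partner works, while redirect.php?url=http://attacker.example/ has no effect, because the script never reads a full URL from the request.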
This practice can also be applied to humans, and, in that case, is called “phishing.”
The attacker tries to suggest, to human visitors and to search engines, that your
) is in some way associated with
. Popular, old web sites should be particularly careful, because
the potential benefits that can be achieved through phishing are significant.
An example involving a previous Google “phishing” vulnerability is cited here:
Chapter 8: Black Hat SEO