Ask HN: Why buy domains and 301 redirect them to me?
Say I'm running a SaaS product, example.com.
Somebody has bought several domains like getexample.com, buyexample.io, joinexample.net, and is 301 redirecting them to example.com.
What's their play here? Is this setup for a phishing attack in the future? Are they just going to try and sell the domains to me in the future? Not encountered behaviour like this before (or at least, I don't know if this is the beginning phase of a common scam)
134 comments
[ 6.3 ms ] story [ 219 ms ] threadThis is less true than it used to be, but people still do it.
The fraudulent domains are only sending traffic to OP.
My guess is that they want to either phish visitors, or they want to ask OP for affiliate revenue, like a digital version of the guys who wash your windshield or your shoes without asking first, and then ask for money.
Or planning to threaten to divert organic traffic through the impersonation domains away from the canonical domain, if you don't pay them.
And they're not obvious mouse slips like redirecting googl.com -> google.com - they're more of the form <verb>mydomain.com.
I was mostly interested in what the actual play from them here is tbh
Then they send an invoice…
Later it might have
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Or...
If you click a link on red-herring.com which points to bad-domain.com, which then redirects to good-domain.com, the referer will be red-herring.com (if not disabled entirely).
HTTP redirects have no effect on the referer.
Of all the answers presented so far, this one feels the most plausible to me.
If I target a specific region with a phishing link and redirect if the requestor is not in that region I can probably maintain my phishing domains for longer.
We're a small bot security/captcha company and pretty regularly get various attacks thrown at us - figuring out if somebody is up to something more along those lines was my main concern.
I'm guessing it will look normal but it could provide some insights if something weird is there.
---
Headers
---
HTTP/2 301
date: Fri, 24 Jan 2025 13:59:51 GMT
content-type: text/html
content-length: 167
location: <the website in question>
cache-control: max-age=3600
expires: Fri, 24 Jan 2025 14:59:51 GMT
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JZu4FOa%2ByynaFOXWYlxaePF9KdRQ0qGUJkfm1F1aK2m3VEx6idlvWlb5go%2B08hgSog1zm1zuMobXcVK2BkR4mQD0SEGU%2Bzp2oC6mXPgQs%2FUzvOH7LbqAG96jtf9KNqemV8Q%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 90708be24810e8fe-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=59748&min_rtt=41108&rtt_var=43898&sent=7&recv=8&lost=0&retrans=1&sent_bytes=3535&recv_bytes=789&delivery_rate=33797&cwnd=225&unsent_bytes=0&cid=e5052200af7e27a5&ts=145&x=0"
There isn’t a way to see what a referring site did to do the redirect (301 or 302 or even a js redirect) in your logs. All you’ll see is (potentially) the Referer http header.
I think this was a common attack vector around then, but is no longer common.
Can you not detect and prevent this based on the HTTP referrer? Maybe reroute to goatse or something....
The last thing you would ever want to do is associate your domain name with gross, offensive content like this. The web is crawled all the time for snapshot data.
Additionally, you're more likely to cause your own (potential) users to stumble on this than anything else.
IMO, the best policy is almost always transparency. If you were to redirect users (and referrer-based redirects are a fragile thing), send them to a phishing/spam awareness page and explain that they most likely arrived from such a source.
I posted about it at the time, but no one seemed to be able to replicate it:
https://x.com/jfozonx/status/1570710776540958723
Always wondered how much traffic those domains were accumulating. Even though it was an edge case, it must've been quite a lot in aggregate.
File a DMCA with the registrar and the hosting provider.
The user's browser will display a redirect loop error; and most importantly, they won't see your domain.
It keeps your name out of it and makes the email domain look even more fishy.
I don't know why everyone seems to think that HTTP redirects are visible in Referer (or Origin or any other header), but that's just not the case: HTTP redirects are completely transparent to the destination server.
They would be if it's a same-origin redirect, no? And I was under the impression that 3xx also set it cross origin (barring a referrer-policy header), though I'm less confident now. (I can't test it ATM).
Edit: I am clearly confused. The browser preserves the original referer when performing a 3xx, as you said.
- Attempting to use your legitimate content and services to improve the SEO rank of other domains (even unrelated ones). This can usually be checked by looking for a sitemap.xml, there will be pages not redirected to your site that contain pages of links.
- Closely following the above, the pages may not be links to other sites but might be hosting phishing pages for other services unrelated to yours. The redirect here acts as a bluff for casual inspection of the domain. You won't see page entries in a sitemap.xml file for these ones.
- Attempting to "age" a domain. Not many talk about this option, but new domains are a red flag to a lot of automated security processes. When purchasing a domain and giving it a history associated with a legitimate service they make the domain look less suspicious for future malicious use.
- Preparation for a targeted campaign. This is pretty unlikely, you need to be really worth a dedicated long term campaign effort specifically against you or your company. If you're doing controversial/novel research, are managing millions of dollars, performing a service a state actor would object to, or have high profile clientele then maybe you fall into this category. These are patient campaigns and want to make the domain "feel normal and official". They won't do anything public with the domain such as SEO tweaking or link spam, they'll use these domains only for specific targeted one-off low-noise attacks. They're relying on staff to see that the domain has been connected to your service for years and is likely just a domain someone in marketing purchased and forgot about. This is exceptionally rare.
OP, you can search for "site:getexample.com" which will list you any pages that have been indexed for that domain. They might have just redirected the homepage. Worth a shot.
A 301 fits that bill because then the owners browser even when traveling will serve the good content
If they detect something that matches what they want, they may throw some intermediate 301's to pages that attempt to infect the user with something still ultimately redirecting to the "normal" page.
(Fingerprint usage: have https://myfingerprint.example.com 301 to https://myfingerprint.example.com/unique_id_3b136c1cb, then embed https://myfingerprint.example.com in an iframe and see which request is made.)
I still never use 301s for that reason. Things may have changed, but I dare not try!
I use 301 for http:->https: redirects because (a) I doubt we're going back, (b) it prevents some cleartext leaks (like the Host header), and (c) it is slightly cheaper.
> we never figured out how to get the browser to re-learn the responses for those pages without drastic measures.
If you control the target URL it is easy, just redirect back. Seriously: The browser won't loop, it'll just fetch the content again and now not seeing a 301 will forget that nonsense ever happened. This is why 301 is usually a fine default for same-site redirects, or if the redirect target is encoded in the URL (such as in tracking URLs).
The big no-no is don't 301 to a URL you can't control unless you have the appropriate Cache-Control headers on the redirect.
Just uh... don't do this if you have a CDN infront of your site. We had an incident where Cloudfront cached the 301's in both directions
In my experience, this solves the sticky 301 issue and you should have no issues with cached 301s anymore.
Works perfect for these kind of investigations or if you made a mistake during site development.
One quick point of feedback: The "Learn more about our features and pricing" button appears to be broken, at least on Chrome Android.
The click gets intercepted by the registration form somehow, like by some type of overly-broad selector targeting "form button" or similar.
Instead of being taken to the pricing page, it takes me to the next step of the form, which I don't want to fill out before seeing the pricing.
(I doubt that is the case in OP's situation, but I have seen both of those methods of "hiding" multiple times now)
There's a related site compromise where a hacked webserver behaves normally except, when the referrer is google.com, it adds a JavaScript redirect to the end of any page.
You go to example.com, everything looks normal. You click a link to example.com, you end up on a page selling herbal dick pills. Site owner yells at Google thinking it's their fault. Googlebot never gets served the redirect.
You should be able to do the same thing with 301 redirects.
Then they build links to their domains. Once it has more backlinks than the real domain, the redirect is removed.
- Reaching out in good-faith with an offer to sell the domain to you. I've had that happen in the past and before receiving the email the person directed the domain to my official website to show good will. I purchased the domain and now own it.
Not saying this is the case here, but just wanted to throw a legitimate scenario into the mix. They should have reached out by now if this was the case.
1) set up plausibly-named fake domains that redirect to example.com
2) ensure that the fake domains rank higher than the original domain for "example" searches.
3) after a while, people have gotten used to accessing the service through the fake domains or might even think those are the official domains.
4) pull up the net by replacing the redirect with phishing pages. Suddenly, everyone googling for the service will end up on a phishing site, without any obvious way to fix the situation.
Phishers could also run this scheme for lots of sites in parallel, without needing to have some specific interest in any of them.
Edit: Seems like the semantics of the 301 redirect should prevent this from working though.
They'll then send out an email campaign with a From: address in the counterfeit domain (which will have valid SPF/DKIM/whatever), a subject like "Example.com: You've been invited to join a project!", quickly-come-see-this-secret-stuff body copy, and a call-to-action button linked to that URL.
The page hosted on the URL will have your branding and everything, and collect a bunch of personal information and/or access credentials for the scammers.
Taking down this stuff is tedious, but you can try -- least you can do for now is display a prominent 'this is not an authorized example.com domain' warning for inbound visits from these redirects, create a public Knowledge Base-like article warning about this abuse as well (making very clear this has nothing to do with you), and block the domains involved on your inbound mail server.
Silver lining: apparently your SaaS is successful enough to be used as a lure for scammers. Congrats?
They may also represent you to real life businesses for invoice scams or credit.
Rare but possible scenarios worth considering.
It's been a while, and IANAL - but I've seen both domain resellers and registrars cave pretty quickly when contacted with "that name very obviously infringes on our trademark".
They might be trying to create toxic back links to their domains and if those domains 301 to your domain, I believe this can negatively impact the SEO of your domain (from what I read). If so you can try to disavow them https://support.google.com/webmasters/answer/2648487?hl=en