Ask HN: Why buy domains and 301 redirect them to me?
59 comments
· January 24, 2025
TrueDuality
As others have mentioned this is likely one of a couple of scenarios, roughly ordered by my guess on likelihood:
- Attempting to use your legitimate content and services to improve the SEO rank of other domains (even unrelated ones). This can usually be checked by looking for a sitemap.xml, there will be pages not redirected to your site that contain pages of links.
- Closely following the above, the pages may not be links to other sites but might be hosting phishing pages for other services unrelated to yours. The redirect here acts as a bluff for casual inspection of the domain. You won't see page entries in a sitemap.xml file for these ones.
- Attempting to "age" a domain. Not many talk about this option, but new domains are a red flag to a lot of automated security processes. When purchasing a domain and giving it a history associated with a legitimate service they make the domain look less suspicious for future malicious use.
- Preparation for a targeted campaign. This is pretty unlikely, you need to be really worth a dedicated long term campaign effort specifically against you or your company. If you're doing controversial/novel research, are managing millions of dollars, performing a service a state actor would object to, or have high profile clientele then maybe you fall into this category. These are patient campaigns and want to make the domain "feel normal and official". They won't do anything public with the domain such as SEO tweaking or link spam, they'll use these domains only for specific targeted one-off low-noise attacks. They're relying on staff to see that the domain has been connected to your service for years and is likely just a domain someone in marketing purchased and forgot about. This is exceptionally rare.
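One way to run the sitemap check TrueDuality describes, as an added example that is not from anyone in the thread: parse the lookalike domain's sitemap.xml, follow each listed URL through its redirects, and bucket the pages that never end up on your own domain. The sitemap, the domains and the redirect outcomes below are constructed so it runs offline; `resolve_final_url` is the only part that touches the network.

```python
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
SITEMAP_NS = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}

def sitemap_urls(sitemap_xml: str) -> list:
    """Every <loc> in a sitemap document, in order."""
    root = ET.fromstring(sitemap_xml)
    return [loc.text.strip() for loc in root.iterfind(".//sm:loc", SITEMAP_NS) if loc.text]

def resolve_final_url(url: str, timeout: float = 10.0) -> str:
    """Fetch url, following redirects (urllib does so by default), and return where it landed."""
    req = urllib.request.Request(url, headers={"User-Agent": "redirect-audit/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.geturl()

def audit_lookalike(sitemap_xml: str, legit_host: str, resolve=resolve_final_url) -> dict:
    """Bucket each sitemap URL: 'redirected' (lands on legit_host, the bluff for casual
    inspection), 'not_redirected' (still served by the lookalike: inspect these by hand),
    or 'error' (fetch failed, e.g. the page is only served to selected clients)."""
    legit_host = legit_host.lower()
    report = {"redirected": [], "not_redirected": [], "error": []}
    for url in sitemap_urls(sitemap_xml):
        try:
            host = (urlparse(resolve(url)).hostname or "").lower()
        except Exception:
            report["error"].append(url)
            continue
        landed_on_us = host == legit_host or host.endswith("." + legit_host)
        report["redirected" if landed_on_us else "not_redirected"].append(url)
    return report

# Constructed sitemap for a hypothetical lookalike plus constructed redirect outcomes,
# so the audit runs offline; pass resolve=resolve_final_url to audit a real domain.
SAMPLE_SITEMAP = """<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://getexample.com/</loc></url>
  <url><loc>https://getexample.com/login</loc></url>
  <url><loc>https://getexample.com/links/page1</loc></url>
  <url><loc>https://getexample.com/unreachable</loc></url>
</urlset>"""
SAMPLE_RESOLUTIONS = {
    "https://getexample.com/": "https://example.com/",                # homepage does the 301
    "https://getexample.com/login": "https://getexample.com/login",  # hidden page, not redirected
    "https://getexample.com/links/page1": "https://getexample.com/links/page1",
}

def demo() -> dict:
    # KeyError for the unreachable URL lands it in the 'error' bucket.
    return audit_lookalike(SAMPLE_SITEMAP, "example.com", resolve=lambda u: SAMPLE_RESOLUTIONS[u])
```

Pages that are only served to selected countries or user agents (the second and fourth scenarios above) will not appear in the sitemap at all, so an empty `not_redirected` bucket is not a clean bill of health.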
IncreasePosts
Regarding point two, OP should connect to a VPN in Japan or somewhere he very much isn't, use incognito mode, and see if the same content is served. I've seen hacked sites that are set up to serve normal content to where the attacker thinks the owner of the site lives, but serve phishing content or malware or whatever to everywhere else.
A 301 fits that bill because then the owner's browser, even when traveling, will serve the good content.
TrueDuality
Yeah this is a good call-out. If the site is being used for drive-by or targeted malware there are other checks that may be happening alongside the redirect such as user agent, country of origin (like you mentioned), plugins installed, OS, or even time of day.
If they detect something that matches what they want, they may throw some intermediate 301s to pages that attempt to infect the user with something, still ultimately redirecting to the "normal" page.
SlightlyLeftPad
Just a note: 301s are super sticky and browsers cache them even across incognito modes. Your best bet is to use a new browser after reconnecting to avoid false results.
meigwilym
I think the first one is pretty likely.
OP, you can search for "site:getexample.com" which will list you any pages that have been indexed for that domain. They might have just redirected the homepage. Worth a shot.
dccoolgai
It could be a combo of 1 and 3: a competitor (or someone who thinks they might be one in the future) ages those domains, then points them to their own product later.
TrueDuality
This is another great call-out and semi-common. I can definitely get blinded by my security focus but shady business tactics drive a lot of these similar domain purchases for exactly the reason you described.
ardillamorris
Their play is to send emails from those domains, claiming in the emails to be you, and when people reading the email go to the domain, they see your page (they got redirected).
phoe-krk
They'll weaponize them at some point. How exactly is to be seen, but if people associate your product with domains you do not control (e.g. via SEO searches and hyperlinks left in public places), then everyone is on the hook the moment these domains stop redirecting to your service.
bhouston
I haven't seen this before but back in the early 2010s I had some India-based group that iframed our SaaS website under a new domain. I caught it early and implemented this fix: https://stackoverflow.com/questions/2896623/how-to-prevent-m...
I think this was a common attack vector around then, but is no longer common.
AbstractH24
Seeing Google’s Picasa mentioned in an answer on that Stack Overflow question was a real throwback.
Beijinger
Stupid question:
Can you not detect and prevent this based on the HTTP referrer? Maybe reroute to goatse or something....
Rauchg
It’s possible `/` redirects but other hidden routes phish. If someone gets e.g.: a fake password reset email, it might help the attacker bypass sanity checks users make.
ActionHank
Also helps create phishing report "false" flags.
If I target a specific region with a phishing link and redirect if the requestor is not in that region I can probably maintain my phishing domains for longer.
pcbmaker20
I think you can check the HTTP_REFERER header and block the redirect using your back-end code, like PHP or Node or Python, not sure what tech stack you are using.
sgc
The right play might be to have a custom landing page or header / popup on your site indicating that they were referred by a fraudulent domain, and to please bookmark your proper domain / report if this was via an email link. The traffic might be good, just coming in through a bad actor.
gwbas1c
No, just redirect back to HTTP_REFERER. Why?
The user's browser will display a redirect loop error; and most importantly, they won't see your domain.
It keeps your name out of it and makes the email domain look even more fishy.
kbolino
Redirecting back to the referer will not create a redirect loop. The referer is the URL of the site that linked to the redirect, not the redirect itself. The redirect does not alter the referer in any way. In many cases, there will be no referer at all.
I don't know why everyone seems to think that HTTP redirects are visible in Referer (or Origin or any other header), but that's just not the case: HTTP redirects are completely transparent to the destination server.
sgc
If somebody is using your website to phish, it almost certainly means they are targeting people who legitimately want your services. It is an executive decision, but I personally would let people know, and take the free advertising.
colechristensen
You can do the same with a load balancer or reverse proxy like nginx, and I’d generally prefer to do so at that layer.
kbolino
The referer is the site that sent the user to the redirect, not the redirect itself. You cannot detect 301s from the destination only.
napsterbr
Whatever their play, detect and drop the redirects. Good job on noticing it early on!
kbolino
You cannot detect a 301 redirect when you're only in control of the destination.
HughParry
Presumably just throwing a 403 if they have this referrer is ok and won't have a weird SEO impact or something?
jsheard
Couldn't the attacker evade that by sending Referrer-Policy: no-referrer with their redirect?
HughParry
Good shout. Can always block based on origin header though (when under the assumption that it's a legit browser) since it's a forbidden header name.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Or...
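Here is an added example (not from any commenter) of the landing-page check sgc suggested, built on the Referer and Origin headers pcbmaker20, kbolino and HughParry discuss. `LOOKALIKE_HOSTS` and the header values are constructed, and the function is framework-agnostic: hand it whatever header dict your WSGI/ASGI stack gives you. It also encodes kbolino's caveat: a visitor who arrived through a 301 carries the referrer of whatever page linked to the lookalike, so only pages actually hosted on the lookalike (or a cross-origin POST from one) show up here.

```python
from urllib.parse import urlparse

# Constructed list of lookalike domains, modelled on the ones in the question.
LOOKALIKE_HOSTS = {"getexample.com", "buyexample.io", "joinexample.net"}

def _host_of(header_value: str) -> str:
    """Lowercased hostname from a Referer or Origin value; '' if absent, 'null' or unparsable."""
    if not header_value or header_value.strip().lower() == "null":
        return ""
    return (urlparse(header_value.strip()).hostname or "").lower()

def _is_lookalike(host: str) -> bool:
    # Match the domain itself and any subdomain of it (phish.buyexample.io).
    return any(host == bad or host.endswith("." + bad) for bad in LOOKALIKE_HOSTS)

def classify_arrival(headers: dict) -> dict:
    """Decide whether to show the 'you reached us via a fraudulent domain' banner.

    headers: request headers in any letter case. Origin is checked first because the
    browser sets it (it is a forbidden header name) on cross-origin POST/fetch requests;
    Referer covers ordinary link clicks but can be stripped by Referrer-Policy.
    Returns {'flag': bool, 'via': host or None, 'reason': str}.
    """
    h = {k.lower(): v for k, v in headers.items()}
    for name in ("origin", "referer"):
        host = _host_of(h.get(name, ""))
        if host and _is_lookalike(host):
            return {"flag": True, "via": host, "reason": f"{name} header names a lookalike host"}
    if "referer" not in h and "origin" not in h:
        # A 301 from a lookalike leaves no trace in the request: the browser keeps the
        # referrer of the page that linked to the lookalike, so absence proves nothing.
        return {"flag": False, "via": None, "reason": "no referer/origin; undetectable"}
    return {"flag": False, "via": None, "reason": "visible referrer is not a lookalike"}
```

Serving the banner (or sgc's custom landing page) on `flag` rather than a 403 keeps the traffic, which is genuinely yours, while telling the visitor which domain to bookmark.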
thiago_fm
No, and the earlier you do the better.
Later it might have
djsamseng
Check if your site has any manual actions against it. https://support.google.com/webmasters/answer/9044175?sjid=11....
They might be trying to create toxic back links to their domains and if those domains 301 to your domain, I believe this can negatively impact the SEO of your domain (from what I read). If so you can try to disavow them https://support.google.com/webmasters/answer/2648487?hl=en
teddyh
Check out Google’s Disavow Links Tool.
lpellis
Do you have an affiliate plan, or likely to have one? Maybe they plan to redirect with their affiliate ID at some point?
HughParry
Don't have an affiliate program, and I don't think we've got anything to suggest we will have one in the future (frankly our billing process is pretty bare bones and affiliate stuff isn't something we're looking at right now).
We're a small bot security/captcha company and pretty regularly get various attacks thrown at us - figuring out if somebody is up to something more along those lines was my main concern.
jfoster
I don't know if it still happens, but Google used to have an issue that I would see in Verbatim mode whereby non-Wikipedia domains would rank as particular Wikipedia pages by redirecting to Wikipedia. I can't seem to replicate it now, so it might be resolved or vary from country to country.
I posted about it at the time, but no one seemed to be able to replicate it:
https://x.com/jfozonx/status/1570710776540958723
Always wondered how much traffic those domains were accumulating. Even though it was an edge case, it must've been quite a lot in aggregate.
yesthis
Yes, phishing. It might happen in the future, it could be happening right now, emails from getexample.com, a specific path on getexample.com that doesn't redirect to the real thing, etc.
File a DMCA with the registrar and the hosting provider.
Say I'm running a SaaS product, example.com.
Somebody has bought several domains like getexample.com, buyexample.io, joinexample.net, and is 301 redirecting them to example.com.
What's their play here? Is this setup for a phishing attack in the future? Are they just going to try and sell the domains to me in the future? I've not encountered behaviour like this before (or at least, I don't know if this is the beginning phase of a common scam).