Securing Against Postback Fraud

Postback URLs are handled server-side, so potentially malicious partners can’t fire conversion pixels to artificially inflate their earnings. However, they may try other tactics to manipulate their earnings. If you’re using server postback tracking, use the following features to reduce the potential for fraudulent activity.

Offer Whitelist

The Offer Whitelist feature limits the set of IP addresses that a postback can be fired from. When this feature is enabled, any conversions fired from IP addresses not on the offer whitelist are rejected.

Advertiser Security Tokens

Advertiser Security Tokens add another layer of authentication for conversions. This feature works much like an API key: passing the value in a postback request authenticates the conversion, and failing to pass it results in a rejected conversion. The setting is configured at the advertiser level and applies to all of the advertiser’s postback offers. Partners cannot obtain this value on their end and have no visibility into the setting.
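The two checks described above (Offer Whitelist, then Advertiser Security Token) can be pictured as the following receiving-side logic. This is an added illustration, not the platform's own code; the parameter names `offer_id` and `security_token`, the host `tracker.example`, and all configuration values are assumptions constructed for the example.

```python
import hmac
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed sample configuration (hypothetical IDs, networks and token).
OFFER_WHITELIST = {"42": ["203.0.113.0/28", "198.51.100.7"]}  # offer -> allowed sources
OFFER_ADVERTISER = {"42": "7"}                                 # offer -> advertiser
ADVERTISER_TOKENS = {"7": "s3cr3t-constructed-token"}          # advertiser -> token


def check_postback(url, source_ip):
    """Return (accepted, reason) for one incoming postback request.

    source_ip must be the peer address of the connection itself; a
    client-supplied header such as X-Forwarded-For can be set by the sender.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    offer_id = params.get("offer_id", [""])[0]
    if offer_id not in OFFER_ADVERTISER:
        return False, "unknown offer"

    # Offer whitelist: when entries exist, the source must match one of them.
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False, "bad source address"
    nets = [ipaddress.ip_network(n, strict=False)
            for n in OFFER_WHITELIST.get(offer_id, [])]
    if nets and not any(addr in net for net in nets):
        return False, "ip not whitelisted"

    # Advertiser token: set per advertiser, so it covers all of its offers.
    expected = ADVERTISER_TOKENS.get(OFFER_ADVERTISER[offer_id])
    if expected is not None:
        supplied = params.get("security_token", [])
        if len(supplied) != 1:  # absent, or repeated and therefore ambiguous
            return False, "token missing"
        # Constant-time comparison avoids leaking how much of the token matched.
        if not hmac.compare_digest(supplied[0].encode(), expected.encode()):
            return False, "token mismatch"
    return True, "ok"


if __name__ == "__main__":
    base = "https://tracker.example/postback?offer_id=42"
    good = base + "&security_token=s3cr3t-constructed-token"
    for url, ip in [(good, "203.0.113.5"), (good, "192.0.2.9"), (base, "198.51.100.7")]:
        print(ip, check_postback(url, ip))
```

Because the token travels in the URL query string, it can end up in access logs and proxy logs on either side, so those logs need the same protection as the token itself.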

Encrypt Conversion Tracking URLs

This setting hashes the postback URL, masking offer IDs behind a shortened value. Conversion requests must then use the encrypted postback URL, and any conversion requests using the unencrypted version are rejected.

To enable this feature for an offer, first go to the offer’s page and click Edit in the Tracking panel. Set Encrypted Conversion Tracking to “Enabled” and Save your changes. Your shortened postback URL should then be ready for use and look something like this:

Note: This setting cannot be used with global postback URLs because they are not encrypted URLs.