What's the difference between an Affiliate and Co-hosted Site?

A common question we’ve received from our users is “What’s the difference between the Affiliate and Co-Hosted Site data types found during a scan?”

When SpiderFoot is running a scan against your target, it encounters new entities along the way such as IP addresses, host names, domain names and so on. When new entities are discovered, SpiderFoot has to decide how strongly related they are to your scan target(s) so that the result is meaningful and triggers the right kind of behavior towards those entities.

This is where Co-hosts and Affiliates come into the picture. They are a way to treat host names, domain names and IP addresses found during a scan as being related in some way to your target.

Why the distinction? Because SpiderFoot will do much more with an Internet Nameor IP Address since they are considered “first class citizens” in the context of your scan; they are a part of your target scope. However for co-hosted sites or affiliates, SpiderFoot will do very little since they have been identified as not being strongly related to your target scope.

To summarize the differences:

  • Affiliates don’t share the same IP address as your target(s) but are related in some way, such as providing mail services for your target, or are linked from your target’s website and happen to link back to your target.
  • Co-hosted sites resolve to the same IP address as your target host name or domain name.
  • A host name could be both a Co-hosted site and an Affiliate - Internet Name.
  • Not all co-hosted sites are necessarily affiliates, and vice versa.

Let’s illustrate this with an example.

Say we are scanning tesla.com as our target, and a passive DNS module identifies that tesla.mn.tesla.services happens to resolves to the same IP that tesla.com does. SpiderFoot now has to decide whether to report tesla.mn.tesla.services as an Internet Name, Affiliate - Internet Name or Co-hosted Site.

Based on the name alone, it cannot be an Internet Name in this scan because it does not live within the scan target’s domain (tesla.com). Bear in mind that anyone on the Internet can create a DNS record on their own domain pointing to an IP address owned by someone else, so sharing an IP address with the target is not a strong enough connection to treat it as an Internet Name.

So SpiderFoot will report it as a Co-hosted Site, because the site (tesla.mn.tesla.services) is “co-hosted” with tesla.com due to sharing the same IP address. Note that “co-hosted” doesn’t mean they necessarily live on the same physical server - they may be behind the same load balancer, Cloudflare IP, or even be a mis-configuration. This is also why modules reporting co-hosted sites will stop doing so if more than 100 (configurable) have been found pointing to the same IP address.

Finally it’s worth noting that tesla.mn.tesla.services could also be reported as an Affiliate - Internet Name if there are some indicators of it being further related to the target in some way. For example, the Cross Reference module will attempt to fetch content from any Co-hosted Site found during a scan if iteration of co-hosts is enabled and if the target domain is mentioned on the site’s content and therefore report it as an Affiliate - Internet Name.

1 Like