[sgc]

The right play might be to have a custom landing page or header / popup on your site indicating that they were referred by a fraudulent domain, and to please bookmark your proper domain / report if this was via an email link. The traffic might be good, just coming in through a bad actor.

[gwbas1c]

No, just redirect back to HTTP_REFERER. Why?

The user's browser will display a redirect loop error; and most importantly, they won't see your domain.

It keeps your name out of it and makes the email domain look even more fishy.

[sgc]

If somebody is using your website to phish, it almost certainly means they are targeting people who legitimately want your services. It is an executive decision, but I personally would let people know, and take the free advertising.

[kbolino]

Redirecting back to the referer will not create a redirect loop. The referer is the URL of the site that linked to the redirect, not the redirect itself. The redirect does not alter the referer in any way. In many cases, there will be no referer at all.

I don't know why everyone seems to think that HTTP redirects are visible in Referer (or Origin or any other header), but that's just not the case: HTTP redirects are completely transparent to the destination server.

[Cpoll]

> I don't know why everyone seems to think that HTTP redirects are visible in Referer

They would be if it's a same-origin redirect, no? And I was under the impression that 3xx also set it cross origin (barring a referrer-policy header), though I'm less confident now. (I can't test it ATM).

Edit: I am clearly confused. The browser preserves the original referer when performing a 3xx, as you said.