How to successfully spam blogs (and how to fight back)

What you’re about to learn isn’t anything new. It’s not particularly earth shattering either, but a lot of people don’t know it.


You may have noticed legitimate looking comments on your blog from people with suspect names. Usually the name will be a brand name, service or literally anything that sells. The commenter’s website is obviously related to that business. Why do they bother using special keywords when Google is supposed to not follow those links? Do they know something you don’t? Yup. They know that keywords, even on nofollowed links, matter. I’d provide reference links to SEO blogs explaining this but then they’d know I’m reading and they might shut up.

So, how do you go about spamming blogs? (And how do you defend against those spammers?) Here are two examples:

How to spam a niche blog

George, who runs 858graphics obviously makes signs in San Diego. I’m sorry that his store was egged last year, but he’s obviously trying to manipulate Google. Unfortunately, he succeeded. He is #2 in Google for “San Diego Signs”. Strangely enough there are no links to his website.

How to spam a niche blog

This second guy isn’t quite so successful, and to think he’s spamming my poor Shih Tzu, Oscar. The spammer’s domain is near the bottom of the first page of a Google search for Shih Tzu Checks. That’s still pretty good considering he doesn’t have any links to that page either.

How did these guys find my blog? The first guy searched for WordPress blog posts with comments. The second looked for a page saying, “leave a reply”, an open invitation to spam if ever there was one!

Out of curiosity I followed the Google search a recent spammer used. On the blogs surrounding my blog in that search I found traces of him everywhere. He left legit looking comments but the link was always full of keywords for his business.

Stuffing keywords in nofollowed links certainly helps rank for keywords.

So, you want to know how to fight back? It’s very simple if you’re using WordPress:

  1. Install my Comment Referrers plugin. That will add a line at the end of the moderation emails with the referrer of the visitor. Some referrers should ring alarm bells!
  2. Install Delink Comment Author. This plugin removes the link the comment author left as their URL. I modified my install so it removes the email too as I moderate comments from new users.
  3. I was planning on coding this next plugin, but I found Lucia’s Link Love first and that saved me the trouble. I modified mine so it doesn’t hyper link the name of a comment author who has left less than a certain number of comments. See this comment as an example. That “Landscape Artist” never came back to my blog again so his “name” isn’t linked to his site.

So, chances are a few more people are going to try this technique now that I’ve blogged about it. I bet many more blog owners will be more vigilant of it now though. It’s your blog. If you don’t want to be pawn to a spammer then fight back!

Edit: Here is my version of Lucia’s Linky Love. Just rename this file to .php and drop into your plugins folder. If you’re not logged in or have a comment cookie in your browser you should see some comment author’s names won’t be linked.



79 Replies to “How to successfully spam blogs (and how to fight back)”

  1. Interesting read. Just one point:

    […]”That’s still pretty good considering he doesn’t have any links to that page either.”[…]

    you missing to add www in the domain name. then you’ll see some links.

  2. The other option in the war on spam is to do as I do… ruthlessly moderate anything that looks suspect.

    I just deleted at least 10 “valid looking” comments because they either used a keyword for a name, or had a regular name that linked to an obviously commercial blog. Some people don’t want to do this because they want “more comments”, but allowing that crap does not help you build a community. No one wants to engage in a discussion with a spammer, so don’t get sucked into allowing them to live.

    Every blogger should also have a Terms of Use page that outlines what you do and do not find acceptable. Then you can enforce at will.


  3. Thanks for the suggestions and plugin links. These days, I am mostly getting spam of this form:

    A spam blog steals part of a post, makes a post of its own ‘about’ it, and then links back to my blog.

    I remove the trackbacks whenever I find them, but I do miss some and it is an annoying waste of time. Any ideas for how such spammers could be combatted?

  4. I honestly can’t remember the last time I got a legitimate trackback. Pingbacks, sure. But trackbacks seem to be exclusively spam nowadays. I might as well just disable them entirely. That would eliminate most of my spam, but it would be a temporary solution only, I know.

  5. Great article! I love eating fried spam! viagra viagra.

    Just kidding, I’m not spamming your site. Great article, and thanks for the link to the plugins. The delinker is going to be huge.

  6. I’ve learned quite a bit from this post and the comments. I’ll definitely have to implement some of the plugins.

    and thanks for posting your modified Lucia’s plugin!

  7. this website has more links than yours… to earch for backlinks via google is for absolut non seo s a good method never ever for profis.

    and so your spampreotection is the protection like a non seo..

    to kill all links -if friend or enemy- we will kill us all of the index from google.

    who is the winner: the spammer..


  8. The 2 spam replies aren’t being done by bots; they were made by actual people. A bot wouldn’t have left a referring URL, especially not one that makes its tactics obvious. So this “spam” was actually created by a real person who took the time to read your page and post a relevant comment. I don’t see the problem here. So what if they link to their own site? Thats the whole point of letting people put in a URL. I don’t see why you would allow personal sites to leave a URL, but not commercial sites. And how would you draw the line? A lot of personal blogs are supported by ad revenue. And so what if he doesn’t put in his real name, but instead uses a name related to his buisness? I frequently post anonymously (like now), use a pseudonym, or the name of my blog. The internet doesn’t require that you always use your real name.

    Obviously all blogs have their own policies for determining what is acceptable and what isn’t, but I think you are shutting out a lot of people who are making a contribution to your site.

  9. Anon – I know they were not bots, but look at the referring Google searches. The point is they were looking for blog posts in their niche that they could spam, and they very rarely return to comment again.

  10. I get about 4-5 of these commenters a day. I usually use them in a weekly “Roundup” post, the amazing thing is that these people then comment on that post! :S

  11. I kid you not, I was literally going to write this entry (well, not in your exact words, but with the same premise). I’ve noticed a huge increase in human submitted spam ever since people have been installing more and more spam fighting tools.

    Since I’ve had your comment referrer plugin installed, I’ve been able to see where a majority of the comments are coming from at a glance and if I see some sort of search query attached — that doesn’t seem legit — I’ll usually nuke the comment or deliberately yank the URL and approve the comment.

    Another thing I’ve noticed is a trend with these human spammers, besides searching for “leave a reply”, is using the key term followed by comments or leave comments. The other day, I received a comment on a blog entry about bloggers getting ready for the holiday shopping season because the search query had “shopping + leave a reply” in it.

    Unfortunately, services like “buy blog comments”, who I won’t link to in your comments, aren’t helping this in any way as I’m sure these human spammers wouldn’t be doing it unless they were being paid for it. (And from the looks of their comments, not very much.)

    ~ Teli

  12. I’d have to agree with anon here. The post sounds a bit paranoid 😛 I use my own, homemade bot-catcher script (almost 100% effective) to deal with automated spam, but I let human users have their (nofollow’ed) links.

  13. I had a nice experience with spam trackbacks from the past. These comments/trackbacks were with normal text filled-in and linked to my articles and I allowed these trackbacks in the admin page. After months I saw that these sites (trackbacks) are filled with ads for blue pills and s e x sites (on my site/article). I have learned now, control your trackbacks… 😉

  14. I’ve also noticed this new comment spam lately coming from actual people, not bots (usually with Romanian or Australian IPs). I’ve tracked through the referring links and found that most were coming via a single keyword like “payday” or “poker” and “remember my personal information” or other default text that you’d find associated with a comment form.

    I’ve gone through and changed those bits of text on my template to non-standard things. So get rid of things like “Notify me of followup comments via e-mail”, “Mail (will not be published)” and “Input text in box below” or whatever … It’s taken a week or so for mine to drop off searches, but it’s definitely lessened my spam.

  15. Marcus, I’ve noticed sometimes people will let their blogs lapse, then let their domain names expire. Sometimes it ends up at a parking page, and sometimes a spammer snaps it up because it already has incoming links. That could be what you ran into. Or it could have just been really sneaky spammers.

    I saw one a few weeks ago that led me to coin the term, link laundering (like money laundering). The commenter’s blog looked perfectly normal, except every single link in it was to the same spam site.

  16. “Every blogger should also have a Terms of Use page that outlines what you do and do not find acceptable. Then you can enforce at will.”

    While it’s an interesting comment that John P. makes, it starts from an invalid assumption – that people have some sort of right to comment on your blog. No one does. If you have a blog, and especially if you pay for it, it’s yours. You don’t have to allow any commenting if you don’t feel like it. And you can moderate, delete, hey, you can edit people’s comments, and they have no recourse, and nothing to say about it (other than posting about you elsewhere should they so desire). While I know it’s customary to allow blog comments, the belief that somehow people have an inalienable right to post them is nonsense.

  17. If it weren’t for George’s referrer, you would have allowed his comment, right? It was relevant, and he had clearly read the post before responding. Who cares is he’s looking for link juice?

    Personally, I get annoyed only by off-topic or obscene SEO comments. As long as it’s a real human, even if they never come back, that’s okay with me.

  18. I got a similar spam to the one mentioned today. It looked like it was manually entered. The guy googled for tool battery blog, found mine and spammed it. either that or a very clever bot.

    A while back I noticed that spambots don’t really request CSS files, why would they? so now one of my CSS files is actually a PHP that leaves behind a cookie and it won’t let anyone comment unless they have the cookie. Its obscurity through security but it works, most of the time except for manual spammers

    There’s people in India who will sit there and spam blogs all day for a few cents an hour

  19. Thanks for this. I just installed it – I don’t get much spam, but I’ve definitely gotten some borderline posts in the past, hopefully this’ll help clear that up!

  20. This is good for people like us, although it may not be so good for new bloggers, or even newbie bloggers :). Nevertheless, since spamming is an ever increasing problem, such a system surely is something everybody should go for…I might give it a try, but my blog isn’t really popular and I don’t get many comments at all. Askimet is good enough for me for now, let’s see maybe in the future I may consider your approach.

  21. Dankoozy – your comment gave me an idea for doing a plugin that does that. It’s running now and working rather well.
    If the cookie exists the comment gets handed to Akismet, otherwise it gets marked as spam and I remove the akismet filter to save on processing and the small network usage.

  22. I just add into my .htaccess if the HTTP_REFERER !=MY_HOST (not actual code) will come a 404. means NO BOTS.

    And…RENAME the COMMENT.PHP to something else also fools them easy….

    Nibbing the problem in the bud is better than the need to DeLink etc.

    best regards


  23. While messing around with your files can be a good deterrent, updating your CMS could mess it up. I’d rather use a bunch of anti-spam modules e.g. Askimet, BadBehaviour, NoCaptcha, etc. or instead put up a very simple captcha or sum to work out.

    Not every search engine uses nofollow, and it is somewhat hated by a bunch of people, for example Wikipedia has nofollow now. Yet if your site was good enough to have a Wikipedia reference, you would hate that reference being worth nothing!

  24. Why would anyone ever approve a comment from a keyword name? It’s obviously spam. If it is a real name with a “spammy-ish” site, I’ll simply manually remove the URL when I approve the comment.

    I recently tweaked a bot-trap and some php to have comments on my blog submitted to the IP address of the visitor to the site. If they submit a comment to a different IP address, they are blocked.

    Example: My IP address is When I want to post a comment on my blog, the (form) will submit the comment to 234.2342.2342.234.php. Since the formname and my IP match, the comment is handed over to Akismet and WordPress. But then if someone later tries to submit a comment to that IP address, (like say a spider that crawled my site gathering comment form submission URLs) they will be instantly blocked when they submit. It’s been working pretty well.

    Also, anyone that tries to submit to the default WordPress post comment URL is blocked automatically.

  25. OK the name is a bit of a joke- it’s the first time I have used such a name, as i only just learned of it from you, and it will help to make my point.

    As long as someone who is using their business name or profession (which also happens to be a keyword) as a name is posting intelligent comments to your blog, who cares?

    I mean, I got really sick of sifting through the comments that were just a string of keywords or the ones that just say “Nice!” but I learned that it’s easy to shut those off. If a guy has a half-way intelligent comment to make on my blog, I don’t care so much that his name links to website he makes money off of. Don’t comments invite more traffic to my blog?

  26. i’m affraid to use plugins, because one wrong move and poof, another three hours trying to figure out wtf. can u or anyone walk me through with plain english, how i can install?

    any help would be grateful.

  27. Totally agree with “kid chapter…”. I’m not concerned if someone uses a few keywords as their name….it’s the content that’s important. If it is obvious they read the blog, and contributed a useful comment, then absolutely it will be allowed.

    So if you don;t mind I will leave a plug for my website-, we offer web conferencing services. Hmmm…interested if you will review this as a spam comment?

  28. Posting something like this is just downright selfish. I didnt know how to spam blogs until now, thanks.

    Now, you get a few downloads of your plugins, yay.. but unless you have the attention of evry blogger in the world, you s&rewed the rest of them… does it get any more selfish than that?

  29. Thetruth – sorry you feel that way but this is nothing new to spammers, but many bloggers don’t know about it and let through these spammy comments. Since I posted this I received at least a half-dozen of these comments, one spammer even came from this blog post according to my referrer plugin!

    David – Yes. That second part of your comment is spammy, but I let it through after sanitizing it.

  30. Is it spam if it’s a man made comment though? I don’t really mind someone having their link in a post as long as you get some actual human interaction out of them.

    Lately what I did was remove the links out of a spammer’s bot comments so that my site would rank for his keywords (Not that I was interested in them, but to spite him) Of course the bot interpreted it as an open blog so I received a bunch from the same source immediately after so I had to blacklist it. Still left the url stripped ones though 🙂

  31. Great stuff man! I am usually vigilant about spammy looking comments and tolerate a little when someone uses keywords for the name as long as their comment adds value to the conversation instead of just saying nice post. I do like your Comment Referrer plugin and will install it tonight.

  32. I don’t agree. If the comment is automated, then it should be deleted, but if the comment was posted by hand, and the guy bothered to read the article and leave a contextual comment, I have no problem with it. The only exception to this, is if the linked site is not worth linking to it.

  33. So since this blog is running those fancy plugins my current attempt to spam you won’t work? Oh well, on to my next victim.

    I’m kidding. But my opinion is that people who have read a blog, thought about it, then left a meaningful well thought out reply should be able to get a little love from Google or whomever. I mean, it all depends on the situation too. If I were moderating all my comments then I’d let everyone get google love except those who were obviously spammers. I happen to not moderate my comments. All comments get through except those Aksimet catches. I thought about doing something similar to what’s described in this post but decided against it because I get more honest comments than spam. Also, blogging is all about give and take. its a community thing and I feel bad not giving my readers a little bit of a reward. But for those who do what is suggested in this site I would totally understand and wouldn’t hold it against them. both sides have valid points. God, sorry for being so longwinded

  34. I have to tell you, I find it funny if nothing else to edit a comment entirely to remove a link to a spam site, and change the name if it is keywords, then approve the comment. I just think in my head about how mad the spammer is that he didn’t succeed in posting his spam. I only do that if he leaves a comment worth posting (put some thought into his spam comment). I did recently require free accounts to post comments though due to a massive spam issue on a post about not spamming. It’s just easier to manage.

  35. Thank You for the answer to my question

    I searched on Google: wordpress blogpost spam
    and found you as nr. 4

    I was really wondering what was going on. Could there really be so many idiots out there?, around 3000 in less than 2 months, thinking they could get visitors through my site.

    So Google have been, and still is, rewarding those people to fill up the internet with crap. Amazing.
    Do you know about some software that easily could pick up those email addresses in a textfile. Or could you make some – maybe both for the past and future mails.

    We could then, maybe with the click of a bottom, send all those smart people a long email like:

    Thank you very much for your comment to my blog.

    I think you might be interested in:

    links (affiliate) 10 or 20 lines with something like
    guru1 guru2 Seo1 Seo2 Trafficexchange 1 to 5
    Service this and that.

    I think you may find some of the links above more useful and relevant in your effort to improve your ranking in the search engines.

    I have deleted your comment on my blog since it is highly irrelevant.

    I wish you god luck skyrocketing your business.

    Yours faithfully

    PS if you do not understand this message, I would suggest you get some help from your friends or maybe your doctor.
    Maybe we could earn some commissions for the effort of deleting all those crap comments.
    I wonder if Google would be open for a -5 button.

    1. Bjarne – there’s no point doing that unfortunately. The email addresses they use are probably fake. Using Akismet and/or Cookies for Comments stops almost all spam reaching your site. The spammers “fire and forget” and most of the time don’t even bother checking if the comment appears!

Leave a Reply