What you’re about to learn isn’t anything new. It’s not particularly earth-shattering either, but a lot of people don’t know it.
NOFOLLOW DOES NOT WORK (properly)
You may have noticed legitimate looking comments on your blog from people with suspect names. Usually the name will be a brand name, service or literally anything that sells. The commenter’s website is obviously related to that business. Why do they bother using special keywords when Google is supposed to not follow those links? Do they know something you don’t? Yup. They know that keywords, even on nofollowed links, matter. I’d provide reference links to SEO blogs explaining this but then they’d know I’m reading and they might shut up.
So, how do you go about spamming blogs? (And how do you defend against those spammers?) Here are two examples:

George, who runs 858graphics, obviously makes signs in San Diego. I’m sorry that his store was egged last year, but he’s obviously trying to manipulate Google. Unfortunately, he succeeded. He is #2 in Google for “San Diego Signs”. Strangely enough there are no links to his website.

This second guy isn’t quite so successful, and to think he’s spamming my poor Shih Tzu, Oscar. The spammer’s domain is near the bottom of the first page of a Google search for Shih Tzu Checks. That’s still pretty good considering he doesn’t have any links to that page either.
How did these guys find my blog? The first guy searched for WordPress blog posts with comments. The second looked for a page saying, “leave a reply”, an open invitation to spam if ever there was one!
Out of curiosity I followed the Google search a recent spammer used. On the blogs surrounding my blog in that search I found traces of him everywhere. He left legit looking comments but the link was always full of keywords for his business.
Stuffing keywords in nofollowed links certainly helps rank for keywords.
So, you want to know how to fight back? It’s very simple if you’re using WordPress:
- Install my Comment Referrers plugin. That will add a line at the end of the moderation emails with the referrer of the visitor. Some referrers should ring alarm bells!
- Install Delink Comment Author. This plugin removes the link the comment author left as their URL. I modified my install so it removes the email too as I moderate comments from new users.
- I was planning on coding this next plugin, but I found Lucia’s Linky Love first and that saved me the trouble. I modified mine so it doesn’t hyperlink the name of a comment author who has left fewer than a certain number of comments. See this comment as an example. That “Landscape Artist” never came back to my blog again so his “name” isn’t linked to his site.
So, chances are a few more people are going to try this technique now that I’ve blogged about it. I bet many more blog owners will be more vigilant of it now though. It’s your blog. If you don’t want to be a pawn to a spammer then fight back!
Edit: Here is my version of Lucia’s Linky Love. Just rename this file to .php and drop it into your plugins folder. If you’re not logged in and don’t have a comment cookie in your browser you should see that some comment authors’ names won’t be linked.
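The checks described in the list above (reading the referrer for a search footprint, and withholding the author link from first-time commenters) can be combined into one moderation hint. This is an added example, not code from any of the plugins named in the post; the footprint list, the search-engine list, the `MIN_APPROVED` threshold, the keyword-name heuristic and the sample comments are all assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Default comment-form phrases named in the post and its comments (constructed list).
FOOTPRINTS = ("leave a reply", "leave a comment", "leave comments",
              "remember my personal information")
SEARCH_ENGINES = {"google", "yahoo", "bing"}   # assumption: engines worth checking
QUERY_KEYS = ("q", "p")                        # q= on Google/Bing, p= on Yahoo
MIN_APPROVED = 3                               # assumption: comments before a name is linked


def search_query(referrer):
    """Return the normalised search query carried by a referrer URL, else None."""
    parts = urlsplit(referrer or "")
    labels = set((parts.hostname or "").lower().split("."))
    if not SEARCH_ENGINES & labels:
        return None
    params = parse_qs(parts.query)
    for key in QUERY_KEYS:
        if params.get(key):
            return " ".join(params[key][0].lower().split())
    return None


def review(author, referrer, approved_before):
    """Summarise what a moderator would want to see for one pending comment."""
    query = search_query(referrer)
    footprint = next((f for f in FOOTPRINTS if query and f in query), None)
    # Heuristic (assumption): a "name" made only of words from the search is a keyword.
    name_words = set(author.lower().split())
    query_words = set(query.replace('"', " ").split()) if query else set()
    keyword_name = bool(name_words) and bool(query_words) and name_words <= query_words
    return {
        "query": query,
        "footprint": footprint,
        "keyword_name": keyword_name,
        "link_author": approved_before >= MIN_APPROVED and not footprint,
    }


# Constructed sample comments: (author, referrer, previously approved comments).
SAMPLES = [
    ("San Diego Signs", "http://www.google.com/search?q=san+diego+signs+%22leave+a+reply%22", 0),
    ("Shih Tzu Checks", "http://search.yahoo.com/search?p=shih+tzu+checks+blog+comments", 0),
    ("Tim", "http://example.org/blogroll/", 7),
]

if __name__ == "__main__":
    for author, ref, count in SAMPLES:
        print(author, review(author, ref, count))
```

A comment with a footprint or a keyword name still goes to the moderator; the hint only decides what is highlighted and whether the name is linked.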
Interesting read. Just one point:
[…]”That’s still pretty good considering he doesn’t have any links to that page either.”[…]
You missed adding www in the domain name. Then you’ll see some links.
Good point! I sometimes forget that people still use ‘www.’ 🙂
There’s quite a lot of links. Google shows you only a small portion of backlinks for sites, check in yahoo!:
https://siteexplorer.search.yahoo.com/advsearch?p=http%3A%2F%2Fwww.858graphics.com%2F&bwm=i&bwms=p
Joost – excellent. More of his “San Diego Signs” showing up in comments. All the more reason that I hope people read this.
Donncha: if you use my SEO Link Analysis extension for Firefox, it shows you right there in Yahoo! which links are nofollow and what the anchor text on those links is 🙂
Just a tip: instead of nofollow, try using a redirect, i.e. (<a href="myblog.com/ext/f43fwe54,b64">thebog.com</a>), and in your “robots.txt” add
User-agent: *
Disallow: /ext
If you have Google Webmaster, get a removal request for the /ext dir.
example How to successfully spam blogs (and how to fight back)
I’ve used Lucia’s linky love plugin also. Any chance you’ll make your de-link modification available, or show how to do it?
The other option in the war on spam is to do as I do… ruthlessly moderate anything that looks suspect.
I just deleted at least 10 “valid looking” comments because they either used a keyword for a name, or had a regular name that linked to an obviously commercial blog. Some people don’t want to do this because they want “more comments”, but allowing that crap does not help you build a community. No one wants to engage in a discussion with a spammer, so don’t get sucked into allowing them to live.
Every blogger should also have a Terms of Use page that outlines what you do and do not find acceptable. Then you can enforce at will.
John
We talked about this very thing back at SEJ not too long ago and I completely agree with you Donncha.
Thanks for the suggestions and plugin links. These days, I am mostly getting spam of this form:
A spam blog steals part of a post, makes a post of its own ‘about’ it, and then links back to my blog.
I remove the trackbacks whenever I find them, but I do miss some and it is an annoying waste of time. Any ideas for how such spammers could be combatted?
Well, I’m using a captcha solution and a thingy called “spidertrap” (automatic IP-blocking for all too nosy bots) to protect my blog from spambots.
I honestly can’t remember the last time I got a legitimate trackback. Pingbacks, sure. But trackbacks seem to be exclusively spam nowadays. I might as well just disable them entirely. That would eliminate most of my spam, but it would be a temporary solution only, I know.
Great article! I love eating fried spam! viagra viagra.
Just kidding, I’m not spamming your site. Great article, and thanks for the link to the plugins. The delinker is going to be huge.
I usually just delete them or delink them. That way they get nothing from me.
Don’t forget about Akismet. It’s an essential tool to have on any blogger’s spamfighting toolbelt.
Tim – I’ve just updated the post with a link to my version of Lucia’s plugin. Do a diff against the original to see my small modification.
Thank you, sir!
I’ve learned quite a bit from this post and the comments. I’ll definitely have to implement some of the plugins.
and thanks for posting your modified Lucia’s plugin!
This website has more links than yours… to search for backlinks via Google is for absolute non-SEOs a good method, never ever for pros.
And so your spam protection is the protection like a non-SEO..
To kill all links -if friend or enemy- we will kill us all of the index from Google.
Who is the winner: the spammer..
😉
I turn comment moderation on and allow previously approved commenters to be automatically approved. I don’t usually get a lot of comments, though, so this may be tricky on a more popular blog.
Thanks for the great writeup. Those spam roaches are persistent. Wouldn’t it be nice if Google stepped up and started to fix the problem that PageRank has caused?
I wrote up some thoughts, and the start of a possible solution (NOFOLLOW just ain’t it, because it breaks the web in order to negate spam)
http://www.darcynorman.net/2008/02/19/on-google-and-the-recursive-cycle-of-spam/
The 2 spam replies aren’t being done by bots; they were made by actual people. A bot wouldn’t have left a referring URL, especially not one that makes its tactics obvious. So this “spam” was actually created by a real person who took the time to read your page and post a relevant comment. I don’t see the problem here. So what if they link to their own site? That’s the whole point of letting people put in a URL. I don’t see why you would allow personal sites to leave a URL, but not commercial sites. And how would you draw the line? A lot of personal blogs are supported by ad revenue. And so what if he doesn’t put in his real name, but instead uses a name related to his business? I frequently post anonymously (like now), use a pseudonym, or the name of my blog. The internet doesn’t require that you always use your real name.
Obviously all blogs have their own policies for determining what is acceptable and what isn’t, but I think you are shutting out a lot of people who are making a contribution to your site.
Anon – I know they were not bots, but look at the referring Google searches. The point is they were looking for blog posts in their niche that they could spam, and they very rarely return to comment again.
I get about 4-5 of these commenters a day. I usually use them in a weekly “Roundup” post, the amazing thing is that these people then comment on that post! :S
I too have been seeing a flood of comment spam that I’ve traced back to not using nofollow. I posted an article a couple days ago with some of my findings and conclusions that might also be useful in this discussion:
http://smithsrus.com/nofollow-and-the-spam-war-arms-race/
I kid you not, I was literally going to write this entry (well, not in your exact words, but with the same premise). I’ve noticed a huge increase in human submitted spam ever since people have been installing more and more spam fighting tools.
Since I’ve had your comment referrer plugin installed, I’ve been able to see where a majority of the comments are coming from at a glance and if I see some sort of search query attached — that doesn’t seem legit — I’ll usually nuke the comment or deliberately yank the URL and approve the comment.
Another thing I’ve noticed is a trend with these human spammers, besides searching for “leave a reply”, is using the key term followed by comments or leave comments. The other day, I received a comment on a blog entry about bloggers getting ready for the holiday shopping season because the search query had “shopping + leave a reply” in it.
Unfortunately, services like “buy blog comments”, who I won’t link to in your comments, aren’t helping this in any way as I’m sure these human spammers wouldn’t be doing it unless they were being paid for it. (And from the looks of their comments, not very much.)
~ Teli
I’d have to agree with anon here. The post sounds a bit paranoid 😛 I use my own, homemade bot-catcher script (almost 100% effective) to deal with automated spam, but I let human users have their (nofollow’ed) links.
I had a nice experience with spam trackbacks from the past. These comments/trackbacks were with normal text filled-in and linked to my articles and I allowed these trackbacks in the admin page. After months I saw that these sites (trackbacks) are filled with ads for blue pills and s e x sites (on my site/article). I have learned now, control your trackbacks… 😉
I’ve also noticed this new comment spam lately coming from actual people, not bots (usually with Romanian or Australian IPs). I’ve tracked through the referring links and found that most were coming via a single keyword like “payday” or “poker” and “remember my personal information” or other default text that you’d find associated with a comment form.
I’ve gone through and changed those bits of text on my template to non-standard things. So get rid of things like “Notify me of followup comments via e-mail”, “Mail (will not be published)” and “Input text in box below” or whatever … It’s taken a week or so for mine to drop off searches, but it’s definitely lessened my spam.
Marcus, I’ve noticed sometimes people will let their blogs lapse, then let their domain names expire. Sometimes it ends up at a parking page, and sometimes a spammer snaps it up because it already has incoming links. That could be what you ran into. Or it could have just been really sneaky spammers.
I saw one a few weeks ago that led me to coin the term, link laundering (like money laundering). The commenter’s blog looked perfectly normal, except every single link in it was to the same spam site.
“Every blogger should also have a Terms of Use page that outlines what you do and do not find acceptable. Then you can enforce at will.”
While it’s an interesting comment that John P. makes, it starts from an invalid assumption – that people have some sort of right to comment on your blog. No one does. If you have a blog, and especially if you pay for it, it’s yours. You don’t have to allow any commenting if you don’t feel like it. And you can moderate, delete, hey, you can edit people’s comments, and they have no recourse, and nothing to say about it (other than posting about you elsewhere should they so desire). While I know it’s customary to allow blog comments, the belief that somehow people have an inalienable right to post them is nonsense.
If it weren’t for George’s referrer, you would have allowed his comment, right? It was relevant, and he had clearly read the post before responding. Who cares if he’s looking for link juice?
Personally, I get annoyed only by off-topic or obscene SEO comments. As long as it’s a real human, even if they never come back, that’s okay with me.
I got a similar spam to the one mentioned today. It looked like it was manually entered. The guy googled for tool battery blog, found mine and spammed it. Either that or a very clever bot.
A while back I noticed that spambots don’t really request CSS files, why would they? So now one of my CSS files is actually a PHP file that leaves behind a cookie, and it won’t let anyone comment unless they have the cookie. It’s obscurity through security but it works most of the time, except for manual spammers.
There’s people in India who will sit there and spam blogs all day for a few cents an hour
Thanks for this. I just installed it – I don’t get much spam, but I’ve definitely gotten some borderline posts in the past, hopefully this’ll help clear that up!
I have added the Comment Referrers plugin. thanks for your post and enlightenment
Actually if you want to check backlinks for the San Diego guy the link is here.
There still aren’t many, but there are some.
And a whole lot more that mention the URL.
This is good for people like us, although it may not be so good for new bloggers, or even newbie bloggers :). Nevertheless, since spamming is an ever increasing problem, such a system surely is something everybody should go for… I might give it a try, but my blog isn’t really popular and I don’t get many comments at all. Akismet is good enough for me for now, let’s see, maybe in the future I may consider your approach.
I usually use “stop words” such as “buy”, “cheap” and others, and that works!
Dankoozy – your comment gave me an idea for doing a plugin that does that. It’s running now and working rather well.
If the cookie exists the comment gets handed to Akismet, otherwise it gets marked as spam and I remove the akismet filter to save on processing and the small network usage.
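The stylesheet-cookie gate discussed in the comments above, written out in Python as an added example; it is not the code of the plugin mentioned. Signing the cookie value with an HMAC, binding it to the client IP and expiring it after `MAX_AGE` are assumptions added here so the cookie cannot simply be replayed or made up; the cookie name `css_seen`, the secret and the function names are hypothetical.

```python
import hashlib
import hmac
import time

SECRET = b"replace-with-a-random-per-site-secret"   # placeholder, not a real key
MAX_AGE = 6 * 3600                                   # assumption: token lifetime in seconds
COOKIE = "css_seen"                                  # hypothetical cookie name


def _mac(client_ip, ts):
    msg = f"{client_ip}|{ts}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(client_ip, now=None):
    """Cookie value the stylesheet response sets for this client."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_mac(client_ip, ts)}"


def token_valid(token, client_ip, now=None):
    """True only for an unexpired token this site issued to this IP."""
    now = time.time() if now is None else now
    ts, _, mac = (token or "").partition(".")
    if not (ts.isascii() and ts.isdigit() and mac):
        return False
    fresh = 0 <= now - int(ts) <= MAX_AGE
    # Compare as bytes so non-ASCII input cannot raise inside compare_digest.
    genuine = hmac.compare_digest(mac.encode(), _mac(client_ip, ts).encode())
    return fresh and genuine


def route_comment(cookies, client_ip, now=None):
    """'akismet' when the stylesheet cookie checks out, otherwise 'spam'."""
    if token_valid(cookies.get(COOKIE), client_ip, now):
        return "akismet"   # hand over to the normal spam filter
    return "spam"          # never fetched the stylesheet: skip the filter call


if __name__ == "__main__":
    ip = "203.0.113.5"     # constructed documentation address
    jar = {COOKIE: issue_token(ip)}
    print(route_comment(jar, ip), route_comment({}, ip))
```

As the thread notes, this only filters clients that never load the stylesheet; a person typing the comment in a browser passes it.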