How to successfully spam blogs (and how to fight back)

What you’re about to learn isn’t anything new. It’s not particularly earth shattering either, but a lot of people don’t know it.

NOFOLLOW DOES NOT WORK (properly)

You may have noticed legitimate looking comments on your blog from people with suspect names. Usually the name will be a brand name, service or literally anything that sells. The commenter’s website is obviously related to that business. Why do they bother using special keywords when Google is supposed to not follow those links? Do they know something you don’t? Yup. They know that keywords, even on nofollowed links, matter. I’d provide reference links to SEO blogs explaining this but then they’d know I’m reading and they might shut up.

So, how do you go about spamming blogs? (And how do you defend against those spammers?) Here are two examples:

How to spam a niche blog

George, who runs 858graphics, obviously makes signs in San Diego. I’m sorry that his store was egged last year, but he’s obviously trying to manipulate Google. Unfortunately, he succeeded. He is #2 in Google for “San Diego Signs”. Strangely enough there are no links to his website.

How to spam a niche blog

This second guy isn’t quite so successful, and to think he’s spamming my poor Shih Tzu, Oscar. The spammer’s domain is near the bottom of the first page of a Google search for Shih Tzu Checks. That’s still pretty good considering he doesn’t have any links to that page either.

How did these guys find my blog? The first guy searched for WordPress blog posts with comments. The second looked for a page saying, “leave a reply”, an open invitation to spam if ever there was one!

Out of curiosity I followed the Google search a recent spammer used. On the blogs surrounding my blog in that search I found traces of him everywhere. He left legit looking comments but the link was always full of keywords for his business.

Stuffing keywords in nofollowed links certainly helps rank for keywords.

So, you want to know how to fight back? It’s very simple if you’re using WordPress:

  1. Install my Comment Referrers plugin. That will add a line at the end of the moderation emails with the referrer of the visitor. Some referrers should ring alarm bells!
  2. Install Delink Comment Author. This plugin removes the link the comment author left as their URL. I modified my install so it removes the email too as I moderate comments from new users.
  3. I was planning on coding this next plugin, but I found Lucia’s Linky Love first and that saved me the trouble. I modified mine so it doesn’t hyperlink the name of a comment author who has left fewer than a certain number of comments. See this comment as an example. That “Landscape Artist” never came back to my blog again so his “name” isn’t linked to his site.
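
For step 1, a sketch of how a plugin can surface the visitor's referrer in the moderation email and warn when its search query contains a comment-form phrase. This is an added example, not the Comment Referrers plugin's code; the `crx_` names and the cookie are assumptions, and the phrases are ones mentioned on this page.

```php
<?php
/* Plugin Name: Referrer in moderation mail (added example) */

// Comment-form phrases reported on this page as turning up in spammers' searches.
const CRX_FOOTPRINTS = array( 'leave a reply', 'leave comments', 'remember my personal information' );

// Remember the first off-site referrer; the comment POST itself is referred by the post page.
function crx_remember_referrer() {
    if ( isset( $_COOKIE['crx_ref'] ) || empty( $_SERVER['HTTP_REFERER'] ) ) {
        return;
    }
    $ref  = esc_url_raw( wp_unslash( $_SERVER['HTTP_REFERER'] ) );
    $host = wp_parse_url( $ref, PHP_URL_HOST );
    if ( $host && $host !== wp_parse_url( home_url(), PHP_URL_HOST ) ) {
        setcookie( 'crx_ref', $ref, 0, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
    }
}
add_action( 'init', 'crx_remember_referrer' );

// Return the footprint phrases found in a referrer's query string.
function crx_footprints_in( $ref ) {
    $query = strtolower( urldecode( (string) wp_parse_url( $ref, PHP_URL_QUERY ) ) );
    return array_values( array_filter( CRX_FOOTPRINTS, function ( $phrase ) use ( $query ) {
        return false !== strpos( $query, $phrase );
    } ) );
}

// Add the referrer, and a warning when it matches, to the moderation email.
function crx_moderation_text( $message ) {
    // The cookie is client-controlled, so sanitise it again before use.
    $ref = isset( $_COOKIE['crx_ref'] ) ? esc_url_raw( wp_unslash( $_COOKIE['crx_ref'] ) ) : '';
    if ( '' === $ref ) {
        return $message;
    }
    $hits     = crx_footprints_in( $ref );
    $message .= "\r\nReferrer: " . $ref . "\r\n";
    if ( $hits ) {
        $message .= 'Warning: search contains "' . implode( '", "', $hits ) . "\"\r\n";
    }
    return $message;
}
add_filter( 'comment_moderation_text', 'crx_moderation_text' );
```

Search engines today mostly send only their origin as the referrer, so the warning fires only when a query string is actually present.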

So, chances are a few more people are going to try this technique now that I’ve blogged about it. I bet many more blog owners will be more vigilant of it now though. It’s your blog. If you don’t want to be a pawn to a spammer then fight back!

Edit: Here is my version of Lucia’s Linky Love. Just rename this file to .php and drop into your plugins folder. If you’re not logged in or have a comment cookie in your browser you should see some comment authors’ names won’t be linked.
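
A filter with the behaviour described in step 3, where a commenter's name stays unlinked until they have enough approved comments. This is an added example, not the author's file or Lucia's plugin; the `alt_` names, the threshold of 3 and the exemption for pings are assumptions, and the three-argument filter needs WordPress 4.1 or later.

```php
<?php
/* Plugin Name: Author link threshold (added example) */

// Assumed threshold: approved comments needed before a name is linked.
const ALT_MIN_APPROVED = 3;

// Count approved comments already left under this email address.
function alt_approved_count( $email ) {
    static $cache = array(); // one query per address per page load
    if ( '' === $email ) {
        return 0; // no address, no history to count
    }
    if ( ! isset( $cache[ $email ] ) ) {
        $cache[ $email ] = (int) get_comments( array(
            'author_email' => $email,
            'status'       => 'approve',
            'count'        => true,
        ) );
    }
    return $cache[ $email ];
}

// Swap the linked name for the plain name until the threshold is met.
function alt_author_link( $link, $author, $comment_id ) {
    $comment = get_comment( $comment_id );
    if ( ! $comment || (int) $comment->user_id > 0 ) {
        return $link; // unknown comment, or a registered user: leave as is
    }
    if ( in_array( $comment->comment_type, array( 'pingback', 'trackback' ), true ) ) {
        return $link; // choice made for this example: pings keep their link
    }
    if ( alt_approved_count( $comment->comment_author_email ) >= ALT_MIN_APPROVED ) {
        return $link;
    }
    return $author; // the same plain name core returns when no URL was given
}
add_filter( 'get_comment_author_link', 'alt_author_link', 10, 3 );
```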

Comments


79 Replies to “How to successfully spam blogs (and how to fight back)”

  1. Interesting read. Just one point:

    […]”That’s still pretty good considering he doesn’t have any links to that page either.”[…]

    You’re missing the www in the domain name. Then you’ll see some links.

  2. The other option in the war on spam is to do as I do… ruthlessly moderate anything that looks suspect.

    I just deleted at least 10 “valid looking” comments because they either used a keyword for a name, or had a regular name that linked to an obviously commercial blog. Some people don’t want to do this because they want “more comments”, but allowing that crap does not help you build a community. No one wants to engage in a discussion with a spammer, so don’t get sucked into allowing them to live.

    Every blogger should also have a Terms of Use page that outlines what you do and do not find acceptable. Then you can enforce at will.

    John

  3. Thanks for the suggestions and plugin links. These days, I am mostly getting spam of this form:

    A spam blog steals part of a post, makes a post of its own ‘about’ it, and then links back to my blog.

    I remove the trackbacks whenever I find them, but I do miss some and it is an annoying waste of time. Any ideas for how such spammers could be combatted?

  4. Well, I’m using a captcha solution and a thingy called “spidertrap” (automatic IP blocking for all too-nosy bots) to protect my blog from spambots.

  5. I honestly can’t remember the last time I got a legitimate trackback. Pingbacks, sure. But trackbacks seem to be exclusively spam nowadays. I might as well just disable them entirely. That would eliminate most of my spam, but it would be a temporary solution only, I know.

  6. Great article! I love eating fried spam! viagra viagra.

    Just kidding, I’m not spamming your site. Great article, and thanks for the link to the plugins. The delinker is going to be huge.

  7. I’ve learned quite a bit from this post and the comments. I’ll definitely have to implement some of the plugins.

    and thanks for posting your modified Lucia’s plugin!

  8. This website has more links than yours… To search for backlinks via Google is, for absolute non-SEOs, a good method, never ever for pros.

    And so your spam protection is the protection of a non-SEO..

    To kill all links - if friend or enemy - we will kill us all off the index from Google.

    Who is the winner: the spammer..

    😉

  9. The 2 spam replies aren’t being done by bots; they were made by actual people. A bot wouldn’t have left a referring URL, especially not one that makes its tactics obvious. So this “spam” was actually created by a real person who took the time to read your page and post a relevant comment. I don’t see the problem here. So what if they link to their own site? That’s the whole point of letting people put in a URL. I don’t see why you would allow personal sites to leave a URL, but not commercial sites. And how would you draw the line? A lot of personal blogs are supported by ad revenue. And so what if he doesn’t put in his real name, but instead uses a name related to his business? I frequently post anonymously (like now), use a pseudonym, or the name of my blog. The internet doesn’t require that you always use your real name.

    Obviously all blogs have their own policies for determining what is acceptable and what isn’t, but I think you are shutting out a lot of people who are making a contribution to your site.

  10. Anon – I know they were not bots, but look at the referring Google searches. The point is they were looking for blog posts in their niche that they could spam, and they very rarely return to comment again.

  11. I get about 4-5 of these commenters a day. I usually use them in a weekly “Roundup” post, the amazing thing is that these people then comment on that post! :S

  12. I kid you not, I was literally going to write this entry (well, not in your exact words, but with the same premise). I’ve noticed a huge increase in human submitted spam ever since people have been installing more and more spam fighting tools.

    Since I’ve had your comment referrer plugin installed, I’ve been able to see where a majority of the comments are coming from at a glance and if I see some sort of search query attached — that doesn’t seem legit — I’ll usually nuke the comment or deliberately yank the URL and approve the comment.

    Another thing I’ve noticed is a trend with these human spammers, besides searching for “leave a reply”, is using the key term followed by comments or leave comments. The other day, I received a comment on a blog entry about bloggers getting ready for the holiday shopping season because the search query had “shopping + leave a reply” in it.

    Unfortunately, services like “buy blog comments”, who I won’t link to in your comments, aren’t helping this in any way as I’m sure these human spammers wouldn’t be doing it unless they were being paid for it. (And from the looks of their comments, not very much.)

    ~ Teli

  13. I’d have to agree with anon here. The post sounds a bit paranoid 😛 I use my own, homemade bot-catcher script (almost 100% effective) to deal with automated spam, but I let human users have their (nofollow’ed) links.

  14. I had a nice experience with spam trackbacks from the past. These comments/trackbacks were with normal text filled-in and linked to my articles and I allowed these trackbacks in the admin page. After months I saw that these sites (trackbacks) are filled with ads for blue pills and s e x sites (on my site/article). I have learned now, control your trackbacks… 😉

  15. I’ve also noticed this new comment spam lately coming from actual people, not bots (usually with Romanian or Australian IPs). I’ve tracked through the referring links and found that most were coming via a single keyword like “payday” or “poker” and “remember my personal information” or other default text that you’d find associated with a comment form.

    I’ve gone through and changed those bits of text on my template to non-standard things. So get rid of things like “Notify me of followup comments via e-mail”, “Mail (will not be published)” and “Input text in box below” or whatever … It’s taken a week or so for mine to drop off searches, but it’s definitely lessened my spam.

  16. Marcus, I’ve noticed sometimes people will let their blogs lapse, then let their domain names expire. Sometimes it ends up at a parking page, and sometimes a spammer snaps it up because it already has incoming links. That could be what you ran into. Or it could have just been really sneaky spammers.

    I saw one a few weeks ago that led me to coin the term, link laundering (like money laundering). The commenter’s blog looked perfectly normal, except every single link in it was to the same spam site.

  17. “Every blogger should also have a Terms of Use page that outlines what you do and do not find acceptable. Then you can enforce at will.”

    While it’s an interesting comment that John P. makes, it starts from an invalid assumption – that people have some sort of right to comment on your blog. No one does. If you have a blog, and especially if you pay for it, it’s yours. You don’t have to allow any commenting if you don’t feel like it. And you can moderate, delete, hey, you can edit people’s comments, and they have no recourse, and nothing to say about it (other than posting about you elsewhere should they so desire). While I know it’s customary to allow blog comments, the belief that somehow people have an inalienable right to post them is nonsense.

  18. If it weren’t for George’s referrer, you would have allowed his comment, right? It was relevant, and he had clearly read the post before responding. Who cares if he’s looking for link juice?

    Personally, I get annoyed only by off-topic or obscene SEO comments. As long as it’s a real human, even if they never come back, that’s okay with me.

  19. I got a similar spam to the one mentioned today. It looked like it was manually entered. The guy googled for tool battery blog, found mine and spammed it. Either that or a very clever bot.

    A while back I noticed that spambots don’t really request CSS files. Why would they? So now one of my CSS files is actually a PHP that leaves behind a cookie and it won’t let anyone comment unless they have the cookie. It’s obscurity through security but it works, most of the time, except for manual spammers.

    There’s people in India who will sit there and spam blogs all day for a few cents an hour.

  20. Thanks for this. I just installed it – I don’t get much spam, but I’ve definitely gotten some borderline posts in the past, hopefully this’ll help clear that up!

  21. This is good for people like us, although it may not be so good for new bloggers, or even newbie bloggers :). Nevertheless, since spamming is an ever increasing problem, such a system surely is something everybody should go for…I might give it a try, but my blog isn’t really popular and I don’t get many comments at all. Akismet is good enough for me for now, let’s see maybe in the future I may consider your approach.

  22. Dankoozy – your comment gave me an idea for doing a plugin that does that. It’s running now and working rather well.
    If the cookie exists the comment gets handed to Akismet, otherwise it gets marked as spam and I remove the Akismet filter to save on processing and the small network usage.
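
The stylesheet-cookie check described in comments 19 and 22, as an added WordPress example that is not either commenter's plugin. The `scg_` names and the site-specific token are assumptions, and the example leaves Akismet's own hooks alone, so a comment that passes the gate keeps whatever verdict other filters gave it.

```php
<?php
/* Plugin Name: Stylesheet cookie gate (added example) */

// Site-specific marker value, so one hard-coded cookie does not work on every blog.
function scg_token() {
    return wp_hash( 'scg-stylesheet-gate' );
}

// Answer /?scg_css=1 with an empty stylesheet that sets the marker cookie.
function scg_serve_css() {
    if ( ! isset( $_GET['scg_css'] ) ) {
        return;
    }
    setcookie( 'scg_seen', scg_token(), 0, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
    header( 'Content-Type: text/css' );
    header( 'Cache-Control: no-store' ); // a cached copy would never set the cookie
    exit( '/* comment gate */' );
}
add_action( 'init', 'scg_serve_css' );

// Link that stylesheet from every front-end page.
function scg_enqueue() {
    wp_enqueue_style( 'scg-gate', add_query_arg( 'scg_css', '1', home_url( '/' ) ), array(), null );
}
add_action( 'wp_enqueue_scripts', 'scg_enqueue' );

// Without a valid cookie the comment is marked as spam; with one, earlier verdicts stand.
function scg_gate( $approved, $commentdata ) {
    $type = isset( $commentdata['comment_type'] ) ? $commentdata['comment_type'] : '';
    if ( is_user_logged_in() || ! in_array( $type, array( '', 'comment' ), true ) ) {
        return $approved; // members and pings are not gated here
    }
    $cookie = ( isset( $_COOKIE['scg_seen'] ) && is_string( $_COOKIE['scg_seen'] ) )
        ? $_COOKIE['scg_seen']
        : '';
    return hash_equals( scg_token(), $cookie ) ? $approved : 'spam';
}
add_filter( 'pre_comment_approved', 'scg_gate', 99, 2 );
```

As comment 19 notes, this only stops clients that never fetch the stylesheet; a person typing the comment in a browser passes.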
