Google Webmaster Central Blog - Official news on crawling and indexing sites for the Google index

Spam2.0: Fake user accounts and spam profiles

Friday, June 26, 2009 at 9:06 AM

You're a good webmaster or web developer, and you've done everything you can to keep your site from being hacked and keep your forums and comment sections free of spam. You're now the proud owner of a buzzing web2.0 social community, filling the web with user-generated content, and probably getting lots of visitors from Google and other search engines.

Many of your site's visitors will create user profiles, and some will spend hours posting in forums, joining groups, and getting the sparkles exactly right on the rainbow-and-unicorn image for their BFF's birthday. This is all great.

Others, however, will create accounts and fill their profiles with gibberish, blatherskite and palaver. Even worse, they'll add a sneaky link, a bit of redirecting JavaScript code, or a big fake embedded video that takes your users off to the seediest corners of the web.

Welcome to the world of spam profiles. The social web is growing incredibly quickly and spammers look at every kind of user content on the web as an opportunity for traffic. I've spoken with a number of experienced webmasters who were surprised to find out this was even a problem, so I thought I would talk a little bit about spam profiles and what you might do to find and clean them out of your site.

Why is this important?

Imagine the following scenario:

"Hello there, welcome to our new web2.0 social networking site. Boy, have I got a new friend for you. His name is Mr. BuyMaleEnhancementRingtonesNow, and he'd love for you to check out his profile. He's a NaN-year-old from Pharmadelphia, PA and you can check out his exciting home page at http://example.com/obviousflimflam.

Not interested? Then let me introduce you to my dear friend PrettyGirlsWebCam1234, she says she's an old college friend of yours and has exciting photos and videos you might want to see."

You probably don't want your visitors' first impression of your site to include inappropriate images or bogus business offers. You definitely don't want your users hounded by fake invites to the point where they stop visiting altogether. If your site becomes filled with spammy content and links to bad parts of the web, search engines may lose trust in your otherwise fine site.

Why would anyone create spam profiles?

Spammers create fake profiles for a number of nefarious purposes. Sometimes they're just a way to reach users internally on a social networking site. This is somewhat similar to the way email spam works - the point is to send your users messages or friend invites and trick them into following a link, making a purchase, or downloading malware by sending a fake or low-quality proposition.

Spammers are also using spam profiles as yet another avenue to generate webspam on otherwise good domains. They scour the web for opportunities to get their links, redirects, and malware to users. They use your site because it's no cost to them and they hope to piggyback off your good reputation.

The latter case is becoming more and more common. Some fake profiles are obvious, using popular pharmaceuticals as the profile name, for example; but we've noticed an increase in savvier spammers that try to use real names and realistic data to sneak in their bad links. To make sure their newly-minted gibberish profile shows up in searches they will also generate links on hacked sites, comment spam, and yes, other spam profiles. This results in a lot of bad content on your domain, unwanted incoming links from spam sites, and annoyed users.

Which sites are being abused?

You may be thinking to yourself, "But my site isn't a huge social networking juggernaut; surely I don't need to worry." Unfortunately, we see spam profiles on everything from the largest social networking sites to the smallest forums and bulletin boards. Many popular bulletin boards and content management systems (CMS) such as vBulletin, phpBB, Moodle, Joomla, etc. generate member pages for every user that creates an account. In general CMSs are great because they make it easy for you to deploy content and interactive features to your site, but auto-generated pages can be abused if you're not aware.

For all of you out there who do work for huge social networking juggernauts, your site is a target as well. Spammers want access to your large userbase, hoping that users on social sites will be more trusting of incoming friend requests, leading to larger success rates.

What can you do?

This isn't an easy problem to solve - the bad guys are attacking a wide range of sites and seem to be able to adapt their scripts to get around countermeasures. Google is constantly under attack by spammers trying to create fake accounts and generate spam profiles on our sites, and despite all of our efforts some have managed to slip through. Here are some things you can do to make their lives more difficult and keep your site clean and useful:

  • Make sure you have standard security features in place, including CAPTCHAs, to make it harder for spammers to create accounts en masse. Watch out for unlikely behavior - thousands of new user accounts created from the same IP address, new users sending out thousands of friend requests, etc. There is no simple solution to this problem, but often some simple checks will catch most of the worst spam.
  • Use a blacklist to prevent repetitive spamming attempts. We often see large numbers of fake profiles on one innocent site all linking to the same domain, so once you find one, you should make it simple to remove all of them.
  • Watch out for cross-site scripting (XSS) vulnerabilities and other security holes that allow spammers to inject questionable code onto their profile pages. We've seen techniques such as JavaScript used to redirect users to other sites, iframes that attempt to give users malware, and custom CSS code used to cover over your page with spammy content.
  • Consider nofollowing the links on untrusted user profile pages. This makes your site less attractive to anyone trying to pass PageRank from your site to their spammy site. Spammers seem to go after the low-hanging fruit, so even just nofollowing new profiles with few signals of trustworthiness will go a long way toward mitigating the problem. On the flip side, you could also consider manually or automatically lifting the nofollow attribute on links created by community members that are likely more trustworthy, such as those who have contributed substantive content over time.
  • Consider noindexing profile pages for new, not yet trustworthy users. You may even want to make initial profile pages completely private, especially if the bulk of the content on your site is in blogs, forums, or other types of pages.
  • Add a "report spam" feature to user profiles and friend invitations. Let your users help you solve the problem - they care about your community and are annoyed by spam too.
  • Monitor your site for spammy pages. One of the best tools for this is Google Alerts - set up a site: query along with commercial or adult keywords that you wouldn't expect to see on your site. This is also a great tool to help detect hacked pages. You can also check 'Keywords' data in Webmaster Tools for strange, volatile vocabulary.
  • Watch for spikes in traffic from suspicious queries. It's always great to see the line on your pageviews chart head upward, but pay attention to commercial or adult queries that don't fit your site's content. In cases like this where a spammer has abused your site, that traffic will provide little if any benefit while introducing users to your site as "the place that redirected me to that virus."
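As an added example (not code from the post or from any of the CMSs it names), the following Python applies three of the checks above to constructed sample data: flag IPs that open many accounts, find every profile linking to a blacklisted domain, and render new members' links escaped and with rel="nofollow" plus a noindex hint until they have contributed enough. The thresholds, usernames and domains are assumptions.

```python
from collections import Counter
from html import escape
from urllib.parse import urlsplit

# Constructed sample data, not from the post: recent sign-ups as (user, ip) and
# the profile each user filled in. IPs come from the documentation ranges.
SIGNUPS = [
    ("alice", "203.0.113.5"), ("bob", "198.51.100.7"),
    ("pill_deals_1", "192.0.2.9"), ("pill_deals_2", "192.0.2.9"),
    ("pill_deals_3", "192.0.2.9"),
]
PROFILES = {
    "alice": {"posts": 120, "links": ["https://alice.example/blog"]},
    "bob": {"posts": 0, "links": ["https://bob.example/"]},
    "pill_deals_1": {"posts": 0, "links": ["http://cheap-pills.invalid/buy?x=1"]},
    "pill_deals_2": {"posts": 0, "links": ["http://CHEAP-PILLS.invalid/"]},
}
SPAM_DOMAINS = {"cheap-pills.invalid"}  # blacklist seeded from the first spam profile found
TRUST_POSTS = 50                        # substantive activity before links lose nofollow

def noisy_ips(signups, limit):
    """IPs that created more than `limit` accounts: the 'same IP address' check."""
    counts = Counter(ip for _, ip in signups)
    return sorted(ip for ip, n in counts.items() if n > limit)

def link_domain(url):
    """Lower-cased host of a profile link, so case tricks do not dodge the blacklist."""
    return (urlsplit(url).hostname or "").lower()

def blacklisted_profiles(profiles, spam_domains):
    """Every profile linking to a blacklisted domain, so one find removes them all."""
    return sorted(user for user, prof in profiles.items()
                  if any(link_domain(u) in spam_domains for u in prof["links"]))

def render_profile_links(profile):
    """Render a profile's links: only http(s) URLs, HTML-escaped so the profile cannot
    inject markup, and members below TRUST_POSTS get rel="nofollow" plus noindex."""
    trusted = profile["posts"] >= TRUST_POSTS
    rel = "" if trusted else ' rel="nofollow"'
    head = "" if trusted else '<meta name="robots" content="noindex">\n'
    safe = [u for u in profile["links"] if urlsplit(u).scheme in ("http", "https")]
    body = "".join(f'<a href="{escape(u)}"{rel}>{escape(u)}</a>\n' for u in safe)
    return head + body

if __name__ == "__main__":
    print(noisy_ips(SIGNUPS, 2), blacklisted_profiles(PROFILES, SPAM_DOMAINS))
    print(render_profile_links(PROFILES["bob"]))
```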


Have any other tips to share? Please feel free to comment below. If you have any questions, you can always ask in our Webmaster Help Forum.


19 comments:

Charles said...

I just suffered from spam recently; these faceless spammers are really annoying.

Compared to other internet elephants, I have to say Google is the real big boy. It provides many fantastic tools for webmasters to stay safe -- Google Webmaster Tools, Google Analytics and Google Alerts give us so much information FOR FREE. Besides, Gmail is my favorite email, the most spam-safe one.

Michael Martinez said...

This post was long overdue. I've been fighting link drop spam for years and I absolutely hate it. This is one area where Google's interests actually do coincide with many Webmasters' interests.

Brad said...

Hilarious. Very well written.

Jim Gaudet said...

Noindexing new user profiles, just like Lucia Link Love, is a great option, IMO.

Kevlar said...

Yup... this is a problem that I am constantly fighting. The Google Webmasters keyword tool helps me track down and erase profiles that spammers make.

I have no doubt they are using my Google Pagerank to help boost their page reputation.

Stephan said...

"Google is constantly under attack by spammers trying to create fake accounts and generate spam profiles on our sites":

C'mon, why not build a trust network with a nominal $1 charge through Google Checkout, that you would check against the holder's credit card when creating the Google Account. Free forums can't do this, but Google... Do you want a quality user base or not?

By Philippe said...

If you're using WordPress, there's a plugin called No Disposable Emails that prevents people from registering using disposable email addresses. It's not perfect but does a pretty good job at protecting your registered user base from contamination by fake accounts.

Amanda said...

If you use vBulletin for your forums, there's a hack called Stop the Registration Bots that helps slow down the fake registrations making it easier to maintain. If a user fills out the registration form too fast (hence a bot) then they won't be able to register. Some still get through, but it helped slow mine down tremendously. I also leave new users on moderation for their first ten posts to ensure they aren't spammers on some of the forums I manage that are harder hit with the bots. I also use the Promotions feature on VB that moves a user from one usergroup to another once they have so many posts, etc.

Here's the link for stopping the registration bots if anyone needs it http://www.vbulletin.org/forum/showthread.php?t=183917

SEO said...

Hi All,
Some porn sites are trying to sculpt our web pages' PageRank. If you write site:www.example.com -inurl(ref) into Google, you may see that your site is linking to lots of porn sites. I wrote Disallow: /*ref=* in robots.txt but it did not work out. How can we protect our sites from such malicious web sites???

Bonnie Worthington said...

Thanks for the tips. I spent some dough putting a captcha on my site and it seems to be helping a great deal.

One thing I notice sites do is instead of a captcha, they use a math equation such as what is 2 + 8? Is that helpful?

Jürgen said...

The problem with CAPTCHAs, although they do help, is that they discourage visitors from getting involved.

There is a service that is a huge improvement to CAPTCHAs, called mollom.com

It works like CAPTCHAs but invisibly in the background, and either accepts or declines submissions or registrations following certain, always-updated rules. Only if mollom is uncertain does it display a CAPTCHA.

Tried it on various pages and it really works well.

ddixon said...

What I have done is looked through some digital pictures of mine, for parts I can 'crop' and put behind the captcha, as a background.

I also instituted a security or anti-spam question, which can be anything a spammer or an autobot will not know, like Ellithy did.

I also check the web's access logs for any repeat offenders and in my case, I add them to the firewall's drop list.

belhana said...

thanks

Anthony Mitchell said...

A good deal of the CAPTCHA circumvention (via keypunching) and other spam enabling activity occurs in India, where spammers contract on a per-line basis to outsourcing service providers. These same providers commonly experience a variety of compliance problems in doing business in the U.S., but are immune from negative sanctions by the nature of compliance systems in the U.S.

The current enforcement system puts the burdens on state governments to go after outsourcing service providers that operate illegally or without registering with appropriate state authorities.

The current enforcement system works well to stem the type of fraudulent practices that were prevalent during the era of the Pony Express. Its ability to respond to transnational online fraud? Not so good.

In a survey that I conducted of state enforcement offices, I found that even in the states with the toughest provisions, government personnel were largely uninformed about their responsibilities and authority.

I’ve proposed that the National Governor’s Association and National Association of State Attorneys General help states to update and coordinate their compliance and enforcement activities, but there is scant interest in doing so. This is unfortunate because the end result often involves substantial financial losses for American consumers. The elderly are frequently targeted for online fraud.

Improving compliance tools would help legitimate businesses and cut the costs of compliance. It would increase protections for U.S. consumers and increase public confidence in legitimate online business offerings.

In the face of resistance from the states and indifference on the federal level, one option for reducing online crime in the U.S. would be for a foreign government to bring suit against the U.S. for trade barriers. It costs about half a million dollars to market some types of products and services in the U.S. (particularly products and services with a financial component) in compliance costs on the state level. The CAPTCHA-busting folks don’t bother to pay. Many law-abiding companies cannot afford to pay and see the current compliance system as a barrier to trade.

A suit would be appropriate because the barriers are created on the state level.

Lars said...

You should add &hl=en to your bff-link:
http://www.google.com/search?q=define:bff&hl=en

In languages other than English you wouldn't get "best friend forever" as the result.

kgerlinky said...

In addition to CAPTCHAs, blocking disposable email addresses, limiting new members' actions and so on, you can use one or more APIs from your sign-up page which search online databases of known spammers. One such is here:

http://www.stopforumspam.com/

I also always Google the username and email address before activating the account. If I find that they have registered on a number of different forums recently, it's a good sign that they may be a bot or spammer.

Lastly, my forum is on phpBB, and I use the Anti-Spam ACP mod for things like flood control, ban lists and so on.

Dr! Ahmed said...

For example, for a medical forum I might put a question like: What type of cells secrete HCL in the stomach?
Every doctor knows that chief cells secrete the HCL.
This will stop spammers on vBulletin and any other question-answer system; also, new users like them...
http://arabcheck.com/vb

India Image said...

Very true....
On indiaimagegallery.com, out of my first 10 messages, 2 were test messages by us and 7 were spam???
Only one message was a genuine one, though even it was meant to redirect traffic to itself. But that is okay, I believe, if your comment is relevant.

Google Webmaster Central said...

Hi everyone,

Since over a year has passed since we published this post, we're closing the comments to help us focus on the work ahead. If you still have a question or comment you'd like to discuss, feel free to visit and/or post your topic in our Webmaster Central Help Forum.

Thanks and take care,
The Webmaster Central Team