I detest spam. I don’t like it in my email. I don’t like it on websites and reading the spam dropped into blog comments leaves me feeling tainted. I’m also involved in online reputation management for a few clients, and spam that involves the clients’ name can be very hard to work with. This issue also has a resonance with one of the current SEO excitements, PageRank Sculpting.
Imagine my delight when I found a persistent set of comments, apparently from an identified organisation, with a consistent IP address. A chance to nail the sleazy scum that spam. Or not!. Because, of course, it always *could* be an attempt to blacken a company’s name by a competitor, paying someone else to spam on their behalf.
That’s not as crazy as it sounds. Email spam has, for more than 15 years that I know of, relied on stealing contacts from address books and purporting to come from someone that you may already know and trust. Tainting an otherwise reputable agency might be a similar task.
Then I found the signature *again*, on another blog. I decided to have a deeper look. Remember, it may be that the organisation is perfectly above board. There may be someone else trying to make them look bad… By looking both like a spammer, and an incompetent spammer.
First piece of evidence is a screen shot from an Akismet automatically detected list of spam, supposed to be added to an article about expanded broad match:
Note the IP address? Where’s that from then? According to RIPE (a network information service for Europe):
inetnum: 93.107.80.0 - 93.107.95.255
netname: VODAFONE-IRELAND-MOBILE-ISP
descr: Vodafone ISP - Pool 4
The company named in the email address and as the recipient of a link, is in Ireland (that’s the “.ie” suffix) and the person that added this spam is also in Ireland, but using a mobile network data card (a dongle) in all likelihood. That’s not an entirely foolish thing to use, for a spammer. Mobile data networks tend to have dynamic IP addresses, so it does provide some anonymity. If this activity were widespread and illegal, then mobile phone operators can track down which SIM was used to access the network and from where. That, of course, is still circumstantial - the SIM could have been cloned, and the location simply means that a specific antenna was in use - not that a specific person was using it.
There are other traces that less competent spammers will leave behind, though.
What’s next? More spam!
The first and fourth comments are both for the same article. Note that the newest comments, to different articles, are identical and from “the same user”. And that the shared IP address for these four comments, is all on the same Vodafone network. Could it be a proxy for a business? Possibly. In which case these users may have different cookies; if the web server has Apache mod_usertrack or the equivalent, then these users may be identified as the same or as different in web server log files.
So what else… Oh dear. A spam attached to the “About Us” page. Static pages on blogs are great places to trap spammers. Why would anyone spam a comment policy page on a blog? Because they search for “blog” and “comment” as well as the subject area. So a comment policy saying that spam is not acceptable, is an often sought target for spammers. Amusing, I think.
And what do the web server logs show at this point?
access_log.1.gz:93.107.95.106 - - [15/Jun/2009:10:17:24 -0700] “GET /about-us/ HTTP/1.1″ 200 33250 “-” “Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko/20060909 Thunderbird/1.5.0.7″
access_log.1.gz:93.107.95.106 - - [15/Jun/2009:10:17:24 -0700] “GET /2009/03/expanded-broad-match-come-on-google/ HTTP/1.1″ 200 51154 “-” “Mozilla/5.0 (compatible; BuzzRankingBot/1.0; +http://www.buzzrankingbot.com/)”
access_log.1.gz:93.107.95.106 - - [15/Jun/2009:10:17:27 -0700] “POST /wordpress/wp-comments-post.php HTTP/1.1″ 302 - “{URL}/about-us/” “Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko/20060909 Thunderbird/1.5.0.7″
access_log.1.gz:93.107.95.106 - - [15/Jun/2009:10:17:28 -0700] “POST /wordpress/wp-comments-post.php HTTP/1.1″ 200 - “{URL}” “Mozilla/5.0 (compatible; BuzzRankingBot/1.0; +http://www.buzzrankingbot.com/)”
Read that carefully. The same IP address gets two URLs. Then, a few seconds later, the same IP address *POSTS* to the identified URL that was previously GOT. And the POST is by something claiming to be a Bot. It clearly isn’t a bot. The spammer is claiming to be a Bot, probably because they are using a selection of User Agent Strings intended to disguise the real source. But they neglected to remove strings that really shouldn’t be identified as POSTing. Bots that POST comments? Hmm. Wouldn’t that be a spambot?
And, one more datum. In poking around to find out about the company, I stumbled into the following listing:
That’s still not conclusive. If the spammer is in fact not at the company, then it would have been possible to have found at least one name there, with trivial searching. “Ollie”. There is no reason to believe that the two are one and the same… Someone could post using my name and even link back to here or other referral source. Since the search engines aren’t usually able to see web server logfiles and check the user tracking, it is hard for them to identify whether a claimed identity really is the identity.
Guilty or Not Guilty?
Well, no way of positively telling whether the company is spamming. They claim to do SEO and to be be Google AdWords Accredited Professionals. Whoever has conducted these activities has done their online reputation no favours. Not even the basic protections described in our previous article about web spam (”Anatomy of a web spam attack“). If this was an attempt to discredit them, it is itself a pretty incompetent showing - but maybe that was the point of the effort, to show what a talentless loser would behave like when attempting to spam blogs? If they did it to themselves, it’s a pretty dodgy way to do business and they need to upgrade to at least the technological level of the suspected Ukranian spammers we previously looked at.
There are some contraindications for the company. Until this week, the company site claimed to be Google Accredited Professionals. That’s still in the cache on Google. But the graphic was just a graphic - it didn’t link, as it should, to the business listing at Google. Maybe that was just a technological oversight:
Our GAP logo attaches to a page that describes our business - in general, most valid accreditations *have* to be active links that go back to a server under the administrative control of the accrediting organisation - so if you click on the logo below, you should get to a Google administered secure HTTP server - a proof of identity will look like either:
GAP images are an 80×80 JPEG, and are supposed to link to the Google page for accreditation. Otherwise, they aren’t part of the GAP, they are just random images… But images with a claimed meaning. Using a GAP accreditation incorrectly, is worrying for what it says about the business and the way it is trying to be perceived. But it could be an honest technological error or a failure to understand how the logo should be used.
Fighting Spam, Improving Reputation
Hard to see how to easily progress this further without the active participation of the victim of abuse. Their reputation has been lightly damaged by this activity, so whoever did this, did them no favours, but hasn’t detectably caused any ranking penalties. Further tracking down the source without active cooperation is moderately difficult and bluntly, I’ve got too much real work to do to take this much deeper.
Fortunately most heavy ranking blogs will have spam protection software and many of the features of these messages would trip spam detection. That’ll limit more negative perception for these guys. They might want to go round the blogs they can find and ask the administrators to remove some of the more repetitive postings, so they look less like foolish spammers and more like victims.
You’ll notice that I’ve been careful to avoid mentioning the business name or better identify the individuals at the company - the names are all embedded in graphics. So *THIS* article shouldn’t further contribute to their online reputation management issue. I intend to actively prune and edit comments that mention the name.
Identity remains a core problem for search engines. Attributing maliciously placed content to innocent sources is far too easy. The NOFOLLOW link certainly defuses some spam, as was its’ original intention. Despite the controversy over rank sculpting, NOFOLLOW for comments remains a useful feature. Otherwise, assiduous attention to vanity searches remains important, and tracking down and removing embarrassing content is still an important activity for reputation management.
ireland seo agencies wrote,
This is a great reading. Thanks for sharing this information.We have few readers who would like to read this stuff. We will pass it on to our readers for more feedback. We are dealing with seo firms
and would like to get feedback from you too.This is a nice postings indeed. Thanking You. [a href="http:// www .irelandseoagencies .com/" rel="nofollow"]ireland seo agencies[/a]
[[Edited to expose the links dropped by this SEO spammer; very amusing comment, and almost in English. The IP address - 124.123.218.215 - suggests that the commenter is from India, not Ireland.]]
Link | January 25th, 2010 at 9:48 am