I've still got a problem with how this was done - no email notification that it was fixed, and I didn't see anything in the Apps management console either; you find out by following some Google blog or other, or keep trying it. Google ought to improve communications with paying customers.

And as a result of Google's approach of non-communication and the forced creation of transition accounts, I now have a pointless Google Account which I must merge back into operations - more work for me and my staff, and no apparent help or guidance from Google for my having to fix a problem they created. It's just not good customer service. I suppose I'd like a way to merge Google Accounts - so I can get back the access that I had seven months ago.]

This has to be the strangest thing that I’ve come across on Google Plus and Google Plus 1. Google has created a paying service to manage user identity, and then excludes those long period paying customers from taking part in Google Plus One and Google Plus. Yup, if you have Google Apps, you can’t use social networking, and you can’t mark the resources you find useful. Everyone else who *doesn’t* pay Google for services, can use Google Plus and Plus One. And Google’s response to Google Apps users? Silence. Total silence. Thanks, Google guys. Thanks a bunch.

[Update: 2011-08-12 - Google Apps Help Forum has a Google Staffer response, but unfortunately he promises to keep users updated on a thread that already has 8 pages of comments. Find the updates if you have time... What's wrong with a pinned posting, maintained by the Apps Help Forum Advisors and locked against user content - a reasonable way to publish the Google position in a forum, with such a strong set of questions?]

[Update: 2011-07-21 - How Can I Get My Staff Connected? - You'll have to send an invite to a non-Google Apps Google Account, from a non-Google Apps Google Plus enabled account, and run everything involving Google Plus in a separate account. If you send an invite to a Google Apps accunt, it is completely useless, because Google appears to check that the Google Account that you are using, matches the Google Account of the invitee. Invites to a Google Apps user are completely useless. Not that Google tells you that, either as sender or receiver, until you actually click on the link and get the error message about Profiles, below.

Note that Google is apparently both intending to allow brands to have space in Google Plus, and is also supposedly adding access Google Apps users, at some unannounced point - so you may face another problem of merging identities or re-establishing an identity when Google does get around to allowing you access. Nothing like making it easy, eh?]

What the farquahr was passing through the mind of the Google Product Managers that chose to do this? Perhaps:

“I know, we’ve had paying users on this service since about 2005, we’re sure of their identity, because they are paying us to make sure we know who they are, so, I dunno, let’s just forget them because, well, they’re obviously idiots. They’ll take any amount of abuse. They’ve been used to working out how our poorly documented systems can be used, so being unable to reach another service we offer can’t possibly bother them. And if they complain? Meh. Paying customers on AdWords go for years without answers to basic problems, except ‘ask another user’. Fuggedaboudid.”

[Update: 2011-07-20 - Dave Girouard, a VP at Google says (but not in the Google Apps Help forums run by Google), that adding Profiles is a priority; even using the guys' name in searches, I can't find this post in the last month of articles on Google's various Blogspot.com blogs - probably because Google are such lame users of SEO. Running a separate blog article with a probably non-useful title and perhaps missing important cue words to allow search to operate properly, rather then replying in the Help Forum to questions from Google Apps Administrators and users, on a forum set up by the service organisation, is pretty peculiar. It's like me getting a question from a client, writing a blog article and neglecting to let them know it is relevant - irritating for everyone, and less than helpful. Blogs are for public announcements, not client communications. Learn. The. Medium. And learn how to write so that useful stuff can be found on search, or fix your search engine to work with the opaque way that you blog. One of them is ineffective - either search doesn't connect relevant material, or the writing needs fixing.]

Do Google Customer Service Staff Keep A Chart Of “Clients Crapped On This Month” and Compete To See Who Wins?

Doesn’t excluding Google Apps users from two services means that a whole bunch of federal and state government employees, several significantly sized corporations and a whole bunch of iddy-biddy liddle companies have just been excluded? Oh, and didn’t I see some national governments in Google Apps “list of informationally endangered organisations” client list?

I used to think that the hundred thousand or so small businesses denied any access to AdWords Customer Service was an abomination. But whoever thought up the idea of silently and without warning denying access to the great new experiment in social communication, to all Google Apps customers, has to win this years’ award for “Most Google Paying Customers Excluded From Reasonably Expected Service Levels For No Stated Reason”. We’re talking ten thousand users *at a time* for some Google Apps clients. By my estimate, it totally dwarfs the scale of ignoring small business AdWords advertisers by about an order of magnitude. And to omit the same user group on *two* services, in one month – absolute genius. Not sure if they get double points for that, or an exponential powerup.

Why This Might Not Be a Good Idea For Google

For most businesses on the planet, paying customers come first, not last. If they did so at Google, then when Google have a new and exciting service, Google should make sure that the people who pay the Google payroll and keep the lights on in the Google datacenters, get an early crack. Rather than the current policy, which is apparently to keep paying customers both excluded and totally in the dark. AFAICS, that’s really not very clever customer service – is it? Am I really that out of step with how organisations should be treating clients?

You know that number one thing in the Google corporate mission statement? You know, the one about “Focus On The User“? It comes ahead of the one that people usually talk about, that you can do business without being evil? Point of fact for the Google staffers… the people who pay Google to do things for them, are Users, too. Just because they pay Google, doesn’t mean that they should deserve less respect.

I’m really annoyed by Google. For now, we use Google Apps. Or at least, we will probably do so for about 30 more days *WHILE I WORK OUT HOW TO LEAVE GOOGLE APPS*. I’d prefer to not-have access to a service that I’m not-paying for, than be denied a free service because I am paying an organisation for their services.

Cloudy Implications

Why would being disallowed to use Google Plus and Google Plus One make me reconsider our usage of Google Apps? There’s some really cute things you can do with apps, from scraping sites to sharing stats. But… Google is supposed to be unifying the Identities of Google Accounts and Google Apps. This is the first crucial test of whether new services will be available. And the answer is “FAIL”.

({sarcasm on} Good product naming system, BTW – makes it totally clear in the users’ minds what they are doing and how separate those services are. I can’t see anybody ever being confused about them. {/sarcasm})

Which would I rather have? And what would my users in the business rather have? The ability to mark useful resources and engage in controlled social networking, or the opportunity to use the not-as-good-as-Word-or-Pages word processor, or the not-as-good-as-Powerpoint-or-Keynote presentation tool, or… Well, they already hate using Google Docs, unless I force the use on genuinely shared data. So most would vote to kill it – they use the mail system, and otherwise overwhelmingly prefer to use a local app with a richer UI and features. Unless it is genuinely data for interactive sharing.

Sharing Data and Encryption

There are other ways to share data, after all. The failure of DropBox a few weeks ago (they accidentally allowed anyone to access any content in any DropBox for a four hour period) has made me wonder about the wisdom of having unencrypted data in the Cloud. I’m beginning to develop the idea that, just as I do with DropBox, I only put already encrypted data on it, or I use for insensitive data, stuff that I wouldn’t be unhappy to have leaked. But Google keeps everything in the clear… And that’s increasingly uncomfortable for me. We have client data. If we continue to march towards sharing data, I want an secure communication to an encrypted resource, not something merely protected by a single level of authentication and a secure communication protocol. I want the service to be unaware of the keys to unlock the data, so even if someone at the service provider forgets to lock the resource, I’ve still got a good level of protection on the data.

Google Apps doesn’t have that level of security now. I haven’t seen it discussed as a future option. And if Google has such disdain for Google Apps users that it won’t communicate about its’ most important new communications and search mechanisms… Well, I don’t think they care about my concerns for improved data security. So I think my business needs to move as soon as practicable, from a provider that isn’t even talking about services that I think are increasingly needed. That’s how connected Google Plus and Google Apps are. The behaviour of one is a likely predictor of behaviour for the other – and I just lost all confidence that Google understands what a customer is, and what their needs are.

“Google customer service” is apparently an oxymoron – or at least, looks that way from the lack of any statements that I can find, using Google’s own search engine to search their own web site site and blogs using the keywords “google plus google apps”, as of July 11th, 2011. As George Bush memorably said “Fool me once, shame on you. A fooled man can’t get fooled again. Erm.” I’m just fed up with Google. Really feel betrayed. Again. And Again. And Again. And that makes me feel like an idiot for trusting Google, again. I don’t enjoy feeling like an idiot – so I’ll be extending less and less trust to Google. But I will use them for their free services – those are absolutely fantastic value.

Summary

Understanding how Google treats paying customers yields some illumination on free services. My interpretation of silence is negative – I can’t construe Google’s silence in their own forums in any positive way. I fear for the security of my company’s data in Google’s Cloud – because it is held in clear and offers no opportunity to hold encrypted shared data.

Google should be reconsidering what it does with paying clients. They shouldn’t be the last to use a service, but amongst the first; and they should be communicated with. That’d create an incentive to pay to use the services. Not a disincentive.

I now detest Google about half the amount that I detest Microsoft. I’d still prefer to use an Android phone over yet another Windows implementation, Google Search Results barely over Bing, AdWords over adCenter. And I’ll probably be looking to see if I can find an autoencrypted file sharing service that uses AWS/S3 or something similar as a service, so I can remotely mount an “encrypted disk” and use it whether connected or not (rather like Apple’s iDisk but better shared, and encrypted).

Notes

Fuggedaboudid = “Forget About It”, said quickly and with nasality.

Now, that could cause a problem managing these accounts. I could use Google’s support for POP and IMAP and read the Gmail accounts for each of these into a central administration account. That’d mean quite a lot more work to set up each account – tripleing or even quadrupling the administration involved. But I’m a geek, and old UNIXy kind of geek. I know some stuff about nearly anything to do with operating systems… and mail systems were something I did some work on, over the years…

Within the mail system, that is inside the Gmail that is part of Google Apps, a plus sign after a name is a qualifier, not a different address. So if you send me email as “jeremyc+(make up something)@merjis.com” it still reaches me at jeremyc@merjis.com. IIRC, this usage is an old, often omitted or badly handled part of RFC822, the ancient mail system specification, from around the 1970′s. However, the Google Accounts (and consequently Google Plus) part of Google hasn’t worked out that the Gmail part of Google has made this work, and treats Google Account identities with a plus sign in the middle, as completely different entities, though, AFAICS, none of them can ever receive an email, at least when part of a Google Apps domain.

Google Apps still hasn’t merged its’ idea of identity with much of Google, so although my main identity is managed by Google, I have still had to re-use or create identities to play with Google’s stuff, outside the Google Apps domain. I don’t normally need to know which identity is which by given the different Google Identities differing user names, because the email addresses are checked by filters in Gmail and automatically allocated to client tags – so I can see at a glance which AdWords Account (or whatever) is receiving the email.

That was convenient for creating a lot of AdWords accounts, and have me automatically receive the emails, rather than having to set up IMAP support in a lot of Gmail accounts. But it was, to a substantial extent, relying on Google to be confused about identity. If they weren’t confused by email addresses, I’d have had to create other email addresses and do the IMAP thing to drag all the email to a central place for monitoring. More work for me, but I’m vigorously lazy – I’ll put a lot of work into understanding something, so I can achieve what I want, for less effort each time I do it.

I finally worked out what happened when I was invited to join Google Plus. The email went to jeremyc@merjis.com – a Google Apps account. On clicking to join, I got a new tab in the browser, and I was immediately logged in, with my name (not my email address) showing. However, I had been switched to the account jeremyc+money@google.com[*], which is the main Google Account that I use to interact with AdWords.

So, jeremyc+money@merjis.com is a Google Account, not a Google Apps Account. When I got the Google Plus invite, it automatically used the identity that was logged in as a Google Account. However, people are now sharing via Google Plus with jeremyc@merjis.com, and that’s not a Google Account with a Google Plus identity. So even though I receive all the Google Plus messages addressed to jeremyc@merjis.com in the account under Google’s management as jeremyc@merjis.com, I can’t read it, because Google Plus knows that the registered entity jeremyc+money@merjis.com is not jeremyc@merjis.com – and jeremyc@merjis.com can’t join Google Plus, even though jeremyc+money@merjis.com is a member of Google Plus, and jeremyc+money@merjis.com shares all its’ email completely and fully with jeremyc@merjis.com.

So… If you message me using Google Plus, I can’t respond, because you haven’t shared with me, although there is every appearance that you have, and I receive a message about you having shared with me. And that’s because although I’m me, there are a lot of different me’s maintaining complete identity separation including different passwords for access, except for total sharing of email. Confusing, eh?

Footnote – it isn’t really “jeremyc+money@merjis.com”. The *whole* reason for using another identity is because we’ve managed individual client spends of US$500k/month – so I don’t want hackers to know which Google Account is the MCC owner. If they hack the account, it causes a lot of misery and pain. So it is deliberately set up to be private, hard to guess, and with an ugly password. I’ve done that, because I don’t believe that Google does enough to protect AdWords accounts with large budgets (read “large budget” as as “larger than the average Joe could cover with some kind of credit card insurance”). My bank, on a much lower budget, makes me use an authentication device as much as twice per transaction on sub-$100 transactions, whereas Google seems to operate a very simple username plus password system for millon dollar budget accounts, which makes it relatively easier to hack than a bank…

"Flam" - Flattery Spam example, praising the comment policy as if it was an article.

Next up, has the nature of spamming changed? I believe that it has. On this blog, and clients’ blogs and generally across the internet, I’m seeing a lot more “flam” – flattering spam. “You’re article really helped me with this difficult topic, thanks, I’ll be linking to you and subscribing to your feed” – stuff like that. Contributes nothing but a feeling of pleasure… and sometimes even sneaks past Akismet, if the author has managed to lull the suspicions of bloggers.

Of course, the acid test is whether my attempts to deflect spammers to the Comment Policy page have been effective.

Results

This WordPress blog's Comment Policy attracts most spam, now.

After seeing the trend towards “flam”, I’ve gone back throgh comments here (and on client sites) and made sure that every comment is substantive. That is, it contributes to the material in the posting and would be helpful to other readers.

That in turn, raises the question of what to do about those rare cases when someone says something useful, but then leaves a keyword loaded username. IMO, the best thing to do is to re-write the name as something more sane. After all, the comments here are no-followed, and it is, bluntly, rude to post under a keyword rather than your own name – not to mention being outside the guidelines for marketing laid down by the Advertising Standard Authority and described in the Code of Advertising Practice.

Recommendations

If you run a blog, there are three levels of protection to consider, basically depending on the volume of spam you get – which in turn is a reflection of your sites’ popularity with search engines (more on that, in another article I have in progress).

We have a general recommendation which is that marketeers have to reduce the barriers to engagement. Philosophically, I’m opposed to the idea of making it more difficult for a user to add a comment to a blog, to defend from a spammer. It’s just wrong. The burden should be pushed to the spammer, not the user. So, wherever possible on any form, we avoid CAPTCHA (which is, itself, subject to easy attack from Mechanical Turk style systems – use automation to find the CAPTCHA and just push the images to paid-by-activity humans who’ve signed up for the service).

If your blog is not popular (up to tens of visitors per day), then basic tools like Akismet are absolutely fine – though too infrequently used on small blogs, IMO. You’ll probably get no more than a one or two “flams” per day – and the rule is “if the comment could have been applied to any article you’ve ever written, it is probably spam”.

If your blog is moderately popular – hundreds of visitors per day – then Akismet or other crowd-sourced or Bayesian detectors are probably not quite enough; consider using a honeypot to distract spammers to a page or posting where you know that the overwhelming majority of comments will be spam. This, too, should keep the count of suspect spammy comments that need attention down to a handful per day.

If your blog is seriously popular – well, you can probably afford to have a few annoyed users who can’t get through the defences. Very popular blogs might want to consider both a crowd-sourced and/or Bayesian and CAPTCHA solution of some sort. That’s not as extreme as some US magazines who have ludicrously tough comment defence, added in pursuit of finding candidate new subscribers, rather than spam reduction, I suspect, and an illustration of the maxim about reducing the barriers… I cant be bothered to sign up, when they make it so difficult.

That “reducing the barriers” stuff is really important. Take a look at Bob Cialdini’s Influence – an old book, now, but still germane as it deals with fundamentals of human behaviour. Until you’ve given something of value to someone, they are unlikely to give you much of value. So asking for a full name and address and other contact information, just to drop a comment, is fabulously in excess of what most people will be comfortable to do. In the wake of the Sony hacking, users should also be becoming more aware that leaving details on publicly addressable sites is dangerous. And thats compounded by poor security practices from large organisations who confuse users’ ability to detect safer and less safe places to submit details (see my earlier article on Google’s absurd inability to help users identify which are trustworthy Google URLs and which URLS can be abused by scammers).

Is Google Engage part of Google, or a scam?

That’s a Google service, which Google is saying isn’t offered by Google. So is it a Google service, or someone attempting to deceive and defraud? Hard to tell, when Google warns you that the service you thought you were getting from Google, isn’t from Google.

Identifying Google Services

Google’s major services use their own sub-systems within Google – AdWords, Analytics and so on. They do so in a completely incoherent way. For example, AdWords is on adwords.google.com, and docs are on docs.google.com, but Analytics is offered on google.com/analytics, while search results are usually on google.TLD/search or google.TLD/url (where “TLD” means “Top Level Domain”, like “.co.jp” for Japan or “.de” for Germany).

There’s no rhyme or reason for whether there’s a subdomain or a directory, that someone outside Google can understand – certainly not non-technical web users. Explaining to a non-technical user why one URL can be trusted and another could be spoofed is a nightmare of conditional statements and is usually futile – it’s too complex for most users to grasp, IMO, and I’m not even sure that I’ve recognised *all* the cases.

Minor products and services use Google’s own services, offered for third parties to use. But that usually results in Google warning that Google isn’t associated with services that Google is offering… which is clearly insane, just as in the screenshot above… and Google Engage is not alone in these “Google is not offering a service that Google told you they were providing” messages. I’ve seen this same kind of message for other service offerings from Google, sometimes involving authenticated calls from Google staffers – real, genuine Google services, with a frightening warning that the service isn’t offered and operated by Google.

Other Identity Confusions

However, the situation is worse than that. This example is just one part of Google’s insensitivity to establishing their identity and helping users prevent identity theft. Over the years I’ve been sent offers apparently from Google, that involve visiting sites on non-Google domains – they often have “google” in the domain name. That’s not enough to identify the site as being operated by Google.

Anyone can go set up arbitrary domains with “google” in the name. For example “google-services.com” is owned by someone operating in Russia. “google-direct.com” is operated by someone anonymised – but certainly not Google. These domains would be convincing to a large number of non-technical users and would be confusing to technically adept users if sufficient other features were present – a Google Account to login to the services, for example.

There are some ways to try to infer whether a domain really is owned and operated by Google – using “whois” records, IP addresses and (when Google set them up) SSL certificates – these resources can all help to identify whether a service is being operated from a Google owned and managed network computing facility. But those checks are both difficult to do (only the most technically adept can do it and understand the results) and not sufficient to prove that the service is being offered by Google, rather than some thieving scum.

If Google were properly sensitive to issues of identity, I suggest that services offered by Google would be in the google.com domain; and services provided by Google to third parties would be in an identifiably different domain. That certainly isn’t enough to separate scammers from real services – users have great difficulty understanding that a URL that says “google.com-deceptive-site.xxx” is not Google. But it’d be a start.

As it is, Google is further blurring the line between official Google services and those offered by a spoofer. Looking at this sign in screen above, I’m not actually certain that this “Google Engage” service is offered by Google. And that weakens my ability to detect spoofed services.

Is this a genuine problem?

I believe that it is; I don’t have any stats for the number of users deceived, but I’ve got circumstantial evidence that this is and has been a problem for years. Firstly, I’ve seen (and blogged here) examples of faked AdWords login pages, intended to deceive AdWords account users, and hijack the account. And secondly, I’ve seen examples of scammers using Google’s own domains to create the perception that a service is available from Google.

A classic technique used by deceptive digital agencies is to emphasise that they have a relationship with Google. These scammers use Google services to provide a mocked up search result, showing the results they are trying to achieve. And they tell would-be clients that these results are because they have a special relationship with Google. Would be clients are convinced that the agency has a close relationship by faked results like that – but the scammers are merely using services such as sites.google.com (I’m deliberately withholding the exact technique being used – there is an even harder to identify mechanism than Google Sites that the smarter scammers use).

If you combine the ability to masquerade as a legitimate Google page, on a Google domain, with Google disavowing it’s own services; then throw in Google creating sites with domains that include google in the name (just like any scammer) – it creates a poisonous situation in which non-technical end users can not be sure whether they are really signing up for a Google service or something designed to deceive and defraud. Or, more likely, they simply assume that anything with “google” in the domain or apparently in the domain, is trustable. IME, most non-technical internet users are surprised when you tell them that anyone can sign up for “genuine-official-google.com” and offer a web server on it.

I’m not happy that Google understands and is seriously contributing to improving online safety. Their own practices are weaker than they could be, and appear to create opportunities for the fraudulent to deceive. I have signed up for this service, but I used a non-critical, non-business, dissociated Google Account, just in case it was really an attempt to get to my clients’ AdWords Accounts.

Evil? Maybe. Maladroit? Definitely.

It’s not that I don’t or won’t use FireFox, it’s that FireFox is far too valuable for me, as a debugger/developer/investigation tool. I don’t want lots of uncontrolled requests from it, for Gmail/Buzz updates. It would interfere with my use of Charles and other testing/analysis tools. I end up *having* to use Safari, Chrome, Camino, Flock to get my other things done.

As a result of not having Gears in those other browsers, I’ve got used to running Apple’s Mail, which has the added benefit that the blogs that I like to read are interpolated in my combined (business, personal, private and administrative) email streams. Running Mail means that I don’t have to use the browsers’ memory to hold my email, cuts down the WebKit processor usage and usually means that I don’t need to open lots of sessions for different mail services.

Buzz

I find that after the privacy issues involving Buzz have started to wither, I’m becoming a fan of Buzz. Why?

• I’m finding new users who’ve got interesting things to say.
• If I don’t have to switch applications, or tabs, it’s a decrease in my perception of “switching tasks” – it’s my comms window and I’m switching modes, not switching tasks.
• The length of postings and comments is more comfortable than Twitter; 140 characters focuses the mind, but not a lot of people can manage to say anything substantial in 140 characters…
• Linking articles is *easy*.
• Comment streams are easier to follow than on Twitter (without having a desktop app that requires refocus)

After I’ve used it a bit more, I’ll probably think of some other reasons… There’s plenty of improvements that I can see a need for (I’m still not entirely convinced that the privacy issues are resolved), but the raw, out of the box experience is sufficiently positive, that I expect to be using it more than Twitter and FaceBook. Much of that coming from not having to switch mental contexts with application or tab switching – the old issue in user interface task analysis, of whether the next task feels like a context switch.

A mild downside for personal use is that I can’t see how to get analytics on link usage – unless I revert to some hideous URL shortener technology twiddle. And, of course, if one was running a corporate Buzz (guys, I’m in Marketing, of course that’s the next thing I think about), then there’s the whole issue about how many Gmail accounts I can have open in a browser at a time. Part of my need in running so many browsers is that I can separate task-groups. If I’m in Camino, then I do this set of tasks. If I’m FireFox, I’m doing this group, etc. And that means that I can have a separate Gmail session for each (this is partially a vestige of my days involved with InfoSec, and partially a consequence of me wanting to isolate activities so that as we grow the company, I can delegate those IDs to someone else to manage). Adding a whole new set of identity-tabs to have concurrent Gmail identities open for running Buzz, will be problematic.

Anyway, with a good Buzz experience, so quickly, I decided to give the whole Gmail on Mac experience another chance. I opened a Safari tab on Gmail, and went to check the settings. Offline browsing is still not available for Safari, but it recommends FireFox and Chrome. I’ve got Chrome running most of the time, anyway, so new tab and Gmail… and still no Gears. There’s a help link (“Offline Mail is not supported by your browser. Learn more”) which, when clicked, takes me to a page that tells me nothing visibly useful about Chrome, the Mac, and Gears. Why am I referred to this page, with a single vaguely applicable statement (“You may be able to enable Offline Gmail on Safari” – but no mention of Chrome and Gears on a Mac)? I have no idea.

I use my Firefox instance for investigating web sites – lots of GreaseMonkey, debugger/developer/SEO plugins, use of Charles to investigate whether Analytics is working, etc. I really *don’t* want to use Gmail/Buzz in that environment. I guess that most other users are able to use FireFox, but personally, despite the positive experience of Buzz, because I can’t sensibly use Buzz (I need to stay in Apple Mail to get consistent online/offline usage of email), I’ll be on Buzz rarely.

In the interim, I’ll be looking forward to the day that Google get Gears working fully on the Mac on Chrome and Safari. Or perhaps I’ll try to find some time to work out how to get two instances of FireFox running, with different configurations… Or perhaps Apple might find a way to interpolate Buzz into my Mail-stream, along with my preferred blogs. *That* would be my first choice:

• Integrated message stream (tasks, mail, blogs, Buzz, maybe Twitter and FaceBook) for multiple accounts
• Offline and online usage, with messages queued for when I reconnect
• Lighter on the CPU than multiple browser sessions
• Ability to monitor and post corporate as well as personal and administrative items

So, small brickbat to Google for initial privacy issues, big bouquet for adding a cool new tool with some great characteristics, moderately sized brickbat for making offline usage on the Mac into a FireFox-only experience… and I think I’ve found another reason to consider an iPad. I can let my desktop focus on my site investigations, coding, admin, documentation. The iPad can sit next to it, and focus on the comms, notes and logbook. Have Safari on the iPad open for Buzz, and I’m not distracted by what’s happening on the main activity screen of my Mac, except when my attention leaves the screen, anyway. And the iPad will take care of resynch when the signal comes back.

Imagine my delight when I found a persistent set of comments, apparently from an identified organisation, with a consistent IP address. A chance to nail the sleazy scum that spam. Or not!. Because, of course, it always *could* be an attempt to blacken a company’s name by a competitor, paying someone else to spam on their behalf.

That’s not as crazy as it sounds. Email spam has, for more than 15 years that I know of, relied on stealing contacts from address books and purporting to come from someone that you may already know and trust. Tainting an otherwise reputable agency might be a similar task.

Then I found the signature *again*, on another blog. I decided to have a deeper look. Remember, it may be that the organisation is perfectly above board. There may be someone else trying to make them look bad… By looking both like a spammer, and an incompetent spammer.

First piece of evidence is a screen shot from an Akismet automatically detected list of spam, supposed to be added to an article about expanded broad match:

Note the IP address? Where’s that from then? According to RIPE (a network information service for Europe):


inetnum: 93.107.80.0 - 93.107.95.255
netname: VODAFONE-IRELAND-MOBILE-ISP
descr: Vodafone ISP - Pool 4


The company named in the email address and as the recipient of a link, is in Ireland (that’s the “.ie” suffix) and the person that added this spam is also in Ireland, but using a mobile network data card (a dongle) in all likelihood. That’s not an entirely foolish thing to use, for a spammer. Mobile data networks tend to have dynamic IP addresses, so it does provide some anonymity. If this activity were widespread and illegal, then mobile phone operators can track down which SIM was used to access the network and from where. That, of course, is still circumstantial – the SIM could have been cloned, and the location simply means that a specific antenna was in use – not that a specific person was using it.

There are other traces that less competent spammers will leave behind, though.

What’s next? More spam!

The first and fourth comments are both for the same article. Note that the newest comments, to different articles, are identical and from “the same user”. And that the shared IP address for these four comments, is all on the same Vodafone network. Could it be a proxy for a business? Possibly. In which case these users may have different cookies; if the web server has Apache mod_usertrack or the equivalent, then these users may be identified as the same or as different in web server log files.

So what else… Oh dear. A spam attached to the “About Us” page. Static pages on blogs are great places to trap spammers. Why would anyone spam a comment policy page on a blog? Because they search for “blog” and “comment” as well as the subject area. So a comment policy saying that spam is not acceptable, is an often sought target for spammers. Amusing, I think.

And what do the web server logs show at this point?

access_log.1.gz:93.107.95.106 - - [15/Jun/2009:10:17:24 -0700] "GET /about-us/ HTTP/1.1" 200 33250 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko/20060909 Thunderbird/1.5.0.7"

access_log.1.gz:93.107.95.106 - - [15/Jun/2009:10:17:24 -0700] "GET /2009/03/expanded-broad-match-come-on-google/ HTTP/1.1" 200 51154 "-" "Mozilla/5.0 (compatible; BuzzRankingBot/1.0; +http://www.buzzrankingbot.com/)"

access_log.1.gz:93.107.95.106 - - [15/Jun/2009:10:17:27 -0700] "POST /wordpress/wp-comments-post.php HTTP/1.1" 302 - "{URL}/about-us/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko/20060909 Thunderbird/1.5.0.7"

access_log.1.gz:93.107.95.106 - - [15/Jun/2009:10:17:28 -0700] "POST /wordpress/wp-comments-post.php HTTP/1.1" 200 - "{URL}" "Mozilla/5.0 (compatible; BuzzRankingBot/1.0; +http://www.buzzrankingbot.com/)"

Read that carefully. The same IP address gets two URLs. Then, a few seconds later, the same IP address *POSTS* to the identified URL that was previously GOT. And the POST is by something claiming to be a Bot. It clearly isn’t a bot. The spammer is claiming to be a Bot, probably because they are using a selection of User Agent Strings intended to disguise the real source. But they neglected to remove strings that really shouldn’t be identified as POSTing. Bots that POST comments? Hmm. Wouldn’t that be a spambot?

And, one more datum. In poking around to find out about the company, I stumbled into the following listing:

That’s still not conclusive. If the spammer is in fact not at the company, then it would have been possible to have found at least one name there, with trivial searching. “Ollie”. There is no reason to believe that the two are one and the same… Someone could post using my name and even link back to here or other referral source. Since the search engines aren’t usually able to see web server logfiles and check the user tracking, it is hard for them to identify whether a claimed identity really is the identity.

Guilty or Not Guilty?

Well, no way of positively telling whether the company is spamming. They claim to do SEO and to be be Google AdWords Accredited Professionals. Whoever has conducted these activities has done their online reputation no favours. Not even the basic protections described in our previous article about web spam (“Anatomy of a web spam attack“). If this was an attempt to discredit them, it is itself a pretty incompetent showing – but maybe that was the point of the effort, to show what a talentless loser would behave like when attempting to spam blogs? If they did it to themselves, it’s a pretty dodgy way to do business and they need to upgrade to at least the technological level of the suspected Ukranian spammers we previously looked at.

There are some contraindications for the company. Until this week, the company site claimed to be Google Accredited Professionals. That’s still in the cache on Google. But the graphic was just a graphic – it didn’t link, as it should, to the business listing at Google. Maybe that was just a technological oversight:

Our GAP logo attaches to a page that describes our business – in general, most valid accreditations *have* to be active links that go back to a server under the administrative control of the accrediting organisation – so if you click on the logo below, you should get to a Google administered secure HTTP server – a proof of identity will look like either:

GAP images are an 80×80 JPEG, and are supposed to link to the Google page for accreditation. Otherwise, they aren’t part of the GAP, they are just random images… But images with a claimed meaning. Using a GAP accreditation incorrectly, is worrying for what it says about the business and the way it is trying to be perceived. But it could be an honest technological error or a failure to understand how the logo should be used.

Fighting Spam, Improving Reputation

Hard to see how to easily progress this further without the active participation of the victim of abuse. Their reputation has been lightly damaged by this activity, so whoever did this, did them no favours, but hasn’t detectably caused any ranking penalties. Further tracking down the source without active cooperation is moderately difficult and bluntly, I’ve got too much real work to do to take this much deeper.

Fortunately most heavy ranking blogs will have spam protection software and many of the features of these messages would trip spam detection. That’ll limit more negative perception for these guys. They might want to go round the blogs they can find and ask the administrators to remove some of the more repetitive postings, so they look less like foolish spammers and more like victims.

You’ll notice that I’ve been careful to avoid mentioning the business name or better identify the individuals at the company – the names are all embedded in graphics. So *THIS* article shouldn’t further contribute to their online reputation management issue. I intend to actively prune and edit comments that mention the name.

Identity remains a core problem for search engines. Attributing maliciously placed content to innocent sources is far too easy. The NOFOLLOW link certainly defuses some spam, as was its’ original intention. Despite the controversy over rank sculpting, NOFOLLOW for comments remains a useful feature. Otherwise, assiduous attention to vanity searches remains important, and tracking down and removing embarrassing content is still an important activity for reputation management.

As Google Profiles rolls out, it will allow Google to map not just who you are and your business relationships, but your relationships to links and other known people. I believe that this is partially a response to the understanding that searching for people’s names is a large and identifiable fraction of search, but also a sideways step to better understand what constitutes a good web site – and hence a way of ranking based on trust relationships.

By looking at my long-established Google Account, Google Profiles can reveal my business relationship (Merjis, the website and this blog), and my claimed relationship to a LinkedIn profile and the AdWordsHelpExperts site, and my identity as established by posting in the AdWords Help Forum and the links embedded there. I suspect that this is a further step in finding yet another way to avoid the end game for organic search results based on the citation model that is currently a huge fraction of Google’s weighting for sites and pages in search engine results… as I described two years ago in “Search Engines, Game Theory and Intrinsically Corruptible Systems”

From outside the US, the whole process is enormously frustrating. Pages describing how to achieve various tasks dead-end with references to links that don’t exist, for example. I expect that as Google learns how to move from businesses and profiles they do trust, to the international networks, that we’ll start to see the classic US-centric approach to a new product introduction be globally deployed. I’m not holding my breath though. I suspect that infrastructure implied by the knol validation process will take significant time to roll out worldwide.