It Makes Me Angry When Bad SEOs Try Form Injection / Spam
Blogging
The author's views are entirely his or her own (excluding the unlikely event of hypnosis) and may not always reflect the views of Moz.
Ok. Here comes a rant. I HATE WHEN PEOPLE TRY TO USE FORM INJECTION / SPAM!!!
Feels a lot better...
What set off this rant is that I'm sick and tired of seeing an ever-growing flow of "Feedback Spam" on my websites. I know, there are several scripts for ASP/.NET/PHP/JSP/Perl to tackle this issue, and yes I use them very effectively to flag spammy messages before their arrival to my desktop.
Let's take an example from a spam message (this arrived about 15 minutes ago and went straight to the trash as spam):
Sender: dehumidifier
Contact detail: [email protected]
Message: Dehumidifier supplier directory - Dehumidifier suppliers from China and around the world, Dehumidifier, Dehumidifier Manufacturers, Dehumidifier Factories,<a href=https://www.kawai.com.cn/eng-home.htm>Dehumidifier</a> Manufacturing, Dehumidifier Manufacturer, Factory, Company, Dehumidifier Exporters, Companies, Dehumidifiers Producers, Wholesalers, Distributors, Dehumidifiers, China Dehumidifiers. CHUANJING Electric Co. Ltd, the largest source of products made in China and Chinese OEM manufacturers. contact: [email protected]
If Hangzhou Kawai Company is reputable, I hope they give their SEO / webmaster / marketing people the boot. I don't know what these people seriously expect to gain with these (very likely bot-sent) messages, but I think it's time to give them some bad publicity.
Just added... Well, if Google is to be believed, the same text is on 112 pages. To Mr. Cutts: how about a little penalty, like removal from the G index? And not to put it all on Google's shoulders, Yahoo has a whopping 240 references and MSN 1015 references. And to prove that this kind of form/comment/guestbook spamming doesn't work, the site is nowhere in the top 100 for dehumidifier. All it does is irritate people who otherwise very well could be potential customers / partners.
Speaking on what Rand mentioned of XSS / HTML injection methods, I happen to be a self-proclaimed expert. In fact, my giant April Fools this year was https://www.xssfools.com which allowed you to seemingly post fake news stories to real news sites including the New York Times. (The site has been turned off to prevent legal action against me.)
I have found in my own personal research that only a small percentage of commonly used webwares are vulnerable to actual html injection. Usually these are guestbooks which are not database driven, thus there is no need to clean the entries.
XSS injection, on the other hand, is very pervasive. Nearly 70% of site searches I tested about a year ago (excluding Google site search) were vulnerable. However, this method is a lot more effective for email spam and XSS spoofing than it is for indexing. While there was a brief period of time where you could find a vulnerability on a major site, Sony comes to mind, and rank instantaneously for words like "poker", those days are over. Remember when people told you to avoid question marks in your URLs because Google didn't like them? Imagine trying to get URL-encoded HTML query strings indexed. It is near impossible these days.
As for this type of spam, I would try a simpler approach like attaching anything and everything to Akismet or LinkSleeve to catch these types of attacks.
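The site-search issue in the comment above, as an added Python example (not from the post or its commenters): a results page that echoes the query raw beside one that escapes it, plus a small access-log check so an injected results page does not go unnoticed. The /search?q= endpoint, the log lines and the spam.example URL are constructed assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a search query carrying injected link markup, the abuse
# of site-search pages that the comment above describes.
INJECTED_QUERY = '<a href="https://spam.example">dehumidifier</a>'

def render_results_unsafe(query, hits):
    """Weak pattern: the raw query is pasted into the page, so any markup in the
    query string comes back as real HTML that the site itself serves."""
    items = "".join(f"<li>{h}</li>" for h in hits)
    return f'<h1>Results for "{query}"</h1><ul>{items}</ul>'

def render_results_safe(query, hits):
    """Hardened pattern: escape every untrusted value where it lands in HTML."""
    items = "".join(f"<li>{html.escape(h)}</li>" for h in hits)
    return f'<h1>Results for "{html.escape(query, quote=True)}"</h1><ul>{items}</ul>'

# Detection side: find access-log requests whose search parameter carries
# markup once URL-decoded, so injected results pages are noticed in the logs.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|href\s*=|javascript:", re.IGNORECASE)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+) HTTP')

def suspicious_search_requests(log_lines, param="q"):
    """Return (client_ip, decoded query) for common-log-format lines whose
    search parameter contains markup. The parameter name is an assumption."""
    flagged = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path = m.group(1), m.group(2)
        for value in parse_qs(urlsplit(path).query).get(param, []):
            if MARKUP_RE.search(value):
                flagged.append((ip, value))
    return flagged

# Constructed log lines: one normal search and one carrying the injected query.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jul/2006:10:01:02 +0000] "GET /search?q=dehumidifier HTTP/1.1" 200 512',
    '198.51.100.9 - - [12/Jul/2006:10:01:09 +0000] "GET /search?q=%3Ca+href%3D%22https%3A%2F%2F'
    'spam.example%22%3Edehumidifier%3C%2Fa%3E HTTP/1.1" 200 640',
]
```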
Speaking of which, we've had some guy register with seomoz who kept writing comments like "Yes thank you" and "good read thanks" all over some of the threads. His user profile had a link to redcodevb.com. I follow most of the threads for these kinds of things but sometimes I miss them. He's been banned from logging in, but if anyone sees him again (or anyone else that's spamming) make sure to let me know.
11cfdd4c https://6226ee9a.com c2845ef5 [url]https://efae362d.com[/url] [url=https://d3ec4d39.com]531674c3[/url]
Is this a case of humor or irony?
There's an IYP site that I work with out in Asia that gets a lot of feedback form spam, mostly from China. I guess it's just the in thing over there.
Just clicked the Google link; it's up to 1,060 pages now.
Make sure you trace back and make 100% sure it's the company that is doing this. A nice way to get rid of a customer is by sometimes spreading some SPAM and bad rep around about them. An email has no SEO benefits, but it does reflect badly on the user that gets that email.
-PK
And this is the tame kind of injection spam. The one where they use the site search function to write Hex Code that injects the URL into the results page, then link to it is the nasty one - you'll never even know it's there.
"Just Added:"
What a terrible idea. It would be a fantastic way to Googlebowl by just spamming the web with a competitor's information.
I think Google's long-term policy (to be believed or not), of not punishing webmasters based on content not on their site is the best policy.
Even disregarding duplicate content is dangerous. Think about press releases and legitimate AP news stories that go out. These are valuable, meaningful backlinks settled in absolutely duplicate content.
Methinks that the solution is actually in the webmaster's hands. Build a better guestbook.
Methinks that the solution is actually in the webmaster's hands. Build a better guestbook.
To quote my post..."there are several scripts for ASP/.NET/PHP/JSP/Perl to tackle this issue, and yes I use them very effectively to flag spammy messages before their arrival to my desktop." ...
So we have a solution that combats this very well by flagging them as "potential spam" or completely preventing the worst cases (i.e. non-Latin characters, a specific header in the message, empty UA strings, known-bad IP blocks, etc.).
However, what comes in to the desktop needs to be checked, even if it's flagged as potential spam. Why? Because valid contact requests are worth a big pile of bucks$ and there is no absolute guarantee that flagging is absolutely, 100% accurate (there are valid cases where people type href).... And yes, I know there are other methods like "Type the verification code" etc. Do you really think business managers etc. do that?
So this is a question far beyond guestbooks or blogs which have zero/little monetary value; I see this kind of trash coming in from general feedback forms, contact us pages, inquiry pages etc., which generate real revenue...
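A flag-don't-drop filter of the kind the reply above describes, as an added Python example (not the author's own scripts): it weighs link markup, non-Latin characters, an empty User-Agent and a known-bad IP block, delivers anything borderline as "potential spam" for a human look, and rejects only the worst combinations. The IP block, weights, thresholds and sample submissions (including a cut-down version of the dehumidifier message) are constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed known-bad range; a real list comes from your own form logs.
BAD_IP_BLOCKS = [ipaddress.ip_network("198.51.100.0/24")]
LINK_RE = re.compile(r"https?://|<a\s+href|\[url", re.IGNORECASE)
# Anything outside ASCII and the Latin-1 / Latin Extended ranges (weak signal:
# curly quotes in a genuine message trip it too, hence the low weight).
NON_LATIN_RE = re.compile(r"[^\x00-\x7F\u00C0-\u024F]")

@dataclass
class Submission:
    sender: str
    email: str
    message: str
    user_agent: str
    client_ip: str

def score_submission(sub):
    """Return (score, reasons). Signals add up; no single one is decisive,
    because a dropped real inquiry costs more than a spam that gets through."""
    score, reasons = 0, []
    if LINK_RE.search(sub.message):
        score += 2; reasons.append("link or href in message")
    if NON_LATIN_RE.search(sub.message):
        score += 1; reasons.append("non-Latin characters")
    if not sub.user_agent.strip():
        score += 2; reasons.append("empty User-Agent")
    ip = ipaddress.ip_address(sub.client_ip)
    if any(ip in net for net in BAD_IP_BLOCKS):
        score += 3; reasons.append("known-bad IP block")
    words = re.findall(r"\w+", sub.message.lower())
    if len(words) >= 10 and len(set(words)) / len(words) < 0.5:
        score += 1; reasons.append("keyword stuffing")
    return score, reasons

def classify(sub, flag_at=2, reject_at=5):
    """'ok' is delivered, 'potential spam' is delivered but flagged for a human
    look, 'reject' is dropped (reserved for the worst combinations)."""
    score, reasons = score_submission(sub)
    if score >= reject_at:
        return "reject", reasons
    return ("potential spam" if score >= flag_at else "ok"), reasons

# Constructed samples: a cut-down version of the spam quoted in the post, and a
# genuine inquiry that happens to contain a link (flagged, never dropped).
SPAM = Submission("dehumidifier", "sales@example.com",
    "Dehumidifier supplier directory - Dehumidifier suppliers from China, "
    "<a href=https://www.kawai.com.cn/eng-home.htm>Dehumidifier</a> Manufacturers, "
    "Dehumidifier Exporters, Dehumidifiers, China Dehumidifiers.", "", "198.51.100.7")
LEGIT = Submission("Jane", "jane@example.com",
    "Hi, we'd like a quote for 200 units; see https://example.com for what we do.",
    "Mozilla/5.0", "203.0.113.4")
```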
I'm getting 5-10 per day of these on my blog. I have to approve any commenter the first time, so I can keep most of this garbage off my site, but damn it drives me freakin nuts.
I was running WordPress on my personal blog for a while but I was getting so many spam comments awaiting approval I ended up writing a quick n' dirty image verification system ("name that farm animal"): https://0at.org/blog.php?id=28#add_comment...
It won't keep out the human spammers, but it's been 100% effective against the bots.
Penalizing for guestbook spam would just make it all that much easier to Googlebowl -- if that happens, the fallout would be incredible, as guestbook spamming is remarkably easy for even the most novice script kiddie. I've had guestbook spam links show up pointed to some of my WH stuff before (probably a g-bowl attempt), but thankfully I think the links were simply ignored/devalued.
That's one of the reasons you have to register at SEOmoz to comment. It lets us know who's hand-spamming us :)
It's annoying like hell but don't expect the Hangzhou company to give a shit or boot their marketing people.
The stage of SEO is still rather 97 here in China, most companies will hardly dish out anything for a website, let alone for seo and they are happy they are "on" the internet.
The funny thing is that their hotmail address is very likely to be their official email address.
I recently talked with a western company who wanted to have some seo work done. The client was wondering how all these Chinese seo companies guarantee top listings. He rightly stated that if that was true everybody would be in the top 10.
The client was wondering how all these Chinese seo companies guarantee top listings.
Same can be asked with many western companies also... So it's not that different.