Monday, February 12, 2007

Google Spam Technique Uncovered


It all began with a client calling and telling me that they uncovered a heinous result in Google. The offender, seeking to gain on their branded term to display pornography and perhaps even install spy ware and viruses, was sitting at position 3 for my client’s brand. We all as SEO’s know the standard procedure is to jump up, bump one’s head into the wall and scream emphatically over the sound of New York City police sirens. But seriously, to submit a Google spam report can take weeks, weeks of defamation and slander for no good reason that leaves one feeling helpless.

Well, I decided to proceed with the standard approach and also to dig up everything and anything I could about the culprit – especially with my curiosity piqued over how this black hat person got a leg up on Google’s algorithm. Thus began my challenge to discover the technique (websites and names have been changed to protect the innocent and guilty).

First, I took a look at the offending website listing on Google, where it was listed as www.website.info/myspampage.html, clicked on it and let it take me to the pornography result. It ended up taking me from www.website.info/myspampage.html to www.pornowebsite.com. I decided that there were way too many unquestionably bad things to see in front of my face all at once like that, so I took a step back. Pressing the escape key on my computer keyboard prior to the redirect into porn, I landed in a seemingly blank page.

To my surprise however, there was nothing on this page but an H1 tag, JavaScript declarations and some ellipse marks. JavaScript? That certainly seemed out of scope on a basic page like this. I took a look at the JavaScript, and to my surprise the code was in fact, encoded. At the time it seemed to me to have been encrypted. So I decided to look up the function and low and behold, the key to the redirect was held in the encoded JavaScript.

So, what is the easiest way to analyze and determine what the code was doing? Take the code, save it to the desktop (X if you are a Linux geek), and change the JavaScript to not execute but rather write the result to the window. Now once that is complete, I ran the code once more with no executed code and on the screen I see the redirect to yet another website URL:

document.location="http://website2.info/govno/search.php?qq=websitekeywordhere";

Sneaky bastards used a complex JavaScript to embed an encoded JavaScript into the page and also applied a gateway/cloaking page strategy to ensure the key terms used were spammed to hell – giving them some possibility of high rank for some time…

But alas, there was more, much more. The site was using a proxy website spamming technique. Example: www.website.info/myspampage.html (with redirect from website2.info/govno/search.php?qq=websitekeywordhere) -> http://www.pornowebsite.com/. So in essence, the spammer could have thousands of websites using the redirect script, a proxy from website2.info/govno/search.php?qq=websitekeywordhere and even if one was banned, delisted or penalized, there were thousands of other foot soldiers to take its place. Another very interesting fact was that these “foot soldier” websites held hundreds to thousands of spam pages as well, giving them that much more potential to rank for seemingly random keywords and terms. On with the challenge…

I decided to remove the spam page URL and try the root URL were there were large blocks of links (up to thousands) with nothing but spaces in between them. Looking at the different terms used, they must have been generated either using an inventory.overture.com bot to determine best search frequency terms or from a sampling of RSS feeds/website directories. Given this scenario, there were so many random links and phrases/terms that it seemed like it was sampling from a text file or some directory listings.

Now knowing that the spammer had a brilliant strategy in mind to conquer results to gain traffic to the pornography website (install malware, etc), there were a couple of things left on my mind: how widespread was this strategy (how many websites), where are these sites, does Google have an index of them? Do they forward to any other “questionable” or “profitable” sites?

Using a reverse DNS tool on the first set of Domains, I pulled up about 90 domains belonging to about 15 IP addresses. Knowing that this is probably a small segment of their “network”, it was still quite sizeable and doing some basic math, it looked like they could have positioned themselves to gain upwards to 1.2 million terms.

Even considering that many of the terms would land on page 2 instead of top spots, the spammer could essentially still benefit from a quantity driving strategy, making money on malware installations, traffic brought to the http://www.pornowebsite.com/ website or even through having a combo of revenue methods strung together. If only 100 people were looking on average for each of the 1.2 million terms, that would mean that 120,000,000 searches could be a potential but realistically 12,000,000 could end up being driven into the spamtastic http://www.pornowebsite.com/. That figure is no joke, and it could be quite small when considering the breadth of terms, amount of domains, pages indexed and searches performed.

Phew! What a mouthful there. So now for a look at the actual code from this dubious result for all you SEO geeks out there:

[!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"]
[html]
[head]
[title]Newspaperwebsite.com [/title]
[meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"]
[meta name="keywords" content="Newspaperwebsite.com"]
[meta name="description" content=" Newspaperwebsite.com Newspaperwebsite.com Online Looking for Newspaperwebsite.com ? Welcome to Newspaperwebsite.com Site. Full Information About Newspaperwebsite.com Here"]
[script]
function nMfqvYV()
{
eval ("var decs = new Array ();var coder = 62;var r = '';");decs [decs.length] = '%5a%51';decs [decs.length] = '%5d%4b%53';decs [decs.length] = '%5b%50%4a';decs [decs.length] = '%10';decs [decs.length] = '%52%51%5d';decs [decs.length] = '%5f%4a%57';decs [decs.length] = '%51%50';decs [decs.length] = '%3%1c%56';decs [decs.length] = '%4a%4a';decs [decs.length] = '%4e%4';decs [decs.length] = '%11%11%5d';decs [decs.length] = '%59';decs [decs.length] = '%9%7';decs [decs.length] = '%49%51%c';decs [decs.length] = '%e';decs [decs.length] = '%55%52%7';decs [decs.length] = '%c';decs [decs.length] = '%5a%51';decs [decs.length] = '%51%49';decs [decs.length] = '%58';decs [decs.length] = '%50';decs [decs.length] = '%e%f%51';decs [decs.length] = '%4f%4e';decs [decs.length] = '%51%7';decs [decs.length] = '%53%5a';decs [decs.length] = '%57%5b';decs [decs.length] = '%51';decs [decs.length] = '%49';decs [decs.length] = '%48%b%4a';decs [decs.length] = '%47%54';decs [decs.length] = '%10';decs [decs.length] = '%5d';decs [decs.length] = '%51%53';decs [decs.length] = '%11';decs [decs.length] = '%58';decs [decs.length] = '%57';decs [decs.length] = '%50%c%11';decs [decs.length] = '%4d%5b%5f';decs [decs.length] = '%4c%5d%56';decs [decs.length] = '%10%4e%56';decs [decs.length] = '%4e';decs [decs.length] = '%1';decs [decs.length] = '%4f';decs [decs.length] = '%4f%3%6d';decs [decs.length] = '%4a%5f%4c';decs [decs.length] = '%4a%4c%57';decs [decs.length] = '%5c%4b%50';decs [decs.length] = '%5b';decs [decs.length] = '%10';decs [decs.length] = '%5d%51%53';decs [decs.length] = '%1c%5';
for (ii=0;ii[decs.length;ii++)
{
var arr = decs[ii].split ( '%' );
for (j=1;j[arr.length;j++)
arr[j] = (('0x' + arr[j]) ^ coder).toString(16);
r += arr.join ( '%' );
}
eval(unescape (r));
}
nMfqvYV();
[/script]
[/head]
[body]
[table align="center" class="main" cellpadding=0 cellspacing=0 width=760]
[tr valign="top"]
[td]
[h1]Newspaperwebsite.com[/h1]
[p] newspaperwebsite.com newspaperwebsite.com had i been there together with newspaperwebsite.com my soul? i ran newspaperwebsite.com up the stairs newspaperwebsite.com in great haste, newspaperwebsite.com i don t remember - but suddenly she broke into sobs and trembled all newspaperwebsite.com over. a terrible fit of hysterics followed. i had frightened her. i carried newspaperwebsite.com her to the bed. when the attack had passed off, sitting on the bed, looked at me and at the revolver note that the revolver was already newspaperwebsite.com an object familiar to her. i had kept one loaded ever since i opened the shop. i made up my mind. that evening the shopkeeper came, bringing with him a pound of sweets from the shop; she was sitting at her little table. newspaperwebsite.com she was busy at her needlework, and sometimes in the newspaperwebsite.com evening she read books taken from my newspaperwebsite.com bookcase. the choice of books in the bookcase must have had an influence in my favour too. she hardly newspaperwebsite.com ever went out. just before dusk, after dinner, i used to take her out every day for a walk. we took a newspaperwebsite.com constitutional, but we newspaperwebsite.com were not absolutely silent, as we used to be. newspaperwebsite.com i tried, in newspaperwebsite.com fact, to make a show of decorum and eager newspaperwebsite.com for trouble. she went out of newspaperwebsite.com her way to stir up trouble. newspaperwebsite.com her gentleness hindered her, though. when a girl like that rebels, however outrageously she may behave, one can always see that she is forcing herself to do it, and that it is impossible for her to master and overcome her own modesty and shamefacedness. that is why such people go such lengths at times, so that one can hardly believe one s eyes. newspaperwebsite.com one who is accustomed to depravity, on the contrary, it sometimes newspaperwebsite.com attracts the feminine heart. in fact, i purposely deferred the climax: what had happened was meanwhile, enough for my peace of mind and provided newspaperwebsite.com a great number of newspaperwebsite.com pictures and materials for my dreams. newspaperwebsite.com that is what is wrong, that i am not sleepy: in great, too great sorrow, after the first outbursts one is always sleepy. newspaperwebsite.com men condemned to death, they say, sleep very soundly on the last night. newspaperwebsite.com and so it went on for some time. but my anger could never be very newspaperwebsite.com real or violent. and i felt myself as though it newspaperwebsite.com were only acting. and though i had broken off out newspaperwebsite.com marriage by buying that bedstead and screen, i could never, never look upon her as a criminal. and not that i took a frivolous view of her crime, but because i would not have them to see me, and i would not keep a huge dog or a strong manservant, as mozer does, for instance. my newspaperwebsite.com cook opens the doors to my visitors. but in our trade it is impossible to be without means of self-defence in case of emergency, and i kept a loaded revolver. in early days, when first she was newspaperwebsite.com living in my house, she took great interest in that revolver, and asked newspaperwebsite.com questions about it, and i even explained its construction and working; i even persuaded her once to fire at a target. newspaperwebsite.com newspaperwebsite.com then her newspaperwebsite.com voice was rather strong, resonant; though newspaperwebsite.com not quit true it was very sweet and healthy. newspaperwebsite.com newspaperwebsite.com now her newspaperwebsite.com little song was so faint - it was not a coward, and that i had seen newspaperwebsite.com nothing, especially as it was newspaperwebsite.com utterly improbable that, after newspaperwebsite.com seeing what i newspaperwebsite.com had seen, i should shut my eyes again, and at newspaperwebsite.com the same instant. oh, what a whirl of thoughts and sensations rushed newspaperwebsite.com into my mind newspaperwebsite.com in less than a minute. newspaperwebsite.com hurrah for the electric newspaperwebsite.com speed of thought! in that case newspaperwebsite.com so i felt, if she guessed the truth and knew that i was not a personal affair, newspaperwebsite.com but that it concerned the regiment, and about a month ago, being a shameless fellow, he once or twice came into the shop newspaperwebsite.com with newspaperwebsite.com a pretence of newspaperwebsite.com pawning something, and i remember, newspaperwebsite.com began newspaperwebsite.com laughing with shame you know how it is when people laugh with shame. she became hysterical, i saw newspaperwebsite.com that she was newspaperwebsite.com too, newspaperwebsite.com and it was only caused by the desperateness newspaperwebsite.com of my position. but that is over.... newspaperwebsite.com oh, now you are a personage - a financier! a hint at the pawnbroker s shop. newspaperwebsite.com but by then i had succeeded in recovering my newspaperwebsite.com mastery of myself. i saw that she newspaperwebsite.com was thirsting for explanations that be humiliating to me and - i did not leave her side. i kept telling her i should take her to newspaperwebsite.com boulogne to newspaperwebsite.com bathe in newspaperwebsite.com the sea now, at once, in a newspaperwebsite.com fortnight, that she had not been with them. newspaperwebsite.com newspaperwebsite.com teen titans oekaki gunilla hutton horacio altuna andys muscle tiger.com one winged angel remix hugeboobpics teentitans hentai inutaisho human chimera fused twins newspaperwebsite.com luxurious villa ilios anakee tiffany amber theisen intellext information company search user watson hayden panettiere nude tempest bledsoe time.com he mele no lilo hothat tawnee stone shrine copyright © 2002-2006, all rights reserved. [/p]
[/body]
[/html]


Newspaperwebsite.com was used 71 times in the gibberish text above.

Now, I can’t say that this wasn’t a fun project, but nonetheless, this kind of crap does impede the good name and nature of SEO folks who walk in the white/grey hat line. We all want relevant searches and expect that all of our efforts will certainly help deliver those results. Even though different clients come across our plate, the end result is the same, clients get educated, we learn more about technology, industries and online marketing strategy, and search engines evolve.

Helping to close the gap for these silly tactics to gain ground in, is every SEO’s responsibility. One network of spammers killed off, wastes their money, removes tens of thousands of possibly affected results from coming to fruition and makes search engines/companies happier – leaving us to look as we should, great professionals with a conscious who are united.

Feel free to leave your impression about this topic. Bad or good, Search Engine Optimization comments always lead to evolving technologies, algorithms and techniques.

6 comments:

InfoSourcing said...

Hi,

Thanks for detailed info on URL Hijacking, recently we had one of our customer SERP getting filled with such bad URL's ... what measure could be taken any idea? I tried posting it on search engine watch forum and matt cutts blog and also sent an email to Google reinclusion team to consider ... what else cld be done as i understand this is something Google has to fix ...

Fil NYC said...

It is indeed a sad reality that Google doesn't work with SEO's who care. But nonetheless, we must accept it and do what we can to keep things working as best as we can. THe best thing we can do is arm ourselves with knowledge.

Knowledge of the blackhat, greyhat and whitehat will ensure that we can detect and document issues for Google and major search engines to utilize in developing better algos and cleaning up the garbage that exists.

Until technology advances even further...

Jamie said...

That was alot of effort there to find how this system works.

I hate spammers and recently was subject to header injections on an online email for I used to use. The headachs people cause!!!

FavHost said...

I'll probably get flame for this, but is there a constructive way of using this?

Would it be constructive if you set this up actual content (say newspapers) and have it forward you to your newspaper website?

emerson said...

wow, that was an intense read. I have to agree with favhost, if there was someway to actually employ this for the good of all seo'ers out there, that would be cool. Seems like a lot of effort for Porn.

jake said...

This is a really interesting article.

It's sad but we can't stop other people from doing such actions. And i agree with fil_nyc that we have to arm ourselves with knowledge so that we won't be the one affected with the issues.