Forum Spammers Abound
I have managed the syslog.org site for over a decade now and I have seen a lot of spammers. Fighting the spam battle used to be pretty straight forward on this low volume forum running the Simple Machines software. When a forum only gets a few posts a week, it’s pretty easy to pick out the spam. For a while, the spammers were hell-bent on submitting cleverly written posts with a signature that included a link to the site they were spamming. I like to think of this period in forum spamming as “fitting in”. They didn’t contribute to the conversation, but it wasn’t obnoxious, either. My read is that the spammer hoped the comment would be ignored by moderators. Legit people making real contributions to the forum were and are welcome to include a link in the signature, but everyone else got banned.
“Fitting in” morphed into a much more blatant kind of spam I call the “dump and run”. In the “dump and run”, the spammer submits a post that is generally quite long in the form of a short story or informational paragraph about the topic of the site being spammed. Key words in the post are linked back to the site being promoted. Clearly these posts don’t fit the context of nearly any forum, and so are going to stick out as spam everywhere. Here are my theories on this type of spam:
- As search engines have evolved, they reward sites with links that come in from materially relevant content about the topic of the site in question. Spammers know this.
- There are a significant number of forums out on the Internet that are totally unmanaged, mismanaged or simply too busy to properly catch spam. I think it is these sites that the spammer is hoping to hit on. I suspect they don’t know which is which, and so shoot for quantity, hoping some percentage of what is submitted ends up sticking around.
The “Dump and Runs” still occasionally happen, though far less frequently than in the past. Now there is a new tactic being employed by spammers, which I call “silent account bombing”. In a silent account bombing run, the spammer creates a forum account, activates the account, then updates the web site and signature fields in the account profile to contain the “payload” of spam. The accounts are not intended to be used; rather they lay silent waiting to be indexed by search engine crawler. From the perspective of a spammer, this is a good solution. Few forums pay attention to accounts being created. Those that are diligent about spam are looking for spammy posts, not spammy user accounts.
I’ve noticed a substantial increase in the number of these accounts being created in recent months. I like to think that it’s because my forum is so damn important that everyone wants to have their spam attached to it. I see roughly 100 to 150 unique, automated bots per day to create accounts on the forum. The anti-spam systems are pretty effective at keeping the bots out, but there are a number each day performed by people.
In fact, while I was writing this post, a new spam account was created.
What timing! The spammer is located in the Philippines. The first link to “Charlotte Personal Injury Lawyer” goes to a reputable looking site for a law firm in North Carolina. The second link in the signature goes to a site that helps visitors find a lawyer based on their needs. There is really only one explanation for this: the sites have contracted with a search engine marketer – probably an legitimate looking business in the US. That marketer turns around and sub-contracts emerging market labor (from the Philippines in this case), likely paying a few dollars for per some number of submissions like the one above.
It is clear that the person spamming the site has experience (or good directions from someone with experience) in both search engine marketing AND the forum software used on this site. The account page has been transformed into a fairly wordy “article” about law and lawyers. The Picture/Text area has a nice little quote about law, the signature is a small paragraph about what makes a good lawyer. Well written. Nearly all of them look like this. Whether about car insurance, unlocked cell phones or lawyers.
With a little bit of Google magic it is pretty easy to find the other side of the story. For instance, this link goes to a page full of links. All are profiles from many different forums that a spammer has dropped. I found this site by searching for”www.syslog.org/forum”. Every one of the links goes to a profile that contains a link, in turn, with the anchor tag “yeast infection home remedy” among others, and all of the links, with the exception of 2 or 3, including syslog.org, are still active with the spam links in place.
For those who are new to this, let me give you a little primer… The name of the game is getting your site to the top of a Google search for a keyword, in this case “yeast infection home remedies”. The person owning the target site uses what is called “affiliate marketing” to make money. He places sells a link on his site (the only links, I might add) to a company called Clickbank. The owner of the site gets paid each time someone clicks the link. He knows that the more visitors he gets, the more he will get paid. So, he hires a marketing company (or is a marketer himself), who sets up a few pages linking into the main site with the affiliate links. Then, for each of those sites linking to the main site, he builds a farm of links from forum profiles, containing the right anchor text, like “yeast infection home remedy”. That’s helpful to him, but only if Google knows about them and considers them important. So, he goes and builds ANOTHER layer of sites linking in to the profile pages. Google and other search engines rank sites based on the number and quality of links into a given site for a given key word, among other factors. This is a linking tree, and it is pretty effective. The term “yeast infection home remedy” appears to be quite competitive, and looking at the first few pages of search results for that term show that the majority of sites are spam pages. Unfortunately for the person in our case, the linking tree didn’t get him into the top few pages for that term.
I have not found a way to address either the automated account registrations that leave hundreds of new but unactivated accounts, nor the manually created accounts with a spammy payload. To clean up the mess, about once per week I log into the SMF admin panel, go to the members and sort by number of posts. I spend a few minutes deleting users with zero posts.
So, if you moderate a forum, this is something to look out for. I am curious to see what the next clever angle the spammers will try on my, and other, sites.
[...] a previous post, I described a spam attack the syslog forum was under. The attack intensified pretty dramatically [...]