Search Engine Optimization and Marketing for E-commerce

Favorite spam comment of the week

by Andrew Kagan 18. April 2011 12:25

Comment spam is an ongoing problem, and it is very difficult to eliminate completely. Putting up spambot barriers is effective, but some spam still slips through, especially comments posted by humans to seed trackbacks, such as this one, which masquerades as an anti-spam question:

Hello, I read your blog occasionally and I own a similar one, and I was just curious if you get a lot of spam remarks? If so, how do you prevent it, any plugin or anything you can suggest? I get so much lately it's driving me mad, so any help is very much appreciated.

Of course, this was posted using a bogus email address and a trackback to a spam domain, and I wasn't lured into approving it. But unless you are moderating your comments, this one would likely escape attention.

Search engines such as Google, Yahoo and Bing continue to try to separate the wheat from the chaff when it comes to deciding which backlinks are relevant to a search and which are just spammers seeding backlinks across thousands of unsuspecting blogs and message boards. The practice has accelerated even as search engines have become better at devaluing such links, leading to more headaches for moderators and admins.

As noted, comment spam can be completely prevented by moderating comments, but this requires the blog or message board admin to evaluate each comment by hand. Even then, spambots and trackback services that employ live people generate a tidal wave of comment spam, so a third-party filter such as Akismet is a necessity. Google's free reCAPTCHA service is another useful tool, but it is no defense against "brute force" by trackback services that pay humans to solve the CAPTCHAs in bulk.

Using both tools together will cut comment spam dramatically (usually by 95-98%), but moderation is still needed to block the 2-5% that gets through. The spam comment above got past both filters on the Search Partner Pro blog.



Google vs. China: Lax security led to hacks

by Andrew Kagan 14. January 2010 03:12

As more information was released about the nature of the attacks by Chinese cyberwarriors against U.S. companies, the "smoking gun" appears to be lax security procedures on the part of Google, and more importantly on the part of the companies that were successfully attacked (only two of which had been publicly identified at the time of writing).

Google quietly started forcing all access to Gmail over secure (SSL) connections once it became apparent that Gmail accounts had been compromised in order to discover users' corporate account information. As is all too often the case with webmail, users fail to realize that an email viewed over a plain HTTP connection can be read, and even altered, at any hop between the webmail server and the client, on a coffee-shop wireless network as easily as at an ISP. The convenience of webmail far outweighed the security concerns... until now. For the record, most corporate webmail systems, e.g. Outlook Web Access, use an encrypted connection between server and client for this reason. One caveat a security engineer would add: SSL protects the session in transit only. It does nothing for an account whose password has been phished or whose PC is infected, and Google's own statement said the activists' accounts in this case were most likely accessed by exactly those means rather than through any breach at Google.

Encrypting every connection between Gmail's servers and the client gives the data in the mailbox far better protection, but it carries a performance cost on Gmail's servers that Google had evidently preferred to avoid. Gmail users already had the option of enabling HTTPS for their sessions, but few did.
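As an added illustration (not code from the original post), here is the check a site operator can run to confirm that a webmail host behaves the way Gmail did after this change: plain-HTTP requests are redirected to HTTPS, session cookies carry the Secure flag so they are never sent in clear, and HTTPS responses announce Strict-Transport-Security. The host name, header values and cookie name below are constructed for the example; only the fetch() helper touches the network.

```python
"""Check whether a webmail (or any) host forces encrypted sessions.

Added example, not from the original post. Given the response a server sends
to a plain-HTTP request for its login page and the headers of the HTTPS page,
it reports the weaknesses that let a mailbox session be read on the wire.
The responses at the bottom are constructed for the example.
"""
from http.client import HTTPConnection, HTTPSConnection
from urllib.parse import urlparse

REDIRECTS = (301, 302, 303, 307, 308)


def _cookies(headers):
    """Set-Cookie may appear once (str) or several times (list)."""
    v = headers.get("set-cookie", [])
    return v if isinstance(v, list) else [v]


def assess_transport(http_status, http_headers, https_headers):
    """Return a sorted, de-duplicated list of findings.

    http_status/http_headers come from a plain http:// request for the login
    page, https_headers from the https:// one. Header names are matched
    case-insensitively.
    """
    http_h = {k.lower(): v for k, v in http_headers.items()}
    https_h = {k.lower(): v for k, v in https_headers.items()}
    findings = set()

    # 1. A plain-HTTP request must be bounced straight to https://.
    location = http_h.get("location", "")
    if http_status not in REDIRECTS or not location.lower().startswith("https://"):
        findings.add("http_not_redirected_to_https")

    # 2. Any session cookie set on either response needs the Secure attribute,
    #    otherwise one http:// link is enough to leak it to a sniffer.
    for hdrs in (http_h, https_h):
        for cookie in _cookies(hdrs):
            name = cookie.split("=", 1)[0].strip()
            attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
            if "secure" not in attrs:
                findings.add("cookie_without_secure_flag:" + name)

    # 3. HSTS tells the browser never to try http:// again for this host.
    if "strict-transport-security" not in https_h:
        findings.add("no_hsts")
    return sorted(findings)


def fetch(url):
    """Fetch url WITHOUT following redirects; returns (status, headers) with
    every Set-Cookie collected into a list. Network access; not used offline."""
    u = urlparse(url)
    conn_cls = HTTPSConnection if u.scheme == "https" else HTTPConnection
    conn = conn_cls(u.netloc, timeout=10)
    conn.request("GET", u.path or "/")
    resp = conn.getresponse()
    headers = {}
    for k, v in resp.getheaders():
        if k.lower() == "set-cookie":
            headers.setdefault("Set-Cookie", []).append(v)
        else:
            headers[k] = v
    return resp.status, headers


# Constructed responses for a hypothetical webmail host, before and after the
# operator forces HTTPS. "SID" is an assumed session-cookie name.
LAX_HTTP = (200, {"Content-Type": "text/html",
                  "Set-Cookie": ["SID=abc123; Path=/; HttpOnly"]})
LAX_HTTPS = {"Content-Type": "text/html",
             "Set-Cookie": ["SID=abc123; Path=/; HttpOnly"]}
STRICT_HTTP = (301, {"Location": "https://mail.example.com/"})
STRICT_HTTPS = {"Strict-Transport-Security": "max-age=31536000",
                "Set-Cookie": ["SID=abc123; Path=/; Secure; HttpOnly"]}

if __name__ == "__main__":
    print("lax:   ", assess_transport(*LAX_HTTP, LAX_HTTPS))
    print("strict:", assess_transport(*STRICT_HTTP, STRICT_HTTPS))
```

Against a live host, call `assess_transport(*fetch("http://mail.example.com/"), fetch("https://mail.example.com/")[1])`. The Strict-Transport-Security check did not exist when this post was written; it is included because it is the check one would run today, and a missing HSTS header on a host that otherwise redirects correctly is a lower-severity finding than the other two.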

Of greater concern are the intrusions themselves. Early reports blamed a previously unknown ("zero day") vulnerability in Adobe Reader, exploited through a trojaned PDF; subsequent analysis instead traced the initial compromise to a zero-day flaw in Internet Explorer, triggered when targeted employees were lured to a web page hosting the exploit. Either way, the malware ran on corporate workstations and gave the attackers a foothold inside the networks, leading to the breaches cited recently. Google said at least twenty other large companies had been targeted, and the real number is likely higher.

The tragedy is that attacks like this succeed against environments that are behind on patching. The Adobe Reader flaw had already been patched by the time the attacks became public, and the Internet Explorer exploit seen in the wild was aimed at IE6, a browser two major versions out of date; Microsoft's out-of-band patch followed within the week, but an organization still running IE6 on unpatched Windows XP workstations in 2010 was exposed long before this exploit was written, as is so often the case. Pity the IT directors who will soon be posting their resumes on LinkedIn.



Beware the perils of Google's Cache!

by Andrew Kagan 5. January 2010 10:57

It's bad enough being hacked, but having it rubbed in your face on Google is never fun. One of our favorite long-time Google sitemap-building tools,, holder of the 1st position in SERPs for "sitemap builder", was apparently hacked by Silent..., and while the site has been repaired (somewhat), Google is still caching the hacked metadata and returning it in search results:


This illustrates how security and search rank go hand in hand: the better your SEO, the more damage a security breach can do to your brand, because the poisoned title and description are the first thing searchers see.

What to do if you're hacked!

The fastest way to repair the damage is to clean the hacked pages, resubmit the sitemap in Google Webmaster Tools so the pages are recrawled, and file a "Remove URL" request in Webmaster Tools to have the outdated cached copy dropped (see below):

Google's Webmaster Tools is your friend in this case, and removal requests are reviewed, so the damage can be minimized if the hack is caught early enough. Catching it early means looking at the page the way Google sees it, not just the way your browser does.
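Added example, not part of the original post: hacked sites of this kind frequently serve the injected title, meta tags and links only to requests that look like Googlebot, which is why the owner sees a clean page while Google indexes and caches the defaced one. The script below extracts the search-visible fields from two responses for the same URL, one fetched as a browser and one as Googlebot, and reports what differs. The two HTML documents, the host names and the link targets are constructed for the example; only fetch_variants() touches the network.

```python
"""Detect SEO spam injected into a page and cloaked from ordinary visitors.

Added illustration, not code from the original post. Compares the fields a
search engine shows in a snippet (title, meta description/keywords, outbound
link hosts) between the page served to a browser and the page served to a
crawler. The sample HTML at the bottom is constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
from urllib.request import Request, urlopen

BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; rv:3.6) Gecko/20100101 Firefox/3.6"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


class SeoFieldParser(HTMLParser):
    """Collect <title>, named <meta> tags and the hosts of all <a href> links,
    including links hidden with CSS, which a crawler still follows."""

    def __init__(self):
        super().__init__()
        self._title_parts = []
        self._in_title = False
        self.meta = {}
        self.link_hosts = set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and attrs.get("name"):
            self.meta[attrs["name"].lower()] = attrs.get("content", "")
        elif tag == "a" and attrs.get("href"):
            host = urlparse(attrs["href"]).netloc.lower()
            if host:
                self.link_hosts.add(host)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self._title_parts.append(data)

    @property
    def title(self):
        return " ".join("".join(self._title_parts).split())


def extract_seo_fields(html):
    p = SeoFieldParser()
    p.feed(html)
    return {"title": p.title, "meta": p.meta, "link_hosts": p.link_hosts}


def cloaking_diff(browser_html, bot_html, own_host):
    """Return the search-visible fields that differ between the two views.
    Links to hosts other than own_host that appear only in the crawler view
    are the classic sign of injected link spam."""
    a, b = extract_seo_fields(browser_html), extract_seo_fields(bot_html)
    diff = {}
    if a["title"] != b["title"]:
        diff["title"] = (a["title"], b["title"])
    for name in sorted(set(a["meta"]) | set(b["meta"])):
        if a["meta"].get(name) != b["meta"].get(name):
            diff["meta:" + name] = (a["meta"].get(name), b["meta"].get(name))
    foreign = {h for h in b["link_hosts"] - a["link_hosts"] if h != own_host.lower()}
    if foreign:
        diff["injected_link_hosts"] = sorted(foreign)
    return diff


def fetch_variants(url):
    """Fetch url twice, as a browser and as Googlebot (network access)."""
    views = []
    for ua in (BROWSER_UA, GOOGLEBOT_UA):
        with urlopen(Request(url, headers={"User-Agent": ua}), timeout=10) as resp:
            views.append(resp.read().decode("utf-8", "replace"))
    return views[0], views[1]


# Constructed responses for one URL on a hypothetical site (www.example.com).
BROWSER_VIEW = """<html><head><title>Sitemap Builder - Free XML sitemap tool</title>
<meta name="description" content="Build Google XML sitemaps for your site.">
</head><body><a href="http://www.example.com/download">Download</a></body></html>"""

GOOGLEBOT_VIEW = """<html><head><title>Cheap pills online - Sitemap Builder</title>
<meta name="description" content="Buy cheap pills online, no prescription.">
<meta name="keywords" content="cheap pills, online pharmacy">
</head><body><a href="http://www.example.com/download">Download</a>
<div style="display:none"><a href="http://pills.example.net/">pills</a></div>
</body></html>"""

if __name__ == "__main__":
    for field, change in cloaking_diff(BROWSER_VIEW, GOOGLEBOT_VIEW, "www.example.com").items():
        print(field, "->", change)
```

For a live check, `cloaking_diff(*fetch_variants("http://www.example.com/"), "www.example.com")` does the same comparison; an empty result means both views agree, which is what you want to confirm before asking Google to refresh its cache.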



Can reCaptcha be hacked?

by Andrew Kagan 1. May 2009 08:27

Fascinating post a couple of days ago about Time Magazine's online annual "100 Most Influential People" poll being hacked by Anonymous. Time let users vote on its website for the person they considered most influential in 2008, using a simple form. Anonymous seized the opportunity to skew the results by spelling out a message with the first initials of the top 21 entries:


Anonymous used an army of bots to swamp Time's legitimate votes. To stem the attack, Time first pulled the form from the page, but the voting endpoint behind it continued to be exploited, so Time finally put reCAPTCHA, a popular anti-spam visual text-matching system, on the form (SearchPartner.Pro uses reCAPTCHA on our contact form). reCAPTCHA is quite effective against known exploits that use OCR (optical character recognition) to read the image and convert it to text, so Anonymous resorted to a "brute force" attack, using its members (humans) to place as many votes as possible.

Anonymous also worked out several techniques for getting around reCAPTCHA's checks so that humans could submit entries faster. In the end, Time was unable to stop the hack, and you can see the results in the image above. Time did not deny that it had been hacked and downplayed the importance of the results.

The news provoked a strong debate on the reCAPTCHA newsgroup: was reCAPTCHA hacked? Hacking a CAPTCHA usually means getting a computer to defeat it, so that no human has to interact with the form at all. No one really knows whether an OCR system exists that can do this today, although attackers keep improving the technology. Using humans to defeat the system is also common, and many teams in China, India, Russia and elsewhere advertise CAPTCHA-solving services, but this isn't so much a hack as overwhelming a single point of protection.

The lesson is that relying on a single technology for protection will inevitably fail, while adding further steps can slow a brute-force attack by orders of magnitude: limit the number of submissions per IP address, embed hidden honeypot fields in forms (which only a bot would see and fill in), add a second factor to the check (e.g. a CAPTCHA plus a random problem to solve, with the answer tied to that one submission so a solved challenge cannot be reused), and so on.
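The following is an added example rather than code from the original posts, and it serves both this list and the comment-spam discussion above: a small guard that layers a honeypot field, a per-IP rate limit and a one-time signed challenge in front of any form handler, so that even a human CAPTCHA-solving service has to solve one challenge per submission and cannot replay a single solution thousands of times. The arithmetic question stands in for the "random problem" second factor; the CAPTCHA image itself and Akismet are outside the example. The field names, limits and secret key are assumptions.

```python
"""Layered protection for a public web form (comment, vote or contact form).

Added illustration, not code from the original posts or from reCAPTCHA. No
single control carries the whole load: a hidden honeypot field that only a
bot fills in, a per-IP sliding-window rate limit, and a challenge token that
is HMAC-signed, expires, commits to the answer of a random arithmetic
question, and can be redeemed only once, so one solved challenge cannot be
replayed for thousands of submissions. Field names, limits and the secret
are assumptions for the example.
"""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque


class FormGuard:
    HONEYPOT_FIELD = "website"  # hidden with CSS; a human never fills it in

    def __init__(self, secret, max_per_window=5, window_seconds=60,
                 token_ttl=900, clock=time.time):
        self._secret = secret                # bytes; keep it out of source control
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self.token_ttl = token_ttl
        self._clock = clock                  # injectable for testing
        self._attempts = defaultdict(deque)  # ip -> timestamps of attempts
        self._redeemed = set()               # nonces that have been used

    def _mac(self, nonce, exp, answer):
        msg = f"{nonce}|{exp}|{answer}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue_challenge(self):
        """Return (token, question): the token goes in a hidden field, the
        question is shown to the user. The token commits to the answer, so the
        server holds no per-form state until the token is redeemed."""
        a, b = secrets.randbelow(9) + 1, secrets.randbelow(9) + 1
        nonce = secrets.token_hex(8)
        exp = int(self._clock()) + self.token_ttl
        token = f"{nonce}.{exp}.{self._mac(nonce, exp, str(a + b))}"
        return token, f"What is {a} + {b}?"

    def _over_limit(self, ip):
        """Record an attempt and report whether ip exceeded the window."""
        now = self._clock()
        q = self._attempts[ip]
        while q and now - q[0] > self.window_seconds:
            q.popleft()
        q.append(now)
        return len(q) > self.max_per_window

    def check(self, ip, form):
        """Validate one submission; returns (accepted, reason). Every attempt,
        accepted or not, counts toward the rate limit."""
        if self._over_limit(ip):
            return False, "rate_limit"
        if form.get(self.HONEYPOT_FIELD):
            return False, "honeypot"
        try:
            nonce, exp, mac = form.get("token", "").split(".")
            exp = int(exp)
        except ValueError:
            return False, "bad_token"
        if exp < self._clock():
            return False, "expired"
        expected = self._mac(nonce, exp, form.get("answer", "").strip())
        if not hmac.compare_digest(mac, expected):
            return False, "wrong_answer"  # wrong answer or forged token
        if nonce in self._redeemed:
            return False, "replay"
        self._redeemed.add(nonce)
        return True, "ok"


if __name__ == "__main__":
    guard = FormGuard(secrets.token_bytes(32))
    token, question = guard.issue_challenge()
    print(question)
    print(guard.check("203.0.113.5", {"token": token, "answer": "guess"}))
    print(guard.check("203.0.113.5", {"token": token, "answer": "3", "website": "spam"}))
```

The order of the checks is deliberate: the cheap ones (rate limit, honeypot) run before the HMAC, so a flood of bot traffic never reaches the expensive step. In production the redeemed-nonce set needs to be pruned once tokens expire and shared across web servers (for example in a cache with a TTL equal to token_ttl), and the per-IP limit should be tuned for users behind shared NAT addresses.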



Powered by BlogEngine.NET
Theme by Mads Kristensen updated by Search Partner Pro