Outing Unethical .gov Link Techniques


Link acquisition and dynamic link development take ingenuity. The most effective link developers are those who search for new ways to gain inbound links that can truly make a difference in an SEO campaign. However, some link development tactics use weak spots in websites and take advantage of them in an unethical manner. I’m going to share one of those tactics with you, in the hope that .gov sites that are open to this kind of manipulation can safeguard their security and reputation.

TLDs like .edu and .gov are highly coveted. I recently did a post showing the power of an .edu link and how to acquire one ethically. The power of these .gov sites comes from the many years they have been online, the number of quality links they have, and the “trust” rank they have with search engines.

This technique has been abused in the past, and 9 out of 10 attempts to put it in place are still done incorrectly. For anyone considering actually doing this, I emphasize that the technique is not considered ethical. My main purpose here is to bring awareness to .gov sites about this practice to help them prevent spam!

To illustrate this, I did a search in Google for “.gov”, went to the 5th page of results, and clicked on a random link. The first one I found was pandemicflu.gov. This site is a prime example of the “get posts” exploit.

The first thing you need to do is install the Web Developer Toolbar into your Firefox browser, which can be found here.

The next thing is simply to select “forms” from the Web Developer Toolbar, then “convert form”, then “turn posts to gets”. I have included a screenshot so you can see what I have done.

[Screenshot: steps to convert the form]

As you can see above, all you need to do is change the form’s method from POST to GET in order to create links on a dynamic page. After you convert this form, a message will pop up notifying you that you have just converted the forms. At this time, you need to enter your anchor (a href) code in the search box. I have included an image below that shows you how this is done.

[Screenshot: the converted form]

The last step is the results page. This results page has a few elements I want to point out. I have inserted a thumbnail below. Click on the thumbnail to see the entire document. The links that are on this page are real links back to the page I am linking to.

You will see that the URL is pretty dynamic in nature, and most SEOs know that this URL will have a very hard time getting picked up … and will possibly never get picked up. Once you create this page it is live as long as you have a link back to it. The server on the .gov site creates a dynamic orphaned page and catalogs this on their database. In order to have this URL picked up, you can use a service like No-ip.com which masks URLs and makes URLs that are longer and more SEO-friendly.
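What the technique above relies on is a results page that reflects the search parameter into its HTML without escaping it. The following is an added example (not code from the original post or from any .gov site) that shows the vulnerable rendering beside the hardened one, using a constructed GET request with a hypothetical host and `q` parameter:

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed example of the kind of GET request the post describes: the
# search parameter carries anchor markup instead of a plain query.
# (Hypothetical host and parameter name; not from the original post.)
CONSTRUCTED_URL = (
    "https://search.example.gov/results?q="
    "%3Ca+href%3D%22http%3A%2F%2Fspam.example%22%3Eclick%3C%2Fa%3E"
)


def query_from_url(url: str) -> str:
    """Return the raw 'q' parameter as the server receives it after URL decoding."""
    params = parse_qs(urlsplit(url).query)
    return params.get("q", [""])[0]


def render_results_vulnerable(query: str) -> str:
    """Reflects the query into the page unescaped: any <a> tag in the query
    becomes a real link in the rendered results page."""
    return f"<h1>Results for {query}</h1>"


def render_results_hardened(query: str) -> str:
    """Same page, but the query is HTML-escaped on output, so the browser
    shows the markup as text and creates no link."""
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


def contains_live_link(rendered_html: str) -> bool:
    """Crude check used to show the difference: is there an unescaped anchor tag?"""
    return "<a " in rendered_html.lower()


if __name__ == "__main__":
    q = query_from_url(CONSTRUCTED_URL)
    print("decoded query :", q)
    print("vulnerable    :", render_results_vulnerable(q))
    print("hardened      :", render_results_hardened(q))
```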

The nature of the abuse in obtaining links this way is that it not only HURTS the credibility of an SEO, but it can hinder a client’s results. The Internet is a fast-paced and rapidly growing medium. Top-level authority sites like pandemicflu.gov need to take on the responsibility of maintaining and policing their websites to help prevent spam. Unfortunately, spammers will continue to spam, and they will keep using methods that take advantage of weak spots in websites.

As ethical link builders, it is important for us to have forward-looking conversations and create campaigns to prevent the SERPS from filling with garbage. If you are involved with .gov sites, find out if you are vulnerable to this method and put a stop to it. It’s good for everyone in the long run.

About the Author

Joe Whyte has been developing, managing and implementing successful, innovative, bleeding edge digital marketing strategies for Fortune 500 companies for over 7 years.


24 Comments

  1. Of course, a real black hat would first check the robots.txt file before filling this type of page with spam.

    http://search.pandemicflu.gov/robots.txt
    User-agent: *
    Disallow: /

  2. You also don't need the toolbar, this page is already a get. Even if it wasn't, if you need a toolbar to figure this out, you shouldn't be playing with this type of thing. Beware of 'SEO Toolbars'.

  3. phaithful

    I'd like to point out that the Web Developer Toolbar is not an 'SEO Toolbar'

  4. What about your gambling problem? You gotta love that California has a .gov site on gambling. I wonder if the casino guys have bought out anyone at the site yet to give them a few gambling .gov links? :)

  5. Pale

    Forgive me for asking - What part does No-ip.com play in this?

  6. >> Web Developer Toolbar Yes, of course, sorry. Allow me to rephrase... "Beware of 'Toolbars'" >> No-ip.com I think he means that you can use a URL redirect service to add keywords to the URL. The problem is it inserts an additional 302 and, in the case of no-ip in particular, will severely lower the weight of the links you send (high on G's radar at least).

  7. By doing a redirect you are able to take a URL that is very long, has dynamic symbols in it and is in nature hard to get indexed and condense it so that you are able to get it indexed.

  8. CS

    "For anyone considering actually doing this, I emphasize that the technique is not considered ethical. My main purpose here is to bring awareness to .gov sites about this practice to help them prevent spam!" Without providing a solution, aren't you just teaching and promoting the technique? I don't see any spam preventing assistance here.

  9. Pale

    C'mon Joe... it's linkbait. It's not what you say you intended to happen that counts, it's what does actually happen that matters. We're all responsible for the consequences of our actions. All the amateur wannabe spammers like me will congregate at Joe's place in the future if we get red hot tips like this.......

  10. "Without providing a solution, aren’t you just teaching and promoting the technique? I don’t see any spam preventing assistance here." How would you expose the technique without revealing the details? Besides, in order to prevent this kind of abuse, those sites need to take control of their servers and their pages. "It's not what you say you intended to happen that counts, it's what does actually happen that matters." In that case every single SEM tactic is spam. You can tell people how to get quality links but they can use the tactic to promote their spammy ringtone website.

  11. Jeff Martin

    I think it's a hoot that this is using Google's search appliance. Quite possible that the disallow in the robots.txt is placed by default by the appliance.

  12. Interestingly Average

    Forget unethical. This is probably illegal. Since it is technically an XSS exploit (using a link on one server to cause another server to embed unauthorized content) you could, in theory, face prosecution if caught. If you were really evil, you would be embedding a javascript that hijacks user data into the link. As far as wanting a fix, the only fix for this is improved input checking on the part of the server. The server should be stripping quotes and the greater than and less than symbols, or replacing them with underscores for the database lookup (such that "SELECT * FROM table WHERE field = 'forminput'" becomes "SELECT * FROM table WHERE field LIKE '".ereg_replace("[\"\\\']", "_", $forminput)."'" in PHP).

  13. ChrisCD

    Forgive me for being a goofball, how would we check to see if someone exploited our site in this way? Would I simply look for a file in our web directory folder that I know we didn't create? How would we protect ourselves from this in the future?

  14. To check for this, search terms entered by users should be logged every time the results page is shown, with characters such as < and " flagged. This log file MUST be sanitized before it is displayed, or you could be subjected to the same XSS vulnerabilities. I just posted a somewhat more detailed post on my new blog covering a little bit of what is possible with this type of vulnerability, as well as a few steps to find out if an XSS vulnerability has been posted to your site. Click the link above to check it out, and give me any feedback.
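As an added illustration of the logging-and-flagging approach suggested in the comment above (example code, not the commenter's own), this scans constructed access-log lines for search terms that contain markup characters and renders the review report with every term escaped, so the report page does not reproduce the same flaw. The `/search` path, the `q` parameter and the log lines are all constructed assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in combined-log shape (not real traffic).
CONSTRUCTED_LOG = """\
203.0.113.5 - - [10/Mar/2008:12:00:01 +0000] "GET /search?q=flu+vaccine HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2008:12:00:09 +0000] "GET /search?q=%3Ca+href%3D%22http%3A%2F%2Fspam.example%22%3Ecasino%3C%2Fa%3E HTTP/1.1" 200 5300
198.51.100.2 - - [10/Mar/2008:12:01:15 +0000] "GET /search?q=%22%3E%3Cb%3Etest HTTP/1.1" 200 5280
198.51.100.9 - - [10/Mar/2008:12:02:40 +0000] "GET /about.html HTTP/1.1" 200 2200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)'
)
# Characters the comment says to flag, plus two markup tell-tales.
SUSPICIOUS = re.compile(r'[<>"]|href\s*=|javascript:', re.IGNORECASE)


def search_terms(log_text: str):
    """Yield (ip, timestamp, decoded query) for every request to the search page."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("path"))
        if parts.path != "/search":  # assumed search endpoint
            continue
        query = parse_qs(parts.query).get("q", [""])[0]
        yield m.group("ip"), m.group("ts"), query


def flag_suspicious(log_text: str):
    """Return only the search requests whose decoded term contains markup characters."""
    return [(ip, ts, q) for ip, ts, q in search_terms(log_text) if SUSPICIOUS.search(q)]


def report_html(flagged) -> str:
    """Render flagged terms for a review page, escaping each field so the
    review page itself cannot be turned into a second reflection point."""
    rows = "".join(
        f"<tr><td>{html.escape(ip)}</td><td>{html.escape(ts)}</td>"
        f"<td>{html.escape(q, quote=True)}</td></tr>"
        for ip, ts, q in flagged
    )
    return f"<table>{rows}</table>"


if __name__ == "__main__":
    for ip, ts, q in flag_suspicious(CONSTRUCTED_LOG):
        print(f"{ts} {ip} flagged term: {q!r}")
```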

  15. ChrisCD

    Interestingly Average: Thanks for the info and the extra post on your blog. I did some testing and our form just gets redirected as an email. The script alerts just came over as text. Our mail program (OE) did not run the scripts. I did some searching on the big-3 and didn't find any nefarious links. Also, I don't remember who made the comment, but this seems beyond black-hat. To hijack someone's page in this manner seems illegal. And to leave a nice trail with links back to your site doesn't seem all that intelligent.

  16. pale

    Doesn't the use of no-ip.com make tracing the abuser very difficult?

  17. Nice tips, but aren't you missing one critical point, if found out, don't you take the risk of what is probably highly unethical and even downright illegal? You may have hidden your IP, but isn't your calling card left on the .gov site with the link pointing right back at you?

  18. Pale

    Kun Dang >> The fact that the link points straight to one site in particular means nothing. Perhaps your competitor did it all to cause you some grief, perhaps he managed to make the link live by posting it parasitically on some other poor sucker's site. Where's the evidence to incriminate anyone in particular? Hell, if detection was that easy my inbox would not be full of spam every day. Whilst I bow to superior knowledge outlined above, I find it difficult to understand why merely using a search box on someone else's site should lead to a criminal conviction. If they want to create an orphaned page with a link on it, that's their business. If I want to link to it, that's my business. Can anyone outline why and where it's illegal?

  19. For me it's not so much the SEO, that you can use this to create inbound links. You could embed almost anything into that search results page, including small javascripts that could send session data back to a third party. This could be used for identity theft and more. If this gets added to the search engine, the user thinks they are going to a trustworthy web page because it is on a government domain, but malicious code embedded through this trick opens them up to any number of vulnerabilities. Imagine if you used this method to embed an Iframe or a link to a hostile applet.

  20. So, brand new. "an truly make a difference in an SEO campaign." ??? This is called an XSS attack, or whatever term the folks gave it 14-16 months ago... I think I read it on forums around April last year and a ton of others posted about this, not very effective, way to get links.... christoph

  21. The robots.txt file of the search.*.gov subdomain wouldn't be queried, because that isn't the host to be indexed/ranked. The redirect host would be checked: it's the address that a person (good, bad, or ugly) would be trying to get indexed.

  22. Testing this a bit further, I can not find any benefit to this XSS attack. Search engines use an interstitial page so that they can track which listing a user clicks on, and this uses a 302 redirect. No major search engine puts any weight on 302 redirects, so the link gained through this method is, in most cases, worthless from an SEO purpose.

  23. Black Hat Spammers use to have to buy .edu & .gov links and now they can learn how to do it themselves! Now the only ones who buy those links are just the lazy ones. I agree with the need to provide a solution, otherwise this is just self promotion. You might try emailing this article to any and all edu & gov webmasters you can to at least get it in front of the right people. Just a suggestion.