Outing Unethical .gov Link Techniques


About the Author


Joe Whyte has been developing, managing and implementing successful, innovative, bleeding edge digital marketing strategies for Fortune 500 companies for over 7 years.

24 Comments

  1. John says:

    Of course, a real black hat would first check the robots.txt file before filling this type of page with spam.

    http://search.pandemicflu.gov/robots.txt

    User-agent: *
    Disallow: /

  2. John says:

    You also don’t need the toolbar, this page is already a get. Even if it wasn’t, if you need a toolbar to figure this out, you shouldn’t be playing with this type of thing.

    Beware of ‘SEO Toolbars’.

  3. phaithful says:

    I’d like to point out that the Web Developer Toolbar is not an ‘SEO Toolbar’

  4. Adam Maywald says:

    What about your gambling problem? You gotta love that California has a .gov site on gambling. I wonder if the casino guys have bought out anyone at the site yet to give them a few gambling .gov links? :)

  5. Pale says:

    Forgive me for asking – What part does No-ip.com play in this?

  6. jcoronella says:

    >> Web Developer Toolbar

    Yes, of course, sorry. Allow me to rephrase… “Beware of ‘Toolbars’”

    >> No-ip.com

    I think he means that you can use a URL redirect service to add keywords to the URL. The problem is it inserts an additional 302 and, in the case of no-ip in particular, will severely lower the weight of the links you send (high on G’s radar at least).

  7. Joe whyte says:

    By doing a redirect you are able to take a URL that is very long, has dynamic symbols in it and is in nature hard to get indexed and condense it so that you are able to get it indexed.

  8. CS says:

    “For anyone considering actually doing this, I emphasize that the technique is not considered ethical. My main purpose here is to bring awareness to .gov sites about this practice to help them prevent spam!”

    Without providing a solution, aren’t you just teaching and promoting the technique? I don’t see any spam preventing assistance here.

  9. Pale says:

    C’mon Joe… it’s linkbait.
    It’s not what you say you intended to happen that counts, it’s what does actually happen that matters. We’re all responsible for the consequences of our actions.
    All the amateur wannabe spammers like me will congregate at Joe’s place in the future if we get red hot tips like this…

  10. “Without providing a solution, aren’t you just teaching and promoting the technique? I don’t see any spam preventing assistance here.”

    How would you expose the technique without revealing the details? Besides, in order to prevent this kind of abuse, those sites need to take control of their servers and their pages.

    “It’s not what you say you intended to happen that counts, it’s what does actually happen that matters.”

    In that case every single SEM tactic is spam. You can tell people how to get quality links but they can use the tactic to promote their spammy ringtone website.

  11. Jeff Martin says:

    I think it’s a hoot that this is using Google’s search appliance. Quite possible that the disallow in the robots.txt is placed by default by the appliance.

  12. Interestingly Average says:

    Forget unethical. This is probably illegal. Since it is technically an XSS exploit (using a link on one server to cause another server to embed unauthorized content) you could, in theory, face prosecution if caught. If you were really evil, you would be embedding a javascript that hijacks user data into the link.

    As far as wanting a fix, the only fix for this is improved input checking on the part of the server. The server should be stripping quotes and the greater than and less than symbols, or replacing them with underscores for the database lookup (such that "SELECT * FROM table WHERE field = 'forminput'" becomes "SELECT * FROM table WHERE field LIKE '".ereg_replace("[\"\\\']", "_", $forminput)."'" in PHP).
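The server-side fix discussed in this comment, shown as an added example (not code from the page, the commenter, or the affected site): the query parameter is HTML-encoded at the point where the results page echoes it back, so markup supplied in the search term is displayed as text rather than rendered. The URL, function names and page template are assumptions made for the demonstration.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Constructed request URL (not a real site); the q= value carries a harmless
# script tag so the difference between the two renderers is visible.
SAMPLE_URL = ("https://search.example.gov/search"
              "?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&site=default")


def extract_query(url: str) -> str:
    """Return the percent-decoded value of the q= parameter ('' if absent)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("q", [""])[0]


def render_results_vulnerable(query: str) -> str:
    """Echoes the raw query into the page: the reflected-XSS sink."""
    return f"<p>Results for: <b>{query}</b></p>"


def render_results_hardened(query: str) -> str:
    """HTML-encodes the query before reflecting it. quote=True also encodes
    quotes, so the value is safe inside attributes, not just element text."""
    safe = html.escape(query, quote=True)
    return f"<p>Results for: <b>{safe}</b></p>"


def contains_live_markup(page: str, query: str) -> bool:
    """True if a query containing markup characters reached the page unencoded."""
    return any(ch in query for ch in "<>\"'") and query in page


if __name__ == "__main__":
    q = extract_query(SAMPLE_URL)
    print(render_results_vulnerable(q))   # script tag survives intact
    print(render_results_hardened(q))     # shown as &lt;script&gt;... text
```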

  13. ChrisCD says:

    Forgive me for being a goofball, how would we check to see if someone exploited our site in this way?

    Would I simply look for a file in our web directory folder that I know we didn’t create?

    How would we protect ourselves from this in the future?

  14. To check for this, search terms entered by users should be logged every time the results page is shown, with characters such as and ” flagged. This log file MUST be sanitized before it is displayed, or you could be subjected to the same XSS vulnerabilities.

    I just posted a somewhat more detailed post on my new blog covering a little bit of what is possible with this type of vulnerability, as well as a few steps to find out if an XSS vulnerability has been posted to your site. Click the link above to check it out, and give me any feedback.
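The check described in this comment, as an added example that is not the commenter's code: search terms are pulled out of access-log lines, entries containing markup-significant characters are flagged, and the review report HTML-encodes every term so the report page cannot be exploited by the strings it lists. The log lines, the `/search` path and the `q=` parameter name are constructed assumptions.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines in common log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2008:10:01:02 +0000] "GET /search?q=flu+shot+clinic HTTP/1.1" 200 5120
203.0.113.9 - - [12/Mar/2008:10:01:40 +0000] "GET /search?q=%22%3E%3Ca+href%3D%22http%3A%2F%2Fexample.net%2F%22%3Ecasino%3C%2Fa%3E HTTP/1.1" 200 5204
203.0.113.7 - - [12/Mar/2008:10:02:11 +0000] "GET /search?q=pandemic+plan+%27quote%27 HTTP/1.1" 200 5100
"""

# Characters that let a reflected value break out of text into markup.
SUSPICIOUS = set("<>\"'")
REQUEST_RE = re.compile(r'"GET (\S+) HTTP/[\d.]+"')


def search_terms(log_text: str):
    """Yield (client_ip, decoded query) for every request to /search."""
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if parts.path != "/search":
            continue
        q = parse_qs(parts.query, keep_blank_values=True).get("q", [""])[0]
        yield line.split()[0], q


def flagged_terms(log_text: str):
    """Keep only searches whose decoded term contains a suspicious character."""
    return [(ip, q) for ip, q in search_terms(log_text) if SUSPICIOUS & set(q)]


def report_html(entries) -> str:
    """Render flagged entries for a reviewer; terms are encoded, never echoed raw."""
    rows = "".join(
        f"<tr><td>{html.escape(ip)}</td><td>{html.escape(q, quote=True)}</td></tr>"
        for ip, q in entries
    )
    return f"<table>{rows}</table>"


if __name__ == "__main__":
    print(report_html(flagged_terms(SAMPLE_LOG)))
```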

  15. ChrisCD says:

    Interestingly Average:

    Thanks for the info and the extra post on your blog. I did some testing and our form just gets redirected as an email. The script alerts just came over as text. Our mail program (OE) did not run the scripts.

    I did some searching on the big-3 and didn’t find any nefarious links.

    Also, I don’t remember who made the comment, but this seems beyond black-hat. To hi-jack someone’s page in this manner seems illegal. And to leave a nice trail with links back to your site doesn’t seem all that intelligent.

  16. pale says:

    Doesn’t the use of no-ip.com make tracing the abuser very difficult?

  17. Kun Dang says:

    Nice tips, but aren’t you missing one critical point, if found out, don’t you take the risk of what is probably highly unethical and even downright illegal?

    You may have hidden your IP, but isn’t your calling card left on the .gov site with the link pointing right back at you?

  18. Pale says:

    Kun Dang >> The fact that the link points straight to one site in particular means nothing.
    Perhaps your competitor did it all to cause you some grief, perhaps he managed to make the link live by posting it parasitically on some other poor sucker’s site.
    Where’s the evidence to incriminate anyone in particular?
    Hell, if detection was that easy my inbox would not be full of spam every day.

    Whilst I bow to superior knowledge outlined above, I find it difficult to understand why merely using a search box on someone else’s site should lead to a criminal conviction. If they want to create an orphaned page with a link on it, that’s their business. If I want to link to it, that’s my business. Can anyone outline why and where it’s illegal?

  19. For me it’s not so much the SEO, that you can use this to create inbound links. You could embed almost anything into that search results page, including small javascripts that could send session data back to a third party. This could be used for identity theft and more. If this gets added to the search engine, the user thinks they are going to a trustworthy web page because it is on a government domain, but malicious code embedded through this trick opens them up to any number of vulnerabilities. Imagine if you used this method to embed an Iframe or a link to a hostile applet.

  20. So, brand new. “an truly make a difference in an SEO campaign.” ???

    This is called an XSS attack or whatever term the folks gave it 14-16 months ago… I think I read it on forums around April last year and a ton of others posted about this, not very effective, way to get links…

    christoph

  21. The robots.txt file of the search.*.gov subdomain wouldn’t be queried, because that isn’t the host to be indexed/ranked. The redirect host would be checked: it’s the address that a person (good, bad, or ugly) would be trying to get indexed.

  22. Testing this a bit further, I can not find any benefit to this XSS attack. Search engines use an interstitial page so that they can track which listing a user clicks on, and this uses a 302 redirect. No major search engine puts any weight on 302 redirects, so the link gained through this method is, in most cases, worthless from an SEO purpose.

  23. Black Hat Spammers used to have to buy .edu & .gov links and now they can learn how to do it themselves! Now the only ones who buy those links are just the lazy ones.

    I agree with the need to provide a solution, otherwise this is just self promotion. You might try emailing this article to any and all edu & gov webmasters you can to at least get it in front of the right people.

    Just a suggestion.
