How to defend yourself against an ongoing negative SEO campaign — Part 4
There are a variety of ways to unmask people targeting your site with a negative SEO campaign. In Part 4 of our six-part series, contributor Joe Sinkwitz outlines common attack methods and how to shut them down.
You know what negative SEO is (and isn’t). You know how to audit your site to determine if you’ve been hit. You know how to protect yourself to limit your exposure. Now it is time to discuss how to defend yourself against an ongoing negative SEO campaign.
Who is attacking you?
There are a variety of ways to unmask the people targeting you and your site with a negative SEO attack. Some depend on the type of attack you’re experiencing. No matter how they are coming at you, you will need to collect some information in order to shut them down.
Let’s look at common attack methods and see how we can turn the tables and use what they’re doing to us — against them.
Inbound links
Using your favorite link analysis tool, you will need to separate the links you expect to have (your old links) from the new ones you believe are coming from an attack. This step is very easy to oversimplify because link scoring varies significantly, depending on your philosophy of links, risk tolerance and which tool you use to score links. The end result of this step is a list of links you think are part of an attack.
Check to see if the links being used against you are related or follow similar footprints:
- Are you seeing a lot of links from low-quality blogs, scraper sites, bookmarking sites, wikis or directories?
- Did a large number of new inbound links pop up at the same time?
- Are a lot of your new links coming from the same IP address or countries?
- Are the new links using the same anchors over and over?
This massive influx of inbound links can be the work of an individual or group using spam software. Spam software tends to leave some telltale traces, such as a high number of links using the same anchors or a concentration of links from a single specific footprint. An example of this might be links inserted in footers like this: “Powered by phpBB © 2000.”
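The footprint checks above (repeated anchors, links appearing at the same time, shared IP ranges) can be run over a backlink export. This is an added example, not code from the article; the CSV column names, the thresholds and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample export; the column names are assumptions, not a tool's real schema.
SAMPLE_CSV = """source_url,anchor,ip,first_seen
http://old-partner.example/resources,Acme Widgets,198.51.100.7,2023-06-11
http://news.example/review,acme widgets review,192.0.2.44,2023-09-30
http://trade.example/members,acme,198.51.100.90,2024-01-15
http://blog-a.example/p1,cheap pills online,203.0.113.10,2024-03-02
http://blog-b.example/p9,cheap pills online,203.0.113.11,2024-03-02
http://wiki-c.example/x,cheap pills online,203.0.113.12,2024-03-02
http://dir-d.example/l,Cheap Pills Online,203.0.113.13,2024-03-02
http://forum-e.example/t,cheap pills online,192.0.2.200,2024-03-02
"""

def load_links(text):
    """Read the export and normalise the fields the checks compare."""
    links = list(csv.DictReader(io.StringIO(text)))
    for link in links:
        link["anchor"] = link["anchor"].strip().lower()
        # /24 grouping assumes IPv4 addresses in the export.
        link["subnet"] = str(ipaddress.ip_network(link["ip"] + "/24", strict=False))
    return links

def footprint_report(links, anchor_share=0.3, burst_share=0.5, min_per_subnet=3):
    """Return the anchors, first-seen days and subnets that dominate the link set."""
    total = len(links)
    anchors = Counter(link["anchor"] for link in links)
    days = Counter(link["first_seen"] for link in links)
    subnets = Counter(link["subnet"] for link in links)
    return {
        "anchor": {a: n for a, n in anchors.items() if n / total >= anchor_share},
        "first_seen": {d: n for d, n in days.items() if n / total >= burst_share},
        "subnet": {s: n for s, n in subnets.items() if n >= min_per_subnet},
    }

def suspect_links(links, report, min_matches=2):
    """Links that share at least min_matches footprints go on the review list."""
    return [link["source_url"] for link in links
            if sum(link[field] in hits for field, hits in report.items()) >= min_matches]

if __name__ == "__main__":
    links = load_links(SAMPLE_CSV)
    report = footprint_report(links)
    print(report)
    print(suspect_links(links, report))
```

Requiring two matching footprints keeps a legitimate link that happens to share one trait, such as a hosting range, off the list.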
If you were to look at your backlinks in your favorite link analysis tool, you might not immediately notice specific patterns or certain types of links. Look for unusual patterns such as adult and pharma anchor text phrases in new links, or a high volume of links you cannot attribute to any of your marketing activities. These types of links may indicate a negative SEO attack implemented by someone using a spam tool, or possibly someone using a network of sites.
If someone is using a network of sites (or blog network) in their attack against you, you may want to give a little visual context to your link data and graph those links using a tool like TouchGraph.com or Gephi.org. These tools will give you a visual representation of your inbound links and allow you to spot patterns and footprints. This is much easier than sorting through mountains of data in a spreadsheet.
Injected content and links
If someone has managed to modify your existing site, you will need access to your server logs to determine which internet protocol (IP) addresses were used for the content or link injection. Some attackers hide their activities behind a series of proxies, but occasionally they slip up and don’t do so, which makes them much easier to find.
If the content created includes URLs you are unfamiliar with, it is even more important to capture IP information on the new URLs, as attackers often return to their targets to check on their work. Sometimes they forget to properly proxy themselves, giving you a glimpse of where they are coming from. You are more likely to identify the attacker from repeated visits to the same unusual URLs from multiple IPs than from visits to older links.
Comment spam
Comment spam links are usually built in one of two ways: manually or by using spamming software. What makes data collection and interpretation easier when it comes to comment spam is your ability to access server logs and isolate which IPs were used in the posting attempts.
Comment spam is pretty easy to spot and easier to fix. You can turn off comments until you can add stronger CAPTCHAs and spam traps like Akismet.com. Personally, I would leave comments off unless you absolutely need them, as I have yet to encounter a CAPTCHA that hasn’t been cracked.
Hotlinking
Hotlinking can be hard to notice until a lot of damage has been done. It’s a practice that can negatively affect your site’s performance, since people embed your images on their site by linking directly to them. This practice uses your bandwidth, which makes offenders easy to discover by looking at traffic coming in via your analytics and data usage in your raw logs. The domains hosting your images can be exported into an attackers list.
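The log work described in the last three sections (IPs that requested injected URLs, IPs behind comment posting attempts, and domains hotlinking images) can be done in one pass over an access log. This is an added example, not code from the article; it assumes the Apache/nginx combined log format and the WordPress default comment endpoint, and the log lines, hosts and paths are constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/nginx "combined" access-log format.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                  r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

# Constructed sample lines; hosts, paths and addresses are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Mar/2024:10:00:01 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "SpamBot/1.0"
203.0.113.5 - - [02/Mar/2024:10:00:03 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "SpamBot/1.0"
198.51.100.23 - - [02/Mar/2024:11:14:09 +0000] "GET /cheap-pills.html HTTP/1.1" 200 4310 "-" "Mozilla/5.0"
192.0.2.77 - - [03/Mar/2024:08:02:44 +0000] "GET /cheap-pills.html?x=1 HTTP/1.1" 200 4310 "-" "Mozilla/5.0"
192.0.2.150 - - [03/Mar/2024:09:30:00 +0000] "GET /img/hero.jpg HTTP/1.1" 200 250000 "http://scraper.example/page" "Mozilla/5.0"
192.0.2.151 - - [03/Mar/2024:09:31:00 +0000] "GET /img/hero.jpg HTTP/1.1" 200 250000 "http://scraper.example/other" "Mozilla/5.0"
192.0.2.9 - - [03/Mar/2024:09:32:00 +0000] "GET /img/hero.jpg HTTP/1.1" 200 250000 "https://www.mysite.example/" "Mozilla/5.0"
"""

def parse(log_text):
    """Parse matching lines into dicts, dropping the query string from the path."""
    entries = [m.groupdict() for m in map(LINE.match, log_text.splitlines()) if m]
    for e in entries:
        e["path"] = e["path"].split("?", 1)[0]
    return entries

def ips_touching(entries, unfamiliar_paths):
    """Map each injected or unfamiliar URL to the sorted IPs that requested it."""
    return {p: sorted({e["ip"] for e in entries if e["path"] == p})
            for p in sorted(unfamiliar_paths)}

def comment_posters(entries, endpoint="/wp-comments-post.php"):
    """Count comment POST attempts per IP (endpoint is the WordPress default)."""
    return dict(Counter(e["ip"] for e in entries
                        if e["method"] == "POST" and e["path"] == endpoint))

def hotlinkers(entries, own_hosts, exts=(".jpg", ".png", ".gif", ".webp")):
    """Sum image bytes served to pages on foreign referrer domains."""
    usage = Counter()
    for e in entries:
        host = urlsplit(e["ref"]).hostname
        if host and host not in own_hosts and e["path"].lower().endswith(exts):
            usage[host] += int(e["bytes"]) if e["bytes"] != "-" else 0
    return dict(usage)

if __name__ == "__main__":
    log = parse(SAMPLE_LOG)
    print(ips_touching(log, {"/cheap-pills.html"}), comment_posters(log))
    print(hotlinkers(log, {"www.mysite.example"}))
```

Requests with an empty or "-" referrer are not counted as hotlinking, since direct visits and privacy-stripped referrers look the same in the log.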
User signals
While not an ideal situation by any means, the best part of someone manipulating user signals is the trail they leave behind. Trails can be easy to follow and are often reported in analytics programs.
The hard part is determining and isolating what we “think” may be manipulated. We have to determine what is purposely being done versus what can be naturally occurring. If the manipulated user signal is unsophisticated, you’ll likely see spikes of spammy traffic on specific pages, which allows you to quarantine that traffic in your server logs to isolate IPs and user agents. In some cases, you may be lucky enough to trace the referral traffic back to a service or tool.
If the user signal manipulation is any kind of distributed denial of service (DDoS) attack, stop and bring in a forensic expert.
Time to make changes
I have listed only the more common negative SEO attack vectors, but for the purposes of introductory data collection, this is enough. The main reason for listing the various steps toward creating a list of attacking sites and ways to stop an attack is to show your attacker you are willing and capable of finding him or her. This makes your site a less appealing victim in the future.
Once you have collected the list of offending IPs and domains, you can attempt to unmask your attacker manually by combing through WHOIS domain registrations and zone files (a text file that exists to describe a DNS zone) looking for registration commonalities. By far the best service to help someone looking to find the person behind a set of IPs and domains is BitDiscovery.com, run by two very famous white-hat hackers, Jeremiah Grossman and Robert Hansen.
The next step before the recovery process can begin is to stop the attacks as best you can and tighten up your site to be less of a target in the future. Here are some main points to consider:
- Think about moving to a dedicated host if you aren’t already on one and layering on a content delivery network for DDoS protection.
- Patch your host and content management system (CMS) with updated security to lessen the risk of a future DDoS or point-of-entry attack.
- Make any necessary CMS modifications to decrease the chance of duplicate content and of content injected through unnecessary search pages, and to ensure proper canonicalization.
- Ensure robots.txt is working.
- Turn off comments!
- In your host settings, your content delivery network (CDN) or WordPress, disable hotlinking of your images.
- Run malware checks.
- Send a warning shot in the form of a cease and desist to the individual or group you’ve unmasked as being the attackers of your site.
- Report the attackers for competitor spam.