Spam affects SERPs despite Panda and Penguin updates

Google professes to wage war on spam, yet payday loans and cloaking techniques can still be found infecting SERPs.

The following example really ought not to show in search results, for the most basic of SEO reasons… obscene keyword repetition and very thin content.

The search ‘car insurance theft’ (at the time of writing) shows a curious entry in position 3, from the Hitchin Light Orchestra. I’m confident that they’d be surprised to know that they are being returned as a relevant result for search on car insurance theft… yet there they are in third place.

The Google preview pane shows that the page content does indeed contain appropriately matching text:

Hijacked site in SERPs
Hijacked site in SERPs

The cached page:

Keyterm Spam infecting the page content
Keyterm Spam infecting the page content

http://webcache.googleusercontent.com/search?q=cache:nNFrrUPXoJ0J:www.hitchinlightorchestra.org/%3Fq%3Dnode/31+car+insurance+theft&cd=3&hl=en&ct=clnk&gl=uk

A closer look at the repeated text:

Cache zoom of Hitchin Light Orchestra Spam-zoomout
Cache zoom of Hitchin Light Orchestra Spam-zoomout

Surely this is easily detectable – it is utter spam.

Thought: Perhaps the new continuously rolling Panda update misses this type of content ?

On selecting the link from Google SERPs, you are not taken to this cached page (did you expect anything else?), but taken through a series of redirections and meta refresh steps to a page full of adsense.

A series of hops cloaking the destination site
A series of hops cloaking the destination site

Looking more closely at the redirections, there is a meta refresh used on the first redirected site, at personal-adv.com

A cloaked redirection
A cloaked redirection

Ultimate destination page, stuffed with adsense and links that carry affiliate code:

The ultimate page is stuffed with adsense
The ultimate page is stuffed with adsense

For example, one link on the page above:

http://www.confused.com/campaign/display-campaign/car-insurance/car-insurance-nectar-11?MediaCode=1095&utm_medium=display&utm_campaign=DirectMarch13&utm_source=Unanimis&utm_content=Motor&utm_term=Textlink

The tracking source is declared as Unanimis.

It is not the first time Unanimis has had trouble, 2 years ago criminals injected ad code into the Unanimis feed and infected sites such as the London Stock Exchange:

Another link:

http://66.246.72.184/c.php?p=ejTzLxtFPan896Q9Qqkm9VT2IUJe-jgTZn4QrGx66ZyfwlKi010jmeVVtOFO-HthQO9jOB9yXzBR14afciisTgM31nuEgmPxMLUr9_6aGRJYtkX06r37WNAUxPOarZ-VpPXyZXFqe4MNF1f5YhwQvq7ERj1WWMETO2V69D60ZBPV485n5YcZS7DimLL9H70fRTbNUwznlMDVsG6q2O80QFqtGIyUieVQWO2Dth2ZckErscCMxV1cYLmLZ1g0sG-QacaPxZNQi53kKS1RWpit1T6FgVxx6lnNuiO4hVH2Xo9e4J5wAeV1ReSrORSL1NJxtdN0MIZ0fsIDbOpE_p8rKAnVDx0u6hEV3f2m1KGd8k_1cRvftUA6PDkCvHqWIddt5lQ29W2jdOhrspiceLOFX26_BGN5kO3RPFMbHpU-gRnYw1nwLQGSEBYhM-UHsWLzrOpAng1MTourETzzfOrv8EiW-EyjbsNtQHB8HqCEhQT2PO8kn_0qkIfH1xtsb-FKhJkdmFacnTL_VANyKZUnT_zk6o3Fadxgcpyw-zxnqM3h2VniAgTcbaGkGga8GubeAh8on5a3Pj-3OJqZI0lC-2lyy9Puw6ZfLEMADjeBhRBFPRJ9J747ug

The IP address 66.246.72.184 has been associated with brute force SSH attacks since 2005.

This appears to be part of a systematic, organized network. The wider questions is that this technique appears to work AND there are a series of  clear ‘spam’ signals here, that appear to have slipped through Google’s gaze – allowing these infected sites to rank with:

  • Keyword stuffing
  • Thin content on an unrelated domain
  • Cloaked redirects including 3 different domains and one meta-refresh step
  • A final destination stuffed with adsense

Each one of those steps should have been sufficient signal to prevent the site appearing in SERPs, yet still it shows, despite Google’s Panda and Penguin updates.

 

Enhanced by Zemanta

Leave a Reply

Your email address will not be published. Required fields are marked *