If you own a website, especially one with English content, chances are that you will get spammed, sooner or later. If you don’t start protecting yourself as soon as possible, you will definitely have some trouble with it.
To help you out, we’ve gathered a list of the 5 most common types of SPAM and what you can do to protect yourself against them. You’ll see what exactly SPAM is, why people practice it and how you can fight back.
If you’ve been in business for a while, then you’ve probably dealt with it already. However, if you’re just starting out, you probably have a lot of things on your mind. Protection against spam might get overlooked. It might not be a big problem at first, but it can get pretty bad if left unattended.
What Is SPAM and Why Does It Exist?
There are two definitions for SPAM:
- A tinned meat product made mainly from ham.
- Irrelevant or unsolicited messages sent over the Internet, typically to a large number of users, for the purposes of advertising, phishing, spreading malware, etc.
Both these definitions are accurate. But why did I cover them both? Well, just as a fun fact. Internet SPAM actually gets its name from the canned meat brand called SPAM. SPAM cans were very popular and would often take up large spaces in stores. You could find them everywhere in very large quantities.
When internet mass messaging started to arise, the name SPAM was mentioned somewhere on a forum. It stuck with it and the phenomenon eventually got more popular than the canned food itself. Today, ask someone if they know what SPAM is and they will probably refer to it as unsolicited messages over the internet.
In the early days of the internet, SPAM was usually limited to e-mails but, over the years, internet SPAM has evolved.
Many things are now considered to be SPAM, from sending e-mails to blasting comments on websites.
So why do people use SPAM as a marketing method? Well… in short, because it works. It’s becoming harder to do it because of filters and advanced technology, but it still works. Cold selling is still very effective. If you’ve watched The Wolf of Wall Street then you know how this works.
The difference was that Jordan Belfort was cold calling people he knew were interested in stocks. A spammer often doesn’t care about that. They just collect a huge number of e-mails and then blast them with any offer they have. Not once, but continuously.
In SEO, SPAM is usually a byproduct of BlackHat SEO. In order to promote their offers, spammers use techniques like keyword stuffing and article spinning (automatic rewriting of content, using software) as well as automatic link building. You should never engage in such techniques, as it could harm your business and even bring legal issues.
However, this article isn’t about what you shouldn’t be doing, but about how to protect yourself when others try to do shady things. Although spam and scam have many things in common, we’re not going to cover the ‘business’ types behind SPAM, but the methods used to do it.
That being said, here are 5 of the most common methods spammers use and how you can effectively protect yourself against them.
1. Comment Spam
Comment spam is awful. If you get hit by one of these, you’ll be annoyed.
Comment spam is used to build backlinks.
The spammer uses software, such as ScrapeBox, to find potential targets and blasts them with comments. The comments are useless to the victim, but create backlinks to the spammer’s website.
You might think that removing the possibility of adding links will discourage spammers from targeting your website. However, this is rarely the case, since most spammers don’t spend too much time checking these things. They just blast everything in their way, as long as they’re related to their niche.
Have a glimpse at the website below. This is what happened because I forgot to protect it from comment spam and left it unmonitored for a while:
Yes, that’s right. Over 12,000 spammy comments. As you can see, none of these were actually live, since they weren’t autoapproved.
Things get even worse if you have them automatically approved, as spammers usually trade these assets between them.
The spam above resulted in my server getting slow and Google banning my IP for Gmail. That’s actually how I found out about the SPAM. The WordPress notifications were so many in such a short time that Google sent them directly to the Spam section, so I didn’t notice them until I couldn’t send any e-mails at all through my business addresses.
The mistake: Not using a Captcha. I used this WordPress plugin to remove all comments at once. Manually deleting them would’ve taken months. If you’re on another popular platform or CMS (Content Management System), I’m sure you can find similar plugins by searching Google.
Solution #1. I added a Google reCAPTCHA plugin on every other section of the website, login page, contact forms, etc. You can use any captcha plugin, but note that there is software out there that can solve these automatically. Spammers even use human Captcha solving farms from developing countries.
Solution #2. Activate the Akismet Anti-Spam plugin. It comes pre-installed with WordPress, it’s easy to set up and it’s very effective. Again, similar plugins should be available for other platforms. You should be safe to autoapprove comments with this plugin installed. However, I recommend that you spend some time each week manually approving comments.
Even with Captchas and Anti-Spam plugins, it’s still a good idea to manually approve comments on your website.
In the end, I removed the comments section altogether, since I don’t really need it on that website. But that’s not the best solution. It might sometimes be a fit but, in general, comments are very useful for SEO. Even 1 year after the publication of some content, if it’s evergreen, comments will start rolling in. This will constantly update your page and we all know Google likes fresh content that keeps getting updated.
You can also force users to log in if they want to comment on your blog. However, this discourages even real users from commenting so it can harm you as well. It’s good however for an eCommerce store, where you mostly want clients to be commenting on your products.
Although spammy links might help a website rank in the short run, it’s not a suitable strategy for serious businesses.
As soon as Google catches a website committing SPAM (sounds like a crime now, it probably should be), it drops it and its chances of ever ranking again are usually pretty low.
Still, even with those risks, people still do it. It wouldn’t be the case, if it didn’t bring them any success (by success I mean $$$).
2. Trackback Spam
Trackbacks were created with the intention of being useful. In a way, they are. Their purpose is to notify the webmaster of new backlinks by creating a link back to the source of the backlink.
In other words, when someone links to you, your website generates a link back to them. This way, you can notice it and quickly establish a connection with the webmasters that mentioned you. This helps a lot with further promotion.
However, spammers quickly noticed that they can easily profit from this.
The mistake: If trackbacks are left unmonitored, spammers can create links to your website from their website. Your website will then respond with a trackback. After the trackback is live, they remove the link to your website, making it look like you’re the one linking to them.
Trackback spam acts very much like comment spam.
Solution: You can disable trackbacks and pingbacks from the Discussion Settings in the WordPress Dashboard.
Disabling trackbacks from the WP Dash won’t affect existing posts. You need to manually disable them. To do this quickly, click on All Posts. From the Screen Options in the top right corner, set the number of items per page to 999. This will stress your internet and PC out, so if you think they can’t handle it, put a lower number and do the action multiple times, on all pages.
After that, select all your articles with the checkmarks and click on Edit. You should be bulk editing all your posts now. You can then disable the Trackbacks and hit the save button.
Since trackbacks are basically comments, you can use the Akismet plugin again to protect your website.
3. Negative SEO Attack
A negative SEO Attack is a type of SPAM that can really harm you and your business. Its purpose is to make Google think that you’re the one performing BlackHat SEO tactics. It’s usually the work of nasty competitors trying to pull you down instead of lifting themselves up. Negative SEO can take many forms, like hacking a website, but we will be talking about mass link building.
Although Google said that Penguin 4.0 acts in real time and will ignore spammy links, such as the ones created by Negative SEO Attacks, the truth is that Negative SEO Attacks are still effective.
cognitiveSEO clients commonly use the toolset after a sudden drop in rankings. Many times, they spot massive amounts of spammy and irrelevant links built in a short amount of time, obviously, not by them. Their backlink profile looks something like this:
Mistake: Unfortunately, there’s not much you can do against negative SEO attacks and there is no obvious mistake except for not constantly monitoring your website. The links will be created on various websites and they are practically impossible to remove. Your best bet is to use the Disavow Tool from the Google Search Console to tell Google you don’t want those links to be taken into account.
But how do you know which links are bad and which links are good? You’ve guessed it!
Solution: You can use cognitiveSEO’s Unnatural Link Detection Tool. After the tool identifies the bad links, you can mark them for disavow and export them to a file formatted specially for the Google Disavow Tool.
The best protection against Negative SEO Attacks is prevention. You have to spot the attack as soon as it happens in order to effectively fight against it. Start tracking your backlinks now to keep your website safe.
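The disavow file mentioned above is a plain text file with one URL or one domain: entry per line, and lines starting with # treated as comments. The sketch below is an added example, not part of the original article and not cognitiveSEO's exporter; it builds such a file from a list of links you have already flagged. The threshold of three URLs per host and the sample links are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of links already flagged as unnatural.
SAMPLE_FLAGGED = [
    "http://spam-directory.example/links/1",
    "http://spam-directory.example/links/2",
    "http://spam-directory.example/links/3",
    "http://spam-directory.example/links/3",   # duplicate, kept only once
    "https://blog.example.net/post?id=7",
    "not a url",                               # skipped and reported
]

def build_disavow(flagged_urls, domain_threshold=3, note="flagged after manual review"):
    """Return (file_text, skipped_entries) for a disavow upload.

    Hosts with at least `domain_threshold` distinct flagged URLs are
    disavowed as a whole (domain:host); the rest are listed URL by URL.
    """
    by_host = defaultdict(set)
    skipped = []
    for raw in flagged_urls:
        url = raw.strip()
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            skipped.append(raw)          # never write junk into the file
            continue
        by_host[parts.hostname].add(url)  # hostname is already lowercased

    lines = [f"# {note}"]
    for host in sorted(by_host):
        urls = sorted(by_host[host])
        if len(urls) >= domain_threshold:
            lines.append(f"domain:{host}")
        else:
            lines.extend(urls)
    return "\n".join(lines) + "\n", skipped

if __name__ == "__main__":
    text, skipped = build_disavow(SAMPLE_FLAGGED)
    print(text, end="")
    print("skipped:", skipped)
```

Review the skipped entries and the domain-level lines by hand before uploading, since a domain: entry disavows every link from that host.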
4. Spiders, Bots and DDoS Attacks
Bots and Spiders come to your website for various reasons. It’s either a search engine crawler, or a tool trying to get information from your website, such as what sites you’re linking to (wink wink). Although they aren’t generally harmful, people can use them to overload your server’s bandwidth, firewall or CPU.
This type of attack is called a DDoS (Distributed Denial of Service) Attack and it’s pretty much just a very large amount of fake traffic being sent to your website in a short amount of time.
Mistake: Again, there is no obvious mistake here except for not keeping an eye on your website.
Solution#1: The first thing you can do to protect yourself is to install a really good WordPress security plugin (like WordFence, for instance). This will usually protect your website from most harmful things, such as brute force attacks, malware or any other hack attempts.
CloudFlare can also offer very effective DDoS protection. The tool passes the traffic coming to your website through its filters and only lets the good one pass. The tool has a free version, it’s pretty easy to set up and even provides your website with free SSL. Before accessing your website, your users will see something like this:
The downside of this is, as the image above says, +5 seconds loading time. Increased website load time can drop conversions.
Google likes fast websites and this sort of tool slows your website down.
There’s a trick you can do to overcome this. It’s a little bit more of a hassle, but it works.
Solution #2: You can use Google Analytics to alert you of traffic spikes so you can check them out quickly. If something looks suspicious, you can go into your CloudFlare account and enable the DDoS protection service temporarily.
In your Analytics Dashboard, go to Customization > Custom Alerts. There you can Manage Alerts and Create a new Alert. Set up your name, select Day for Periods, check the Email notification or even add a phone number. Then, select “All traffic” and “Sessions greater than” for the alert conditions. In the Value field, you should enter your estimated daily traffic, times two. So, if you have 100 users per day, you can set up 200 as the value, if you have 500 you can set up 1000 and so on.
The alert will notify you whenever your daily traffic is double the usual. You constantly have to adapt this alert as your website grows. Hopefully, you’ll have to adapt it often.
The minimum time frame for the alert is one day. That’s plenty of time for attackers to crash your site. However, DDoS attacks are usually repeated and can last for days so it’s still a good thing to know that it’s happening. If you search enough, there are probably other ways to get alerted faster when traffic is spiking, either via a plugin on the website itself or directly via the server.
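One way to get alerted faster directly via the server, as an added example that is not part of the original article: the script below applies the same "twice the usual traffic" rule per minute to web server access-log lines in the common/combined log format. The baseline of 5 requests per minute and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Common/combined log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+')

def requests_per_minute(lines):
    """Count hits per minute, overall and per source IP."""
    per_minute, per_ip = Counter(), {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore malformed lines instead of crashing
        ip, ts = m.groups()
        minute = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").replace(second=0)
        per_minute[minute] += 1
        per_ip.setdefault(minute, Counter())[ip] += 1
    return per_minute, per_ip

def find_spikes(lines, baseline_per_minute, factor=2):
    """Return one alert per minute with more than factor x the usual hits."""
    per_minute, per_ip = requests_per_minute(lines)
    alerts = []
    for minute in sorted(per_minute):
        hits = per_minute[minute]
        if hits > baseline_per_minute * factor:
            top_ip, top_hits = per_ip[minute].most_common(1)[0]
            alerts.append({
                "minute": minute.strftime("%Y-%m-%d %H:%M"),
                "hits": hits,
                "sources": len(per_ip[minute]),  # many sources: likely distributed
                "top_ip": top_ip,
                "top_hits": top_hits,
            })
    return alerts

def sample_log():
    """Constructed sample: a quiet minute, a junk line, then a burst."""
    quiet = [f'192.0.2.{i} - - [10/Oct/2023:13:55:{i:02d} +0000] "GET / HTTP/1.1" 200 512'
             for i in range(1, 4)]
    burst = [f'203.0.113.{i % 20 + 1} - - [10/Oct/2023:13:56:{i:02d} +0000] "GET / HTTP/1.1" 200 512'
             for i in range(40)]
    return quiet + ["not a log line"] + burst

if __name__ == "__main__":
    for alert in find_spikes(sample_log(), baseline_per_minute=5):
        print(alert)
```

Run from cron every few minutes over the tail of the access log, the alert list can feed an e-mail or chat notification; the per-minute source count helps tell one noisy client from traffic spread over many addresses.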
5. E-mail Spam
E-mail Spam is really hard to fight against. If your e-mail gets into the hands of just one mass spammer, it’s pretty much compromised. Luckily for us, Google does a pretty good job at differentiating spam from real, useful e-mails.
However, there’s a downside. Most of the time, there’s a higher chance of important e-mails getting into the Spam folder, than spam e-mails getting into the inbox. I’m not sure if I preferred it the other way or which one would be better.
There are two ways you can get spammed on your e-mail address. One is via your contact form and the other one is through direct e-mail.
Solution #1: The contact form issue is really easy to fix if you use a Captcha, just like for the Comments and Trackbacks SPAM. But, like many other websites, you probably have firstname.lastname@example.org somewhere on your website, be it on the contact page or in the footer section. If you do, then know that your e-mail can be scraped and added to spam lists.
Solution #2: Another way to protect yourself is to use variations such as name [@] yourdomain.com or name at yourdomain.com and so on. Another option would be to use an image of the e-mail address. The downside is that the users’ experience will be lower, as they won’t be able to copy paste the address. But nor will the bots.
You can use variations like name at yourdomain.com instead of email@example.com to prevent your e-mail from being scraped.
Spammers can also get your e-mail through opt-in forms. If you had the shiny object syndrome in your early days of digital marketing, you’ve probably subscribed to hundreds, if not thousands of e-mail lists. Well, chances are that some of those guys actually added your e-mail to their spam list.
Spammers also trade lists between them and cross-promote, so if you’re on just one spam list, be sure that you’ll be in another and another and another.
Solution #3: If you’ve subscribed to too many e-mail lists, you can use Unroll.me to bulk unsubscribe from them. It’s a really useful tool. I’ve realized spammers kept selling my address only when I used this tool to unsubscribe from everything and still got a ton of e-mails.
Anti-SPAM Golden Rules
Before you go, let’s recap some of the most important things that you should do and shouldn’t do in order to protect yourself from SPAM:
Always use Captcha: Captcha is the first line of defense against SPAM in any circumstances. Without it, any bot or software can easily post something on your website. If your website is crawlable and indexed by Google, make sure you have some sort of Captcha installed on your forms, login pages and comment sections.
Keep software up to date: If your website’s software gets old, it also gets vulnerable. A client has recently spotted weird articles on her website that she did not post, as well as a multitude of comments rolling in. It turned out that her website had been hacked and the hackers enabled comments and started adding guest posts with links to their websites. You should also install some sort of security plugin.
Don’t subscribe to e-mail lists with primary e-mail: If you really need to download that free PDF, make sure you download it with an e-mail address that you won’t use daily or on which you don’t receive important e-mails. You never know who lies behind that opt-in form. If you start getting spammed, you can miss important e-mails from clients and business partners.
Monitor your backlinks: In order to protect your website from a negative SEO attack, you have to constantly monitor your backlink activity. Any sudden spikes in the number of backlinks pointing to your site can indicate the beginning of a link spam session. If ignored or overlooked, it can become a real pain.
I really hope this article will help you keep safe from SPAM. If you have any questions or suggestions, feel free to leave them in the comments section. The Captcha secured, spam filtered, manually approved comment section.