If you run a website with a way for users to add content to your site, blackhat link SPAMMERS will try to find a way to profit from that content. A few simple-to-implement safeguards, like limiting how much content can be added via a form, stripping all HTML code and of course monitoring what your users upload, can limit the damage.
Unfortunately, not all businesses take these basic steps and their sites are used by link SPAMMERS.
In my last article about compromised webpages on art.com, at the bottom I showed a screenshot of some forum comment link SPAM with links to webpages which are presumably owned/controlled/abused by the blackhat SEO link SPAMMER: the reason for SPAMMING links to them.
In among the SPAMMY links are links to gravatar.com member profiles.
In the screenshot above there’s a Gravatar member’s profile link sandwiched between two art.com members’ profiles.
At first I assumed these were compromised webpages like the art.com webpages (a security exploit), mainly because I believed the developers behind Gravatar (owned by Automattic, who also own WordPress) wouldn’t be dumb enough to allow HTML to be posted inside the forms used by Gravatar users to add information about themselves.
I was wrong: it’s not a security exploit, it’s a ‘feature’ allowing Gravatar users to add some HTML tags to their profiles’ “About Me” section. I’m guessing allowing some HTML is an oversight and not a deliberate ‘feature’.
Allowing HTML inside forms isn’t a problem per se, as long as the owner of the site is monitoring EVERYTHING users add via those forms. For example, comments on this site can have dofollow clickable text links and image links (I add them all the time), which opens them to SEO link SPAM abuse (link SPAMMERS love WordPress sites with dofollow links), but I monitor EVERYTHING my users post inside comments and manually delete any SPAM (no link SPAM gets posted).
What Are Gravatar Avatars?
Gravatar.com is owned by Automattic, who also own WordPress. When you see comments on WordPress sites (like comments on this site) with little avatars, they are probably served from gravatar.com.
Performance SEO Diversion: The avatars on this site are served via gravatar.com, but I use a custom WordPress plugin to cache the avatar images locally for improved SEO performance (I also lazy load them as well). The connections to gravatar.com, at least one for every unique avatar (there can be hundreds on heavily commented Posts), cause performance SEO issues (see Google Pagespeed Insights Tool results for pages with a lot of Gravatar avatars), mainly because of poorly thought out server settings at gravatar.com: they only cache their images for 5 minutes, which is a huge SEO mistake!!!
To have a custom avatar you need a WordPress/Gravatar account, and it looks like our art.com hacker from the previous cyber security article also found that Gravatar.com profiles allow HTML to be added via the “About Me” form and has created hundreds of accounts linking to Clickbank affiliate products.
Gravatar.com Clickbank Affiliate SPAM
Let’s look at some of the Clickbank affiliate link SPAM on gravatar.com; a simple Google site: search points us in the right direction. Pop this in a Google search:
This Google site: search will find all webpages on the site using the word Clickbank; as of September 25th 2017 that’s 1,340 results. Not all of these will link out to Clickbank affiliate products, some Gravatar users will legitimately use the word Clickbank, but it narrows down the search.
You can use this search format for finding other SEO link SPAM, replace Clickbank with other highly SPAMMED niches like Payday Loans, Viagra etc…
Example Gravatar.com profile with Clickbank affiliate SPAM screenshot:
As you can see from the screenshot above there’s a single link to a bitly short URL and there’s quite a lot of text in the “About Me” section including the bitly link (which redirects to a Clickbank Hop link) and bold text: so we have at least two allowed HTML tags (links and bold) inside the “About Me” form.
Viewing Source shows this content:
The above content is probably added automatically by a script: the script probably creates a new Gravatar profile and adds the content above to the relevant forms etc…
The SEO experts reading this will note the bitly link is rel="nofollow", so it passes no direct SEO link benefit (passes no PageRank). Passing link benefit (passing any SEO value) is NOT the goal for these SPAMMY Gravatar profiles; the huge wad of text is there to rank in Google for relevant SERPs.
For example, searching Google for “Jesus Is Your Itemized Guide – Ultimate Weight Detriment” (I think that’s the name of the Clickbank product) lists the Gravatar profile page at number 1.
These SPAMMY Gravatar profiles have the potential to rank for lots of long-tail SERPs (the example above is particularly long-tail). The blackhat SEO concept behind this type of link SPAM is to add hundreds of these webpages anywhere the link SPAMMER can add them (art.com, gravatar.com etc…) and to use forum and other blackhat link SPAM sources to link to them so Google indexes and ranks them.
Most of this will be automated with various scripts and blackhat SEO tools; it’s highly unlikely the SPAMMER is manually creating these profiles one by one.
Google search engine users visit these SPAMMY profiles, are disappointed with the content, but some will click the Clickbank affiliate link (the bitly link) and a small number of those will buy the Clickbank product: the SPAMMER gets paid for the affiliate sales.
Like we found with our art.com members’ profiles example, the gravatar.com profile bitly links redirect through another site which redirects to a Clickbank affiliate Hop link:
The above gives us two important URLs: in the top browser bar, a site either owned or controlled by the link SPAMMER, and the Clickbank hop link with the Clickbank username promotraf (the same username we found with the art.com SPAM).
Any visitor reaching the Clickbank product via a Hop link will result in an affiliate payment if the visitor buys the product. Clickbank affiliates can make a lot of money over time; I’ve earned tens of thousands of dollars from Clickbank without using blackhat SEO techniques.
What is Gravatar Doing Wrong?
Gravatar.com aren’t doing anything ‘wrong’; as I mentioned earlier, allowing HTML inside forms is fine as long as what’s entered via those forms is monitored/moderated (like comments on this site).
To put things into perspective, the Gravatar.com site has over 73,000 indexed pages. It’s unlikely Gravatar links to all of its members’ profiles, so there are almost certainly significantly more than 73,000 Gravatar profiles (if a webpage isn’t linked to, Google can’t easily find and index it). Gravatar has an enormous task in monitoring what its users add to the profile pages, and this is where Gravatar has made multiple rookie mistakes making SPAM possible/easy.
Mistake 1: There appears to be no limit to the number of characters a user can add to the “About Me” form. I created a test profile and was able to add the entire book The Hound of the Baskervilles to the form!
Yes, an entire novel, in the “About Me” section; this book has a word count of over 60,000 words :-) There should be a limit of 300 characters or similar. Viewing source of my test profile shows the problem: the content within the About Me form results in a webpage with over 7,500 lines of code!
The above could also open them to a malicious attack: it wouldn’t be rocket science for a competitor with malicious intent to upload tens of thousands of these profiles with entire novels within them. Imagine the impact of holding all that data in the database if it were paired with a DDoS attack!
Mistake 2a: There appears to be no limit to how many links can be added within the “About Me” form. In my test I added 16 links to one of my sites and was able to add a rel attribute at the start of the URL: Gravatar adds a rel="nofollow" attribute at the end of the link code. My initial plan was to delete this content after publishing this article, but it’s worth running a short SEO test to see how Google handles the two separate rel attributes: if Google ignores the second rel attribute (highly unlikely) we have a dofollow link.
Mistake 3: The “Display Name” form allows 250 characters. Since this is the user’s name, 250 characters is too long unless it’s a Gravatar profile for a Welsh town :-) The Display Name is used as the title tag for the profile webpage, so this allows for maximum SEO of the title tags: generally we want titles between 50-70 characters, since Google limits what it shows on a SERP to one line, which tends to be way below 100 characters.
If this were limited to below 25 characters (plenty of space for a name) it would severely limit blackhat SEO manipulation of the title tag. In my test example I was able to add “The Hound Of The Baskervilles, by Sir Arthur Conan Doyle” as the Display Name, and the end title tag was “The Hound Of The Baskervilles, by Sir Arthur Conan Doyle, Sherlock Holmes – Gravatar Profile”, which, considering this is a Gravatar profile, is pretty good SEO wise. Even with 25 characters we could add “Hound Of The Baskervilles”, which is still good (the shorter it is, the harder it is to use for long-tail SERPs).
Mistake 4: It would appear the profiles are not monitored/moderated. Some of the examples I found are at least a few months old, and with a big business like Automattic their in-house SEO should be regularly cleaning up this sort of SEO link SPAM: it damages search engine rankings and damages branding. These are very easy to find, so either no one is looking for them or they are so inundated with this type of link SPAM they can’t manage it (fixing the earlier mistakes would largely kill off the SPAM issue).
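As an added example (my own code, not Gravatar’s or Automattic’s) here is what server-side checks for the four mistakes above could look like: a 300 character cap on “About Me”, a 25 character cap on the Display Name, a cap on the number of links (the limit of 2 is my assumption), and an allowlist that keeps only links and bold while rebuilding every link with a single rel="nofollow" so a rel typed into the form can’t produce a second rel attribute. The sample input is constructed to resemble the SPAM described.

```python
# Added example, not Gravatar's code: server-side checks for a profile's About Me and Display Name.
from html import escape
from html.parser import HTMLParser

ABOUT_MAX_CHARS = 300   # article suggests "300 characters or similar"
DISPLAY_NAME_MAX = 25   # article suggests "below 25 characters"
MAX_LINKS = 2           # assumption: a bio needs a couple of links, not 16
ALLOWED_TAGS = {"a", "b", "strong"}  # links and bold, the tags the article observed

class ProfileSanitizer(HTMLParser):  # keeps allowed tags, rebuilds <a> with one rel="nofollow"
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.links = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                           # tag dropped; its text still passes, escaped
        if tag == "a":
            href = dict(attrs).get("href") or ""
            if not href.lower().startswith(("http://", "https://")):
                return                       # no javascript:, data: or relative hrefs
            self.links += 1
            # user attributes (rel, target, onclick...) are discarded, so a rel typed
            # into the form can never become a second rel attribute on the output
            self.out.append(f'<a href="{escape(href, quote=True)}" rel="nofollow">')
        else:
            self.out.append(f"<{tag}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        while tag in self.open_tags:         # close up to and including the match
            self.out.append(f"</{self.open_tags.pop()}>")

    def handle_data(self, data):
        self.out.append(escape(data))

def validate_profile(display_name, about_html):
    # returns (accepted, list of rejection reasons, sanitized About Me HTML)
    parser = ProfileSanitizer()
    parser.feed(about_html)
    parser.close()
    clean = "".join(parser.out + [f"</{t}>" for t in reversed(parser.open_tags)])  # close leftovers
    errors = [msg for bad, msg in (
        (len(display_name) > DISPLAY_NAME_MAX, f"display name over {DISPLAY_NAME_MAX} characters"),
        (len(about_html) > ABOUT_MAX_CHARS, f"About Me over {ABOUT_MAX_CHARS} characters"),
        (parser.links > MAX_LINKS, f"more than {MAX_LINKS} links")) if bad]
    return (not errors, errors, clean)

# Constructed sample shaped like the SPAM described: bold text, a script tag, a link with a user rel
SAMPLE = ('<b>Ultimate Weight Detriment guide</b> <script>alert(1)</script> '
          '<a rel="dofollow" href="https://example.com/offer" onclick="x()">buy</a>')
```

Running validate_profile("Jane Doe", SAMPLE) accepts the profile but returns the About Me with the script tag and the user-supplied rel and onclick stripped; a novel-length bio, a 56 character Display Name or 16 links each add a rejection reason.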