Search result pollution spam

Did you know your website could be unwittingly promoting illegal content? It might be hidden in your site’s search results.

What is it

Your website’s search result pages (SERP) are just regular web pages. Because they have a unique URL for each search query, they are treated by search engines just like any other page on your website. That means search engines like Google and Bing might include them in their index and provide them as search results.

But what makes them different from many other pages on a website is that they display user-supplied input back to the user. For example, if you go to ABC Australia News and search for ‘car crash’, you end up on a URL with the search term in it, and the page shows you ‘Showing 18126 results for “car crash”’. If you save that link and open it again, you’ll see it loads that search for you and displays the same search terms.

How malicious actors can take advantage of it

But what happens if you don’t prevent external search engines from indexing your results page? A malicious user may take advantage of this to send their spam. All they have to do is to craft a search query URL with their spam message and create a link to this specific search results page on another website they control. When Google’s crawler follows the link, it will index the search results page and show the spam message in Google’s search results.

They would have to create another website with links to search results with their message. This is enough to tell Google to find and index those pages. Now the targeted website is repeating their spam message to other users via Google search results.

I stumbled upon these when I noticed some odd searches on a website I run. I searched for the same thing and found they appeared on many other websites. The best one I’ve found is a drug dealer advertising on the US Drug Enforcement Agency (archived):

A screen shot of search pollution spam on the DEA website that offers to sell drugs

Many big brands and other government organisations can be found with similar search result pollution spam. A few I notified were grateful to be told and fixed the issue immediately. Others made it difficult to contact them and never fixed the issue.

A screenshot of Google search results with Cathay Pacific's search pollution spam

With a simple Google search you can find even more that are currently active, with contact details for dealers via WhatsApp, Telegram or Gmail.

A screenshot of other Google results with search pollution spam

Why is it bad for your website, how to prevent and remove it

If you run a website, search result pollution spam is detrimental for a number of reasons:

  • you’re hosting illegal content
  • it looks bad for your brand, which could cause reputational damage and the erosion of user trust
  • it could negatively impact your SEO and your rank in Google.

So how do you prevent this? Easy, you block the search result pages using one of the many methods available to you as part of the Robots Exclusion Standard:

  • add your search result page to your robots.txt: Disallow: /search
  • add a metatag to the results page: <meta name="robots" content="noindex">
  • add an HTTP header to the results page: X-Robots-Tag: noindex.
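
To check which of these three signals actually covers a results page, the following added example (not code from the original post) audits a captured response with Python's standard library. The `audit` function, its field names and the sample robots.txt, headers and HTML are constructed for illustration; it also flags the case where a Disallow rule keeps a compliant crawler from ever reading a noindex set on the page.

```python
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser


class RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots" content="..."> tags."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "robots":
            self.directives |= {d.strip().lower() for d in a.get("content", "").split(",")}


def audit(path, robots_txt, headers, body, agent="Googlebot"):
    """Report which exclusion signals cover one search results URL."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    crawl_blocked = not rp.can_fetch(agent, path)

    x_robots = next((v for k, v in headers.items() if k.lower() == "x-robots-tag"), "")
    header_noindex = "noindex" in {d.strip().lower() for d in x_robots.split(",")}

    meta = RobotsMeta()
    meta.feed(body)
    meta_noindex = "noindex" in meta.directives

    noindex = header_noindex or meta_noindex
    return {
        "crawl_blocked": crawl_blocked,
        "header_noindex": header_noindex,
        "meta_noindex": meta_noindex,
        "protected": crawl_blocked or noindex,
        # A crawler that obeys Disallow never fetches the page, so it cannot read noindex.
        "noindex_unreachable": crawl_blocked and noindex,
    }


# Constructed sample data, not taken from any real site.
ROBOTS = "User-agent: *\nDisallow: /search\n"
PAGE_PLAIN = '<html><head><title>Search</title></head><body>Showing 0 results for "example"</body></html>'
PAGE_META = '<html><head><meta name="robots" content="noindex"></head><body>Showing 0 results</body></html>'
URL = "/search?q=example"

if __name__ == "__main__":
    for robots, hdrs, page in [("", {}, PAGE_PLAIN), (ROBOTS, {}, PAGE_PLAIN),
                               ("", {"X-Robots-Tag": "noindex"}, PAGE_PLAIN), (ROBOTS, {}, PAGE_META)]:
        print(audit(URL, robots, hdrs, page))
```

Feed it the robots.txt, response headers and body you get when requesting one of your own search URLs; a result with `protected` set to False means the page is open to indexing.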

If your site has already been hit by this kind of spam, then you’ll need to first block it using one of the above methods. Over time, as search engines crawl your site, they’ll remove the URLs. However, you should also use the tools they provide to submit removal requests, which work quickly. You do this via Google Search Console removal or Bing Webmaster Tools block.
