Many spam articles created - No clue Topic is solved

Discussion regarding Joomla! 3.x security issues.

florian_g
Joomla! Apprentice
Posts: 10
Joined: Wed Dec 16, 2020 1:04 pm

Many spam articles created - No clue

Post by florian_g » Wed Dec 16, 2020 3:34 pm

Hello everybody!

I have had a strange problem since 2017 consisting of virtually non-existent spam articles (to Googlebot they seem to be real). Obviously they are created for backlinks to other sites.
These articles also receive backlinks from other compromised sites.

In 2017 I saw that it was about JCE Editor (I found some very explanatory files and removed them), eventually ending with a fresh Joomla reinstall.
I put some pictures from Google Search Console to show what it is about.
GSC links.png
-
GSC links - details.png
I tried several methods to get rid of them but with no success, including:
  • rebuild the whole site from scratch (every time, fresh install, deleted all files and folders)
  • moving to a different server (created new account)
  • install just plain Joomla (no plugins, extension, template, etc)
  • switching host entirely

Every install was made fresh, with the latest extensions available.
The last one, made when I switched hosting company, was on November 11th, 2020. In every case the links kept coming back.
I have several other sites with the same setup and they are OK, no problems.

Any ideas what the problem could be?
I should mention that the site works fine, with no visible problems.

When I installed just plain Joomla I thought that was it, no way they could keep appearing, but surprise - the articles were there soon. It could be that the reports from GSC are delayed and do not show the exact reality, but the simple Joomla site stood alone for about 10 days and after that the articles were there again. After that I added all the extra plugins and extensions.

I attach the FPA report:
Forum Post Assistant (v1.6.2) : 16-Dec-2020 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 3.9.23-Stable (Amani) 24-November-2020
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) |
Configuration Options :: Offline: false | SEF: true | SEF Suffix: false | SEF ReWrite: true | .htaccess/web.config: Yes | GZip: true | Cache: true | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: false | FTP Layer: false | Proxy: false | LiveSite: | Session lifetime: 15 | Session handler: database | Shared sessions: false | SSL: 2 | Error Reporting: default | Site Debug: false | Language Debug: false | Default Access: 1 | Unicode Slugs: false | dbConnection Type: mysqli | PHP Supports J! 3.9.23: Yes | Database Supports J! 3.9.23: Yes | Database Credentials Present: Yes |

Host Configuration :: OS: Linux | OS Version: 3.10.0-962.3.2.lve1.5.39.el7.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate, br | System TMP Writable: Yes | Free Disk Space : 944.82 GiB |

PHP Configuration :: Version: 7.4.13 | PHP API: litespeed | Session Path Writable: Yes | Display Errors: | Error Reporting: 32767 | Log Errors To: error_log | Last Known Error: 15th December 2020 03:25:24. | Register Globals: | Magic Quotes: | Safe Mode: | Allow url fopen: 1 | Open Base: | Uploads: 1 | Max. Upload Size: 100M | Max. POST Size: 110M | Max. Input Time: -1 | Max. Execution Time: 30 | Memory Limit: 256M

Database Configuration :: Version: 5.5.5-10.3.27-MariaDB-log (Client:mysqlnd 7.4.13) | Database Size: 8.71 MiB | #of Tables with config prefix: 97 | #of other Tables: 0 | User Privileges : GRANT ALL
Detailed Environment :: wrote:PHP Extensions :: Core (7.4.13) | date (7.4.13) | libxml (7.4.13) | openssl (7.4.13) | pcre (7.4.13) | sqlite3 (7.4.13) | zlib (7.4.13) | bz2 (7.4.13) | calendar (7.4.13) | ctype (7.4.13) | curl (7.4.13) | hash (7.4.13) | filter (7.4.13) | ftp (7.4.13) | gettext (7.4.13) | gmp (7.4.13) | SPL (7.4.13) | iconv (7.4.13) | pcntl (7.4.13) | readline (7.4.13) | Reflection (7.4.13) | session (7.4.13) | standard (7.4.13) | shmop (7.4.13) | SimpleXML (7.4.13) | mbstring (7.4.13) | tokenizer (7.4.13) | xml (7.4.13) | litespeed () | i360 (1.0) | bcmath (7.4.13) | dba (7.4.13) | dom (20031129) | enchant (7.4.13) | fileinfo (7.4.13) | gd (7.4.13) | imap (7.4.13) | intl (7.4.13) | json (7.4.13) | ldap (7.4.13) | exif (7.4.13) | mysqlnd (mysqlnd 7.4.13) | mysqli (7.4.13) | odbc (7.4.13) | PDO (7.4.13) | pdo_mysql (7.4.13) | PDO_ODBC (7.4.13) | pdo_pgsql (7.4.13) | pdo_sqlite (7.4.13) | pgsql (7.4.13) | Phar (7.4.13) | posix (7.4.13) | pspell (7.4.13) | soap (7.4.13) | sockets (7.4.13) | sysvmsg (7.4.13) | sysvsem (7.4.13) | sysvshm (7.4.13) | tidy (7.4.13) | xmlreader (7.4.13) | xmlrpc (7.4.13) | xmlwriter (7.4.13) | xsl (7.4.13) | zip (1.15.6) | ionCube Loader (10.4.3) | Zend Engine (3.4.0) |
Potential Missing Extensions ::
Disabled Functions :: exec | shell_exec | system | passthru | popen | pclose | proc_open | proc_nice | proc_terminate | proc_get_status | proc_close | symlink | syslog | escapeshellcmd | escapeshellarg | ` | posix_kill | posix_mkfifo | posix_setpgid | posix_setsid | posix_setuid | pcntl_alarm | pcntl_exec | pcntl_fork | pcntl_setpriority | apache_child_terminate | link | readlink | dl |

Switch User Environment :: PHP CGI: No | Server SU: No | PHP SU: No | Potential Ownership Issues: No
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (---) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) | administrator/logs/ (755) |

Elevated Permissions (First 10) ::
Database Information :: wrote:Database statistics :: Uptime: 715653 | Threads: 134 | Questions: 937577403 | Slow queries: 2682 | Opens: 9759500 | Flush tables: 1 | Open tables: 1024 | Queries per second avg: 1310.100 |
Extensions Discovered :: wrote:Components :: Site ::
Core :: com_mailto (3.0.0) 1 | com_wrapper (3.0.0) 1 |
3rd Party:: WF_AGGREGATOR_AUDIO_TITLE (2.9.1) ? | WF_AGGREGATOR_DAILYMOTION_TITLE (2.9.1) ? | WF_AGGREGATOR_VIDEO_TITLE (2.9.1) ? | WF_AGGREGATOR_VIMEO_TITLE (2.9.1) ? | WF_AGGREGATOR_[youtube]_TITLE (2.9.1) ? | WF_FILESYSTEM_JOOMLA_TITLE (2.9.1) ? | WF_LINKS_JOOMLALINKS_TITLE (2.9.1) ? | WF_POPUPS_JCEMEDIABOX_TITLE (2.9.1) ? | WF_LINK_SEARCH_TITLE (2.9.1) ? | WF_ANCHOR_TITLE (2.9.1) ? | WF_ARTICLE_TITLE (2.9.1) ? | WF_ATTRIBUTES_TITLE (2.9.1) ? | WF_AUTOSAVE_TITLE (2.9.1) ? | WF_BROWSER_TITLE (2.9.1) ? | WF_CHARMAP_TITLE (2.9.1) ? | WF_CLEANUP_TITLE (2.9.1) ? | WF_CLIPBOARD_TITLE (2.9.1) ? | WF_CONTEXTMENU_TITLE (2.9.1) ? | WF_DIRECTIONALITY_TITLE (2.9.1) ? | WF_EMOTIONS_TITLE (2.9.1) ? | WF_FONTCOLOR_TITLE (2.9.1) ? | WF_FONTSELECT_TITLE (2.9.1) ? | WF_FONTSIZESELECT_TITLE (2.9.1) ? | WF_FORMATSELECT_TITLE (2.9.1) ? | WF_FULLSCREEN_TITLE (2.9.1) ? | WF_HELP_TITLE (2.9.1) ? | WF_HR_TITLE (2.9.1) ? | WF_IMGMANAGER_TITLE (2.9.1) ? | WF_KITCHENSINK_TITLE (2.9.1) ? | WF_LINK_TITLE (2.9.1) ? | WF_LISTS_TITLE (2.9.1) ? | WF_MEDIA_TITLE (2.9.1) ? | WF_NONBREAKING_TITLE (2.9.1) ? | JCE - Noneditable (1.0.0) ? | WF_PREVIEW_TITLE (2.9.1) ? | WF_PRINT_TITLE (2.9.1) ? | WF_REFERENCE_TITLE (2.9.1) ? | WF_SEARCHREPLACE_TITLE (2.9.1) ? | WF_SOURCE_TITLE (2.9.1) ? | WF_SPELLCHECKER_TITLE (2.9.1) ? | WF_STYLE_TITLE (2.9.1) ? | WF_STYLESELECT_TITLE (2.9.1) ? | WF_TABLE_TITLE (2.9.1) ? | WF_TEXTCASE_TITLE (2.9.1) ? | WF_VISUALBLOCKS_TITLE (2.9.1) ? | WF_VISUALCHARS_TITLE (2.9.1) ? | WF_WORDCOUNT_TITLE (2.9.1) ? | WF_XHTMLXTRAS_TITLE (2.9.1) ? |

Components :: Admin ::
Core :: com_plugins (3.0.0) 1 | com_postinstall (3.2.0) 1 | com_modules (3.0.0) 1 | com_associations (3.7.0) 1 | com_cpanel (3.0.0) 1 | com_messages (3.0.0) 1 | com_config (3.0.0) 1 | com_admin (3.0.0) 1 | com_finder (3.0.0) 1 | com_ajax (3.2.0) 1 | com_media (3.0.0) 1 | com_redirect (3.0.0) 1 | com_banners (3.0.0) 1 | com_cache (3.0.0) 1 | com_fields (3.7.0) 1 | com_users (3.0.0) 1 | com_content (3.0.0) 1 | com_actionlogs (3.9.0) 1 | com_contenthistory (3.2.0) 1 | com_joomlaupdate (3.6.2) 1 | com_languages (3.0.0) 1 | com_templates (3.0.0) 1 | com_checkin (3.0.0) 1 | com_search (3.0.0) 1 | com_installer (3.0.0) 1 | com_privacy (3.9.0) 1 | com_tags (3.1.0) 1 | com_categories (3.0.0) 1 | com_newsfeeds (3.0.0) 1 | com_menus (3.0.0) 1 | com_login (3.0.0) 1 |
3rd Party:: COM_JCE (2.9.1) 1 | COM_OSMAP (4.2.39) 1 | COM_CONVERTFORMS (2.7.4) 1 |

Modules :: Site ::
Core :: mod_whosonline (3.0.0) 1 | mod_wrapper (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_articles_latest (3.0.0) 1 | mod_random_image (3.0.0) 1 | mod_footer (3.0.0) 1 | mod_search (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_articles_popular (3.0.0) 1 | mod_articles_categories (3.0.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_users_latest (3.0.0) 1 | mod_stats (3.0.0) 1 | mod_login (3.0.0) 1 | mod_syndicate (3.0.0) 1 | mod_tags_popular (3.1.0) 1 | mod_articles_news (3.0.0) 1 | mod_related_items (3.0.0) 1 | mod_tags_similar (3.1.0) 1 | mod_languages (3.5.0) 1 | mod_banners (3.0.0) 1 | mod_articles_archive (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_articles_category (3.0.0) 1 | mod_finder (3.0.0) 1 |
3rd Party:: sigplus (1.5.0.284) 1 | Minifrontpage (3.1.0) 1 | mod_convertforms (1.0) 1 |

Modules :: Admin ::
Core :: mod_submenu (3.0.0) 1 | mod_toolbar (3.0.0) 1 | mod_feed (3.0.0) 1 | mod_version (3.0.0) 1 | mod_quickicon (3.0.0) 1 | mod_logged (3.0.0) 1 | mod_status (3.0.0) 1 | mod_title (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_latest (3.0.0) 1 | mod_privacy_dashboard (3.9.0) 1 | mod_login (3.0.0) 1 | mod_latestactions (3.9.0) 1 | mod_multilangstatus (3.0.0) 1 | mod_stats_admin (3.0.0) 1 | mod_sampledata (3.8.0) 1 | mod_menu (3.0.0) 1 | mod_popular (3.0.0) 1 |
3rd Party:: mod_cachecleaner (7.3.3) 1 |

Libraries ::
Core ::
3rd Party:: Regular Labs Library (20.11.4202) 1 |

Plugins ::
Core :: plg_privacy_message (3.9.0) 1 | plg_privacy_user (3.9.0) 1 | plg_privacy_consents (3.9.0) 1 | plg_privacy_actionlogs (3.9.0) 1 | plg_privacy_content (3.9.0) 1 | plg_quickicon_extensionupdate (3.0.0) 1 | plg_quickicon_privacycheck (3.9.0) 1 | plg_quickicon_phpversioncheck (3.7.0) 1 | plg_quickicon_joomlaupdate (3.0.0) 1 | plg_user_terms (3.9.0) 0 | plg_user_contactcreator (3.0.0) 0 | plg_user_profile (3.0.0) 0 | plg_user_joomla (3.0.0) 1 | plg_installer_packageinstaller (3.6.0) 1 | PLG_INSTALLER_FOLDERINSTALLER (3.6.0) 1 | PLG_INSTALLER_URLINSTALLER (3.6.0) 1 | plg_fields_checkboxes (3.7.0) 1 | plg_fields_imagelist (3.7.0) 1 | plg_fields_repeatable (3.9.0) 1 | plg_fields_integer (3.7.0) 1 | plg_fields_usergrouplist (3.7.0) 1 | plg_fields_text (3.7.0) 1 | plg_fields_user (3.7.0) 1 | plg_fields_textarea (3.7.0) 1 | plg_fields_color (3.7.0) 1 | plg_fields_editor (3.7.0) 1 | plg_fields_url (3.7.0) 1 | plg_fields_calendar (3.7.0) 1 | plg_fields_radio (3.7.0) 1 | plg_fields_sql (3.7.0) 1 | plg_fields_list (3.7.0) 1 | plg_fields_media (3.7.0) 1 | plg_extension_joomla (3.0.0) 1 | plg_search_categories (3.0.0) 1 | plg_search_contacts (3.0.0) 1 | plg_search_tags (3.0.0) 1 | plg_search_newsfeeds (3.0.0) 1 | plg_search_content (3.0.0) 1 | plg_authentication_ldap (3.0.0) 0 | plg_authentication_cookie (3.0.0) 1 | plg_authentication_gmail (3.0.0) 0 | plg_authentication_joomla (3.0.0) 1 | plg_editors-xtd_menu (3.7.0) 1 | plg_editors-xtd_pagebreak (3.0.0) 1 | plg_editors-xtd_image (3.0.0) 1 | plg_editors-xtd_fields (3.7.0) 1 | plg_editors-xtd_module (3.5.0) 0 | plg_editors-xtd_article (3.0.0) 0 | plg_editors-xtd_readmore (3.0.0) 1 | plg_finder_categories (3.0.0) 1 | plg_finder_contacts (3.0.0) 1 | plg_finder_tags (3.0.0) 1 | plg_finder_newsfeeds (3.0.0) 1 | plg_finder_content (3.0.0) 1 | plg_content_pagenavigation (3.0.0) 1 | plg_content_confirmconsent (3.9.0) 0 | plg_content_pagebreak (3.0.0) 1 | plg_content_fields (3.7.0) 1 | plg_content_vote (3.0.0) 0 | plg_content_finder 
(3.0.0) 0 | plg_content_loadmodule (3.0.0) 1 | plg_content_emailcloak (3.0.0) 1 | plg_content_joomla (3.0.0) 1 | PLG_ACTIONLOG_JOOMLA (3.9.0) 1 | plg_captcha_recaptcha (3.4.0) 0 | plg_captcha_recaptcha_invisible (3.8) 0 | plg_system_updatenotification (3.5.0) 1 | plg_system_remember (3.0.0) 1 | plg_system_log (3.0.0) 1 | plg_system_redirect (3.0.0) 0 | plg_system_p3p (3.0.0) 0 | plg_system_sessiongc (3.8.6) 1 | plg_system_sef (3.0.0) 1 | plg_system_fields (3.7.0) 1 | plg_system_privacyconsent (3.9.0) 0 | plg_system_languagecode (3.0.0) 0 | plg_system_cache (3.0.0) 0 | plg_system_highlight (3.0.0) 1 | plg_system_logrotation (3.9.0) 1 | plg_system_debug (3.0.0) 1 | plg_system_languagefilter (3.0.0) 0 | PLG_SYSTEM_ACTIONLOGS (3.9.0) 1 | plg_system_stats (3.5.0) 1 | plg_system_logout (3.0.0) 1 | plg_twofactorauth_totp (3.2.0) 0 | plg_twofactorauth_yubikey (3.2.0) 0 |
3rd Party:: plg_editors_codemirror (5.56.0) 1 | plg_editors_tinymce (4.5.12) 1 | plg_editors_jce (2.9.1) 1 | plg_quickicon_jce (2.9.1) 1 | plg_installer_jce (2.9.1) 1 | plg_fields_mediajce (2.9.1) 1 | plg_extension_jce (2.9.1) 1 | plg_search_sigplus (1.5.0.284) 0 | plg_editors-xtd_sigplus (1.5.0.284) 0 | plg_editors-xtd_modulesanywhere (7.11.2) 1 | plg_editors-xtd_articlesanywhere (10.5.1) 1 | plg_editors-xtd_tabs (7.8.0) 1 | PLG_EDITORS-XTD_CONVERTFORMS (1.0) 1 | plg_content_jce (2.9.1) 1 | plg_content_sigplus (1.5.0.284) 1 | plg_system_jce (2.9.1) 1 | System - Helix Ultimate Framework (1.1.2) 1 | plg_system_regularlabs (20.11.4202) 1 | plg_system_modulesanywhere (7.11.2) 1 | plg_system_articlesanywhere (10.5.1) 1 | plg_system_tabs (7.8.0) 1 | plg_system_cachecleaner (7.3.3) 1 | plg_system_ossystem (1.3.1) 1 | System - Aimy H1 Heading (5.0) 1 | plg_system_nrframework (4.4.7) 1 | PLG_SYSTEM_CONVERTFORMS (1.0) 1 | PLG_SYSTEM_CFUPLOADEDFILESCLEANER (1.0) 0 | plg_system_tgeoip (2.2.0) 1 | PLG_OSMAP_JOOMLA (4.2.39) 1 | PLG_CONVERTFORMS_ACYMAILING (1.0) 1 | PLG_CONVERTFORMS_EMAILS (1.0) 1 | PLG_CONVERTFORMS_ERRORLOGGER (1.0) 1 | PLG_CONVERTFORMS_ACTIVECAMPAIGN (1.0) 1 | PLG_CONVERTFORMS_AWEBER (1.0) 1 | PLG_CONVERTFORMS_CAMPAIGNMONITOR (1.0) 1 | PLG_CONVERTFORMS_CONVERTKIT (1.0) 1 | PLG_CONVERTFORMS_DRIP (1.0) 1 | PLG_CONVERTFORMS_ELASTICEMAIL (1.0) 1 | PLG_CONVERTFORMS_GETRESPONSE (1.0) 1 | PLG_CONVERTFORMS_HUBSPOT (1.0) 1 | PLG_CONVERTFORMS_ICONTACT (1.0) 1 | PLG_CONVERTFORMS_MAILCHIMP (1.0) 1 | PLG_CONVERTFORMS_SALESFORCE (1.0) 1 | PLG_CONVERTFORMS_SENDINBLUE (1.0) 1 | PLG_CONVERTFORMS_ZOHO (1.0) 1 | PLG_CONVERTFORMS_ZOHOCRM (1.0) 1 | PLG_CONVERTFORMSTOOLS_CALCULATIONS (1.0) 1 | PLG_CONVERTFORMSTOOLS_CONDITIONALLO (1.0) ? | PLG_CONVERTFORMSTOOLS_PDF (1.0) 1 | PLG_CONVERTFORMSTOOLS_GATRACKER (1.0) 0 |
Templates Discovered :: wrote:Templates :: Site :: beez3 (3.1.0) 1 | protostar (1.0) 1 | shaper_helixultimate (1.1.2) 1 |
Templates :: Admin :: hathor (3.0.0) 1 | isis (1.0) 1 |
Last edited by florian_g on Wed Dec 16, 2020 4:10 pm, edited 2 times in total.

pe7er
Joomla! Master
Posts: 24974
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, Netherlands

Re: Many spam articles created - No clue

Post by pe7er » Wed Dec 16, 2020 3:49 pm

Welcome to Joomla forum!

The Google Search Console reported issues with links that Google tried to access in the past.

I tried a couple of links listed in your Google Search Console image.
They all resulted in a 404 error, meaning that they do not exist (anymore).

Maybe your old website had been hacked, and the crackers added their own .htaccess to reroute traffic to some spam script on your server. If you made a backup of the old website, you could install it on a local machine (using XAMPP) to analyse it.
Kind Regards,
Peter Martin, Global Moderator
Company website: https://db8.nl/en/ - Joomla specialist, Nijmegen, Netherlands
The best website: https://the-best-website.com

florian_g
Joomla! Apprentice
Posts: 10
Joined: Wed Dec 16, 2020 1:04 pm

Re: Many spam articles created - No clue

Post by florian_g » Wed Dec 16, 2020 4:07 pm

Thanks for the quick reply!
Since the problem began I have reinstalled Joomla about 6 - 7 times, every time with a fresh base (deleted all files and folders from the account, including htaccess, deleted the old database and created a new one).
Last time, in November, I moved to a new host with a fresh install (got rid of anything related to the old host and its problems) but with the same results.

I have many backups (files and database) stored on my computer but never installed them locally.
I don't know what to look for.

abernyte
Joomla! Virtuoso
Posts: 4189
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: Many spam articles created - No clue

Post by abernyte » Wed Dec 16, 2020 5:01 pm

If you are using anything from the old site - images, pdfs, importing articles - you may be re-infecting yourself with whatever back door has been added.
The new build has to be a clean server, new download of Joomla, new database, a new download of every third party extension and newly sourced images. Is the development PC you are using clean of infection too?
"Those who expect to reap the blessings of freedom must, like men, undergo the fatigue of supporting it." Thomas Paine

sozzled
I've been banned!
Posts: 13639
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: Many spam articles created - No clue

Post by sozzled » Wed Dec 16, 2020 5:15 pm

This looks like referrer spam—search the term—to me. I'm not going to explain again what people can do about this. The website is not infected. Don't panic. Deal with it.

Referrer spam/spamdexing is common. It's a nuisance but it's not life-threatening.

florian_g
Joomla! Apprentice
Posts: 10
Joined: Wed Dec 16, 2020 1:04 pm

Re: Many spam articles created - No clue

Post by florian_g » Wed Dec 16, 2020 5:20 pm

Clean server - Check - New host, new account
New Joomla - Check - always download the last version
New database - Check - new account, so new database
New 3rd party extensions - Check - always download the latest versions
New articles - Check - I have the html code in plain text of articles, so no direct import of old ones
New images - ... not new - copied from old image folder
Working PC - ... don't know if is infected - I have to check it with Windows defender - Win10

florian_g
Joomla! Apprentice
Posts: 10
Joined: Wed Dec 16, 2020 1:04 pm

Re: Many spam articles created - No clue

Post by florian_g » Wed Dec 16, 2020 5:27 pm

sozzled wrote:
Wed Dec 16, 2020 5:15 pm
This looks like referrer spam—search the term—to me. I'm not going to explain again what people can do about this. The website is not infected. Don't panic. Deal with it.

Referrer spam/spamdexing is common. It's a nuisance but it's not life-threatening.

Thanks for your reply.
The site is working fine, no problem with that, but I was a little bit concerned about the ranking side.
Almost stable positions over time with little drops lately, but that could be related to some other new sites coming in and no new back links.

Looks like I have to live with it but it's annoying.

GerogescuM
Joomla! Apprentice
Posts: 15
Joined: Mon Sep 21, 2020 12:03 pm

Re: Many spam articles created - No clue

Post by GerogescuM » Thu Dec 17, 2020 10:35 am

florian_g wrote:
Wed Dec 16, 2020 5:20 pm
Clean server - Check - New host, new account
New Joomla - Check - always download the last version
New database - Check - new account, so new database
New 3rd party extensions - Check - always download the latest versions
New articles - Check - I have the html code in plain text of articles, so no direct import of old ones
New images - ... not new - copied from old image folder
Working PC - ... don't know if is infected - I have to check it with Windows defender - Win10

Just scanned your website through VirusTotal: https://www.virustotal.com/gui/url/acc9 ... /detection

It seems ok (This is a basic scan, can't detect the backdoors)
As long as you did a clean install, all the backdoors should be removed.

It would be good practice to scan all those files before uploading them (just to be sure). If they were infected, your antivirus system should notify you about them anyway [thanks to real-time protection, which quietly runs in the background monitoring and scanning all new files and the running ones].

florian_g
Joomla! Apprentice
Posts: 10
Joined: Wed Dec 16, 2020 1:04 pm

Re: Many spam articles created - No clue

Post by florian_g » Thu Dec 17, 2020 3:15 pm

GerogescuM wrote:
Thu Dec 17, 2020 10:35 am

Just scanned your website through VirusTotal: https://www.virustotal.com/gui/url/acc9 ... /detection

It seems ok (This is a basic scan, can't detect the backdoors)
As long as you did a clean install, all the backdoors should be removed.

That's the big question mark I have.
With all new installs and downloads on a new server those articles still appear.
Somewhere, something is not really ok, I guess.
It could be an extension or a plugin, but on one occasion I did a fresh install with plain Joomla only, and after a few days the articles were there.

sozzled
I've been banned!
Posts: 13639
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: Many spam articles created - No clue

Post by sozzled » Thu Dec 17, 2020 6:19 pm

The subject of this discussion is "Many spam articles created (but no clue how they were created)"

So the question that we have to ask you is simple: where are these "spam articles"? Simple question, isn't it?

florian_g wrote:
Thu Dec 17, 2020 3:15 pm
With all new installs and downloads on a new server those articles still appear.

Do you really believe that these articles actually exist? Another simple question but it could be the key to the problem. As I wrote before, I don't believe these "articles" exist. I believe that you are a target of ghost spam (or referrer spam or spamdexing); the method has many names. Search for the term to understand what it means and then you can deal with the problem.

If all the "scans" you're doing are not finding these "articles" then it's probably a case of the articles never being created in the first place. That's not to say that you don't have a problem but you're not looking in the right places.

Let me give you one example of how referrer spam works.

1) Someone has a domain (let's call this domain mydomain.com) and there's a website on this domain: http://mydomain.com. Of course this is just an example.

2) The website is a legitimate website that sells automobile parts, for example.

3) The ghost spammer goes to another website (http://website2.com) that is regularly indexed by Google and posts this at website2.com:

If you want to improve your health, eat more carrots http://mydomain.com/eat-more-carrots

4) The next thing you know, the owner of mydomain.com sees all these requests for the non-existent URL http://mydomain.com/eat-more-carrots (which don't go anywhere, of course) and wonders where these things are coming from. The answer is there, in your server log, that the source of these mysterious GET requests is http://website2.com.

5) The ghost spammer does the same kind of thing on several other websites and, before too long, Google "indexes" references (with dead links) to mydomain.com and "carrots".

No spam articles are created on your website. Bogus links to your website find their way into Google.

So ... is this your problem or is this a problem for the owners of all other websites where references to your website appear? :pop

florian_g
Joomla! Apprentice
Posts: 10
Joined: Wed Dec 16, 2020 1:04 pm

Re: Many spam articles created (but no clue how they were created)

Post by florian_g » Thu Dec 17, 2020 10:58 pm

So the question that we have to ask you is simple: where are these "spam articles"? Simple question, isn't it?
Do you really believe that these articles actually exist?

Yes, good question. I looked for them in all files and the database and they are nowhere.

As I wrote before, I don't believe these "articles" exist. I believe that you are a target of ghost spam (or referrer spam or spamdexing); the method has many names. Search for the term to understand what it means and then you can deal with the problem.

I found an article where I read about "ghost referrer" but I thought it was not this case.
It was about a webmaster (me in this example) who found some referrers in Analytics, wanted to see what website points to his own website and clicked that link to check it.
The spammers counted on this action to gain visitors to their websites by this method.

If all the "scans" you're doing are not finding these "articles" then it's probably a case of the articles never being created in the first place. That's not to say that you don't have a problem but you're not looking in the right places.

I know something about "negative SEO" and the offered example looks more likely to be this, but it is hard to believe that it is from any competitor. In my niche there is not any competition; all offers find a place on the first two search pages.

Let me give you one example of how referrer spam works.

1) Someone has a domain (let's call this domain mydomain.com) and there's a website on this domain: http://mydomain.com. Of course this is just an example.

2) The website is a legitimate website that sells automobile parts, for example.

3) The ghost spammer goes to another website (http://website2.com) that is regularly indexed by Google and posts this at website2.com:

If you want to improve your health, eat more carrots http://mydomain.com/eat-more-carrots

4) The next thing you know, the owner of mydomain.com sees all these requests for the non-existent URL http://mydomain.com/eat-more-carrots (which don't go anywhere, of course) and wonders where these things are coming from. The answer is there, in your server log, that the source of these mysterious GET requests is http://website2.com.

5) The ghost spammer does the same kind of thing on several other websites and, before too long, Google "indexes" references (with dead links) to mydomain.com and "carrots".

No spam articles are created on your website. Bogus links to your website find their way into Google.

I found a blog (surely there are many more, but this is an example) where the comments section was full of spam.
Among those comments was one from 2016 that pointed to my website with some of the links that appear in GSC, the last time found being this year.
If Google doesn't discard those links it could be very dangerous for me, but I guess it treats them with some reserve because they have been appearing continuously since 2016 and I didn't see any rank drops.
I put a picture with this blog.

But I don't see the benefit for the spammers to point to my site, they don't gain anything with that, only I can get in trouble with Google for blackhat linkbuilding, unless they succeed in creating some real articles on my website that point to theirs. Am I right?
spam links.jpg

sozzled
I've been banned!
Posts: 13639
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: Many spam articles created (but no clue how they were created)

Post by sozzled » Thu Dec 17, 2020 11:18 pm

florian_g wrote:
Thu Dec 17, 2020 10:58 pm
I don't see the benefit for the spammers to point to my site, they don't gain anything with that, only I can get in trouble with Google for blackhat linkbuilding, unless they succeed in creating some real articles on my website that point to theirs. Am I right?

The "benefit" is to cause website owners to panic, to write to technical discussion forums (like this one) and waste their time trying to track down the source of website infections when there is no infection. The "benefit" is to get communities (like the J! community) worried about website security and to get people to spend their time chasing phantom rabbits down imaginary rabbit holes. The way to deal with these imagined threats is to understand them and, in the majority of cases, ignore them. In time (and it may take years) they'll go away.

I've written much on this subject but you'll have to dig deep in this forum to find it. A lot of people disagree with me but I don't really care. Everyone has their critics. The more you write, the more you'll be criticised for it. It takes time but, by accepting the inevitable, even criticism will go away, too. :laugh: Cheers. 8)

florian_g
Joomla! Apprentice
Posts: 10
Joined: Wed Dec 16, 2020 1:04 pm

Re: Many spam articles created - No clue

Post by florian_g » Thu Dec 17, 2020 11:37 pm

The "benefit" is to cause website owners to panic...

Thanks for your answers.
I don't have control over those blogs so I can't do anything.

sozzled
I've been banned!
Posts: 13639
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: Spam links to my website: referrer spam is the clue

Post by sozzled » Fri Dec 18, 2020 12:01 am

That's right! You don't have control over those other websites but you do have some control over the inbound traffic to your website! I suggest you search for the term "referrer spam" and my username on this forum or, search for "Who’s snooping around your website? " on the internet. Cheers. :)

florian_g
Joomla! Apprentice
Posts: 10
Joined: Wed Dec 16, 2020 1:04 pm

Re: Many spam articles created - No clue

Post by florian_g » Mon Dec 21, 2020 8:59 pm

Hello again!
I did some research about those fake articles and links to my site and I found this:
  • my site was indeed hacked in 2016 (I have a file backup but without database)
  • probably (certainly) there were some articles created (never saw one, but surely they were made for bots. I found some malicious .php files that were made for that purpose but I don't understand them)
  • other blogs and sites had the same fate as mine and were abused in the comment section with comments that contain links to articles created on my site
  • the sites I found have comments generated in that time period, 2016, when my site was compromised
  • most of the hits on those fake articles are made by bots (ahrefsbot, googlebot, etc) that follow links from those compromised blogs where spam comments still exist
  • most hits return a 404 error - but I found a URL that returned a 200 code and points to a live article (this page contains a valid article but also a section of my site that was supposed to show only on the homepage). I attach a picture of this.
https --://mysite/60-mg-prednisone-for-5-days-no-taper - FAKE
https --://mysite/40-retapitare-pat-piele-ecologica - ORIGINAL

I searched the database for a URL term but I didn't find anything. Could it be due to the fact that the URL begins with numbers (40 in the legit article and 60 in the fake one)?
strange valid url.jpg

sozzled
I've been banned!
Posts: 13639
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: How do you know that spam **articles** exist when you can't find them?

Post by sozzled » Mon Dec 21, 2020 9:17 pm

I cannot add to this discussion except to again refer people to research "Who’s snooping around your website?" and/or "referrer spam" at Google. As I've written earlier, the purpose of referrer spam, involving the abuse of comments, discussion forums, etc. around the web to relate mywebsite.com = spam by creating link farms that litter Google, is to cause panic, anxiety and distrust.

If you cannot find any real articles that are unrelated to your website then those articles probably do not exist and you could spend months (or a large part of your budget) going down empty rabbit holes.

Yes, websites do get hacked and, yes, hacked websites are a pain. That's life.

There's no scientific evidence to suggest that articles containing IDs > x (where x is some random number) are real or fake.

As I wrote before, the way to analyse these situations is to dig into the server log and find where the GET requests are originating. If GET requests to bogus articles originate from within the target domain then I would suspect that there's something at the target domain generating the links. If the GET requests originate external to the domain then you're probably wasting your time trying to remove the sources; the only thing to do in those situations is to redirect links to bogus URLs elsewhere ... or redirect them back to their source if you want.
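
The server-log check described in the post above, as an added example (not part of the thread and not Joomla code): for each URL reported by Google Search Console it tallies whether GET requests arrive with an internal, external or absent referrer, and which status the site returned. The host name `mysite.example`, the log lines and the third path are constructed, and the Apache/LiteSpeed "combined" log format is an assumption about the server.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Apache/LiteSpeed "combined" access-log format (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

SITE_HOST = "mysite.example"  # assumption: the site's own host name
SUSPECT_PATHS = {             # e.g. the URLs listed in Google Search Console
    "/60-mg-prednisone-for-5-days-no-taper",  # path quoted in the thread
    "/eat-more-carrots",                      # path from the thread's example
    "/constructed-internal-case",             # constructed
}

# Constructed sample lines (documentation IP ranges, .example hosts).
SAMPLE_LOG = """\
203.0.113.7 - - [21/Dec/2020:10:01:02 +0000] "GET /eat-more-carrots HTTP/1.1" 404 1024 "http://website2.example/comments?p=4" "Mozilla/5.0"
198.51.100.9 - - [21/Dec/2020:10:02:10 +0000] "GET /eat-more-carrots HTTP/1.1" 404 1024 "-" "AhrefsBot/7.0"
203.0.113.22 - - [21/Dec/2020:10:03:44 +0000] "GET /eat-more-carrots HTTP/1.1" 404 1024 "http://mysite.example.evil.example/" "Mozilla/5.0"
203.0.113.22 - - [21/Dec/2020:10:03:50 +0000] "POST /eat-more-carrots HTTP/1.1" 404 512 "-" "curl/7.68.0"
198.51.100.30 - - [21/Dec/2020:10:05:00 +0000] "GET /60-mg-prednisone-for-5-days-no-taper?x=1 HTTP/1.1" 200 18230 "http://blog.example/post/12" "Mozilla/5.0"
192.0.2.15 - - [21/Dec/2020:10:06:31 +0000] "GET /constructed-internal-case HTTP/1.1" 404 900 "https://mysite.example/index.php" "Mozilla/5.0"
192.0.2.15 - - [21/Dec/2020:10:06:40 +0000] "GET /40-retapitare-pat-piele-ecologica HTTP/1.1" 200 20111 "https://mysite.example/" "Mozilla/5.0"
this line is not in combined format
"""


def classify_referrer(referer, site_host):
    """Return (origin, host); origin is 'none', 'internal' or 'external'.

    The Referer header is supplied by the client, so treat it as a hint.
    """
    if referer in ("", "-"):
        return "none", ""
    try:
        host = (urlsplit(referer).hostname or "").lower()
    except ValueError:  # malformed URL in the header
        return "none", ""
    if not host:
        return "none", ""
    # Exact host or a true subdomain only: "mysite.example.evil.example"
    # must not count as internal.
    if host == site_host or host.endswith("." + site_host):
        return "internal", host
    return "external", host


def analyse(log_text, site_host, suspect_paths):
    """Tally origins, statuses and external referring hosts per suspect path."""
    report = defaultdict(
        lambda: {"origins": Counter(), "statuses": Counter(), "ext_hosts": Counter()}
    )
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m is None or m["method"] != "GET":
            continue  # unparseable line, or not a GET request
        path = urlsplit(m["target"]).path  # drop any query string
        if path not in suspect_paths:
            continue
        origin, host = classify_referrer(m["referer"], site_host)
        entry = report[path]
        entry["origins"][origin] += 1
        entry["statuses"][int(m["status"])] += 1
        if origin == "external":
            entry["ext_hosts"][host] += 1
    return dict(report)


def verdict(entry):
    """Map one path's tallies onto the cases discussed in the thread."""
    if entry["origins"]["internal"]:
        return "internal"       # links originate from the site itself
    if entry["statuses"][200]:
        return "served-200"     # the site answers this URL: check what it returns
    return "external-only"      # dead links placed on other sites


if __name__ == "__main__":
    for path, entry in sorted(analyse(SAMPLE_LOG, SITE_HOST, SUSPECT_PATHS).items()):
        print(path, verdict(entry), dict(entry["origins"]), dict(entry["ext_hosts"]))
```
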

