Web Spam: Some Scams Directed at Webmasters and Siteowners

Posted by on Mar 8, 2015 in Blog | 0 comments

Spammers play a numbers game. They send out thousands of messages and will be happy if only one mark will fall for it. It’s cheap for them to send the messages and the potential return is great. Your standard spam email paints with a very broad brush, targeting everybody with an email address, offering just as many diverse goods and services. But a good marketer wants to target a more specific demographic. How about addressing just website owners? Nothing easier than that. Send spam comments to their blogs, don’t be afraid to use the “Contact Us” page or if you are really good, spam their weblogs and Google Analytics accounts.

Well Known Spam

spam-sm“Hey webmaster,When you write some blogs and share with us,that is a hard work for you but share makes you happly right? yes I am a webmaster too,and I wanna share with you my method to make some extra cash,not too much maybe $100 a day. but when you keep up the work,the cash will come in much and more. more info you can checkout my blog below”

That’s your standard comment spam which can be found also in email that comes in through your contact page.

“Insert your standard offering for first page Google rankings and something about not using bold or italic often enough on your webpage in English worse than mine.”

In the messages above it’s obvious who the target is: the owner or operator of a website. Go ahead, ignore it, send it to the trash. Install a spam blocker on your website. It’s unlikely you will be able to make it go away completely.

What is Referrer Spam?

Google_Analytics_2014So you have been a responsible small business owner who actually pays attention to what’s going on with your website. You are using Google Analytics to check on your monthly traffic, who visited your site and how they got there. Then, next to Facebook, Google and perhaps Craigslist some site named pops up as a referrer, ranked #4 in your traffic log.

Who or what is “a professional webmaster analytics tool that opens the door to new opportunities for the market monitoring, yours and your competitors’ positions tracking and comprehensible analytics business information.”, says one of their taglines. Well, so is Google Analytics and you don’t see it showing up in your statistics. In fact, you don’t see a single bot showing up, because none of the good bots like googlebot, bingbot or others executes the javascript that’s needed to trigger an entry into Google Analytics. does it deliberatly because they want to appear in your statistics and get you interested in their “product”. They are not interested in your site or what you are selling on your site. They want to sell their “professional webmaster analytics tool” to you. No thanks.

There are two ways how to deal with this: exclude it from the statistics, which is easier to do or block them entirely, which needs some technical expertise. More about this in a moment.

Advanced Referrer Spam: Affiliate links

If you don’t have anything to sell yourself, sell other people’s products and get a commission. That’s what affiliate marketing is about. You link to a product, for instance, and you get a certain amount of money into your account (#4957) for every product that’s being sold for a certain amount of time (typically 30 days). The affiliate link is mine. It leads to my hosting provider who wants me to promote their services. It makes sense, I am a webdesigner and local SEO expert. I get asked which hosting company to use all the time. I also disclose when I am sending you to a site where I make money if you buy there.

Here is something sneakier: Somebody recently told me that he gets 20% of his traffic from a site . If you follow to the site, you will immediately be redirected to a site at through a link that, you guessed it, contains an affiliate ID. Which means, every webmaster who sees the link and wonders what’s behind will click on it. One in a thousand may actually end up buying something at, creating income for the spammer.

There are more referrer spammers out there who just try to appear in your statistics and try get you to follow the link.

How To Get Rid of Referrer Spam?

As I said before, you can either block them altogether or at least stop them from showing in the statistics. Here’s a (non-affiliate) link to an article and a video about how to keep out of your Google Analytics statistics at Hello SEO Copywriting.

Raventools here explains how to keep them away from your site by blocking them in your .htaccess file, the place where all the bad boys like spammers and hackers end up.


As if you need to be told: Be careful what links you click and always consider who is sending you certain messages. If you’ve never been in contact with them, there’s a good chance it’s spam. Also, the scammers will find new ways to trick you as fast as you Apple roles out new phones and watches. Faster, actually.

P.S. For obvious reasons I didn’t markup the scammer’s sites as links. Why would I give them any help at all. Besides, you aren’t supposed to go to their sites because they are not trustworthy.

How to Defend Against Hackers and DDOS Attacks

Posted by on Feb 11, 2014 in Blog | 1 comment

In the last couple of days another series of large scale distributed denial of service (DDOS) attacks has hit the internet.  (1) Wordfence Blog(2) ITNews, Australia   It is again the old arms race: as defense mechanisms get more and more sophisticated, the attackers get smarter, too. The last big DDOS attack against spam blocker SpamHaus produced traffic of 300 Gigabit per second. That’s 12,000 high speed (25Mbps) internet connections for your home, downloading at full throttle. The new attack averaged 350Gbps with peaks at 400Gbps.

Secured Webserver! Keep Out!

What is a distributed denial of service attack?

During a DDOS attack websites and other internet services are bombarded with traffic in order to shut the service down or to gain privileged access. There is a small problem, though. In order to create this massive traffic you need the help of other computers. You often can force other computers to do just that by sending them requests with fake sender addresses or massive reply-to lists. The Domain Name Service DNS used to be the weak spot to do this, but the newest attack is using NTP, the protocol used to keep the time in sync around the world.

What can be done?

There’s actually a nice list of actions that cans be taken with relative small effort and at little to no cost.


CloudFlare was already in the vanguard fighting to mitigate the Spamhaus attack and is again in the midst of things with the current attack, fighting the good fight. CloudFlare is a content delivery network, which helps you speeding up your website, but offers also a massive security layer. On Feb, 8th traffic to the websites I manage increased by a factor of nine and most of it (88%) was rejected by CloudFlare and never reached the hosting service. Needless to say, I will use CloudFlare on all the sites I manage. They offer a very powerful free plan, but sites using SSL need to sign up for their Pro plan.


Wordfence is a WordPress security plugin. It does a few things very well and again for free. A paid option is also available.

  • Wordfence blocks suspicious activity and access from suspicious sources. It also shares this with their command center and distributes block-lists back to the participants. Which means if an attacker gets blocked by Wordfence on some site in the network, it will be blocked on your site right away.
  • It scans your site for vulnerabilities and compares your WordPress installation against a reference list to see if anything has changed. Changed WordPress files often indicate a compromised site that will be used as a virus vector a link scheme or other malicious activities.
  • It also logs live traffic, be it your regular human visitors, Google crawlers and most importantly successful and failed logins.
  • Another log which raises awareness is the “Page Not Found” log. It shows who tried to access these pages and more importantly, which pages. The list tells clearly were there are currently vulnerabilities in websites and who is trying to probe them. For a long time, you could see requests for timthumb.php indicating a weakness in the thumbnail generating software. Current favorite seems to be connector.asp (which is usually irrelevant for WordPress sites)

Some best practices

The list here is long and many can be found on the web. I just want to mention a handful, mostly things that can be done by the user:

  • Strong passwords. See . It takes seconds for a computer to guess an 8 character password.
  • Unique passwords for each site. Use a password manager like LastPass if you can’t remember them all.
  • Hide your admin account by renaming it. It creates more guesswork for the attacker
  • Have only needed plugins installed on your WordPress site. Delete the rest.
  • Keep your installation up-to-date. Update your plugins, themes and WordPress installation as soon as you can. Most updates are security related.


Regular backups won’t prevent hackers from gaining access to your site, but you’ll need them if your site has been compromised. You may need actually multiple versions: one for the last 7 days, and perhaps one for the last four weeks. If your site has been compromised, it is possible that it will take you a while until you notice and your last good backup may be as old as 4 weeks. Come to think of it, make it one more backup for each of the last 6 month.

What’s the golden rule for backups? Learn to restore before you need it. Imagine your site is down and you want to have it back up asap. That’s bad time to watch that how-to-restore tutorial.


Security measures rarely can keep a dedicated attacker away. But they need to be put in place to slow down attackers and to make it costly for attackers. As long as it is more expensive for attackers to hack your site than their potential gain, you are safe. But it will slow you down as well, since some of the measures make it inconvenient for you as well. Don’t give up security for convenience.

The weakest spot in security is the human. Don’t be to lazy to keep your website up-to-date. (It’s okay to hire me for that task). And don’t be reckless with your passwords. Make them complex so it takes a lot of time to guess them and use different ones at each site to avoid your password being sold on the internet for use on other sites.



Image Credit:

Let’s talk about Yext !

Posted by on Jan 28, 2014 in Blog | 0 comments

Being able to be found by their customers is one of the major success factors of a local business. Aside from the search engines directory listings, social media websites and mobile applications have become major tools in directing a customer to a store, a work shop or a contractor. There’s just one problem for the business: there are so many sites and applications listing their business information, allowing for reviews and a offering a social media presence. Keeping track of all listings and maintaining them for accuracy becomes quite a task for the business owner or the employees.

 Yext Directory Network

Yext Powerlistings is a tool that allows to supply more than 50 websites, applications and databases with the key information of a business, like address, business categories, a description of services and more. You’ll need only the Yext account to get listed, no need to sign up on more than 50 sites and manage login and passwords.

The listings provided through Yext are enhanced over the listing site standard free offer. Often you can add special offers, describe your services in great detail, inform your customers about upcoming events or general news.

As an added feature, Yext will keep track of all reviews that are coming in through sites that allow them, including notification by email. Add reports and analytics of your search performance across all sites and you have a nice tool to manage your small business’ web presence.

 device neutral listings

All listings appear on a device neutral manner, including on specialized smartphone apps.

yext-certified-parnter-posFeliz Mobile Applications is a Yext Certified Partner. Check the status of your listings and directory entries here. Markup for YouTube Videos

Posted by on Nov 20, 2013 in Blog | 2 comments

If you make it easier for a search engine to learn what’s on your website, the search engine will reward you with better rankings or better descriptions in the results pages (SERP). For example, you can help Google (Bing, Yahoo, Yandex, Baidu,..) to recognize videos on your site by adding markup data to the video. The exact specification how you can do that can be found at . Here’s a more reasonable approach, useful if your video is already on YouTube, Vimeo or any other hosting service.

Here is an example how Google wants you to markup a video :

<div itemprop="video" itemscope itemtype="">
  <h2>Video: <span itemprop="name">Title</span></h2>
  <meta itemprop="duration" content="T1M33S" />
  <meta itemprop="thumbnailUrl" content="thumbnail.jpg" />
  <meta itemprop="contentURL" 
        content="" />
  <meta itemprop="embedURL" 
        content="" />
  <meta itemprop="uploadDate" content="2011-07-05T08:00:00+08:00" />
  <meta itemprop="expires" content="2012-01-30T19:00:00+08:00" />"
  <span itemprop="description">Video description</span> 

You need to provide the data for each itemprop element. Name, Duration, UploadDate and Description are fairly obvious, the remaining ones can be complicated. Usually all you have is the video id, which is part of the embed link given to you by YouTube. But where are your thumbnails and your contentURL ? Google will help you with their structured data testing tool. The tool extracts markup data from existing pages. Why not extract it from the original YouTube page. Here’s a small segment of the output for one of my client’s videos.


name: Total Concept Salon
description: An affordable, upscale salon in Cary, NC.
paid: False
channelid: UCQNhu_diGlF7OCFoGOw4gcQ
videoid: m6fmZOhs5N4
duration: PT1M1S
unlisted: False
Item 1
Item 2
Item 3
playertype: Flash
width: 1440
height: 1080
isfamilyfriendly: True
regionsallowed: AD,AE,AF,AG,AI,AL,AM,AO,AQ,AR,AS,AT,AU…


This reveals a few things: the thumbnailURL, the embedURL and the encoding for the duration. We also see that Google doesn’t set the contentURL, nor an upload or expiration date. Which means we don’t have to do it either. However, the output mentions just an URL, thus we just add it to our markup.


Let’s apply this to the example of my client’s video:
<div itemprop="video" itemscope itemtype="">
  <p>Check out our new 
   <span itemprop="name">Total Concepts Salon</span> 
   commercial on YouTube !
  <meta itemprop="duration" content="T1M01S" />
  <meta itemprop="thumbnailUrl" 
      content="" />
  <meta itemprop="URL" 
      content="" />
  <meta itemprop="embedURL" 
      content="" />
  ..actual embedded URL here..
  <span itemprop="description">An affordable, upscale salon in Cary, NC.

Google Adwords Revenue at $121 Million per Day

Posted by on Oct 26, 2012 in Blog | 0 comments

According to this article Google is bringing in more than $100 million per day via AdWords.

Quoting the article:

Though investors seemed disappointed by Google’s third-quarter numbers, its core AdWords business is going like gangbusters, according to a new study  by WordStream. The software company found Google earning $100 million a day through AdWords in Q3, serving 5.5 billion impressions per day on search pages and 25.6 billion impressions per day on the Google Display Network.

The article is a pretty interesting look into the world of online advertising. Here are a couple of key numbers: The average click-through rate (CTR) is 3.5% for search and 0.18% for display. Average cost per click (CPC) is $0.53 for search and $0.35 for the display network. And finally the conversion rate is 5.63% for search and 4.78% for display ads.

What does this mean? A conversion on the search engine costs you on average 20 times the cost per click. This comes to $9.41 for the search network and $7.31 for the display network. Please bear in mind these are grand averages, the actual costs can vary widely by industry, market, profession or location and yes, even the time of day.  The CPC for a limited area can be 10 times as high as a US wide search.

The only way to find out the exact cost is to use the tools available with a Google AdWords account. Google currently hands out coupon codes for $100 worth of free advertising, if you spend $25 of your own. Please use our contact form and we will send you a code, no strings attached.


  • (CTR) click-through rate = percentage of visitor who see the ad and actually click to see what’s behind it.
  • (CPC) cost per click = amount of money paid if somebody clicks the ad. Just displaying the ad is free. Advertisers bid for their ads to be placed.
  • Conversion rate = percentage of visitors to your website who perform certain key actions typically within a month after they clicked an ad. Those key actions can be things like signing up to a mailing list, actually ordering something from your online store or just leaving a message through a contact form.

Have Some Cake

Posted by on Aug 14, 2012 in Blog | 0 comments

Here’s a great example of a small business webpage: Angel Cake Creations of Cary, NC. They create, decorate and customize cakes. From kids and adult birthday cakes, to cakes for special occasions like your office party to wedding cakes. You’ll find the structure of the website in many other small business sites:

  • About the nature of the business.
  • What we do for our customers.
  • Who we are, you are dealing with people after all.
  • A gallery of offerings, with pictures across multiple pages, easily managed after the site goes life.
  • A Pricelist and a Contact page
  • A blog, to keep the customers engaged and report about what’s happening at this business

Here is a screenshot:

Angel Cake Creations Screenshot

For a small local business the most important factor for a website is getting found. According to a recent survey among SEO experts, the most important factor is Google Places. Get your business properly listed there and you have already won half the battle:

  • Proper address and categorization in Google Places
  • Authority of your website, which is hitting the right keywords in search and if other sites link to you.
  • Be listed in business directories.
  • Proper address on the webpage
  • Quantity, Quality and Authority of citations and reviews

Once these aspects are clear, the goal of a well placed search engine listing is easily conquered with due diligence. Most of it depends on you, our customers, since you are the one that knows your business best.

NolanDalla.Com is live

Posted by on Jul 27, 2012 in Blog | Comments Off on NolanDalla.Com is live

My friend Nolan Dalla asked me to help him creating his blog. I know Nolan as a writer of poker and sports betting advice and great travel reports. His rants are a work of art and he is open to state political opinions.

Nolan Dolla Blog Home Page


Within a few days of moving things around and discussing features of the blog, we came up with this layout. It is using WordPress together with the Trim theme by Elegant Themes. We did some tweaks to modify the color scheme and add a few buttons. We’ve also added a Twitter integration to get the word out when new articles appear.  We picked Westhost as hosting provider, but had to use a different domain registrar since the domain was in existance before we started the project. Some tutoring in the general use of WordPress and some search engine optimization (SEO) advice is part of the package.


Update: August 2012

Some time has gone by and the blog took off very well, due to Nolan’s writing prowess and the fact that he is well known among his peers. Within 2 weeks the number of followers on twitter went from 20 to now 550. Those twitter followers drop by regularly to read their daily essay. We had to make some changes, like going from black background to white background, since many readers complained about it. It seems to be a common enough problem to consider it when deciding on a color scheme for a blog or a web page. Here’s another screenshot.Nolan Dalla Blog

Update: January 2014

It’s been a while. We have been updating the theme, changing out some images. Adding and removing plugins, for instance adding social media buttons. Some SEO measures were taken as well. The site is doing well. Nolan is adding content almost daily. He got a couple of shares on facebook that send the visitor numbers through the roof and some of his articles got linked by news outlets. The higher traffic volume made me take a hard look at the overall performance, but aside from a few tweaks, no major changes in the configuration or hosting plan were necessary. Here’s another screenshot: