Flag threads with 'dofollow' link attributes for spam review

[jonoaldersonwp]

Forum threads where links have been added which contain a dofollow value in the rel attribute - like ​https://wordpress.org/support/topic/clash-of-magic/ and ​https://wordpress.org/support/topic/clash-of-clans-mod-apk/ - should be flagged as spam, and temporarily hidden/archived, pending moderating review.

Despite us procedurally adding a nofollow attribute, these types of threads are being created as a crude type of SEO tactic on behalf of the linked-to sites.

NB, ​https://wordpress.org/support/topic/clash-of-clans-mod-apk/ alone received ~4.4k visits from Google in the last month.

[tellyworth]

Did the dofollow attribute remain in the final output? We should certainly be stripping that.

Flagging these seems like Akismet's job.

[tellyworth]

The Akismet folks are investigating. It sounds like they'll have a solution shortly.

We should still strip out those links. Searching the forum for other examples would probably be fruitful.

[dd32]

I went digging and found several examples, many flagged by the moderation team.

We run a variant of ​wp_rel_ugc() on the forums but that doesn't remove the dofollow flag that's in there.. The variant we run was because wp_rel_ugc() didn't yet exist.

It looks like the core wp_rel_nofollow() & wp_rel_ugc() needs to be enhanced to remove dofollow.

Both core and the forums variant relies upon ​wp_rel_callback() which doesn't have the ability to remove rel pieces, so I guess we'll probably have to end up inlining that function into our custom one to remove the dofollow item.

All in all, this is not a WordPress.org-specific problem, and a core ticket should be made. We can workaround this on W.org through akismet spam protections, but we might as well also write the code and submit it to core.

[dd32]

Actually, I'm tempted to suggest this can be closed as invalid if Akismet treats it as spam.

The HTML spec doesn't support a dofollow rel attribute, even if one is present, we add a nofollow ugc value to it as well. I can't find any references to it being supported by any major search engine either.

This has lead me to think that those who specify it in spam are attempting to bypass bad link filters that skip adding a nofollow when there's already a rel attribute, the presence of the value doesn't actually affect anything.

[jonoaldersonwp]

We're at risk of getting a little off track here.
The issue isn't that rel 'dofollow' is present, or harmful. The issue is that we've failed to identify these example threads as spam, when the presence of this attribute is an extremely strong spam signal.

Agreed that the assumption by the attackers here is that "dofollow + nofollow" cancel each other out in some sense. This obviously isn't the case.

I'm nervous about us removing arbitrary rel properties when there might be valid use cases for them.

[tellyworth]

Akismet should catch these for us in future. It's not a 100% black & white issue, since someone might innocently paste some code asking for help.

[dd32]

I'm nervous about us removing arbitrary rel properties when there might be valid use cases for them.

I can't see that being the case in user-submitted content :)

I've reviewed most of the rel=dofollow threads and over half of them were detected as spam, I've reported another bunch of recent ones as spam so I think we can consider this fixed.