Opened 4 years ago

Closed 4 years ago

#5497 closed defect (bug) (fixed)

Flag threads with 'dofollow' link attributes for spam review

Reported by: jonoaldersonwp
Owned by: dd32
Milestone:
Priority: high
Component: Support Forums
Keywords: seo spam
Cc:

Description

Forum threads where links have been added which contain a dofollow value in the rel attribute - like https://wordpress.org/support/topic/clash-of-magic/ and https://wordpress.org/support/topic/clash-of-clans-mod-apk/ - should be flagged as spam, and temporarily hidden/archived, pending moderating review.

Despite us procedurally adding a nofollow attribute, these types of threads are being created as a crude type of SEO tactic on behalf of the linked-to sites.

NB, https://wordpress.org/support/topic/clash-of-clans-mod-apk/ alone received ~4.4k visits from Google in the last month.

Change History (8)

This ticket was mentioned in Slack in #forums by carike.


4 years ago

#2 @tellyworth
4 years ago

Did the dofollow attribute remain in the final output? We should certainly be stripping that.

Flagging these seems like Akismet's job.

#3 @tellyworth
4 years ago

The Akismet folks are investigating. It sounds like they'll have a solution shortly.

We should still strip out those links. Searching the forum for other examples would probably be fruitful.

#4 @dd32
4 years ago

  • Owner set to dd32
  • Status changed from new to accepted

I went digging and found several examples, many flagged by the moderation team.

We run a variant of wp_rel_ugc() on the forums but that doesn't remove the dofollow flag that's in there. The variant we run was because wp_rel_ugc() didn't yet exist.

It looks like the core wp_rel_nofollow() & wp_rel_ugc() need to be enhanced to remove dofollow.

Both core and the forums variant rely upon wp_rel_callback() which doesn't have the ability to remove rel pieces, so I guess we'll probably have to end up inlining that function into our custom one to remove the dofollow item.

All in all, this is not a WordPress.org-specific problem, and a core ticket should be made. We can work around this on W.org through Akismet spam protections, but we might as well also write the code and submit it to core.

#5 @dd32
4 years ago

Actually, I'm tempted to suggest this can be closed as invalid if Akismet treats it as spam.

The HTML spec doesn't support a dofollow rel attribute; even if one is present, we add a nofollow ugc value to it as well. I can't find any references to it being supported by any major search engine either.

This has led me to think that those who specify it in spam are attempting to bypass bad link filters that skip adding a nofollow when there's already a rel attribute; the presence of the value doesn't actually affect anything.

#6 @jonoaldersonwp
4 years ago

We're at risk of getting a little off track here.
The issue isn't that rel 'dofollow' is present, or harmful. The issue is that we've failed to identify these example threads as spam, when the presence of this attribute is an extremely strong spam signal.

Agreed that the assumption by the attackers here is that "dofollow + nofollow" cancel each other out in some sense. This obviously isn't the case.

I'm nervous about us removing arbitrary rel properties when there might be valid use cases for them.

#7 @tellyworth
4 years ago

Akismet should catch these for us in future. It's not a 100% black & white issue, since someone might innocently paste some code asking for help.

#8 @dd32
4 years ago

  • Resolution set to fixed
  • Status changed from accepted to closed

> I'm nervous about us removing arbitrary rel properties when there might be valid use cases for them.

I can't see that being the case in user-submitted content :)

I've reviewed most of the rel=dofollow threads and over half of them were detected as spam; I've reported another bunch of recent ones as spam, so I think we can consider this fixed.
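
Added example (not part of the ticket, and not WordPress core or WordPress.org forum code): a stand-alone PHP illustration of the filter weakness described in comment #5, next to a version that merges rel tokens, drops dofollow, forces nofollow ugc, and records the link as a review signal as comments #6 and #7 discuss. All function names are hypothetical and the sample post is constructed.

```php
<?php
// Added example; function names are hypothetical, not WordPress APIs.
// Regex tag matching is a simplification: attribute values containing ">" are not handled.

// The weak filter comment #5 describes: an existing rel attribute is left alone.
function naive_add_nofollow( string $html ): string {
    return preg_replace_callback( '/<a\s([^>]*)>/i', function ( $m ) {
        if ( preg_match( '/(?<![\w-])rel\s*=/i', $m[1] ) ) {
            return $m[0]; // rel already present, so nofollow is never added
        }
        return '<a ' . trim( $m[1] ) . ' rel="nofollow ugc">';
    }, $html );
}

// Merge every rel value, drop "dofollow", force "nofollow ugc", and record the
// original tag as a moderation signal (a signal only: it may be pasted code).
function harden_rel( string $html, array &$signals ): string {
    // Matches rel=... but not data-rel=...; value may be double-, single- or unquoted.
    $rel_re = '/(?<![\w-])rel\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/i';
    return preg_replace_callback( '/<a\s([^>]*)>/i', function ( $m ) use ( &$signals, $rel_re ) {
        $tokens = array();
        preg_match_all( $rel_re, $m[1], $found );
        foreach ( $found[1] as $raw ) {
            $value  = strtolower( trim( $raw, "\"'" ) );
            $tokens = array_merge( $tokens, preg_split( '/\s+/', $value, -1, PREG_SPLIT_NO_EMPTY ) );
        }
        if ( in_array( 'dofollow', $tokens, true ) ) {
            $signals[] = $m[0]; // keep the submitted tag for moderator review
        }
        $tokens = array_diff( $tokens, array( 'dofollow' ) );
        $tokens = array_unique( array_merge( $tokens, array( 'nofollow', 'ugc' ) ) );
        $attrs  = trim( preg_replace( $rel_re, '', $m[1] ) ); // remove all old rel attributes
        $rel    = htmlspecialchars( implode( ' ', $tokens ), ENT_QUOTES, 'UTF-8', false );
        return '<a ' . ( '' === $attrs ? '' : $attrs . ' ' ) . 'rel="' . $rel . '">';
    }, $html );
}

// Constructed sample post body.
$post    = '<a href="https://spam.example/" rel="dofollow">mod apk</a>';
$signals = array();
echo naive_add_nofollow( $post ), "\n";
echo harden_rel( $post, $signals ), "\n";
echo count( $signals ), " link(s) flagged for review\n";
```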
