tony spencer

So Brett Tabke has let the bots back in after a short breakup. Earlier this year I struggled to understand the reasoning for the Disallow : / and it never really made sense. A few weeks ago I finally learned the true story from a friend. Tabke was cloaking Webmasterworld and the cloaked homepage was linking to his SearchEngineWorld.com site. Google came along and warned him about it, Brett said F-U to Google, Google began de-indexing WMW, and Brett disallowed all to cover his ass.

I’m amazed by the number of times I heard Merry Christmas this year. Only now have I realized that I had turned in my Christmas spirit for a boring ‘Happy Holidays’ spirit about 5 years ago. Even SEO geeks like Andy throw caution to the wind and wish a Merry Christmas. Nice. Even my favorite chef is doing it.

Today I was having a hard time updating my Amazon wishlist so my family can buy me gifts that I actually want. So I decided to get ideas by looking up Amazon wishlists that my friends created. Then it occurred to me that it would be fun to see what folks in the SEO/Search industry wanted in their stocking this Christmas.

Jim Boykin – His wishlist
Jim has a nice list of books including the obligatory Seth Godin “Unleashing the Ideavirus”. Looks like Jim is looking for help executing on ideas and on being a better manager.

Andy Beal – His wishlist
Andy’s wishlist is devoid of business publications. Who would want to read more about search or marketing when you digest as much as Andy does each day? Andys’ looking for the perfect colors for his home.

Aaron Wall – His wishlist
Damn Aaron! You win the award for the biggest wishlist with 198 desired items. Looks like Aaron is trying to build on his prior investment success with his Google stocks as well as brush up on his grammar for all that heavy blogging.

Jensense – Her wishlist
Jennifer is a fan of the soap opera All My Children. Come on Jenn! If you’re going to spend an hour watching soaps its gotta be Y&R! We all could use some business tips from Victor.

Matt Cutts – His wishlist
Matt wants to unwind with some heavy riffs (Great choice BTW. Loads of fun.) Also it looks like Mr. Cutts is suffering from disorganization, and has a soft side for his kitty. It’ll be interesting to watch this wishlist and see how many people attempt bribery through Amazon gifts.

Jason Duke – His wishlist
Spammers need gifts too! Looks like Jason is dabbling in a bit of code hacking as well as mind hacking. No surprise there. Did you ever notice how JasonD takes the Matt Cutts approach and avoids the sauce while everyone else is pounding down beers? Big question Jason: SEO for Dummies??!!

Todd Malicoat – His wishlist
Todd shares Aaron’s interest in Al Franken, as well as my desire to pick up The Tipping Point. And it looks like Todd is working on his abs.

Chris Pirillo – His wishlist
Not much insight with this short wishlist. Chris seems to be a big They Might Be Giants fan.

Sergey Brin – His wishlist
Sergey wins the prize for the most expensive item ($10,995.00) on a wish list for some kind of wakeboarding machine that he can cruise around Google lake on.

Jeremy Zawodny – His wishlist
Jeremy is looking for the best strategy to deal with all of his Yahoo stock options and he shares my love for John Cusack movies and David Sedaris humor. BUT Jeremy wins the award for the most interesting item on a wishlist. Looks like Mr. Zawodny wants to learn more about the mysterious workings of the female clitoris.
Update : Jeremy trimmed back his list including ‘Clitourist’. I didn’t mean to embarrass you too much Jeremy. Anyway, screenshot.

If you are somebody in the search industry and I failed to find your wishlist send me a comment.

Earlier this week I became aware that one of my domains was blacklisted on SpamCop. Ouch. My first thought was that it was no big deal. I’ve often been blacklisted by Yahoo and others simple because I send out opt-in emails (very tame stuff like order confirmations). Its a pain but you typically just have to prove that you aren’t a spammer and you’ve just tripped a sensitive filter.

Unfortunately after much digging through logs I realized this wasn’t the case. I was the victim of a rapidly spreading exploit known as email injection that took advantage of my super secure, locked down tight as a drum code.

Heres how email injection works:
A would be spammer (the email variety, not a search engine spammer) googles for an email contact form. If they find a ‘contact us’ page that is vulnerable they manipulate the form fields to add/change email headers. They accomplish in much the same way a hacker would perform SQL injection or website search results injection. By entering hexadecimal characters in the form field they are able to add carriage returns and spaces. So the following string entered in a form field such as “Your Email”:

“sender@somesite.www%0ACc:victim@victimsdomain.xxx%0ABcc:victim2@victimsdomain.xxx,victim3@victimsdomain.xxx”

will result in a carbon copy of the email being sent to victim@victimsdomain.xxs and a blind carbon copy being sent to victim2@victimsdomain.xxx and victim3@victimsdomain.xxx

As you can see it is easy to manipulate the headers and as a result you can get really fancy and change the subject of the email, mime-type, sender, and the body of the message. The end result is an email open relay. I grabbed a couple of IP’s that were used to POST the data and sure enough they were listed in my database of current open proxies. SecurePHP has a full rundown of the examples.

To secure your email contact form, check each form field against this function. If any one of them fails you can report an error or just silently bail on sending the email. I don’t believe that its necessary to run this check on the body field of the message as this doesn’t have any effect on the headers.

function containsInjectionAttempt($input) {
if (eregi(“\r”, $input) ||
eregi(“\n”, $input) ||
eregi(“%0a”, $input) ||
eregi(“%0d”, $input) ||
eregi(“Content-Type:”, $input) ||
eregi(“bcc:”, $input) ||
eregi(“to:”, $input) ||
eregi(“cc:”, $input)) {
return true;
} else {
return false;
}
}

The problem even exists for the popular CMS Drupal. I can’t tell from this bug report if its been fixed yet but it appears to still be an open issue so you may want to run a test on your own site if you are running Drupal.

About a dozen SEO’rs met up last night for an informal meetup at a London bar. We sent out the invites about a week ago and someone managed to get an email to the infamous black hat master NIK. Low and behold he showed up! I don’t really know if anyone has actually seen him in the flesh. He got quite drunk but didn’t let any secrets slip. However with a little persuasion I did manage to snap a couple of photos with my cell phone. If you’re reading this NIK, please don’t bring down my sites for outting you.

Mike Nott and Andre Chaperon have actually backed me up on this so as they say in London I’m not just taking a piss.