Yell if Microsoft’s Live.com Spammed You Too - Updated
The bot analysis continues, and this post presents evidence indicating that Microsoft is spamming websites. A big claim, I know, but I can't find a better explanation. You'll have to decide.
The summary: IP addresses belonging to Microsoft are requesting pages from eKstreme.com and blogSci.com (my science blog) with HTTP referer headers suggesting that the hits were from live.com searches. These referer headers are spoofed as the keywords from these supposed searches are sometimes in no way related to the requested page. Additionally, for most of the other supposed searches, the requested pages do not rank in the top 10 (first page of results) in a way to send this traffic.
For some odd reason, the webmaster community has known about this for a couple of months. In September, SE Roundtable posted about other webmasters complaining about this spam. Surprisingly, we also got official confirmation (via a WMW thread) from msndude that this indeed happening and it's (and I'm quoting) "part of a quality check we run on selected pages". This is an unacceptable explanation as you'll see from the data below because it has none of the hallmarks of a quality check but all the marks of referral spam.
The hits discussed below are extracted from the blogSci.com data to keep things simple, but a similar data set exists for eKstreme.com.
The Hits
The whole list of hits is way too long to quote in full here, so here is a sampling of my favorite requests:
- At: 17 August 2007 05:53:27 PM GMT
- Routed to: /index.php
- Referred from: http://search.live.com/result.aspx?q=make+money+online&mrt=en-us&FORM=LVSP
- Remote: bl2sch1082213.phx.gbl [] (65.55.165.119)
- Request: HTTP/1.0 GET
- Accepting:
- HTTP: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
- Charset:
- Enconding:
- Languages: en-us
- UA: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322)
- Cookies:
- At: 18 August 2007 03:05:43 PM GMT
- Routed to: /index.php
- Referred from: http://search.live.com/result.aspx?q=make+money+online&mrt=en-us&FORM=LVSP
- Remote: bl2sch1082008.phx.gbl [] (65.55.165.66)
- Request: HTTP/1.0 GET
- Accepting:
- HTTP: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
- Charset:
- Enconding:
- Languages: en-us
- UA: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322)
- Cookies:
These two hits above are the first I have in my records. What's amusing about them is that both supposedly came from a search for [make money online].
- At: 19 August 2007 03:55:48 AM GMT
- Routed to: /index.php
- Referred from: http://search.live.com/result.aspx?q=ticket&mrt=en-us&FORM=LVSP
- Remote: bl2sch1081815.phx.gbl [] (65.55.165.25)
- Request: HTTP/1.0 GET
- Accepting:
- HTTP: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
- Charset:
- Enconding:
- Languages: en-us
- UA: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322)
- Cookies:
This one is also very random: a blog post about a cool new magnet-based technology to create colors is ranking in the top 10 for the query [ticket]? Not even Live.com generates such irrelevant results.
Anything more recent? Sure:
- At: 11 November 2007 03:26:43 PM GMT
- Routed to: /index.php
- Referred from: http://search.live.com/results.aspx?q=osteoporosis&mrt=en-us&FORM=LIVSOP
- Remote: bl2sch1081815.phx.gbl [] (65.55.165.25)
- Request: HTTP/1.0 GET
- Accepting:
- HTTP: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
- Charset:
- Enconding:
- Languages: en-us
- UA: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322)
- Cookies:
- At: 11 November 2007 03:29:24 PM GMT
- Routed to: /index.php
- Referred from: http://search.live.com/results.aspx?q=amazon&mrt=en-us&FORM=LIVSOP
- Remote: bl2sch1081909.phx.gbl [] (65.55.165.43)
- Request: HTTP/1.0 GET
- Accepting:
- HTTP: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
- Charset:
- Enconding:
- Languages: en-us
- UA: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322)
- Cookies:
At the time of writing, there are 245 such hits in my records since August 2007.
Not convinced? There is more. Some of these hits came within seconds of being indexed by MSNBot. The pattern is like this: the page is requested by MSNBot (which is authenticated, so it's genuine) and within a few seconds, the very same page is requested as described above with a live.com search are referer. An example:
- At: 10 November 2007 12:05:14 PM GMT
- Routed to: /index.php
- Referred from: (No referer.)
- Remote: livebot-65-55-209-143.search.live.com [] (65.55.209.143)
- Request: HTTP/1.0 GET
- Accepting:
- HTTP: text/html, text/plain, text/xml, application/*, Model/vnd.dwf, drawing/x-dwf
- Charset:
- Enconding: identity;q=1.0
- Languages:
- UA: msnbot/1.0 (+http://search.msn.com/msnbot.htm)
- Cookies:
- At: 10 November 2007 12:05:36 PM GMT
- Routed to: /index.php
- Referred from: http://search.live.com/results.aspx?q=problem&mrt=en-us&FORM=LIVSOP
- Remote: bl2sch1081810.phx.gbl [] (65.55.165.20)
- Request: HTTP/1.0 GET
- Accepting:
- HTTP: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
- Charset:
- Enconding:
- Languages: en-us
- UA: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322)
- Cookies:
The typical delay between the indexing request and the spoofed search hit request is 5-20 seconds.
How to Recognize the Fake Hits
Anyone staring at these hits long enough will see some signatures to detect them:
- Note how all of them have identical user agents (UA field) and pretty much everything else is identical (bar the the requested page and the referer).
- The IP adresses all belong to the same C-block, namely 65.55.165.*.
- All of the query strings in the live.com referrers have &mrt=en-us in them. Here in the UK, I get &mkt=en-gb when I really use Live.com for a search.
Needless to say, this smells like bot behavior.
An Analysis
Let's think about this for a minute: What on Earth is going? Why are these hits happening? I can think of two explanations:
- The tinfoil/sinister explanation: pure spam from MS. Why? So that webmasters see Live.com referrals coming in increasing numbers. This is not hard to hide: if you only get like 10 referrals from live.com a month, another 10 is a doubling but which sad webmaster would check those out (apart from me)?
- The "surely not" explanation: this is an automated way to check the search results to see where pages rank for keywords the page could potentially rank for. This is what msndude confirmed in the WMW thread, but as you can see above, it doesn't really look like a quality check. Also, if this is indeed a quality check, why not run it on the cached pages and not alert (and annoy) the webmasters? Microsoft have full access to their index and they should use it!
I subscribe firmly to the first explanation: the search keywords are spammy in some cases, always too general, the requested pages never rank in the top 10 as the referring URLs would suggest, the hits have identical user agents (i.e. not the typical variation you would expect from various people using normal browsers on different operating systems withing the same company to show) and the actual referring URL does not match what a human being searching on live.com generates.
In short: it's spam and not a quality control check. What do you think?
Update 1: DazzlinDonna from SEO Scoop has written an excellent background to this fiasco, and Michael VanDeMar is reporting that Microsoft is interfering with AdSense. Ouch.
Update 2: Yuri explains more background and asks What happens next?. Reuben Yau and Kichus have both blocked the IP addresses. Boy are people angry.
Update 3: This story has evolved since I wrote it. Some follow up posts:
Subscribe to Things of Sorts
If you liked this post, please subscribe to the Things of Sorts RSS feed: 
November 13th, 2007 at 8:09 pm
[…] various reasons, msndude’s answer is completely unsatisfactory, and the fact that this is still happening months later, without any further clarification from msndude is even worse. I’ve had some people bugging […]
November 13th, 2007 at 8:13 pm
We’ll see MICROS~1 gloat over “millions of new” Live Search users soon.
November 13th, 2007 at 8:16 pm
that’s a nice observation, I’ll check my webstats to see if I can find similar bot behaviours
November 13th, 2007 at 8:55 pm
I can verify this for my site. Last week, 108/141 hits from search.live.com came from a 66.55.165.* IP address, along with 36/45 so far this week.
Looking even further back, it looks like this started mid September. I have 2 such hits the week ending 2007-09-16, and 89 the following week.
November 13th, 2007 at 8:58 pm
An obvious reason to do this is to detect custom content being served to search bots that isn’t served to actual people, a common SEO(spam) tactic.
The fact that it’s a search for “make money online” does look way more like traditional referrer spam, though. While I’m perfectly willing to believe that MS might engage in referral spam, I can’t think of any reason for MS to do it for those particular keywords, and it’d be pretty easy to spoof your referral spam so it comes from an MS ip address. Perhaps thats part of the problem?
Are these posts copied directly from your logs? I note that the bogus looking requests (make money online and ticket) have “result.aspx” as the referrer, which the more legitimate search terms have the correct “results.aspx” referrer. Perhaps a referral spammer is trying to mask their actions by pretending to be Microsofts content checking bot.
November 13th, 2007 at 9:14 pm
Wow this is causing a bit of a fuss. Thanks for all the comments!
The IP addresses definitely belong to Microsoft. Also we have official confirmation from msndude. We have no evidence that these are open proxies, and as you say the keywords in the referrals are bogus. I hadn’t noticed the results/result.aspx differntiator - thanks for that!
Is it spoofed? Yes. Is it by MS? There is plenty of evidence to say yes and none to contradict it.
As for a cloaking check as arkanes: obviously it’s easy to detect the bogus hits, so it’s easy to cloak for them too. I doubt that’s the real reason.
Pierre
November 13th, 2007 at 10:39 pm
Yeah - I have many of these. I run a wedding photgrapher’s site.
We have had many fake links from Microsoft for the following search keywords:
atenolol,baccarat,BMW,bontril,cartier,clomid,
cyclobenzaprine,diazepam,hyandai,invicta,keno,
klonopin,nude,phentermine,plymouth,porche,
roulette,ultracet,ultram,valium
As you can see - none of them are relevant to the site. They all seem to be cars or drugs.
The hits date back to 10th Nov 2006, and all have come from two IP addresses:
131.107.0.95 tide525.microsoft.com
131.107.0.96 tide526.microsoft.com
Googling for “tide microsoft” shows that there are a lots of pissed off people, and also that they have been doing this crap since at least August 2005.
Just goes to show that they are totally on the slide and have no control over wtf is going on in their campus.
November 14th, 2007 at 1:43 am
I had noticed funny referrers now for several months, and I knew they had come from live. Originally I had thought it was just a weird mistake and they were ranking sites wrong in different areas (Live does a ton of geographic stuff in their algo). It wasn’t until later that I read another article today that they had been searching themselves on one of there “Quality control tools”. At least your not as bitter as the other guy, he blamed them for lower profits on Adsense
I’m going to cloak my adsense on one of my other sites only against MSN, because that IP also executes the JS so it lowers your CTR 
I noticed it drop a while ago from 4.0+ % to under 3%. So I’ll cross my fingers as to what happens.
November 14th, 2007 at 1:57 am
Put the tinfoil hat away. This is obviously (rather ham fisted) anti-cloaking activity. Google do it too, they just don’t make it quite so obvious.
Bib
November 14th, 2007 at 3:41 am
[…] http://ekstreme.com/thingsofsorts/blogging/yell-if-microsofts-livecom-spammed-you-too […]
November 14th, 2007 at 5:48 am
[…] Pierre: Yell if Microsoft’s Live.com Spammed You Too - Updated […]
November 14th, 2007 at 8:38 am
[…] rank for them in the public search engines. You can learn more about checking your logs for real versus spammed hits at […]
November 14th, 2007 at 5:54 pm
I’ve had the same on a couple of web sites I maintain. Thousands of them every month.
I must admit that I was a little disinterested in them because as referrers they don’t figure very highly in the stats and present no real danger.
I did check a few but couldn’t find my pages on the SRP so I just assumed that they were from a bot that was using false referrer in order to disguise itself whilst it trawls for content.
November 14th, 2007 at 6:10 pm
They’ve done it to me too, but I’ve sent a certified letter to their address on file demanding that they stop. They have nine days left before I file a small claims case on the matter.
The simple fact is that they’re maliciously chewing up bandwidth that you’ve bought to supply to valid users of your site. Demand that they stop, and if they don’t put a $5000 price tag on it and make them spend ten times that dealing with you. If not, at least go to the BBB and lodge a complaint.
MS is going to keep crippling your stats maliciously and intentionally until you either cost them a chunk of money or do something that might negatively impact them in the public eye. Plus it feels really good to screw MS for a change.
November 14th, 2007 at 6:29 pm
Ever hear of CLOAKED PAGES? Thats why seach engines do this, to see if youre serving pages which differ depending on the useragent (spider) and or the refferal.
November 14th, 2007 at 6:36 pm
I noticed this a couple months back, I presumed they were faking referers to catch search spammers who auto gen content or cloak pages unless the referer is from a search engine ..
November 14th, 2007 at 6:38 pm
I’m seeing similar traffic in my reports as well. I’ve been getting hits from Live Search for random keywords, such as login, views, Halloween, seniors, etc. These are keywords that I know I’m not highly ranked for, nor do I want to be. Interestingly, I’m not seeing the IP Address that you mentioned, the ones that stand out in my reports are:
65.55.209.78
65.55.209.79
65.55.209.83
65.55.209.80
65.55.209.82
65.55.209.84
65.55.209.77
65.55.209.81
65.55.209.85
All are lookup back to MSN live Search.
November 14th, 2007 at 7:55 pm
Nothing about what seems incredulous Microsoft is being accused of is beyond the pale, reality. They are capable of the worst sort of subterfuge their sinister, duplicitous mind set can whip up.
I’ve come as far as deleting IE7 completely, using the Firefox IE extension whenever required, I stopped all updates, eliminating as many links to Microsoft as possible. I’m not being paranoid. I’m being realistic.
November 14th, 2007 at 8:17 pm
I don’t see how this is spam, you don’t have open stats so why would they referral spam you? I think something odd is going on, maybe an msn server became a zombie bot through a trojan or something..very odd.
November 14th, 2007 at 8:20 pm
Did you ever think that perhaps they’re not trying to inflate anything and want to make sure that you’re showing the same results to a “normal” non-MSNBot user that you show to MSNBot. Google does this a lot…
November 14th, 2007 at 8:28 pm
[…] deal that content marked with “Noindex:” in robots.txt shouldn’t be indexed. Microsoft’s bogus spam bot which doesn’t bother with robots.txt because it somewhat hapless tries to emulate a human […]
November 14th, 2007 at 9:14 pm
[…] ekstreme] Link to This […]
November 14th, 2007 at 9:17 pm
They spammed my site (morons.org) for several days before I added a firewall rule to block them.
I attempted on several occasions to alert them to their abuse, and all I got back was their insistence that they don’t even own the netblock they were spamming from. Although in whois, the block plainly belongs to them, their idiot support drones only know how to do a reverse DNS lookup (and their reverse is misconfigured).
Here’s my article on the topic:
http://beta.morons.org/tally-ho/article/read/7608
And here’s the firewall rule I added to block them:
add 28 unreach net-prohib ip from 65.55.165.0/24 to me // MSFT search.live.com rampant referrer spam
And yes, I get referrer spam *constantly* even though I don’t publish my referrer stats anywhere. It got so bad that I wrote a servlet filter to intercept and honeypot it and learn from its past interceptions.
November 14th, 2007 at 10:56 pm
This is obviously done in order to detect pages that serve separate content to people and search engines.
Nothing evil there.
November 14th, 2007 at 11:10 pm
Given the search terms that supposedly led to your site, if this really is a quality control move, then the quality of their indexing sucks bigtime and nobody with half a mind should be using them.
November 15th, 2007 at 1:58 am
No doubt in my mind that MS is just trying to inflate its market share numbers. If they double their referrals, my stats would show that live.com sends me 12% of my se traffic when in reality, it’s 6%.
How lame….
November 15th, 2007 at 4:40 am
Yes, my domain email accounts listed on my website are receiving Live.com email spam as well, even though those addresses aren’t used for signing up for anything at all.
November 16th, 2007 at 2:13 pm
My website has been hit with Live.com spam for last few months now. I had read a post somewhere that had some kind of clarification from MSN team stating that they were trying to conduct some kind of quality program to ensure that the posts were not spam content. I guess, Live.com could have used something better to do that. It does not affect much but after reading your post, I am understand that this might be getting tons of traffic back to Live.com. Eh?
November 20th, 2007 at 10:54 am
They may catch poor man’s UA cloaking every once in a while, but that’s not worth pissing of that many webmasters. They might even catch some cloaking sites relying on the reverse lookup alone (without a current IP list) or not checking for bot activity when there’s a HTTP_REFERER. However, if they aren’t completely insane and/or the referrer spam is their newest marketing toy, this makes no sense from a search quality dept. point of view:
- They never fooled savvy cloakers.
- Since the referrer spam was reported back in August, most sites have updated their code and serve the same spider fodder to MSNbot and the spam bot.
- They persistently spam sites which obviously don’t cloak.
- Not even a M$ code monkey is brain dead enough to check for professional cloaking in a that amateurish way.
Maybe checking for other patterns search quality bots might leave is a good idea, just in case the referrer spamming is a huge red herring.
Broadcasting their flawed internal categorizing could be done in the newish Webmaster Console. That would be its first functionality that makes sense, beside the sitemap submissions.
In any case, the harmful MS referrer spam bot counts as unethical search engine activity. Faking human traffic is plain theft, regardless the motives.
November 22nd, 2007 at 5:09 pm
[…] If anyone else has experienced getting hits from other IP blocks, please comment on it here or yell at eKstreme about it (he’s been tracking this as […]
November 27th, 2007 at 8:59 am
There is no need to download JavaScript and CSS to detect cloaking. Who writes a cloaking script that only cloaks when Adsense JS is downloaded?
Sending a fake referrer = referrer spam.
It looks even more suspicious because Microsoft is using keywords that usually match the general content of the site. It suggests that they are trying to send referrers on topics that might interest the webmasters who check their logs.
December 4th, 2007 at 8:28 pm
[…] Yell If Microsoft’s Live.com Spammed You Too […]
December 5th, 2007 at 4:12 am
[…] several months now many websites have been getting referer spammed by Microsoft’s Live Search. You’d get what looked like a regular GET request from an IP […]
December 5th, 2007 at 5:49 pm
[…] had come forward earlier. I wonder if they would have come forward at all without significant kicking and screaming in the blogosphere and social media […]
December 17th, 2007 at 6:59 pm
Why not just intercept the bot and redirect it to the referring page?
February 22nd, 2008 at 12:51 pm
[…] right folks, after the initial fuss, the backtracking (with its very own official statement!), Microsoft’s Live search engine is still […]
April 3rd, 2008 at 8:51 pm
[…] a background on this, start here, then read this post, and close off with the follow […]
June 4th, 2008 at 8:38 am
I have been getting these under 65.55.165.* for quite a while messing up my statistics. So last week I blocked this in
.htaccess
After a few days of “silence” (they turned up as 403 in the log files) the attack has changed IP address to 65.55.110.*
BTW: I haven’t got adsense or any other advertising on my website, so I guess this is not their (only?) target.
June 5th, 2008 at 9:08 pm
Hi scribbler
They claim it’s a quality check, and a bug in some of the bot’s versions caused it to mess with AdSense.
Interesting you’re seeing two C-block IP addresses. I’ll look into that. Thanks!
Pierre
June 20th, 2008 at 6:58 am
Just banned Microsoft Live, MSNbot (spambot, from now) from my company’s website. Gotta fix my own blog, too.
July 4th, 2008 at 7:44 am
Over the past 2 weeks our contact form started getting spammed. The hits all came from the same domain, seemed like a proxy, somewhere in china. We blocked the range of IPs today, and noticed a number of 403 responses to the next hits. Good. Then, something odd happened. A live search from MSFT, looking for the form:
65.55.109.51 - - [03/Jul/2008:23:22:43 -0700] “GET /opt-in.htm HTTP/1.0″ 200 8070 “http://search.live.com/results.aspx?q=wrlds&form=QBHP” “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322)”
I searched back in the logs, and this happened just before the spamming occured of the contact forms. This looks like some entity, using a proxy was spamming the contact form, (it sent 100s of links in the body of the message). When it was blocked, a some entity from MSFT tried to find another access point.
WHY? and should this be reported?
The strange this was my Outlook 2007 stopped downloading mail properly, (I noticed I was not receiving all my mail, checking it against logs). I called MSFT, and they went on my machine and started polking around the registry. 6 hours of them doing this, (6 different calls), it worked less than before. So I stopped using it, changed my firewall, etc. This is when the spamming of the contact form began.
Should I report this to MSFT? or?
Thanks
July 6th, 2008 at 8:54 am
Thanks for this Pierre, I had wondered why all of a sudden search.live.com took over 30% of my blog stats as a referring domain; just after adding adsense to my blog, too. Sods. If I wasn’t already using Linux I’d start right now.
Off to block the cretins from Redmond…
July 7th, 2008 at 1:03 pm
[…] Scheint tatsächlich Spam zu sein, hier eine Zusammenfassung, hier eine Menge weiterführende Links. Wie heißt es so schön: Ist […]
July 7th, 2008 at 3:39 pm
I am experiencing similar issues. Our contact form, (contactform.htm) is getting spammed. I placed an IP rule to block the offending IP, and then I get a msnbot hit, and seconds later a search from live, searching for our form again.
You can see from the lines from our log below, that the IP was successfully blocked. Unfortunately it just happens again and again using a new IP.
194.8.74.158 - - [03/Jul/2008:22:59:33 -0700] “POST /feedbackWS.php HTTP/1.1″ 403 - “http://wrlds.com/contactform.htm” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”
194.8.74.158 - - [03/Jul/2008:23:14:15 -0700] “POST /feedbackWS.php HTTP/1.1″ 403 - “http://wrlds.com/contactform.htm” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”
65.55.211.53 - - [03/Jul/2008:23:18:39 -0700] “GET /robots.txt HTTP/1.1″ 404 - “-” “msnbot/1.1 (+http://search.msn.com/msnbot.htm)”
65.55.211.53 - - [03/Jul/2008:23:18:39 -0700] “GET /opt-in.htm HTTP/1.1″ 304 - “-” “msnbot/1.1 (+http://search.msn.com/msnbot.htm)”
65.55.109.51 - - [03/Jul/2008:23:22:43 -0700] “GET /opt-in.htm HTTP/1.0″ 200 8070 “http://search.live.com/results.aspx?q=wrlds&form=QBHP” “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322)”
194.8.75.204 - - [03/Jul/2008:23:25:59 -0700] “POST /feedbackWS.php HTTP/1.1″ 403 - “http://wrlds.com/contactform.htm” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”
194.8.74.158 - - [03/Jul/2008:23:29:28 -0700] “POST /feedbackWS.php HTTP/1.1″ 403 - “http://wrlds.com/contactform.htm” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”
194.8.74.158 - - [03/Jul/2008:23:44:27 -0700] “POST /feedbackWS.php HTTP/1.1″ 403 - “http://wrlds.com/contactform.htm” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”
194.8.74.158 - - [03/Jul/2008:23:59:32 -0700] “POST /feedbackWS.php HTTP/1.1″ 403 - “http://wrlds.com/contactform.htm” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”
194.8.75.204 - - [04/Jul/2008:00:05:37 -0700] “POST /feedbackWS.php HTTP/1.1″ 403 - “http://wrlds.com/contactform.htm” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”
194.8.74.158 - - [04/Jul/2008:00:14:57 -0700] “POST /feedbackWS.php HTTP/1.1″ 403 - “http://wrlds.com/contactform.htm” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”
194.8.74.158 - - [04/Jul/2008:00:28:48 -0700] “POST /feedbackWS.php HTTP/1.1″ 403 - “http://wrlds.com/contactform.htm” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”
194.8.74.158 - - [04/Jul/2008:00:43:27 -0700] “POST /feedbackWS.php HTTP/1.1″ 403 - “http://wrlds.com/contactform.htm” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”
July 8th, 2008 at 8:49 pm
I excluded all MSNBots from indexing my websites and this stopped. Traffic from MSN/live.com is close to irrelevant anyway.
robots.txt:
User-agent: msnbot
Disallow: /
User-agent: psbot
Disallow: /
User-agent: msrbot
Disallow: /
July 8th, 2008 at 11:04 pm
Live searches now account for 48% of traffic to my site. I run a small diving gear online shop… this amount of traffic is riduclous. Google used to be the biggest referrer now they’re only 11% ha… likely.
Are you guys sure that this isn’t some sort of password fishing thing that might be trying to access the back end to my shop.
Can it really be just spam?
July 9th, 2008 at 7:57 am
Thanks for the comments everyone. I already blocked MSNBot here and on one other site where this was getting out of hand.
BTW, this story evolved quite a bit since the above write-up. Some posts on the subject:
http://ekstreme.com/thingsofsorts/web-programming/ms-admits-to-referral-spamming-for-as-cloaking-check
http://ekstreme.com/thingsofsorts/web-programming/ms-live-still-referral-spamming
http://ekstreme.com/thingsofsorts/ekstremecom/killing-livecom-bot
http://ekstreme.com/thingsofsorts/web-programming/livecom-spambot-ignores-robotstxt
Fun, no?
Pierre
October 28th, 2008 at 7:21 pm
I suspect there’s a simple explanation for all this … just follow the money.
I think M$ is trying to convince people that their live.search.com is sending you all kinds of visitors … and, of course, that means you should be advertising with them.
It’s possible that search.live.com is not only showing people the search hits BUT also visits (at least) some (large!) number of pages in that list.
E.G., when I look at the referrers for the last 3 days for one of our sites, I see entries like:
- 10 hits : http://search.live.com/results.aspx?q=license
- 1 hit : http://search.live.com/results.aspx?q=licenses
- 1 hit : http://search.live.com/results.aspx?q=upgrades
- 7 hits : http://search.live.com/results.aspx?q=contacts
… and on and on.
So, if they’re hitting our pages for these kind of search terms, you can imagine that they’re hitting hundreds of thousands of pages — possibly for each person’s search.
That way it looks like there are “sooooo many people” visiting your site because they’ve used search.live.com … and, of course, that’d mean you really should be advertising with them.
When all this started, we suddenly saw referrals go from about 3% of the number of Google search referrals to more than the number of Google-search referrals … all within a few days. Analyzing the resulting traffic from these referrals makes it fairly obvious that they’re not real people visiting.
In the end, I just attribute this to the normal kind of business behavior that’s consistent for Microsoft. What sleazebags!