
How to Protect Your Digital Brand from Domain Spam

A practical playbook for creators and small platforms to detect, prevent, and recover from domain hijacking, spam injection, and SEO poisoning attacks.

By The Prelink Editorial Team

This is a playbook we wrote partially from experience. Earlier this year, the previous version of Prelink — an open user-generated platform — was used as a vector for large-scale SEO spam targeting gambling and crypto keywords. We’ve since deprecated the user-generated layer entirely.

What follows is what we wish we’d known before that happened, written for any creator or operator running a small-to-medium audience with a domain worth attacking.

What “domain spam” actually means

The term gets used loosely. The three patterns that matter most for creators and small platforms:

1. SEO parasite hosting

An attacker creates pages on your domain — through user-generated content, an unsecured CMS, or a misconfigured CDN — targeting keywords like “best online casino”. Your domain’s authority makes those pages rank, the attacker rakes in affiliate revenue, and Google eventually tanks your reputation.

2. Subdomain takeover

You set up blog.yourdomain.com pointing at a SaaS, then later cancel that SaaS without removing the DNS record. An attacker re-registers the dangling target and now serves whatever they want from your subdomain.

3. Brand spoofing

Look-alike domains (yourbrand.co.io, yourbrand-help.com) used in phishing emails or fake tool pages, often with your real logo lifted. This pattern doesn’t live on your domain; it lives off your reputation.

The detection layer

You can’t defend what you can’t see. The minimum visibility every brand owner should have:

  • Google Search Console + Bing Webmaster Tools. Verify both. Watch for unexpected new indexed pages and impression spikes on keywords that aren’t yours.
  • A domain monitoring service like DomainTools, BrandShield, or the free urlscan.io watchlist. Alert on new domains containing your brand name.
  • A DNS audit, quarterly. List every record. For every CNAME pointing at a third party, confirm that third party still exists and you control it.
  • A Google Alert for site:yourdomain.com plus suspicious terms (casino, viagra, crypto airdrop, etc.). Crude but catches a lot.
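
The quarterly DNS audit can be partly scripted. The sketch below is an added example, not part of the original playbook: it reads a zone export, lists every CNAME that points outside your domain, and checks whether the target still resolves. It assumes a BIND-style export with fully qualified names; the zone contents and SaaS hostnames are constructed placeholders.

```python
import socket

# Constructed sample zone export (BIND-style); every name here is a placeholder.
SAMPLE_ZONE = """\
yourdomain.com.       3600 IN A     203.0.113.10
www.yourdomain.com.   3600 IN CNAME yourdomain.com.
blog.yourdomain.com.  3600 IN CNAME yourbrand.blog-saas.example.
shop.yourdomain.com.  3600 IN CNAME stores.shop-saas.example.
"""

def third_party_cnames(zone_text, apex):
    """Yield (name, target) for each CNAME whose target is outside the apex domain."""
    apex = apex.rstrip(".").lower()
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()      # drop zone-file comments
        types = [f.upper() for f in fields]
        if "CNAME" not in types[1:-1]:           # needs a name before and a target after
            continue
        target = fields[types.index("CNAME", 1) + 1].rstrip(".").lower()
        if target != apex and not target.endswith("." + apex):
            yield fields[0].rstrip(".").lower(), target

def resolves(host):
    """Live check: True if the name currently resolves to at least one address."""
    try:
        return bool(socket.getaddrinfo(host, None))
    except socket.gaierror:
        return False

def audit(zone_text, apex, resolver=resolves):
    """DANGLING = target no longer resolves; REVIEW = resolves, confirm you still own it."""
    findings = []
    for name, target in third_party_cnames(zone_text, apex):
        status = "REVIEW" if resolver(target) else "DANGLING"
        findings.append((status, name, target))
    return sorted(findings)

if __name__ == "__main__":
    # Offline demo: a stub resolver stands in for live DNS so the output is repeatable.
    still_live = {"stores.shop-saas.example"}
    for status, name, target in audit(SAMPLE_ZONE, "yourdomain.com", lambda h: h in still_live):
        print(f"{status:9} {name} -> {target}")
```

A REVIEW result is not a pass: a target can resolve (many SaaS providers answer for any hostname) while the account behind it has been cancelled, so each one still needs the manual ownership check.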

The prevention layer

In rough order of leverage:

If you accept user-generated content

This is by far the highest-risk surface. Three rules, learned the hard way:

  1. Default to noindex on any user-generated page until trust signals exist. The marginal SEO loss is real but small. The downside protection is enormous.
  2. Require some friction — payment, phone verification, or a non-trivial waitlist. Free + instant + indexable = a guaranteed spam pipeline. There is no such thing as a moderation team that scales faster than a script.
  3. Lock down outbound links. Add rel="ugc nofollow" to every link inside user-generated content. This kills the SEO incentive that drives most attackers.

If you can’t do all three, seriously consider not having user-generated content at all. We didn’t want to make that choice. After two years of escalating abuse, it became the only sane one.

If you run a CMS

  • Enforce 2FA for every editor.
  • Audit installed plugins quarterly. Most WordPress compromises trace back to an abandoned plugin.
  • Use Cloudflare or similar in front of the origin. WAF rules block 90% of automated injection attempts.

Across your domain

  • CAA DNS record — restrict certificate issuance for your domain to a specific certificate authority so attackers can’t get rogue certificates issued by any other CA.
  • DMARC + SPF + DKIM — mandatory for email, and together they stop your domain being used to send spoofed mail.
  • DNSSEC if your registrar supports it.

The recovery playbook

You found spam pages on your domain. What to do, in order:

Day 0 — Stop the bleeding

  1. Block the create path. Whatever endpoint, signup form, or upload allowed the spam, take it offline immediately. Don’t debate this.
  2. Bulk-noindex the affected URL pattern with <meta name="robots" content="noindex, nofollow"> and an X-Robots-Tag HTTP header.
  3. Return 410 Gone for the worst pages so search engines drop them faster than they would after a 404.
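
The three Day 0 steps can be applied in one place in front of the application. The WSGI middleware below is an added example, not code from the original incident: it refuses writes to the create endpoint, returns 410 Gone for the worst pages, and adds the X-Robots-Tag header to everything else under the affected pattern. The URL layout (/u/ for user pages, /api/pages for creation) and the keyword list are assumptions for illustration.

```python
import re
from wsgiref.util import setup_testing_defaults

# Hypothetical URL layout: /u/... holds user pages, /api/pages creates them.
CREATE_PATH = re.compile(r"^/api/pages$")
AFFECTED = re.compile(r"^/u/")
WORST = re.compile(r"^/u/[^/]*(casino|airdrop)", re.I)
NOINDEX = ("X-Robots-Tag", "noindex, nofollow")

class Day0Containment:
    """WSGI middleware applying the three Day 0 steps in front of an existing app."""
    def __init__(self, app):
        self.app = app

    def _reply(self, start_response, status):
        body = status.encode() + b"\n"
        start_response(status, [("Content-Type", "text/plain"),
                                ("Content-Length", str(len(body))), NOINDEX])
        return [body]

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        method = environ.get("REQUEST_METHOD", "GET")
        if CREATE_PATH.search(path) and method not in ("GET", "HEAD"):
            return self._reply(start_response, "403 Forbidden")  # step 1: create path offline
        if WORST.search(path):
            return self._reply(start_response, "410 Gone")       # step 3: worst pages
        if not AFFECTED.search(path):
            return self.app(environ, start_response)             # rest of the site untouched
        def tagged(status, headers, exc_info=None):              # step 2: bulk noindex
            headers = [h for h in headers if h[0].lower() != "x-robots-tag"] + [NOINDEX]
            return start_response(status, headers, exc_info)
        return self.app(environ, tagged)

def probe(app, path, method="GET"):
    """Issue one in-process request and return (status, headers) for inspection."""
    environ, seen = {}, {}
    setup_testing_defaults(environ)
    environ.update(PATH_INFO=path, REQUEST_METHOD=method)
    def start_response(status, headers, exc_info=None):
        seen.update(status=status, headers=dict(headers))
    b"".join(app(environ, start_response))
    return seen["status"], seen["headers"]

def demo_app(environ, start_response):
    # Stand-in for the real site so the middleware can be exercised offline.
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<p>page</p>"]
```

Use probe() after deploying a pattern change to confirm that legitimate paths still return 200 without the noindex header.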

Day 1 — Contain

  1. Submit a removal request in Google Search Console for the affected URL pattern.
  2. Use the URL Inspection tool to force a recrawl on your homepage and key pages so Google sees you’re cleaning up.
  3. File a Bing URL removal request as well.

Week 1 — Rebuild trust

  1. Publish an explanation post under your real byline. Search engines and ad networks both reward transparent communication after an incident.
  2. Push fresh, high-quality content. A burst of new editorial content signals to the algorithm that the site is still actively maintained by humans.
  3. Update your sitemap.xml to include only the URLs you want indexed and resubmit.

Month 1 — Defend forward

  1. Publish a Security/Trust page linking to your privacy policy, contact email, and incident response practices.
  2. Audit every other surface (subdomains, WordPress, Cloudflare workers, redirects) for the same class of bug.
  3. Retain logs for 90 days minimum so the next incident can be traced quickly.

A note on AdSense and Mediavine

If you’ve been running display ads, an SEO-spam incident will almost certainly trigger a manual review. The networks aren’t hostile — they’re cautious. The fastest way back is the same as the recovery playbook above, plus a written response to the network outlining exactly what happened and what changed.

We’ll publish a separate breakdown of the AdSense reapproval process based on our own experience. Subscribe to Insights to catch it.


Most domain spam outcomes are recoverable. The brands that don’t recover are the ones that hide the incident, leave the create-path open, and assume the algorithm will eventually forgive them. It won’t. Defending a brand is mostly about being honest faster than the attacker is opportunistic.
