🔎 Focus: Technical SEO
🔴 Impact: High
🟠 Difficulty: Medium-High
Sponsored by Ahrefs
Want to automate the grunt work?
Meet Agent A, the AI teammate with full access to your Ahrefs data. From fixing keyword cannibalization to shipping technical reports straight into Notion or Google Docs, it does the work you’d rather not.
Dear Tech SEO 👋
There are many ways to do SEO: technical, on-page, schema, backlinks, digital PR, brand building, CRO… and not a very popular one: Negative SEO. Basically, with negative SEO, you hurt your competitors with attacks of all sorts.
Negative SEO has many techniques and today I will share one I have seen in a few cases this 2026.
Negative SEO?
A while ago, I got an old client’s email.
A client’s organic traffic and rankings just completely dropped off a cliff.
No warning. No manual actions. No broken code deployments. Just a sudden, violent flatline in visibility.
Sudden Drop Due To Attacks
The Google Search Console couldn't explain why it was happening. The site was throwing server timeouts and it was down a few days in a row. They could recover but it went broke again.
We had to go deeper. We bypassed the standard charts and jumped straight into the raw server logs.
That is where the mystery turned into horror.
We were being attacked.
The Googlebot Mask - Fake Bots
Looking at the logs, we noticed a massive, unnatural spike in crawl activity.
At first glance, it looked like a dream come true: Googlebot was working overtime, hitting the site 100x times a day.
But when we looked closer at the actual infrastructure data, the IP addresses made it even worse: the server was using Varnish Cache.
Varnish Cache sits in front of your server to instantly serve saved pages from memory. The requests were so many that the cache broke, backoffice broke, frontend broke…
It was a highly targeted attack. Bad actors were spoofing their User-Agents, wearing trusted masks like Googlebot or Binance crawlers to sneak past basic firewall filters.
What on earth does “Binance“ in my client’s site?
Their weapon of choice: Parameter Bombing.
The Infinite Loop Attack
The attackers targeted the homepage, blasting it with millions of completely random URL parameter variations.
The attack looked like this:
mystore.com?c=23432423mystore.com?c=98723498mystore.com?c=11230498
The server had to work overtime trying to render dynamic page states.
The attack completely burned through the site's crawl budget. It broke Varnish cache.
There was no server left for the real Googlebot.
Googlebot crawled those new parameter pages. The site then got penalized, stopped showing it to searchers.
We did not receive any notification of any penalty or warning from Google. It just happened.
Fake landings in the homepage
The Retaliation
Once we spotted the pattern, we went to war.
First, we isolated the unique behavioral patterns of the fake bots and blocked their entry point directly at the firewall layer.
We implemented a hard 410 Gone HTTP status code on every single one of those malicious parameter URLs.
410s told the real search engine crawlers: "These pages do not exist, they are gone forever, delete them from your crawl queue. Please". A 301 redirect was an option, but we didn't want to signal to Google that those junk URLs actually mattered.
The server stopped choking and those pages stopped being logged in the GSC. The real Googlebot returned, crawled smoothly, and within a short period, the traffic started recovering.
Blocked the attack
Did it work? Yes.
Is it recovering? Yes.
Here an overview of the weekly traffic of the top business topic:
Recovery from Negative SEO Attack
I have seen faster recoveries but in this case server migration + theme migration happened as an attempt to fix the attack. Now we are fixing the migration issues that happened after the attack.
Will they attack again?
Yes.
What we implemented is after the damage is done. Here are the measures we are considering to protect us in the future:
Audit server logs on a daily/weekly basis: Setup a Knime dashboard or Screaming Frog Log Analyser for hidden spikes in unverified bots or endless random parameter loops.
Verify traffic at the very edge: I am fronting my sites with Cloudflare (when possible) and configuring a strict Web Application Firewall (WAF) to instantly challenge or block fake Googlebot user-agents before they ever hit my host server.
Prepare for the cryptographic shift: actively studying and adapting to the upcoming Web Bot Auth protocol signatures, because relying on legacy text user-agents for my server security is officially dead.
Want me to check your crawl health?
If your server load is spiking or you suspect fake bot parameters are draining your visibility, let's look at the data.
Reply to this email with SERVER and your domain name. I'll take a look and see if suspicious drops on your performance, caused maybe by bad people.
Until next time 👋
—