Have you ever changed your Tumblr username? Has it been over a year since you last logged into your account? A Ukrainian might be using your username to sell the Best Cheap Viagra Online. Case in point:

What exactly is this? Did the hacker known as 4chan type “hack --mainframe --tumblr” into Command Prompt? Was the old owner paid to post spam? Is this magic?

Are these Tumblr accounts hacked?

Not exactly. Certain inactive Tumblr accounts have their usernames released to the public, allowing other users to register those previously-used usernames. These usernames (and their associated [username].tumblr.com blogs) are being re-registered and used to sell every random product you could imagine--corporate surveys, fake World of Warcraft hacks, bootleg Gucci watches, not to mention inconspicuous day-to-day products sold for assorted affiliate marketing programs.

What old Tumblr subdomains are available to be re-registered?

There are two types. First, when usernames are changed, the old usernames (and therefore the associated [username].tumblr.com subdomains) are available for registration by other users. As mentioned in the Tumblr documentation on changing your username and its associated URL, “changing your URL will break any existing links to your blog, including those in already-published Tumblr posts and reblogs.”

More substantially, accounts that haven’t been logged into for over a year have been released for re-registration in the past. The implication is that--while username changes are relatively infrequent--these bulk username releases are on a much larger scale, which makes this approach to webspam particularly exploitable.

Note: While Tumblr stated in 2016 that these account releases are an “ongoing thing,” it is unclear if this is still occurring, and if so, to what extent (either way, there are still many previously-used subdomains that are still able to be registered).

Are the old blog’s followers getting spam notifications from whoever re-registers the username?

Not exactly. While Tumblr allows new users to use subdomains (URLs) that were previously used by other users, your content, followers, posts, and reblogs aren’t transferred to re-registrations; subscribers to the original, “real” blog aren’t automatically subscribed to follow these new blogs.

Are spammers using these accounts to show Viagra ads to Tumblr users at all?

Actually, they’re not even trying to get their links seen by Tumblr users; the links are designed to manipulate search engine result pages.

When Google’s PageRank algorithm was implemented in the late 1990s, it revolutionized search engines by drastically improving the quality of search results.

While evaluating the relevance of website content could be done by analyzing the actual words within articles and other webpages, PageRank aimed to quantify the authority, reputability, and quality of webpages. The basic concept behind PageRank was (and still is) simple: The more links that are pointed at a webpage, the more authoritative that webpage is considered to be.

While other search engines, such as Bing, are of course not using Google’s proprietary algorithm, their algorithms are similar and also evaluate inbound links (“backlinks,” as they say) when determining how to rank websites.

As mentioned by Matt Cutts in this video, links from major news sites pass more PageRank/authority than links from obscure blogs. This is because PageRank flows through multiple tiers of links.

Consider two scenarios, assuming there are three websites on the Internet:

Nothing → Tumblr → Your Website

News Article → Tumblr → Your Website

In the first scenario, your site has one link from a Tumblr blog that no one has ever heard of or linked to. In the second, it has a link from Tumblr, and that Tumblr blog in turn has a link pointing to it from a news site. Your Website will have more PageRank/authority in the second scenario.

The reason for registering previously-used Tumblr accounts is that any links that pointed to that Tumblr prior to its expiration are still pointing at that 404 page. When the account is re-registered, the pages can be rebuilt and will out-of-the-box have PageRank/authority from the previously-created links.
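The two scenarios above, and the inherited authority described in the last paragraph, can be worked through numerically. This is an added example, not code from the original post: it iterates the originally published PageRank formula (not Google's production ranking), and the site names and damping factor of 0.85 are assumptions.

```python
# Added example: the originally published PageRank formula,
#   PR(p) = (1 - d) + d * sum(PR(q) / outlinks(q) for each q linking to p),
# iterated over a tiny link graph. Site names and d = 0.85 are assumptions.

def pagerank(links, damping=0.85, iterations=50):
    """links maps each page to the list of pages it links to."""
    pages = sorted(set(links) | {t for targets in links.values() for t in targets})
    rank = {page: 1.0 for page in pages}
    for _ in range(iterations):
        new_rank = {page: 1.0 - damping for page in pages}
        for source in pages:
            targets = links.get(source, [])
            for target in targets:
                # Each page splits its rank evenly across its outbound links.
                new_rank[target] += damping * rank[source] / len(targets)
        rank = new_rank
    return rank

def without_links_to(links, dead_page):
    """Same graph after every site removes its stale links to dead_page."""
    return {src: [t for t in targets if t != dead_page] for src, targets in links.items()}

# Scenario 1: nothing links to the Tumblr blog.
SCENARIO_1 = {"news_article": [], "tumblr": ["your_website"], "your_website": []}
# Scenario 2: a news article links to the Tumblr blog.
SCENARIO_2 = {"news_article": ["tumblr"], "tumblr": ["your_website"], "your_website": []}

def site_rank(links, page="your_website"):
    """Rank of one page in the given graph, rounded for display."""
    return round(pagerank(links)[page], 6)

if __name__ == "__main__":
    print("scenario 1:", site_rank(SCENARIO_1))
    print("scenario 2:", site_rank(SCENARIO_2))
    # If the linking sites clean up links to the dead blog, the extra rank is gone.
    cleaned = without_links_to(SCENARIO_2, "tumblr")
    print("scenario 2 after stale links are removed:", site_rank(cleaned))
```

The last line shows the mitigation available to site owners who still link to a dead blog: once the stale link is removed, the graph is identical to scenario 1 and a re-registered blog has nothing extra to pass on.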

How are these cloned Tumblr blogs being built?

1. Find a previously-used Tumblr username that is available to register. Each username comes with an associated [username].tumblr.com blog (also known as a tumblr subdomain).
2. Make sure that the Tumblr subdomain had links from other websites before it was deleted.
3. Add some content to the subdomain. The most common way to do this is to go to archive.org to find a snapshot of the blog before it was deleted.
4. Add a link to whatever garbage website or product that you’re shilling for, such as my-cheap-cialis.biz.
5. ???
6. Profit

How Do Spammers Search for Expired Tumblr Blogs?

The basic process is to:

1. Get a tool like Scrapebox or comparable
2. Choose some keywords relevant to your niche (optional)
3. Enter “site:tumblr.com + [keyword]” into your scraper. This will gather Google search results in bulk for the specified term.
4. Run the scrape
5. Filter out the results that are live (probably by looking at the HTTP status code), which will leave you with the pages that are no longer live (but that are still indexed by Google, since they used to be live at some point).
6. Use a tool like Ahrefs or Majestic to check the backlink profiles of the results to see which ones have backlinks / the best backlink profiles.

For example, Ahrefs shows the following overview for the Tumblr blog demonstrated in the introduction.

And more specifically, the existing backlinks are shown here:

With an automated process like this, thousands and thousands of previously-used Tumblr URLs can be found. Custom scripts (or cheap foreign labor) can also be used to automatically scrape content from archive.org, re-post the content on the previously-registered URL/subdomain, and to then add in a link to Best-Legal-Steroids.co.uk or clash-of-clans-gem-hack.info.

How likely is it that someone will register my old Tumblr?

As mentioned, the goal is to register expired Tumblr URLs that have links pointing at them. If you made a post or two or ten that “went viral,” it’s possible that an old Tumblr account might be used for this type of spam.

Of course, remember that regular, non-spam users might also want to register your old username. If a Tumblr username that you used to control is now run by someone else, it may be a regular, “real” user.

Are other websites affected by similar spam?

To lesser extents, yes. Some other blogging platforms, such as over-blog, also allow for subdomain re-registration when existing users close their accounts. This type of spam is particularly relevant to Tumblr because the platform expires URLs on a massive scale due to inactivity. Similarly, Twitter has an inactive account policy that can result in similar use for comparable webspam.

For more content about Tumblr, there is also a post about how Tumblr’s adult-content login-required wall reacts to spoofing a user-agent as Googlebot.
