
Sorry but how did 2 work before you fixed it? You saved the queries people did and displayed them?




So the spammer would link to my search page with their query param:

    example.com/search?q=text+scam.com+text
On my website, I'll display "text scam.com text - search result". Now Google will see that link in my h1 tag and page title and say I am probably promoting scams.

Also, the reason this appeared suddenly is because I added support for Unicode in search. Before that, the page would fail if you added Unicode. So the moment I fixed it, I allowed spammers to have their links displayed on my page.


Reminds me of a recent story on scammers using search queries to inject their scam phone numbers into the h1 header on legitimate sites [1]

[1] https://cyberinsider.com/threat-actors-inject-fake-support-n...


Interesting - surely you'd have to trick Google into visiting the /search? url in order to get it indexed? I wonder if them listing all these URLs somewhere and requesting that page be crawled is enough.

Since these are very low quality results surely one of Google's 10000 engineers can tweak this away.


> surely you'd have to trick Google into visiting the /search? url in order to get it indexed

That's trivially easy. Imagine a spammer creating some random page which links to your website with that made up query parameter. Once Google indexes their page and sees the link to your page, Google's search console complains to you as the victim that this page doesn't exist. You as in the victim have no insight into where Google even found that non-existent path.

> Since these are very low quality results surely one of Google's 10000 engineers can tweak this away.

You're assuming there's still people at Google who are tasked with improving actual search results and not just the AI overview at the top. I have my doubts Google still has such people.


I messed around with our website trying url encoded hyperlinks etc but it was all escaped pretty well. I bet there's a lot of tricks out there for those with time on their hands. Why anyone would bother creating content when Google AI summary is effectively going to steal it to intercept your click is beyond me. So the whole issue will solve itself when Google has nothing to index except endless regurgitated slop and everyone finally logs off and goes outside.

Great blog post. You typically think of people linking to your website as a good thing. This is a good counterexample.

What does Unicode have to do with links?

Lot of spam uses Unicode, either for non-English languages or just to swap in lookalike characters to try and dodge keyword filters.

This has been a trick used by "reputation management" people for years.

I imagine the search page echoed the search query. Then, an SEO bot automated search(es) on the site with crypto and spam keywords, which is echoed in the search results - said bot may have a site/page full of links to these search results to create fake pages for those keywords for SEO purposes (essentially, an exploit).

Google got smart and found out such exploits, and penalized sites that do this.
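
An added example (not code from the thread or from the site being discussed) of a server-side guard for the reflected-query problem described above: every search result page is marked `noindex`, and a query that looks like a link is not echoed into the title or h1. The function name, the link heuristic and the 60-character cap are assumptions made for illustration.

```python
import html
import re
import unicodedata

# Assumed heuristic: a URL prefix, or a dotted token ending in 2+ letters
# ("scam.com"). It also catches harmless queries such as "node.js"; the only
# cost is that those get the generic heading.
LINK_LIKE = re.compile(
    r"(?:https?://|www\.)\S+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b",
    re.IGNORECASE,
)
MAX_ECHO = 60  # assumed cap on how much of the query is reflected


def search_page_head(raw_query: str) -> dict:
    """Decide what a /search?q=... response exposes in title, h1 and headers."""
    # NFKC folds fullwidth and other compatibility forms to ASCII so the link
    # check sees them. It does not fold cross-script lookalikes (Cyrillic "a").
    query = " ".join(unicodedata.normalize("NFKC", raw_query).split())
    link_like = bool(LINK_LIKE.search(query))  # checked before truncation
    if link_like or not query:
        label = "Search results"  # never reflect a link-like query
    else:
        label = f"{query[:MAX_ECHO]} - search result"
    return {
        "title": html.escape(label),
        "h1": html.escape(label),
        # Result pages are never indexable, whatever the query is.
        "headers": {"X-Robots-Tag": "noindex"},
        "link_like": link_like,
    }


if __name__ == "__main__":
    # Constructed sample queries, modelled on the example in the thread.
    samples = [
        "text scam.com text",
        "text \uff53\uff43\uff41\uff4d\uff0e\uff43\uff4f\uff4d text",  # fullwidth
        "unicode search",
        "<b>hi</b>",
    ]
    for q in samples:
        print(repr(q), "->", search_page_head(q))
```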



