Clever new SEO scam hijacks Harvard emails and student blogs

Originally published at: Clever new SEO scam hijacks Harvard emails and student blogs | Boing Boing


Isn’t that how facebook got started?


Do we know for sure that this isn’t the product of an SEO class taught by Harvard?


It really speaks to corruption inside of Harvard, not scammy behavior outside of it. If addresses are being actively sold and/or set up, that’s on them. The scammers are always outside trying to find ways in.


Exactly, right down to the shady and intrusive business practises. From a 2004 IM exchange with a Harvard classmate:

Zuck: Yeah so if you ever need info about anyone at Harvard

Zuck: Just ask.

Zuck: I have over 4,000 emails, pictures, addresses, SNS

[Redacted Friend’s Name]: What? How’d you manage that one?

Zuck: People just submitted it.

Zuck: I don’t know why.

Zuck: They “trust me”

Zuck: Dumb fucks.


Yeah. I hear Harvard’s endowment has reached 58 billion. That school can afford to throw more than a few clams at fixing this kind of problem.


That would require them to care enough to hire the IT staff to handle it. And if there’s one thing I know, people who have lots of money are loath to part with it. Gotta feel for Harvard’s IT department right now, they’re probably getting shit on despite having done nothing wrong.


They were just registering for online courses at Harvard and using the email addresses generated for their coursework.

Harvard’s response is pretty much:


Good thing none of that is happening.

People are enrolling in a Harvard Extension School course (which costs a couple grand) which means they get an account in Harvard’s single sign-on system. As an active member of the Harvard community, they’re entitled to create a website in a directory on a few different platforms. It’s no one’s job to police how they use the space but at least some do have explicit terms of service which may be violated. I don’t know what kind of takedown procedures there might be for anything other than DMCA violations.

What doesn’t happen is when the student is no longer enrolled in the course, the web content they posted doesn’t disappear, that wouldn’t be very nice. I don’t know whether the (now former) student can continue to edit it, once they don’t have an active status, but the existence of the links still contribute to

Way too much is being made of this whole situation, just because it’s Harvard. You’ve got run of the mill link farming, that can happen anywhere, and you’ve got liars writing stuff, hoping people will take it more seriously because “” is somewhere in the domain name.

There should be some changes to better respond to identified problem sites and some sort of lifecycle for content but I don’t think Harvard should do anything to prevent this from happening. Some Extension School students already feel like second class citizens and they shouldn’t be prevented from making use of Harvard’s online resources and they shouldn’t be marked to distinguish them (good luck trying to do that in a way that they couldn’t remove or obfuscate anyway).

1 Like

an origin for weapons of mass destruction

1 Like

You answered your own point, though. It is a big deal because the harvard dot edu gives the posts professional, social and search engine credibility. It’s dumb of Harvard to allow unfiltered content to use its branding by hosting user generated content on its domain.


This is actually not that new.

Shitty SEOs have been exploiting universities’ student websites for years. I saw this as a graduate student in 2007 and then later working in SEO.

In grad school we were all given subdomains under the main university domain. I would get emails every day from people wanting to pay me for links.

Later working in SEO I would see people selling access to these same sites. Most of this was driven by early google algorithms that assumed that links from .EDU domains had an inherent value.


It is a big deal because the harvard dot edu gives the posts professional, social and search engine credibility.

It’s dumb for people to confer so much value to the slightest connection to Harvard.

What’s the alternative? Should there be a tribunal reviewing every page and page edit before it can be accessed from the Internet? Or should only the most elite of the elite within Harvard be allowed to express themselves in any way that’s anointed by the precious “Harvard” name?

If the people whose job it is to care about Harvard’s “brand” aren’t jumping all over this, why should we care?

The article’s hypotheticals about pump and dump scams are silly. Anyone who would make serious decisions based on a blog post by “some guy,” even “some guy” with some affiliation with Harvard, probably already lost their shirt based on an equally fraudulent tweet or crypto scam.

The alternative is easy: write your personal stuff on your own personal page or on a social media platform. Harvard shouldn’t be lending its brand name and credibility to a blogging platform with un-vetted, public-facing user generated content. It’s not a function the school needs.

I have no idea why you think it is so critical for Harvard to offer an unvetted platform for public-facing user generated content.

1 Like

Because universities are communities in which all members are encouraged to participate. The platforms being abused aren’t for personal content but for professional and scholarly communication by students, faculty, and staff. Those legitimate uses don’t need to be burdened with bureaucracy and staff from some department stuck with the job of deciding what’s “worthy.”

Having supported platforms makes it easier for people to focus on that communication, not the technical or financial details of setting up a site elsewhere. Having it within the domain name does help with findability within the community (e.g. include in a google search) but for any case where it matters, being on such a sub-domain is only one data point to consider with regard to how current or accurate the information is.

I don’t know why you think it’s so critical for all universities to be heavily policed.

1 Like

Not my phrasing, but cute framing, using “police” (as opposed to my framing using “vetting”) - gives a nice implied authoritarian edge to your frame. But Harvard isn’t the government, and the police aren’t involved, even figuratively, so vetting really is the more accurate term.

Here’s what Harvard has to say about it:

The Center [in charge of the Harvard blogging platform] is increasingly faced with the types of thorny content moderation decisions that many online platforms that are subjects of our research face every day. Making discretionary judgments about speech (including offensive speech) within the context of an academic institution which maintains a commitment to academic freedom, with such a wide range of users (some much more and some much less connected to Harvard), on a platform that bears that institution’s name, at a time where alternative options abound, has become a tricky business. It should come as no surprise that a research center like ours is a fantastic place to study the online ecosystem—including the ecosystem for content moderation—but is less well-equipped to operate a platform at scale either technically or substantively.

With these two sets of issues in mind, we will end our operation of the platform in favor of a new platform managed by Harvard University’s Information Technology team


It’s dumb and yet people do ascribe value to it. Sure, it’s mainly people who went to Harvard (“DidyougotoHarvard?IwenttoHarvard!Isn’tHarvardgreat!Harvardisthebest!We’rethebestbecausewewenttoHarvard!”), unsophisticated people who never went to college, and Republican politicians who transform a few months at Harvard Extension into a degree from the main university, but it happens.

Protecting the university’s brand by crawling the pages every month or week to identify dodgy links in individual blogs. The flagged ones are then reviewed by humans, not an insurmountable Google- or FB-scale moderation task by any means. Blogs of former or present students are locked after the offending posts are removed under the terms of service or code of conduct (really the blogs should be locked upon student exit, at the same time the .edu e-mail account is closed).

I know, I know, that would take geniuses and people who value an institution’s brand name and about $150k/year to implement and run such a complex system to protect a brand that’s likely worth tens of millions of dollars at least. Harvard is totally helpless there.

Well, it is amusing to see an institution that plays up the expertise of its MBA programme and the selectivity of what’s published under its name dropping the ball due to administrative laziness, sclerosis, and/or cheapness.

1 Like
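
The crawl-then-human-review process described in the comment above, as an added example that is not part of the original thread or of any university's actual tooling. The domain `example.edu`, the watch-list terms, the `owner_active` field, the scoring threshold and the sample pages are all constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

CAMPUS = "example.edu"  # assumption: placeholder institution domain
WATCH_TERMS = {"casino", "payday", "loans", "replica"}  # assumed watch list

class LinkExtractor(HTMLParser):
    """Collect (href, lower-cased anchor text) pairs from one page."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).lower()))
            self._href = None

def is_external(href):
    """True for absolute links whose host is outside the campus domain."""
    host = (urlparse(href).hostname or "").lower()
    return bool(host) and host != CAMPUS and not host.endswith("." + CAMPUS)

def review_queue(pages, threshold=2):
    """Score each crawled page; return those a human should review."""
    queue = []
    for page in pages:
        parser = LinkExtractor()
        parser.feed(page["html"])
        external = [(h, t) for h, t in parser.links if is_external(h)]
        hits = sum(1 for _, t in external if WATCH_TERMS & set(t.split()))
        stale = bool(external) and not page["owner_active"]  # owner has left
        score = hits + (1 if stale else 0)
        if score >= threshold:
            queue.append((page["url"], score))
    return queue

# Constructed sample crawl results (not real pages).
SAMPLE_PAGES = [
    {"url": "https://blogs.example.edu/current-student/thesis", "owner_active": True,
     "html": '<a href="/about">me</a> <a href="https://doi.org/10.0000/x">paper</a>'},
    {"url": "https://blogs.example.edu/former-student/post-7", "owner_active": False,
     "html": '<a href="https://loans.example.com">Best payday loans</a> '
             '<a href="https://bets.example.net">online casino bonus</a>'},
    {"url": "https://blogs.example.edu/alum/notes", "owner_active": False,
     "html": '<a href="https://arxiv.org/abs/0000.00000">preprint</a>'},
]
```
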

While I think in this context they’re largely synonymous, “vetting” is actually worse because it implies a kind of prior restraint while “policing” tends to be reactive.

“Harvard” is a community so that’s not what “Harvard” has to say about it, that’s what decision-makers at the Berkman Klein Center for Internet and Society had to say about the platform they started almost 20 years ago. They don’t really want the platform to go away, they just don’t think it’s fun to have to make the tough calls and want someone else to do it. That was three years ago and the platform is still there because no one else wants to be stuck with the job and no one wants to be the bad guy who takes down the whole site and all that content and history.

1 Like

George W. got an MBA at Harvard so…

There are ways in which Harvard is exceptional but in most ways it’s like other universities, big, disorganized, with lots of freedom within its various parts for people to do what they think is best to achieve their goals within their areas. This is best known for faculty, what with tenure and the preservation of academic freedom, but extends beyond those individuals.

The flip side to “administrative laziness” sounds like micromanaging. “Sclerosis” could be rephrased as “institutional inertia,” fair. “Cheapness” is also fair; $150k/year (a number pulled from nowhere) is nothing compared to the entirety of Harvard’s operating budget but would likely be a significant ask for whatever group was stuck with solving spam and inauthenticity on the web.

Here’s another hot take for all y’all armchair PR flacks: the Harvard brand is so strong that this stuff is beneath its notice, a barnacle on an oil tanker. Writing responses to this is NBD, way better than dealing with news stories about faculty members sexually harassing people for 30 years or selling out to China.

Nah, companies revoke such privileges all the time when an employee violates the rules or exits the company. It’s not exactly a new issue.

Perhaps a bit of naive arrogance thrown in too.

An admittedly rough estimate based on a few decades of experience estimating such costs, but not unrealistic.

Nothing compared to the value of the brand, which was a conservative estimate on my part (big corporate brand values are estimated in the billions of dollars).

I really doubt it. They’re solving spam and inauthenticity within the domain, probably using off-the-shelf software on a part-time basis. There are no 100% foolproof solutions, of course, but the kind of basic and relatively low-cost enforcement I described would make the domain a hostile no-go zone for 80%+ of SEO spammers and/or their student confederates.

I doubt that would be the view of professors of marketing and of law at the university, but I’m sure they’re all about hot takes too.