The Attack
In late 2025, LXB Studio — a small SEO and web design agency — noticed something wrong. Bing impressions dropped from a steady 6 per day to nearly zero. A site:lxb-studio.com search on Bing returned nothing. The site had been completely deindexed.
Google Search Console told the story. Under "Top linking sites," there were nearly a thousand domains that had never been there before. Most of them looked like this:
xjk4rm2p.garden8fh29bla.tattooq3nwz7xt.sbs
Algorithmically generated garbage. DGA domains — the same technique malware uses to avoid takedowns, now weaponized for SEO attacks.
The Scale
After exporting the full backlink data:
- 994 unique attacking sources
- 6,325 total spam backlinks
- 684 traced to AWS EC2 instances
- 298 confirmed DGA-generated domain names
- 12 coordinated attack clusters sharing infrastructure
The attackers were running hundreds of disposable websites on cloud infrastructure, all pointed at a single small business site. The goal: poison the backlink profile so badly that search engines treat the target as spam.
Why Nobody Could Help
Every tool on the market — Ahrefs, SEMrush, Moz — could detect the spam backlinks. But none of them could do anything about it. They sell you data about the problem. They have zero incentive to solve it.
Google's official position is that their algorithm handles spam backlinks automatically. But Bing's complete deindexing of the site proves otherwise. And Bing doesn't even offer a disavow tool — the only way to protect yourself on Bing is to get the links removed at the source.
The disavow tool is defense. SpamAxe is offense.
The Manual Nightmare
Reporting 684 AWS IP addresses to Amazon's Trust & Safety team manually is a process designed to make you give up. Each report needs structured data: timestamps, source IPs, ports, protocols, destination, log extracts, offending URLs. AWS rejected narrative-format reports — they need CSV-structured fields.
Reporting 298 domains to their registrars means identifying which registrar handles each TLD, finding their abuse contact, formatting a report they'll actually act on, and tracking whether they respond.
Most people hit with negative SEO just... give up. That's what the attackers count on.
Building SpamAxe
SpamAxe was built to automate the entire pipeline: detection, classification, user review, and takedown report generation. Not as another dashboard that shows you the problem — as a weapon that kills the attacker's infrastructure.
The 20-signal detection engine analyzes every backlink source across four phases: pattern analysis (instant, from CSV data alone), DNS intelligence (standard queries, free forever), HTTP probing (lightweight HEAD requests), and network intelligence (public routing tables and certificate transparency logs).
Every classification must be manually approved by the user before any action is taken. False positives can destroy legitimate backlinks. SpamAxe is a tool, not an autonomous agent.
What's Next
SpamAxe is currently in early access. The detection engine runs at 92.2% accuracy across test data, and the full pipeline — upload, analyze, review, export — is operational. The shared threat intelligence database gets smarter with every user who confirms a spam classification.
If you've been hit by a negative SEO attack, you know the frustration. SpamAxe exists because nobody else was willing to build the solution.