Joseph Anady

Posted on • Originally published at thatdevpro.com

Google's 18 spam policies and how to comply

Originally published at thatdevpro.com. Part of ThatDevPro's open SEO + AI framework library. ThatDevPro is an SDVOSB-certified veteran-owned web + AI engineering studio. Open-source AI citation toolkit: github.com/Janady13/aio-surfaces.


Google's Explicit Anti-Spam Policies — What Gets Punished, How to Avoid It, and How to Recover

A comprehensive installation and audit reference for understanding Google's documented spam policies, identifying spam policy violations on a website, remediating violations, recovering from spam updates and manual actions, and building structural defenses against accidentally violating spam policies through scale or third-party content. This document is dual-purpose: installation manual and audit document.

Cross-stack implementation note: the code samples in this framework are written in plain HTML for clarity. For React, Vue, Svelte, Next.js, Nuxt, SvelteKit, Astro, Hugo, 11ty, Remix, WordPress, Shopify, and Webflow equivalents of every pattern below, see framework-cross-stack-implementation.md. For pure client-rendered SPAs (no SSR/SSG) see framework-react.md. For Tailwind-specific concerns (purge, dynamic classes, dark-mode CLS, focus accessibility) see framework-tailwind.md.


1. Document Purpose & How to Use This Document

1.1 What This Document Is

This is the canonical reference for Google's spam policies — the documented rules at developers.google.com/search/docs/essentials/spam-policies that define what Google considers manipulative practices, what triggers algorithmic spam updates, and what triggers manual actions. While the rest of the foundational framework library focuses on what to do to earn rankings and citations, this document focuses on what not to do — the practices that result in ranking suppression, deindexing, or manual penalties regardless of how strong other signals are.

Spam policies are operationally distinct from quality frameworks. A site can score 130/130 on E-E-A-T, satisfy YMYL standards perfectly, and still get hit by a spam policy violation that suppresses or removes it from search entirely. Conversely, a site can have weak E-E-A-T and still avoid spam violations. The two systems run in parallel — quality frameworks affect where you rank; spam policies affect whether you can rank at all.

The 2024-2026 evolution of Google's spam policies has been significant. The March 2024 update added three new spam policies (scaled content abuse, site reputation abuse, expired domain abuse) and integrated existing policies more aggressively into core ranking. The May 2024 spam update enforced these policies with substantial site impact. Continuing through 2025 and into 2026, spam updates have run alongside core updates with increasing frequency, and manual action issuance has accelerated for the new policy categories.

This document specifies every documented spam policy, the patterns Google uses to detect violations, defensive structural patterns to prevent accidental violations, response procedures when violations are detected, and recovery protocols for both algorithmic suppression and manual actions.

1.2 Three Operating Modes

Mode A — Install Mode: Building defensive infrastructure into a site to prevent spam policy violations. Follow Sections 2 → 14.

Mode B — Audit Mode: Evaluating an existing site for spam policy compliance. Skip to Section 11.

Mode C — Hybrid Mode: Audit then install for failing items.

1.3 How Claude Code CLI Should Consume This Document

  1. Read Section 2 — collect client variables, especially historical penalty status
  2. Read Section 3 — understand the difference between spam updates, manual actions, and core updates
  3. Apply Section 4 — work through every documented spam policy systematically
  4. Apply Section 5 — special focus on the three policies added in March 2024 (most active enforcement)
  5. Install defensive patterns — Sections 6-9
  6. Validate — Section 11
  7. If active violation suspected — go directly to Section 10 (response and recovery)
  8. Generate report — Section 14

1.4 Conflict Resolution Rules

| Conflict | Rule |
| --- | --- |
| Existing manual action | Stop all other work. Section 10.3 takes priority. |
| Suspected scaled content abuse | Audit immediately. Stop publishing AI content until audit complete. |
| Existing site reputation abuse via subdomain/subfolder leasing | Terminate the arrangement. No remediation works while it's active. |
| Existing expired domain abuse | Either commit to substantively continuing original purpose or migrate to new domain. |
| Existing link schemes | Disavow + cease + document for any reconsideration request. |
| Aggressive SEO contractor recommending policy-violating practices | Do not implement. Document advice in writing for accountability. |

1.5 Required Tools

  • Google Search Console — primary source for manual action notifications and spam-related ranking data
  • Google Search Console Disavow Tool — for disavowing toxic backlinks
  • Bing Webmaster Tools — parallel monitoring for Bing manual actions
  • The actual spam policies documentation: developers.google.com/search/docs/essentials/spam-policies
  • Originality.ai or similar — AI content detection for scaled content abuse audit
  • Ahrefs/Semrush/Majestic — backlink profile auditing for link scheme detection
  • Wayback Machine — historical site state research, especially for expired domain audit
  • Server logs — to detect cloaking, sneaky redirects, hacked content

2. Client Variables Intake

# ============================================
# SPAM POLICIES FRAMEWORK CLIENT VARIABLES
# ============================================

# --- Business Identity (REQUIRED) ---
business_name: ""
primary_domain: ""
domain_age_years: 0
domain_acquired_from_someone_else: false  # Critical — if true, expired domain abuse risk
previous_domain_owner_known: ""
previous_domain_purpose: ""

# --- Penalty History (REQUIRED) ---
has_received_manual_action: false
manual_action_history: []            # List of past manual actions and dates
has_filed_reconsideration_request: false
reconsideration_request_outcome: ""
historical_spam_update_impacts: []    # Past spam updates that affected this site

# --- Content Creation Patterns (REQUIRED — be honest) ---
publishes_ai_generated_content: false
ai_content_publication_volume: ""    # "low" (<5/month), "medium" (5-50/month), "high" (>50/month)
ai_content_review_quality: ""        # "expert_review", "editor_review", "minimal_review", "none"
ai_content_disclosure: false
publishes_at_high_volume: false      # >10 articles per week
content_outsourced_to_freelancers: false
content_outsourced_volume: ""

# --- Site Architecture (REQUIRED) ---
has_subdomains: false
subdomain_list: []
has_subfolders_with_external_content: false  # Critical for site reputation abuse
external_partners_publishing_on_site: []
allows_user_generated_content: false
ugc_moderation_level: ""             # "none", "post_hoc", "pre_publication", "vetted_only"

# --- Linking Patterns (REQUIRED) ---
has_outbound_paid_links: false
paid_links_use_rel_sponsored: false
has_link_exchange_arrangements: false
has_purchased_links: false
has_used_link_building_services: false
sponsored_content_disclosed: false
affiliate_links_use_rel_sponsored: false

# --- Technical Spam Vectors (REQUIRED) ---
serves_different_content_to_googlebot: false  # Cloaking risk
uses_user_agent_detection: false
has_redirect_chains: false
has_meta_refresh_redirects: false
has_javascript_redirects_obscuring_destination: false
has_doorway_pages: false             # Many pages targeting variations of same intent
has_thin_pages_targeting_keywords: false

# --- Content Quality Signals (REQUIRED) ---
has_scraped_or_syndicated_content_without_value_add: false
has_duplicated_content_across_pages: false
has_machine_translated_content_without_review: false
has_auto_generated_text_filler: false
has_keyword_stuffed_content: false
has_invisible_or_misleading_text: false

# --- Hacking & Security (REQUIRED) ---
last_security_audit_date: ""
has_been_hacked_historically: false
hack_remediation_complete: false
has_2fa_on_admin_accounts: false
has_security_monitoring: false

# --- Affiliate & Monetization (REQUIRED) ---
business_model_includes_affiliate: false
affiliate_content_adds_value_beyond_links: false  # Honest answer
affiliate_disclosure_present: false
affiliate_disclosure_clear_and_conspicuous: false

# --- E-Commerce Specific (if applicable) ---
sells_user_data: false
displays_misleading_product_information: false
deceptive_pricing_practices: false
fake_reviews_present: false
review_acquisition_methods: []        # How reviews are obtained

# --- Compliance Documentation (REQUIRED) ---
has_documented_anti_spam_policies: false
has_third_party_content_review_process: false
has_link_acquisition_policy: false
has_ai_content_policy: false
quarterly_spam_audit_performed: false

After variables are gathered, save as spam-policies-variables.yml.


3. What Spam Policies Are

Google's spam policies are explicit rules documented at developers.google.com/search/docs/essentials/spam-policies that define manipulative practices Google does not allow in search results. These are operationally distinct from quality frameworks like E-E-A-T or HCS.

3.1 The Three Enforcement Mechanisms

Algorithmic Spam Updates — Periodic updates to Google's spam-detection algorithms. Like core updates, they roll out over days to weeks, are publicly named, and affect rankings broadly. Sites violating spam policies see ranking suppression, sometimes severe. Recovery requires remediation plus time. Recent named spam updates include:

  • May 2024 Spam Update (enforcement of the new March 2024 policies)
  • October 2024 Spam Update
  • December 2024 Spam Update
  • June 2025 Spam Update
  • November 2025 Spam Update

Manual Actions — Human-issued penalties communicated via Search Console under Security & Manual Actions. Manual actions can be partial (specific pages or sections affected) or sitewide. Some are reconsideration-eligible (after demonstrating remediation), some are not. Manual action types include:

  • Site abused with third-party spam
  • User-generated spam
  • Spammy free hosts
  • Structured data issue
  • Unnatural links to your site
  • Unnatural links from your site
  • Thin content with little or no added value
  • Cloaking and/or sneaky redirects
  • Pure spam
  • Cloaked images
  • Hidden text and/or keyword stuffing
  • AMP content mismatch
  • Sneaky mobile redirects
  • News and Discover policy violations

Algorithmic Demotion (No Manual Action) — Some spam-detection happens algorithmically without manual review, resulting in ranking suppression without an explicit manual action notification. Sites may experience traffic loss without knowing the cause. These cases require diagnostic investigation against spam policy criteria.

3.2 What Distinguishes Spam from Low Quality

Quality issues (low E-E-A-T, weak HCS) are matters of degree — content can be more or less helpful, more or less authoritative. Spam violations are matters of category — content either is or isn't keyword stuffed, scraped, cloaked. Spam policies define bright lines.

The practical implication: improving quality moves rankings up gradually. Eliminating spam violations may unlock sudden ranking restoration once Google's systems re-evaluate the site post-remediation.

3.3 The 2024 Policy Expansions

In March 2024, Google added three new spam policies that have driven substantial enforcement activity:

Scaled Content Abuse — Producing pages at scale primarily for ranking purposes, regardless of whether AI, human, or mixed authorship. Replaced the older "automatically generated content" policy with a broader definition focused on intent and pattern rather than method.

Site Reputation Abuse — Third parties publishing content on a host site primarily to leverage that site's ranking signals. Common pattern: established media sites leasing subdomains or subfolders to coupon, casino, or supplement marketers.

Expired Domain Abuse — Repurposing expired domains with prior authority to host content unrelated to the prior purpose, primarily for ranking benefit from inherited trust signals.

These three policies represent the largest spam policy expansion in years and continue to drive significant enforcement through 2026.

3.4 What Spam Policies Don't Cover

Spam policies don't cover:

  • Quality issues — addressed via core updates and HCS, not spam policies
  • Mistakes or accidents — Google distinguishes between intentional manipulation and good-faith errors
  • Personal preference disagreements — practices Google might not love but doesn't classify as spam
  • Legal compliance issues — copyright, defamation, etc. are addressed through other mechanisms

When something isn't a spam policy violation, addressing it requires the relevant quality framework.


4. Documented Spam Policies — Comprehensive Reference

This section catalogs every documented spam policy, what it covers, detection patterns, and avoidance requirements.

4.1 Cloaking

What it is: Presenting different content to search engine crawlers than to human users.

Common patterns:

  • User-agent detection serving different HTML to Googlebot vs browsers
  • IP-based content swapping
  • JavaScript that hides content from users that Googlebot sees as text
  • Reverse cloaking — keyword-stuffed text visible to bots, "cleaner" version to users
  • Geographic cloaking serving different content based on visitor location for ranking manipulation

Detection:

  • Google fetches with browser-like user agents and compares
  • Googlebot also runs in different network locations
  • Discrepancies between rendered DOM and HTML sent to crawlers are flagged

Avoidance requirements:

  • Serve identical content to all visitors (with legitimate exceptions for personalization, A/B testing through proper Google-supported methods, paywall/login walls properly declared)
  • If using A/B testing, use Google's recommended approach (canonical to original, no rel=canonical pointing to test variant)
  • Personalization based on user signals must not differ for Googlebot in ways that would change ranking signals
  • Geographic content variations must use proper hreflang
  • Verify with Google's URL Inspection Tool — what Googlebot sees should match what users see

Code pattern (anti-cloaking):

<!-- Same HTML for all visitors -->
<!-- Personalization happens client-side AFTER initial render -->
<!-- Or via Google-recognized signals like cookies, not user-agent -->
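A parity check for the "serve identical content" requirement, added here as an example (it is not part of the original framework): it compares the HTML your server returned to a crawler user agent with the HTML returned to a browser and reports words and links only the crawler received. The function names, the 0.9 threshold and both sample responses are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
import re


class PageSignals(HTMLParser):
    """Collect visible words and link targets; skip script/style/noscript bodies."""

    SKIP = {"script", "style", "noscript"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.skip_depth = 0
        self.words = []
        self.links = set()

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self.skip_depth += 1
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.add(href.strip())

    def handle_endtag(self, tag):
        if tag in self.SKIP and self.skip_depth:
            self.skip_depth -= 1

    def handle_data(self, data):
        if not self.skip_depth:
            self.words.extend(re.findall(r"[a-z0-9]+", data.lower()))


def extract(html):
    """Return (set of visible words, set of link targets) for one response body."""
    parser = PageSignals()
    parser.feed(html)
    parser.close()
    return set(parser.words), parser.links


def parity_report(crawler_html, browser_html, threshold=0.9):
    """Compare the body served to a crawler UA with the body served to a browser UA.

    threshold is an assumed cut-off for word-set Jaccard similarity; tune it to
    the amount of legitimate variation (timestamps, rotating teasers) on the site.
    """
    c_words, c_links = extract(crawler_html)
    b_words, b_links = extract(browser_html)
    union = c_words | b_words
    similarity = len(c_words & b_words) / len(union) if union else 1.0
    extra_links = c_links - b_links
    return {
        "similarity": round(similarity, 2),
        "crawler_only_words": sorted(c_words - b_words),
        "crawler_only_links": sorted(extra_links),
        "consistent": similarity >= threshold and not extra_links,
    }


# Constructed sample responses for the same URL (not captured from a real site).
BROWSER_HTML = (
    "<html><head><title>Austin Car Rental</title>"
    "<script>var uid = 42;</script></head><body>"
    "<h1>Car rental in Austin</h1><p>Book a car online today.</p>"
    '<a href="/book">Book now</a></body></html>'
)
CRAWLER_HTML = BROWSER_HTML.replace(
    "</body>",
    "<p>cheap car rental affordable car rental low cost car rental</p>"
    '<a href="https://partner.example/offers">offers</a></body>',
)

if __name__ == "__main__":
    for key, value in parity_report(CRAWLER_HTML, BROWSER_HTML).items():
        print(f"{key}: {value}")
```

Fetching with a swapped user agent from your own network does not exercise IP-based swapping, so also compare against the crawled HTML shown by the URL Inspection Tool.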

4.2 Doorway Pages

What it is: Pages created primarily to rank for specific queries that funnel users to a different destination of less direct utility.

Common patterns:

  • Multiple landing pages for slight variations of the same query (e.g., "cheap car rental Austin," "affordable car rental Austin," "low cost car rental Austin" all leading to same booking page)
  • Geographic doorway pages with thin city-specific content but identical service offering
  • Pages that exist solely to rank, then redirect or funnel users elsewhere
  • Templated pages with minor keyword variations across each instance

Distinction from legitimate location pages: A genuine local landing page provides location-specific information (local team, local hours, local context, local testimonials). A doorway page just swaps the city name in templated content.

Detection:

  • Pattern recognition across page templates
  • Bounce-and-redirect behavior monitoring
  • Lack of unique value per page in a series

Avoidance requirements:

  • Each page must offer substantive unique value beyond keyword targeting
  • Location-specific pages must include genuinely location-specific content
  • Don't create variations targeting query stems that resolve to the same intent
  • Consolidate query variations into single comprehensive pages

Programmatic SEO consideration: Programmatic city pages (such as those covering 4,715 city/service combinations) are not automatically doorway pages. They're doorway pages when they're thin and offer no location-specific value. They're legitimate when each page offers genuinely useful location-specific information — local team contact, local pricing variations, local case studies, local testimonials, local regulatory considerations, etc.
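One way to audit a programmatic page series for the "swaps the city name in templated content" pattern, added here as an example rather than taken from the original framework: mask the city name, break each page into word 3-grams, and measure how much of each page appears nowhere else in the series. The function names, the 0.3 cut-off and the three sample pages are assumptions constructed for illustration.

```python
import re


def shingles(text, city, n=3):
    """Word n-grams of the page text with the city name masked out."""
    masked = re.sub(re.escape(city), " CITYNAME ", text, flags=re.IGNORECASE)
    words = re.findall(r"[a-z0-9']+", masked.lower())
    return {tuple(words[i:i + n]) for i in range(len(words) - n + 1)}


def jaccard(a, b):
    """Set overlap in [0, 1]; two empty sets count as identical."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0


def audit_series(pages, n=3, min_unique=0.3):
    """pages maps city name -> visible page text.

    unique_share is the fraction of a page's shingles found on no other page
    in the series. min_unique is an assumed review threshold, not a Google rule.
    """
    sets = {city: shingles(text, city, n) for city, text in pages.items()}
    report = {}
    for city, own in sets.items():
        others = {c: s for c, s in sets.items() if c != city}
        shared = set().union(*others.values())
        unique = len(own - shared) / len(own) if own else 0.0
        twin = max(others, key=lambda c: jaccard(own, others[c]), default=None)
        report[city] = {
            "unique_share": round(unique, 2),
            "closest_page": twin,
            "closest_similarity": round(jaccard(own, others[twin]), 2) if twin else None,
            "doorway_risk": unique < min_unique,
        }
    return report


# Constructed sample series: two pure city swaps and one page with local content.
TEMPLATE = (
    "Need a plumber in {city}? Our licensed team serves {city} homes "
    "with fast repairs. Call today for a free quote."
)
PAGES = {
    "Austin": TEMPLATE.format(city="Austin"),
    "Dallas": TEMPLATE.format(city="Dallas"),
    "Houston": TEMPLATE.format(city="Houston")
    + " Our Houston crew is based on Westheimer Road, open 7am to 7pm, and"
    " handles the slab leak repairs common in Gulf Coast clay soil."
    " Permits are filed with the city permitting center for you.",
}

if __name__ == "__main__":
    for city, row in audit_series(PAGES).items():
        print(city, row)
```

Run it over the extracted body text of every page in a series; pages flagged here are candidates for consolidation or for real location-specific content, and the final judgement stays editorial.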

4.3 Hacked Content

What it is: Content placed on a site without permission, typically through security vulnerabilities, that's used for spam, phishing, or malware distribution.

Common patterns:

  • Injected pages selling unrelated products (pharmaceuticals, gambling)
  • Hidden content (cloaked) only visible to search engines
  • Redirected pages sending users to malicious destinations
  • Modified existing pages with injected spam content
  • Created admin accounts using compromised credentials

Detection:

  • Google security systems flag known hack patterns
  • Search Console issues "Hacked" warning
  • Sudden appearance of pages on unfamiliar topics
  • Server logs show unusual activity

Avoidance requirements:

  • Keep all software (CMS, plugins, themes, server stack) current
  • Use 2FA on all admin accounts
  • Strong unique passwords (password manager)
  • Limit admin account count
  • Regular security scanning (Wordfence, Sucuri, Patchstack for WordPress; equivalent for other stacks)
  • Web Application Firewall (Cloudflare, Sucuri, Wordfence)
  • File integrity monitoring
  • Intrusion detection on server level
  • Off-site backups for rapid recovery

Response if hacked: See Section 10.5.
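The "server logs show unusual activity" and "sudden appearance of pages" signals can be checked mechanically. The following is an added example, not part of the original framework: it reads Combined Log Format lines and reports paths that returned 200 to a Googlebot user agent but are absent from the site's own URL inventory, plus paths that returned 200 only to the crawler. The function name, the inventory set and the log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Combined Log Format:
# ip ident user [time] "METHOD target proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'\S+ \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def audit_access_log(lines, known_paths):
    """Flag crawler-visible URLs the site owner did not publish.

    known_paths is the owner's URL inventory (for example the sitemap paths).
    The user agent string only selects the traffic class here; it can be
    spoofed, so confirm genuine Googlebot requests by reverse DNS before
    drawing conclusions about what Google has crawled.
    """
    unlisted = Counter()
    statuses = defaultdict(lambda: {"crawler": set(), "other": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Combined Log Format
        path = urlsplit(m["target"]).path
        who = "crawler" if "Googlebot" in m["ua"] else "other"
        statuses[path][who].add(m["status"])
        if who == "crawler" and m["status"] == "200" and path not in known_paths:
            unlisted[path] += 1
    # Paths that answer 200 to the crawler but never 200 to anyone else:
    # the signature of injected pages that are cloaked or redirect visitors.
    split = sorted(
        p for p, s in statuses.items()
        if "200" in s["crawler"] and s["other"] and "200" not in s["other"]
    )
    return {"unlisted_crawled": dict(unlisted), "crawler_only_200": split}


# Constructed sample data (documentation IP ranges, invented paths).
BOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/122.0"
KNOWN_PATHS = {"/", "/services/", "/contact/"}
SAMPLE_LOG = [
    f'192.0.2.10 - - [10/Mar/2025:06:12:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "{BOT}"',
    f'192.0.2.10 - - [10/Mar/2025:06:12:04 +0000] "GET /assets/cache/pills-offer-1.html HTTP/1.1" 200 9001 "-" "{BOT}"',
    f'192.0.2.10 - - [10/Mar/2025:06:12:09 +0000] "GET /assets/cache/pills-offer-2.html HTTP/1.1" 200 9044 "-" "{BOT}"',
    f'198.51.100.7 - - [10/Mar/2025:07:30:15 +0000] "GET /assets/cache/pills-offer-1.html HTTP/1.1" 302 0 "-" "{BROWSER}"',
    f'198.51.100.7 - - [10/Mar/2025:07:31:02 +0000] "GET /services/ HTTP/1.1" 200 4310 "-" "{BROWSER}"',
    f'192.0.2.10 - - [10/Mar/2025:08:02:40 +0000] "GET /services/?utm_source=x HTTP/1.1" 200 4310 "-" "{BOT}"',
    "malformed line that the parser should ignore",
]

if __name__ == "__main__":
    for key, value in audit_access_log(SAMPLE_LOG, KNOWN_PATHS).items():
        print(f"{key}: {value}")
```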

4.4 Hidden Text and Links

What it is: Text or links placed in a way that human users can't see but search engines can read.

Common patterns:

  • White text on white background
  • Text positioned off-screen (text-indent: -9999px)
  • Text behind images
  • Tiny font sizes (1px font, 0px line-height)
  • Display:none or visibility:hidden on text containing keywords
  • Hiding text with CSS that's recoverable by crawlers
  • Links in characters like commas or single periods
  • 1×1 pixel images linking to other sites

Detection:

  • Google rendering identifies hidden content
  • Comparison of rendered vs HTML content reveals hidden elements
  • Pattern recognition on common hiding techniques

Avoidance requirements:

  • All text on the page should be visible to users
  • Don't use CSS to hide content for ranking purposes
  • Legitimate cases where content is hidden until user interaction (accordions, tabs, collapsible sections) are acceptable but content should still be visible/accessible upon interaction
  • Modal/popup content acceptable when triggered by user action
  • Skip-to-content links acceptable if standard accessibility pattern

Code pattern (legitimate progressive disclosure):

<details>
  <summary>Click to expand</summary>
  <p>Content visible after click. This is acceptable — user can access.</p>
</details>

Code pattern (spam):

<style>.hidden { display: none; }</style>
<div class="hidden">
  Keyword stuffed text invisible to users but indexed by search engines.
</div>
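A static audit for the two patterns above, added here as an example (not code from the original framework): it flags text nested under an element hidden by inline style, by the hidden attribute, or by a class rule declared in a style block, and leaves details/summary content alone. The names and the sample markup are assumptions constructed for illustration; colour-based hiding (white on white) and external stylesheets need a rendered check and are outside what this covers.

```python
import re
from html.parser import HTMLParser

# CSS declarations from the list above that take text out of view.
PATTERNS = [
    ("display:none", re.compile(r"display\s*:\s*none", re.I)),
    ("visibility:hidden", re.compile(r"visibility\s*:\s*hidden", re.I)),
    ("off-screen text-indent", re.compile(r"text-indent\s*:\s*-\d{3,}", re.I)),
    ("tiny font-size", re.compile(r"font-size\s*:\s*[01](?:px)?(?![\w.])", re.I)),
]
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}


def hiding_reason(css):
    """Return the label of the first hiding declaration in a CSS string, or None."""
    for label, pattern in PATTERNS:
        if pattern.search(css):
            return label
    return None


def class_rules(html):
    """Map class name -> hiding label for simple `.class { ... }` rules in <style>."""
    rules = {}
    for css in re.findall(r"<style[^>]*>(.*?)</style>", html, flags=re.S | re.I):
        for cls, body in re.findall(r"\.([\w-]+)\s*\{([^}]*)\}", css):
            label = hiding_reason(body)
            if label:
                rules[cls] = label
    return rules


class HiddenTextAudit(HTMLParser):
    def __init__(self, rules):
        super().__init__(convert_charrefs=True)
        self.rules = rules
        self.stack = []      # (tag, hiding reason or None) per open element
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        a = dict(attrs)
        reason = hiding_reason(a.get("style") or "")
        if reason is None and "hidden" in a:
            reason = "hidden attribute"
        if reason is None:
            for cls in (a.get("class") or "").split():
                if cls in self.rules:
                    reason = f"class .{cls}: {self.rules[cls]}"
                    break
        self.stack.append((tag, reason))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, tolerating unclosed children.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        text = " ".join(data.split())
        if not text or any(t in ("script", "style") for t, _ in self.stack):
            return
        for tag, reason in self.stack:
            if reason:  # outermost hidden ancestor explains why the text is unseen
                self.findings.append({"tag": tag, "reason": reason, "text": text})
                break


def audit_hidden_text(html):
    parser = HiddenTextAudit(class_rules(html))
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample combining the acceptable and spam patterns shown above.
SAMPLE = """
<style>.hidden { display: none; }</style>
<details><summary>Click to expand</summary><p>Content visible after click.</p></details>
<div class="hidden">cheap car rental austin affordable car rental austin</div>
<p style="text-indent: -9999px">low cost car rental</p>
<span style="font-size:1px">car rental deals</span>
<p style="font-size: 14px">Normal paragraph.</p>
"""

if __name__ == "__main__":
    for finding in audit_hidden_text(SAMPLE):
        print(finding)
```

Findings are review candidates, not verdicts: tabs or accordions that toggle display:none on user interaction will appear here and are acceptable under the requirements listed above.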

4.5 Keyword Stuffing

What it is: Loading pages with keywords or numbers in attempts to manipulate ranking, especially when it harms user experience.

Common patterns:

  • Lists of phone numbers without substantive value
  • Blocks of text listing cities or regions where the page wants to appear
  • Repeating same words or phrases unnaturally
  • Hidden keyword lists in meta tags or alt text
  • Stuffing alt attributes with keyword variations rather than describing images
  • Awkward sentences padded with keyword variations

Detection:

  • Keyword density relative to surrounding context
  • Unnatural phrasing patterns
  • Disproportionate keyword frequency
  • Patterns that match known stuffing approaches

Avoidance requirements:

  • Use keywords naturally in service of communication
  • Alt attributes describe images, don't list keywords
  • Meta descriptions describe content, don't pack keywords
  • Don't list cities/regions/services as plain text blocks
  • Vary language naturally; let topic-relevant terms appear organically
  • Write for humans first; if it reads awkwardly, it's stuffed

Word count consideration: Stuffing is about pattern, not absolute frequency. A long article on a specific topic will naturally include the topic term frequently — that's fine. A short article repeating the same phrase 30 times is stuffing.

4.6 Link Schemes

What it is: Links intended to manipulate ranking that aren't editorial in nature.

Common patterns:

Buying or selling links for ranking:

  • Purchasing dofollow links
  • Selling dofollow links
  • Trading goods or services for links
  • Sending free products in exchange for links without rel="sponsored"

Excessive link exchanges:

  • "Link to us, we'll link to you" reciprocal arrangements
  • Triangular link schemes (A→B→C→A)
  • Link exchange directories purpose-built for SEO

Large-scale article marketing or guest posting with optimized anchor text:

  • Guest posts where the primary purpose is dropping a link
  • Optimized anchor text in guest content
  • Single-author guest posting on dozens of sites
  • Guest posts with author bios containing manipulated anchor text

Automated link building:

  • Using software to create links across forums, blog comments, profiles
  • Paid services that generate links at scale
  • Link injection through hacked sites

Forum signatures and comments with optimized anchor text:

  • Strategic forum participation primarily for link drops
  • Blog comment links with money-anchor text

PBNs (Private Blog Networks):

  • Network of sites primarily existing to link to a money site
  • Often built on expired domains
  • Often interlinked in patterns that reveal coordination

Detection:

  • Backlink profile analysis showing unnatural patterns
  • Anchor text distribution analysis
  • Velocity analysis (sudden link spikes)
  • Link source quality signals
  • Pattern matching against known PBN footprints

Avoidance requirements:

  • Earn links through valuable content, not solicitation
  • Mark sponsored/paid links with rel="sponsored"
  • Mark guest post author bio links with rel="ugc" or rel="nofollow" if unrelated to content
  • Never participate in link exchanges for SEO purposes
  • Never purchase links for ranking
  • Never use link building services that promise dofollow links at volume

If unnatural inbound links are discovered:

  • Disavow via Google's Disavow Tool
  • Document disavow file in Search Console
  • File reconsideration request if manual action issued

4.7 Machine-Generated Traffic

What it is: Automated queries or bot traffic to Google or to a site that doesn't reflect real user behavior.

Common patterns:

  • Sending automated queries to Google (rank checking at high volume)
  • Bot-driven traffic to a site to manipulate engagement signals
  • Click manipulation services purchasing bot clicks on search results

Detection:

  • Pattern analysis of query and click behavior
  • Unusual session patterns
  • Click-through patterns not matching organic behavior

Avoidance requirements:

  • Use Google's official APIs for any automated query needs
  • Don't use rank-tracking services that send unauthorized queries to Google (most reputable services use their own indexes)
  • Never use traffic generation services
  • Never use click-bot services

4.8 Malware and Malicious Behaviors

What it is: Software that harms users — viruses, trojans, ransomware, unwanted software, drive-by downloads.

Common patterns:

  • Direct malware distribution
  • Misleading downloads (claiming to be one thing, actually another)
  • Software that modifies browser settings without consent
  • Drive-by downloads triggered by visiting a page
  • Sites distributing pirated software with bundled malware

Detection:

  • Google Safe Browsing scans
  • Detected malware triggers Search Console alerts and search result warnings

Avoidance requirements:

  • All downloads must accurately describe what's being downloaded
  • No bundled software users haven't consented to
  • No browser modification scripts
  • Maintain site security to prevent malware injection
  • Verify all third-party scripts and ads

4.9 Misleading Functionality

What it is: Sites that don't work as advertised — fake login forms, fake software, fake services.

Common patterns:

  • Pretending to be a brand the site isn't (phishing)
  • Promising functionality the site doesn't deliver
  • Fake "free PDF generator" or similar tools that don't work
  • Bait-and-switch products or services

Avoidance requirements:

  • Sites must accurately represent themselves and their function
  • Promised features must work
  • Brand impersonation prohibited
  • Deceptive product descriptions prohibited

4.10 Scaled Content Abuse (Added March 2024)

What it is: Producing many pages whose primary purpose is search ranking manipulation rather than helping users — regardless of whether the content was created by AI, humans, or both.

This is one of the most actively enforced policies in 2025-2026.

Common patterns:

  • AI-generated articles published at high volume with minimal review
  • Content farms producing hundreds or thousands of articles per month
  • Spinning existing content into many variations
  • Programmatic page generation without genuine per-page value
  • Templated content with minor variations to target keyword variations
  • "AI in, content out" workflows with no editorial layer

Critical clarification: AI use isn't automatically scaled content abuse. The violation is scale + low value + ranking primary purpose. AI can be used responsibly as a research and drafting assistant for content that adds genuine value. AI cannot be used to mass-produce content that exists primarily to occupy SERP space.

Detection:

  • Pattern recognition across publication volume
  • Content originality and value analysis
  • Engagement signals indicating low user satisfaction
  • Linguistic patterns common to AI generation when not edited
  • Site-wide content quality distribution
  • Rate of publication relative to organizational capacity

The December 2024 core update specifically targeted scaled content abuse patterns. Many content farms saw 40-80% organic traffic loss. The pattern continues — sites publishing high-volume AI content with minimal review face increasing risk through 2026.

Avoidance requirements:

  • Publication volume should be proportional to genuine editorial capacity
  • Every published article must add genuine value beyond what's already available
  • AI-assisted content requires meaningful human review and editing
  • Establish editorial review process: research → AI-assisted draft → expert revision → fact-check → publish
  • Disclose AI use per E-E-A-T framework Section 4.4.6
  • Maintain author accountability — real bylines, real responsibility for accuracy
  • Apply Information Gain principles per framework-infogain.md — every article must contribute novelty
  • Apply HCS principles per framework-hcs.md — content for users, not for search

Quantitative guideline: There's no fixed "publish less than X articles per month" rule. The relevant ratio is editorial capacity to publication volume. A team of 1 reviewing 5 AI-assisted articles per month is reasonable. A team of 1 publishing 100 AI articles per month is not. A team of 20 with rigorous editorial workflow can publish more without violation. Google's systems evaluate the quality outcome, not the input method.

4.11 Site Reputation Abuse (Added March 2024)

What it is: Third-party content published on a host site primarily to take advantage of the host's existing ranking signals, where the third-party content has little oversight from the host site.

Common patterns:

Parasite SEO arrangements:

  • Major news sites hosting "coupon code" subdirectories run by third parties
  • Established sites leasing subdomains to gambling, crypto, supplement marketers
  • Educational sites carrying commercial review sections operated by external SEO firms
  • Government or non-profit sites hosting commercial content for revenue

Common host targets:

  • News publications with high domain authority
  • Educational institutions (.edu)
  • Government sites (.gov)
  • Long-established commercial sites with strong ranking signals
  • Wikipedia-adjacent properties

The May 2024 spam update aggressively enforced this policy. Many high-profile examples of parasite SEO arrangements were de-ranked. Enforcement continues actively through 2026.

Detection:

  • Subdomain or subfolder content disconnected from main site purpose
  • Content quality and topic mismatch with host site
  • Editorial oversight gaps (different bylines, different editorial standards, different design patterns)
  • Pattern of similar parasite arrangements across multiple host sites

Avoidance requirements:

For host sites:

  • Don't lease subdomains or subfolders to third parties for content unrelated to your site's purpose
  • All content under your domain should be editorially controlled by your organization
  • If accepting sponsored content, treat as such with proper disclosure (rel="sponsored")
  • Affiliate content should be created under your editorial standards
  • Brand partnerships should be clearly disclosed and editorially vetted
  • Coupon/deals sections, if present, should be operated under main editorial oversight

For sites attempting to use parasite SEO:

  • Don't. The strategy is documented and enforced.
  • Build authority on your own domain
  • Use legitimate guest contribution to other sites with rel="sponsored" or rel="ugc" where appropriate

Edge cases:

  • Press releases distributed via wire services: Acceptable when properly attributed and not optimized solely for ranking
  • Job listings, classified ads: Acceptable when relevant to host site purpose
  • Forum content from real community members: Acceptable with moderation
  • Guest articles: Acceptable when editorially vetted and contributing genuine value
  • Affiliate review sections: Risk depends on editorial control — content created and vetted by host editorial team is acceptable; content provided by affiliate partners and published with minimal review is parasite SEO

Specific test for site reputation abuse:

  1. Is the content created by the host site's editorial team? If yes, not parasite SEO.
  2. Is the content created externally but rigorously edited by the host's team to its standards? Probably acceptable.
  3. Is the content created externally and published with minimal host editorial involvement, primarily for ranking benefit? Likely site reputation abuse.

4.12 Expired Domain Abuse (Added March 2024)

What it is: Acquiring expired domains with prior authority and repurposing them with content unrelated to the prior site's purpose, primarily to leverage inherited ranking signals.

Common patterns:

  • Buying expired domain previously used by a non-profit, repurposing for commercial content
  • Buying expired domain previously a small business site, repurposing as a content site on unrelated topic
  • Acquiring multiple expired domains to build PBN
  • Building content sites on expired domains that have nothing to do with original purpose

Detection:

  • Wayback Machine analysis showing dramatic content shifts
  • Backlink profile inconsistency with current site purpose
  • Patterns matching known expired domain reseller markets
  • Sudden ranking improvements without commensurate content quality

Avoidance requirements:

If acquiring an expired domain:

  • Continue the original site's purpose if at all possible
  • If different purpose, build genuinely from scratch and don't expect inherited ranking benefits
  • If needed, submit a reconsideration request clarifying the change in domain purpose
  • Be prepared for ranking signals to be re-evaluated post-acquisition

If domain history is unclear:

  • Wayback Machine review reveals prior content
  • Major content shifts justify Google's re-evaluation
  • Disavow inherited backlinks if they're spammy
  • Build new authority from current activity

Best practice: Build on new domains for new businesses. The "buying an aged domain for SEO benefit" strategy is now actively penalized. The domain age signal that this strategy targeted has been re-weighted to require continuity of purpose.

4.13 Scraped Content

What it is: Content republished from other sources without adding meaningful value.

Common patterns:

  • Auto-generated scraping of RSS feeds republished as own content
  • Content "spinning" — taking original content and using software to substitute synonyms
  • Republishing other sites' content with minor modifications
  • Aggregator pages with snippets but no substantial value add
  • Content "rewriting" services that produce technically-different but substantively-identical content

Distinction from legitimate aggregation: Aggregation that adds substantial value (curation, expert commentary, synthesis) is acceptable. Aggregation that adds nothing beyond republishing is scraping.

Detection:

  • Content similarity matching against original sources
  • Pattern recognition on spinning techniques
  • Originality analysis

Avoidance requirements:

  • All content should be substantively original to the publishing site
  • Quotes and excerpts permitted with attribution
  • Curated lists permitted with substantial original commentary
  • Syndication agreements permitted when properly canonicalized to original
  • Synthesis across sources permitted when synthesis itself is the contribution

4.14 Sneaky Redirects

What it is: Redirects that send users to a different destination than they expected.

Common patterns:

  • User clicks search result expecting one type of content, redirected to commercial offer
  • Mobile users redirected to different content than desktop users expecting the same page
  • Redirects from one search result to entirely unrelated destination
  • JavaScript redirects that mask the destination
  • Conditional redirects based on referrer (only redirect when from Google)

Detection:

  • Mobile vs desktop content comparison
  • User-experience signals (bounce rate, behavior)
  • Crawl path analysis

Avoidance requirements:

  • Redirects must lead to content matching what the search snippet promised
  • Mobile and desktop should reach equivalent content for the same URL
  • Use 301/302 redirects appropriately, not JavaScript redirects to mask destinations
  • Don't redirect users based on referrer for ranking manipulation
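The two conditional patterns above (referrer-based and mobile-versus-desktop) can be checked on your own pages by requesting the same URL under several request profiles and comparing where each one lands. The following is an added example, not part of the original framework; the profile header values, the `replay_fetch` stand-in and the recorded responses are constructed assumptions, and `live_fetch` is what you would use against a real site.

```python
"""Audit one URL for conditional or script-based redirects (added example)."""
import http.client
import re
from urllib.parse import urljoin, urlsplit

# Request profiles to compare. Header values are illustrative assumptions.
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
MOBILE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)"
SEARCH_REFERER = "https://www.google.com/"
PROFILES = {
    "desktop-direct": {"User-Agent": DESKTOP_UA},
    "desktop-search": {"User-Agent": DESKTOP_UA, "Referer": SEARCH_REFERER},
    "mobile-direct": {"User-Agent": MOBILE_UA},
    "mobile-search": {"User-Agent": MOBILE_UA, "Referer": SEARCH_REFERER},
}

# Heuristic markers of client-side redirects: script navigation, meta refresh.
SCRIPT_REDIRECT = re.compile(
    r"(?:window\.|document\.)?location(?:\.href)?\s*=\s*[\"']"
    r"|location\.(?:replace|assign)\s*\("
    r"|<meta[^>]+http-equiv\s*=\s*[\"']?refresh",
    re.IGNORECASE,
)


def live_fetch(url, headers):
    """Fetch one URL without following redirects (http.client never does)."""
    parts = urlsplit(url)
    secure = parts.scheme == "https"
    cls = http.client.HTTPSConnection if secure else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=10)
    try:
        target = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
        conn.request("GET", target, headers=headers)
        resp = conn.getresponse()
        body = resp.read(65536).decode("utf-8", "replace")
        return resp.status, resp.getheader("Location"), body
    finally:
        conn.close()


def destination(url, status, location):
    """Return the URL the visitor is sent to by this single response."""
    if status in (301, 302, 303, 307, 308) and location:
        return urljoin(url, location)
    return url


def audit_redirects(url, fetch=live_fetch):
    """Return a list of findings; an empty list means all profiles agree."""
    findings, results = [], {}
    for name, headers in PROFILES.items():
        status, location, body = fetch(url, headers)
        results[name] = destination(url, status, location)
        if SCRIPT_REDIRECT.search(body or ""):
            findings.append(f"{name}: client-side redirect in response body")
    baseline = results["desktop-direct"]
    for name, dest in results.items():
        if dest != baseline:  # a reviewer decides whether the difference is legitimate
            findings.append(f"{name}: lands on {dest}, baseline is {baseline}")
    return findings


# Constructed responses for a page that treats search-referred visitors differently.
RECORDED = {
    "desktop-direct": (200, None, "<html><body>Guide</body></html>"),
    "desktop-search": (302, "https://offers.example.net/deal", ""),
    "mobile-direct": (200, None, "<html><body>Guide</body></html>"),
    "mobile-search": (
        200, None,
        "<script>window.location.href='https://offers.example.net/deal'</script>",
    ),
}


def replay_fetch(url, headers):
    """Stand-in for live_fetch that replays RECORDED for the matching profile."""
    for name, profile in PROFILES.items():
        if profile == headers:
            return RECORDED[name]
    raise KeyError("unknown profile")


if __name__ == "__main__":
    for finding in audit_redirects("https://www.example.com/guide", replay_fetch):
        print(finding)
```

A finding is a prompt for review, not proof of a violation: a deliberate mobile host, for example, also differs from the desktop baseline.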

4.15 Spammy Automatically-Generated Content

What it is: Content produced by automated systems primarily for ranking, without value to users. Largely subsumed by the broader Scaled Content Abuse policy.

Common patterns:

  • Markov chain generated text
  • Translated text without human review
  • Automatically combined content from multiple sources
  • Automatically-created content stitching together database content with templates

Note: This older policy has been broadened into Scaled Content Abuse (Section 4.10). The narrow technical definition of "automatically generated" is now less relevant than the broader "content created at scale primarily for ranking." Same defensive patterns apply.

4.16 Thin Affiliate Pages

What it is: Affiliate marketing pages with little original content beyond the affiliate offers.

Common patterns:

  • Product review pages that just describe what the product's manufacturer says
  • Comparison pages with no actual testing or evaluation
  • "Top 10" lists ranked by affiliate commission rather than user benefit
  • Pages with no value beyond the affiliate links

Distinction from legitimate affiliate content: Affiliate marketing isn't prohibited. Thin affiliate content is. The standard: would this page be valuable even without the affiliate links? If not, it's thin.

Avoidance requirements:

  • Affiliate content must add substantial value beyond the affiliate program
  • Real product testing or experience documented
  • Evaluation criteria honest and useful
  • Recommendations based on user benefit, not commission rate
  • Affiliate disclosure prominent (FTC requirement and quality signal)
  • Use rel="sponsored" on affiliate links

4.17 User-Generated Spam

What it is: Spam content posted by third parties on a site, often through comments, forums, or open user-content systems.

Common patterns:

  • Comment spam with promotional links
  • Profile pages created solely to host links
  • Forum signatures with money-anchor links
  • Review spam (fake reviews, paid reviews)
  • Marketplace listings designed for SEO rather than genuine commerce

Detection:

  • Pattern recognition on common spam content
  • Volume and velocity of UGC posting
  • Author signal analysis

Avoidance requirements:

For sites with UGC:

  • Implement moderation (pre-publication ideally, post-publication minimum)
  • Require account creation with verification
  • Use rel="ugc" on links from user-generated content
  • Implement spam filters (Akismet for WordPress, etc.)
  • Manual review of high-volume posters
  • Remove spam content promptly when discovered
  • Don't allow comments to remain on old posts indefinitely if not moderated
  • Consider closing comments on older posts if moderation isn't sustainable

If site is hit by user-generated spam manual action:

  • Audit all UGC for spam patterns
  • Remove confirmed spam
  • Strengthen moderation processes
  • File reconsideration request demonstrating remediation
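The rel requirements in 4.16 (rel="sponsored" on affiliate links) and 4.17 (rel="ugc" on links inside user content) can be checked mechanically on rendered pages. The following is an added example, not part of the original framework; the `comment` class that marks user content, the affiliate host list and the sample markup are assumptions.

```python
"""Flag external links that lack the rel value their context requires."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements that never have an end tag, so they are not tracked as open.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}


class RelAuditor(HTMLParser):
    def __init__(self, site_host, ugc_class, affiliate_hosts):
        super().__init__(convert_charrefs=True)
        self.site_host = site_host
        self.ugc_class = ugc_class          # assumed marker for user content
        self.affiliate_hosts = set(affiliate_hosts)
        self.stack = []                     # (tag, opens_ugc_region) per open element
        self.findings = []

    def in_ugc(self):
        return any(is_ugc for _, is_ugc in self.stack)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self.check_link(attrs)
        if tag not in VOID:
            classes = (attrs.get("class") or "").split()
            self.stack.append((tag, self.ugc_class in classes))

    def handle_endtag(self, tag):
        # Close back to the nearest matching open tag so unclosed <p>/<li>
        # inside a comment cannot leave the auditor stuck in "UGC" state.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def check_link(self, attrs):
        href = attrs.get("href") or ""
        host = urlsplit(href).hostname
        if host is None or host == self.site_host:
            return  # relative, internal or non-network link
        rel = set((attrs.get("rel") or "").lower().split())
        if self.in_ugc():
            if "ugc" not in rel:
                self.findings.append((href, "user content link lacks rel=ugc"))
        elif host in self.affiliate_hosts and "sponsored" not in rel:
            self.findings.append((href, "affiliate link lacks rel=sponsored"))


def audit_rel(html, site_host, ugc_class="comment", affiliate_hosts=()):
    """Return (href, problem) tuples for one rendered page."""
    auditor = RelAuditor(site_host, ugc_class, affiliate_hosts)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed page: editorial body with affiliate links, then one comment.
SAMPLE_PAGE = """
<article>
  <p>We tested it. <a href="https://shop.example.net/item?tag=aff1">Buy</a>
  and <a href="https://shop.example.net/other" rel="sponsored">other</a>.</p>
  <a href="/about">About</a>
  <div class="comment">
    <p>Nice post <a href="https://pills.example.org/">cheap</a><br>
    <a href="https://blog.example.org/" rel="ugc nofollow">my blog</a>
  </div>
  <a href="https://docs.example.org/ref">Reference</a>
</article>
"""

if __name__ == "__main__":
    for href, problem in audit_rel(SAMPLE_PAGE, "www.example.com",
                                   affiliate_hosts={"shop.example.net"}):
        print(problem, href)
```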

5. Special Focus: The Three Policies Added March 2024

The three new spam policies introduced in March 2024 represent the most active enforcement areas in 2025-2026. Most penalties issued through this period fall into one of these three categories.

5.1 Scaled Content Abuse — Defensive Implementation

Audit current state:

# Scaled content abuse audit
publication_volume_per_month: 0
authors_per_published_article_average: 0
review_time_per_article_hours: 0
ai_assisted_articles_per_month: 0
ai_unassisted_articles_per_month: 0
content_outsourcing_volume: 0

# Honesty check
publishing_at_capacity: false  # Are we publishing more than we can genuinely review?
each_article_adds_genuine_value: false  # Honest answer
review_process_is_substantive: false  # Honest answer

Risk assessment:

| Pattern | Risk Level |
|---|---|
| <10 articles/month, expert authors, comprehensive review | Very Low |
| 10-50/month, mix of human and AI-assisted, full editorial review | Low |
| 50-200/month, primarily AI-assisted, light editorial review | Medium-High |
| >200/month, primarily AI-generated, minimal review | Critical |
| >50/month, single editor reviewing all, no expert input | High |

Defensive structural patterns:

  1. Editorial capacity matched to volume: If team can rigorously review N articles per month, publication volume should not exceed N (with margin)
  2. Documented editorial process: Research → Outline → Draft (AI-assisted or not) → Expert review → Fact-check → Edit → Publish
  3. Author accountability: Real bylines, real Person schema with credentials, real responsibility for accuracy
  4. Per-article value gating: Pre-publish check requiring articulation of what the article adds (Information Gain framework)
  5. AI use disclosure: Site-wide policy + per-article disclosure when applicable
  6. Quality monitoring: Track engagement metrics; remove or significantly improve underperforming content
  7. Topical focus discipline: Don't publish on topics outside genuine site authority

If currently exceeding safe patterns:

  1. Stop publishing AI content immediately until audit complete
  2. Audit existing AI content — identify articles with insufficient value
  3. Remove or significantly improve identified articles
  4. Restructure publication cadence to match genuine editorial capacity
  5. Document new process for any reconsideration needs

5.2 Site Reputation Abuse — Defensive Implementation

Audit current state:

# Site reputation abuse audit
hosts_third_party_subdomain_content: false
subdomain_third_parties: []  # List with editorial control level

hosts_third_party_subfolder_content: false
subfolder_third_parties: []  # List with editorial control level

allows_external_publishing_arrangements: false
external_arrangement_details: []  # Description and editorial control level

editorial_control_over_all_subdomains: ""  # "full", "partial", "none"
editorial_control_over_all_subfolders: ""

Acceptable arrangements:

  • Sponsored content: Clearly disclosed, rel="sponsored", produced or rigorously vetted by host editorial
  • Guest contributions: Vetted by host editorial team, fits topical focus
  • Affiliate partnerships: Content created by host team, with affiliate links properly disclosed
  • Coupon/deals: Operated by host team or under direct host editorial supervision
  • Press releases: Through proper PR/wire mechanisms with proper attribution
  • Job listings: Relevant to host site purpose, properly structured

Unacceptable arrangements:

  • Subdomain leased to third party for content unrelated to host purpose
  • Subfolder where third party publishes with minimal host editorial involvement
  • Coupon section run entirely by external SEO agency
  • Casino/gambling content on educational or news sites
  • Supplement marketing on health information sites
  • Any "we'll pay you to host our content" arrangement

Defensive structural patterns:

  1. All content under main domain editorially controlled by main organization
  2. Subdomains used for legitimate technical separation (status.example.com, blog.example.com when run by same team) not for third-party content
  3. Editorial standards applied uniformly across all site content
  4. Sponsored content distinctly marked with rel="sponsored" and visible disclosure
  5. Third-party content prohibited unless rigorously vetted

If currently has parasite SEO arrangement:

  1. Terminate the arrangement — no remediation works while it's active
  2. Remove or migrate the third-party content off the host domain
  3. 301 redirect to third party's own domain if appropriate (with proper communication)
  4. Document termination for any reconsideration request
  5. Audit broader site for similar patterns

5.3 Expired Domain Abuse — Defensive Implementation

Audit current state:

# Expired domain abuse audit
domain_acquired_from_someone_else: false
acquisition_date: ""
prior_owner_known: ""
prior_site_purpose: ""

current_site_purpose: ""
purpose_continuity_with_prior: ""  # "same", "related", "unrelated", "completely_different"

wayback_machine_review_completed: false
inherited_backlinks_audited: false
problematic_inherited_backlinks_disavowed: false

Risk assessment:

| Pattern | Risk Level |
|---|---|
| Domain registered from scratch, never previously used | None |
| Acquired domain, continuing original purpose | Low |
| Acquired domain, related but evolved purpose | Medium |
| Acquired domain, completely different purpose | High |
| Multiple acquired domains in same network | Critical |
| Acquired domain with documented prior ranking, repurposed | High |

Defensive structural patterns:

  1. For new businesses, use new domains — don't acquire aged domains for SEO benefit
  2. For business name acquisitions, focus on the brand value not the SEO equity
  3. If acquiring expired domain, evaluate continuity carefully — substantial purpose continuity is the safe path
  4. If purpose changes substantially, treat as new domain — don't expect inherited ranking benefits
  5. Audit inherited backlink profile — disavow toxic backlinks immediately
  6. Wayback Machine review — document the prior site for context

If domain has expired domain abuse risk:

  1. Wayback Machine audit — what was the prior content?
  2. Backlink audit — what does the inherited link profile look like?
  3. Disavow toxic backlinks through Google Search Console
  4. Make domain change explicit — About page acknowledges the change with substantive purpose explanation
  5. Build current authority through current work — don't rely on inherited signals
  6. Be prepared for slow ranking initially — Google will re-evaluate

6. Defensive Site Architecture

Beyond avoiding specific violations, structural patterns reduce risk of accidental violations.

6.1 Content Publishing Workflow

A workflow that prevents scaled content abuse and thin content:

Topic identification
  → "Why are we covering this?" gate
  → "What can we contribute?" gate (Information Gain)
  → If yes to both, proceed

Research
  → Primary sources gathered
  → Subject matter expert input

Drafting
  → AI-assisted or human-written (either acceptable)
  → Draft completed by named author

Expert review
  → Subject matter expert reviews accuracy
  → Reviewer takes professional responsibility
  → Reviewer signs off with name and credentials

Fact-checking
  → Every factual claim verified against primary source
  → Citations verified to actually support claims
  → Statistics double-checked

Editorial review
  → Quality assessment
  → Information Gain confirmation
  → Style and tone

Pre-publication check
  → Author byline with credentials present
  → Reviewer credit if YMYL
  → Disclosures present (AI use, affiliate, sponsored)
  → Schema valid
  → Internal links appropriate
  → Original imagery

Publication
  → Real bylines with author accountability
  → AI use disclosed if applicable
  → Refresh schedule set

6.2 Link Acquisition Policy

# {{BUSINESS_NAME}} Link Acquisition Policy

## What We Do

- Earn links through valuable content
- Cite primary sources in our content (creating natural inbound interest)
- Participate in industry communities authentically
- Build relationships with relevant publications

## What We Don't Do

- Buy or sell links for ranking purposes
- Participate in link exchange schemes
- Use link building services that promise volume
- Stuff guest post bylines with optimized anchor text
- Manipulate forum signatures or comment links
- Operate or participate in PBNs

## Sponsored Content

- Sponsored relationships disclosed with rel="sponsored"
- Sponsored content visibly marked
- Editorial integrity maintained

## Affiliate Links

- All affiliate links use rel="sponsored"
- Affiliate disclosure present on all affiliate content
- Affiliate recommendations based on user benefit, not commission

## When We Discover Toxic Inbound Links

- Document via backlink audit
- Disavow through Google Search Console
- Update Disavow file as needed

6.3 Third-Party Content Review Process

If the site allows any external content:

# Third-Party Content Review Process

## What We Accept

- Guest contributions from credentialed experts on our topical focus areas
- Sponsored content clearly identified as such
- User-generated content through approved channels

## What We Don't Accept

- Subdomain or subfolder leasing
- Content from external SEO agencies
- Content disconnected from our editorial focus
- Content with manipulated anchor text

## Vetting Process

1. Author/contributor identity verified
2. Content topic fits our editorial focus
3. Quality matches our standards
4. Editorial review by our team
5. Fact-checking through our process
6. Disclosure requirements met
7. Schema and metadata applied per our standards

6.4 AI Content Policy

# {{BUSINESS_NAME}} AI Content Policy

## How We Use AI

- Research assistance and source gathering
- First-draft generation reviewed by humans
- Grammar and style editing
- Outline and structure assistance

## How We Don't Use AI

- Mass-producing articles for SEO
- Publishing AI content without expert review
- Generating fabricated quotes, statistics, or experiences
- Replacing the need for genuine subject matter expertise

## Editorial Standards for AI-Assisted Content

- Every AI-assisted article reviewed by named subject matter expert
- Reviewer takes professional responsibility
- All factual claims verified against primary sources
- AI use disclosed per article when applicable
- Same quality bar as human-written content

## Volume Discipline

- Publication volume matches editorial capacity
- We don't publish more than we can rigorously review
- Quality over quantity is the principle

6.5 Security Posture

Documented at /admin/security-posture.md:

# Security Posture

## Current Configuration
- 2FA enabled on all admin accounts
- Strong unique passwords (password manager required)
- Limited admin account count
- Web Application Firewall active (Cloudflare)
- File integrity monitoring (Wordfence/equivalent)
- Daily off-site backups
- Quarterly security audit

## Monitoring
- Search Console for "Hacked" warnings
- Server logs reviewed weekly for unusual activity
- Malware scanning weekly
- SSL certificate expiration monitoring

## Incident Response
- Hacked content discovered → Section 10.5 protocol
- Credential compromise → password rotation across all accounts
- Successful intrusion → forensic analysis required before remediation

7. Red Flags and Early Warning Signs

Patterns that suggest spam policy violation risk before formal penalty.

7.1 Content Red Flags

  • Publication volume increasing without staffing increase
  • AI content disclosure conversations being avoided
  • Pressure to publish "just to have content" on topics
  • Articles published that the team hasn't read in full
  • Topical drift into areas outside genuine expertise
  • Word count targets driving content padding
  • Refresh dates being updated without content updates

7.2 Linking Red Flags

  • Sudden inbound link velocity increases
  • Inbound links from sites with unrelated topics
  • Inbound links with optimized anchor text patterns
  • Outbound link targets the team can't explain
  • "Link building" budget line items
  • Email outreach offers for "guaranteed dofollow links"

7.3 Architecture Red Flags

  • Subdomain or subfolder activity not familiar to main team
  • Pages indexed that the team didn't create
  • Geographic content variations beyond legitimate localization
  • Server log entries showing crawl patterns to unknown URLs
  • File system changes the team didn't make
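Two of these flags (pages the team didn't create, and crawl patterns to unknown URLs) can be surfaced during the weekly log review by comparing crawler requests that returned 200 against the inventory of URLs the team actually publishes. The following is an added example, not part of the original framework; the combined log format, the inventory source (`KNOWN_PATHS`, e.g. a sitemap or CMS export) and every log line are constructed assumptions, and crawlers are matched by User-Agent string only, which is not verified.

```python
"""List crawler-fetched paths that the server answers but the team never published."""
import posixpath
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Apache/nginx "combined" access log format.
LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico", ".woff2")


def unknown_crawled_paths(log_lines, known_paths, crawler_tokens=("Googlebot", "bingbot")):
    """Count 200 responses served to crawlers for paths outside the inventory."""
    hits = Counter()
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue  # unparsable, or the server did not serve content
        ua = m["ua"].lower()
        if not any(token.lower() in ua for token in crawler_tokens):
            continue
        path = urlsplit(m["target"]).path  # drop the query string
        if path in known_paths or path.lower().endswith(STATIC_EXT):
            continue
        hits[path] += 1
    return hits


def group_by_directory(hits):
    """Group unknown paths by parent directory to show where they cluster."""
    groups = defaultdict(list)
    for path in sorted(hits):
        groups[posixpath.dirname(path) or "/"].append(path)
    return dict(groups)


GBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BBOT = "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
HUMAN = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"

# Constructed inventory and log lines (documentation IP ranges, made-up paths).
KNOWN_PATHS = {"/", "/blog/spam-policies", "/about"}
SAMPLE_LOG = [
    f'192.0.2.10 - - [12/May/2025:06:01:11 +0000] "GET /blog/spam-policies HTTP/1.1" 200 5120 "-" "{GBOT}"',
    f'192.0.2.10 - - [12/May/2025:06:01:15 +0000] "GET /wp-content/uploads/2019/offers/page-17.html HTTP/1.1" 200 2048 "-" "{GBOT}"',
    f'192.0.2.10 - - [12/May/2025:06:01:19 +0000] "GET /wp-content/uploads/2019/offers/page-18.html?ref=1 HTTP/1.1" 200 2051 "-" "{GBOT}"',
    f'198.51.100.7 - - [12/May/2025:06:02:40 +0000] "GET /wp-content/uploads/2019/offers/page-17.html HTTP/1.1" 200 2048 "-" "{HUMAN}"',
    f'192.0.2.10 - - [12/May/2025:06:03:02 +0000] "GET /old-page HTTP/1.1" 404 312 "-" "{GBOT}"',
    f'192.0.2.10 - - [12/May/2025:06:03:05 +0000] "GET /assets/site.css HTTP/1.1" 200 900 "-" "{GBOT}"',
    f'203.0.113.5 - - [12/May/2025:06:04:30 +0000] "GET /wp-content/uploads/2019/offers/page-17.html HTTP/1.1" 200 2048 "-" "{BBOT}"',
]

if __name__ == "__main__":
    found = unknown_crawled_paths(SAMPLE_LOG, KNOWN_PATHS)
    for directory, paths in group_by_directory(found).items():
        print(directory, [(p, found[p]) for p in paths])
```

A cluster of unknown paths under one directory is the cue to start the Section 10.5 protocol; a single stray path is more often a forgotten legacy URL.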

7.4 Search Console Red Flags

  • Manual action notifications (immediate priority)
  • Security issue notifications
  • Sudden indexing decreases without explanation
  • Sudden indexing increases without explanation
  • "Hacked" warnings
  • Coverage report errors increasing

7.5 Traffic Pattern Red Flags

  • Sudden traffic loss without identified core update
  • Specific page sections losing traffic while others stable
  • Branded query traffic dropping (suggests manual action)
  • Sudden traffic gains that seem too good to be true (often precede manipulation detection)

8. Stack-Specific Spam Policy Considerations

8.1 WordPress

High-risk patterns:

  • Plugins generating content automatically
  • Themes with hidden links to plugin developer
  • Comment moderation off by default
  • Outdated plugins creating security vulnerabilities
  • "SEO" plugins that recommend stuffing keywords or hiding text

Defensive practices:

  • Akismet or similar comment spam filtering
  • Wordfence or equivalent security
  • Content publishing workflow plugins (Editorial Calendar, PublishPress)
  • Schema validation through Rank Math or Yoast
  • Regular plugin and theme updates

8.2 Programmatic SEO Sites (Next.js, custom)

High-risk patterns:

  • City pages or category pages with templated content lacking unique per-page value
  • Database-driven pages with insufficient editorial layer
  • Faceted navigation creating thousands of low-value URLs
  • Auto-generated pages from third-party data feeds

Defensive practices:

  • Per-page minimum content threshold enforced at build time
  • Per-page unique value validation
  • Robots.txt or noindex on pages below quality threshold
  • Editorial review of programmatic page templates
  • Genuinely location-specific or category-specific content per page

8.3 E-commerce Platforms (Shopify, WooCommerce, custom)

High-risk patterns:

  • Auto-generated product description from manufacturer feeds
  • Manufacturer review content republished without value-add
  • Faceted navigation creating duplicate content URLs
  • Affiliate review sites disguised as e-commerce
  • Fake or incentivized reviews

Defensive practices:

  • Original product descriptions per product (or properly canonicalized to manufacturer)
  • Genuine customer reviews with verification
  • Faceted URLs properly handled with canonicals or noindex
  • Clear distinction between affiliate and direct sales

8.4 News and Media Sites

High-risk patterns:

  • Coupon or deals subdirectories operated by third parties (parasite SEO risk)
  • Sponsored content not clearly marked
  • Aggregated wire content republished without value-add
  • AI-generated breaking news without verification
  • Programmatic local pages with thin content

Defensive practices:

  • All editorial sections under direct editorial control
  • Sponsored content clearly marked and disclosed
  • AI use restricted to editorial assistance, not authoritative content
  • Local journalism backed by genuine local presence

9. Cross-Reference to the 14-Tier Framework

Spam Policies compliance interacts with multiple tiers:

  • Tier 1 SSO — Site Security Optimization prevents hacked content
  • Tier 1 GCO — Google Compliance Optimization includes spam policies
  • Tier 2 OBL — Outbound Link strategies must follow link scheme policies
  • Tier 2 IBL — Inbound Link management must follow link scheme policies
  • Tier 3 LLMO — AI use must follow scaled content abuse policies
  • Tier 6 OCO — Original Content Optimization is the inverse of scraped/scaled abuse

Spam Policies compliance is a gate — sites failing here can't benefit from optimization in any other tier.


10. Detection, Response, and Recovery

10.1 Manual Action Detection

Check Search Console weekly, under Security & Manual Actions > Manual actions.

When a manual action appears:

  • Read the description carefully
  • Note whether it's site-wide or partial
  • Document the action type and date
  • Begin immediate investigation per Section 10.3

10.2 Algorithmic Spam Update Detection

Use the same protocol as core update detection (see framework-coreupdates.md Section 4):

  • Monitor SERP volatility trackers
  • Watch for Google announcements about spam updates
  • Compare site performance to industry signals
  • 72-hour hold rule before reactive action

When a spam update appears to be active:

  • Audit site against spam policies (Sections 4-5)
  • Identify likely violation pattern
  • Begin remediation

10.3 Manual Action Response Protocol

When manual action received:

Day 1:

  1. Read action description thoroughly
  2. Identify what triggered it
  3. Document current state for "before" reference
  4. Begin remediation immediately

Days 1-7:

  1. Comprehensive site audit per relevant Section 4 policy
  2. Identify all violating content/patterns
  3. Remediate or remove
  4. Document every remediation action with dates

Days 7-14:

  1. Verify remediation is complete
  2. Audit for any missed instances
  3. Strengthen processes to prevent recurrence
  4. Prepare reconsideration request

Reconsideration request structure:

# Reconsideration Request — {{ACTION_TYPE}}

## Manual Action Details
- Action type: {{TYPE}}
- Notification date: {{DATE}}
- Affected pages/sections: {{SCOPE}}

## What Caused the Violation
{{HONEST_DESCRIPTION_OF_THE_PATTERN}}

## What We Have Done to Fix It
1. {{REMEDIATION_ACTION_1_WITH_DATE}}
2. {{REMEDIATION_ACTION_2_WITH_DATE}}
3. {{REMEDIATION_ACTION_3_WITH_DATE}}

## Evidence of Remediation
- {{EVIDENCE_TYPE_1}}: {{LINK_OR_DESCRIPTION}}
- {{EVIDENCE_TYPE_2}}: {{LINK_OR_DESCRIPTION}}

## Steps We Have Taken to Prevent Recurrence
1. {{PROCESS_CHANGE_1}}
2. {{PROCESS_CHANGE_2}}
3. {{POLICY_DOCUMENT_LINK}}

## Acknowledgment
We acknowledge the violation, understand why our prior practices violated Google's policies, and are committed to maintaining compliance going forward.

Submitted by: {{NAME}}
Date: {{DATE}}
Search Console verified property: {{DOMAIN}}

Submit through Search Console > Manual actions > Request a review.

Response timeline: Typically days to weeks. Sometimes longer for complex cases.

10.4 Reconsideration Request Best Practices

  • Be honest about the violation: Google's reviewers know what happened. Trying to deny or minimize is counterproductive.
  • Show specific remediation: Concrete actions with dates, not vague statements.
  • Demonstrate understanding: Show you understand why the practice was prohibited.
  • Provide evidence: Links to changed pages, screenshots of removed content, documentation of process changes.
  • Don't promise; demonstrate: "We have removed 247 articles" is better than "We will remove low-quality articles."
  • Address root cause: Process changes, not just symptom remediation.
  • Be patient: Multiple rounds of review possible. Don't keep filing requests during review periods.

10.5 Hacked Content Response Protocol

When hacked content is detected:

Hour 1:

  1. Take site offline if compromise is severe (better than serving malware to users)
  2. Document the compromise (screenshots, server log copies)
  3. Notify hosting provider if applicable

Hours 1-24:

  1. Forensic analysis — how did they get in?
  2. Identify all compromised files and pages
  3. Restore from clean backup if available (verified pre-compromise)
  4. Apply security patches that address the vulnerability
  5. Rotate all credentials (passwords, API keys, SSH keys)
  6. Add 2FA to all admin accounts if not already enabled
  7. Review user accounts; remove unauthorized accounts

Days 1-7:

  1. Comprehensive site scan for residual compromise
  2. Submit hacked content notice in Search Console
  3. Request review once cleaned
  4. Strengthen security posture per Section 6.5

Long-term:

  1. Document the incident
  2. Review security practices
  3. Implement monitoring to detect future compromises faster

10.6 Link Penalty Response

For unnatural links to your site:

  1. Comprehensive backlink audit
  2. Identify toxic links (spammy domains, manipulated anchor text, link farms)
  3. Attempt outreach to remove (often unsuccessful at scale)
  4. Disavow remaining toxic links via Google Search Console Disavow Tool
  5. Document the disavow file for any reconsideration request
  6. File reconsideration if manual action

For unnatural links from your site:

  1. Audit all outbound links
  2. Add rel="nofollow" or rel="sponsored" where appropriate
  3. Remove links acquired through link schemes
  4. Document remediation
  5. File reconsideration

11. Audit Mode

11.1 Comprehensive Spam Policy Audit

Score the site against every documented policy:

| # | Policy Area | Pass/Fail | Notes |
|---|---|---|---|
| SP1 | Cloaking | | |
| SP2 | Doorway Pages | | |
| SP3 | Hacked Content | | |
| SP4 | Hidden Text and Links | | |
| SP5 | Keyword Stuffing | | |
| SP6 | Link Schemes (inbound) | | |
| SP7 | Link Schemes (outbound) | | |
| SP8 | Machine-Generated Traffic | | |
| SP9 | Malware and Malicious Behaviors | | |
| SP10 | Misleading Functionality | | |
| SP11 | Scaled Content Abuse | | |
| SP12 | Site Reputation Abuse | | |
| SP13 | Expired Domain Abuse | | |
| SP14 | Scraped Content | | |
| SP15 | Sneaky Redirects | | |
| SP16 | Spammy Auto-Generated Content | | |
| SP17 | Thin Affiliate Pages | | |
| SP18 | User-Generated Spam | | |

Score: 18 policies. World-class compliance: 18/18 with zero risks identified.

A site failing any single policy is at substantial risk regardless of other strengths.

11.2 Defensive Infrastructure Audit

| # | Criterion | Pass/Fail |
|---|---|---|
| DI1 | Content publishing workflow documented and enforced | |
| DI2 | Link acquisition policy documented | |
| DI3 | Third-party content review process exists if applicable | |
| DI4 | AI content policy documented | |
| DI5 | Security posture documented and current | |
| DI6 | Quarterly spam audit performed | |
| DI7 | Backlink profile audited within last 6 months | |
| DI8 | UGC moderation active if applicable | |
| DI9 | Editorial capacity matched to publication volume | |
| DI10 | Author accountability infrastructure in place | |
Score: 10. World-class: 10/10.


12. Maintenance Schedule

12.1 Daily

  • Monitor Search Console for new manual actions
  • Watch for security warnings
  • Spam alert monitoring on user-generated content

12.2 Weekly

  • Review server logs for unusual patterns
  • Check for new comment spam or UGC spam
  • Monitor SERP volatility for spam update signals

12.3 Monthly

  • Backlink profile review for unnatural patterns
  • Sample content audit for scaled content patterns
  • Outbound link audit
  • Disavow file review

12.4 Quarterly

  • Full spam policy compliance audit
  • Security audit
  • Defensive infrastructure audit
  • Process documentation review and refresh

12.5 Annually

  • Comprehensive review against current spam policies (policies evolve)
  • Strategic compliance posture assessment
  • Update internal policies for any changes
  • Reconsideration request review for sites with manual action history

13. Common Mistakes & Anti-Patterns

13.1 Treating Spam Policies as Optional

Anti-pattern: Following SEO advice that violates spam policies because "everyone does it."

Why it fails: Penalties happen. Recovery is hard. The "everyone does it" sites disappear regularly.

Fix: Treat spam policies as bright lines. Don't cross them regardless of competitive pressure.

13.2 AI Content Strategy Ignoring Scaled Content Abuse

Anti-pattern: "We can publish 100 AI articles per month for cheap." Mass production with minimal review.

Why it fails: Active enforcement target. Detection improving rapidly. Penalty severity high.

Fix: Editorial capacity matched to volume. Quality over quantity. Real review process.

13.3 "Renting" Authority Through Parasite SEO

Anti-pattern: Buying space on high-authority site to rank for commercial queries.

Why it fails: Site reputation abuse policy targets exactly this. Both host site and parasite content suffer.

Fix: Build authority on own domain. No parasite SEO arrangements.

13.4 Aged Domain Acquisitions for SEO

Anti-pattern: Buying expired domains with prior authority to skip the authority-building process.

Why it fails: Expired domain abuse policy. Re-evaluation removes the inherited authority.

Fix: Build on new domains. Earn authority through current work.

13.5 Programmatic SEO Without Per-Page Value

Anti-pattern: Generating thousands of city/category pages with templated content lacking unique value.

Why it fails: Doorway pages plus thin content. Multiple policy risks.

Fix: Programmatic pages must have genuine per-page value. Local content must be genuinely local.

13.6 Ignoring Manual Actions

Anti-pattern: Manual action received, ignored or addressed slowly.

Why it fails: Penalties compound. Reconsideration becomes harder over time.

Fix: Manual actions are top priority. Stop other work; address immediately.

13.7 Assuming Algorithmic Demotion Isn't Spam-Related

Anti-pattern: Traffic loss assumed to be core update; spam policy violation never investigated.

Why it fails: Misdiagnosis. Spam-policy-related demotion requires different remediation than core update response.

Fix: Check spam policies first when traffic loss occurs. Manual action notification doesn't always accompany algorithmic demotion.

13.8 Defensive Disavow Without Backlink Audit

Anti-pattern: Disavowing all backlinks indiscriminately "to be safe."

Why it fails: Disavowing legitimate authoritative links damages rankings.

Fix: Audit-driven disavow. Only disavow demonstrably toxic links.

13.9 No Quarterly Audit Cadence

Anti-pattern: Spam compliance treated as one-time setup, never revisited.

Why it fails: Sites drift. New violations creep in. Policies evolve.

Fix: Quarterly audits per Section 12.

13.10 Reconsideration Requests Without Real Remediation

Anti-pattern: Filing a reconsideration request with vague claims and no concrete remediation.

Why it fails: Reviewers see this constantly. Request denied. Future requests get stricter scrutiny.

Fix: Concrete remediation, documented evidence, real process changes. Then file.


14. Implementation/Audit Report Templates

14.1 Spam Policy Implementation Report Template

# Spam Policies Framework Implementation Report

**Site**: {{BUSINESS_NAME}}
**Implementation Date**: {{TODAY}}

## Comprehensive Audit Results
{{TABLE_OF_18_POLICIES_WITH_FINDINGS}}

## Critical Issues Identified and Remediated
{{LIST}}

## Defensive Infrastructure Installed
- Content publishing workflow: {{STATUS}}
- Link acquisition policy: {{STATUS}}
- Third-party content process: {{STATUS}}
- AI content policy: {{STATUS}}
- Security posture documentation: {{STATUS}}

## Process Changes Implemented
{{LIST_WITH_DATES}}

## Items Requiring Ongoing Monitoring
{{LIST}}

## Sign-Off
Implementation complete: {{DATE}}
Implementer: {{NAME}}

14.2 Spam Policy Audit Report Template

# Spam Policies Audit Report

**Site**: {{BUSINESS_NAME}}
**Audit Date**: {{TODAY}}

## Executive Summary
{{ASSESSMENT}}

## Compliance Status
- Policies in compliance: {{X}}/18
- Critical violations identified: {{COUNT}}
- High-risk patterns identified: {{COUNT}}
- Defensive infrastructure score: {{X}}/10

## Per-Policy Findings
{{DETAILED_PER_POLICY_FINDINGS}}

## Critical Issues Requiring Immediate Action
{{LIST_WITH_REMEDIATION_PLANS}}

## Risk Patterns Identified
{{LIST}}

## Defensive Infrastructure Gaps
{{LIST}}

## Recommended Remediation Order
{{PRIORITIZED_LIST_WITH_TIMELINES}}

## Manual Action Status
{{NONE / ACTIVE_ACTION_TYPE / HISTORICAL_ACTIONS}}

## Sign-Off
Audit complete: {{DATE}}
Auditor: {{NAME}}

14.3 Manual Action Reconsideration Request Template

# Reconsideration Request — {{ACTION_TYPE}}

## Manual Action Acknowledgment

We received a manual action notification on {{DATE}} for {{ACTION_TYPE}}. We acknowledge the violation and have completed remediation.

## What Caused the Violation

{{HONEST_AND_SPECIFIC_DESCRIPTION_OF_WHAT_HAPPENED_INCLUDING_WHY_IT_HAPPENED}}

## Specific Remediation Actions

### {{REMEDIATION_AREA_1}}
- {{DATE}}: {{ACTION_TAKEN}}
- {{DATE}}: {{ACTION_TAKEN}}
- Evidence: {{LINK_OR_DESCRIPTION}}

### {{REMEDIATION_AREA_2}}
- {{DATE}}: {{ACTION_TAKEN}}
- Evidence: {{LINK_OR_DESCRIPTION}}

## Process Changes to Prevent Recurrence

1. {{NEW_POLICY_OR_PROCESS}}: {{LINK_TO_DOCUMENTED_POLICY}}
2. {{NEW_POLICY_OR_PROCESS}}: {{LINK_TO_DOCUMENTED_POLICY}}
3. {{NEW_POLICY_OR_PROCESS}}: {{LINK_TO_DOCUMENTED_POLICY}}

## Supporting Evidence

- {{EVIDENCE_DOC_1}}: {{LINK}}
- {{EVIDENCE_DOC_2}}: {{LINK}}
- {{EVIDENCE_DOC_3}}: {{LINK}}

## Commitment Going Forward

We understand why our prior practices violated Google's spam policies. We have implemented systematic changes to prevent recurrence. We are committed to maintaining policy compliance and serving users with high-quality content.

---
Submitted by: {{NAME}}
Title: {{TITLE}}
Date: {{DATE}}
Search Console verified property: {{DOMAIN}}
Contact: {{EMAIL}}

End of Framework Document

Document version: 1.0
Last updated: 2026-04-29
Maintained by: ThatDeveloperGuy

Spam policies are the defensive half of search visibility. The frameworks that focus on quality (E-E-A-T, HCS, YMYL, Information Gain) tell you how to earn rankings. This framework tells you how not to lose them. A site that scores perfectly on quality frameworks but violates spam policies will be penalized regardless. A site that maintains spam policy compliance but lacks quality won't rank well but won't be removed.

The 2024-2026 spam policy expansion — scaled content abuse, site reputation abuse, expired domain abuse — represents Google's most aggressive anti-manipulation enforcement in years. Sites that haven't audited against these new policies are at risk regardless of historical compliance. The work in this framework is defensive but essential.

Compliance is a continuous practice, not a one-time setup. Quarterly audits per Section 12 are the minimum. Sites with growth, new content patterns, new partnerships, or new authors require more frequent review. The cost of a penalty — both ranking damage and remediation work — is dramatically higher than the cost of compliance.

Companion documents in this library:

  • framework-eeat.md — Foundational E-E-A-T (the quality counterpart to spam policies)
  • framework-ymyl.md — Your Money or Your Life elevated standards
  • framework-hcs.md — Helpful Content System
  • framework-sqrg.md — Search Quality Rater Guidelines
  • framework-coreupdates.md — Google Core Updates
  • framework-infogain.md — Information Gain
  • framework-entitysalience.md — Entity Salience
  • framework-knowledgegraph.md — Knowledge Graph
  • framework-aicitations.md — AI Citations

About this framework library

This article is the Dev.to republish of a framework reference document from ThatDevPro's SEO + AI engineering library. Canonical source: https://www.thatdevpro.com/insights/framework-spampolicies/

ThatDevPro is an SDVOSB-certified veteran-owned web + AI engineering studio operating from Cassville, Missouri. The studio runs the full 14-tier Engine Optimization stack and ships open-source tooling for AI citation engineering.

Companion 14-tier Engine Optimization stack (each tier is its own article):

  1. Tier 1 — Foundation
  2. Tier 2 — Search Visibility
  3. Tier 3 — AI Domination
  4. Tier 4 — Entity and Authority
  5. Tier 5 — Local Domination
  6. Tier 6 — Content and Multimedia
  7. Tier 7 — Social and Community
  8. Tier 8 — Data, Analytics, Conversion
  9. Tier 9 — Monitoring and Intelligence
  10. Tier 10 — Workflow and Operations
  11. Tier 11 — Marketplace and Retail
  12. Tier 12 — International
  13. Tier 14 — Advanced and Immersive

Need this framework implemented on your site? See the Engine Optimization service or hire through ThatDevPro contact.
