There is another question here, How to prevent negative SEO?, which gives the same advice found on most other online sources: Just have more good links to outweigh the bad.
That's nice in theory, but doesn't work for small companies with a limited budget up against a large (but unknown) unscrupulous company with deep pockets, they can easily outbuild our positive SEO efforts with spam links.
For the past several months, week by week, we have been fighting a never-ending battle where our rankings and sales drop, we get a list of links and go through them by hand, disavow domains, try and place a few good links, then check rankings again at the end of the week to find that our ranking have fallen, because while we were cleaning up last week's attack, they were executing a new one!
At this point, it's clear that this isn't some angry "Pop" in his garage who read about negative SEO and want to help "Mom". This is a large-scale and sustained attack by someone that views us as a serious threat and can and will outspend us to keep us down.
So when "just build more and better links" won't cut it because the attackers have a bigger budget and because spam links are easier and faster to build than good ones (that's the whole point of spamming!),
Question:
What can a small business or individual do to identify those involved in the negative spam?
Update 6/8/16:
We've got about 160 domains disavowed at this point.
Some of it is many domains with the same auto-generated content. The content on each page/domain is different, but it is clearly computer generated (it changes on each refresh) and uses the same template and "money word" anchor text after each paragraph. Example: spysony[DOT][ORG].
I also talked with an attorney. It would cost about $7,000 just to find out who is behind it, because you would have to sue "john doe" to get access to a judge, then you could send subpoenas to hosts, ISPs and other companies to discover who "john doe" is. Assuming the entire chain is under US jurisdiction. You could then continue or dismiss the lawsuit.
But then what? He said this is not the type of case attorneys take on contingency (where the attorney gets a percent of winnings rather then you paying him an hourly rate) because there is no clear body of law and no precedents. So there are legal theories that are theoretically applicable, but untested in court.
Which means just knowing who is behind it isn't enough, you would also need to pay the full cost of litigation out of pocket, hundreds of thousands of dollars, and then you might not even win, or you might win but not get damages or fees back. So I would say that at this point in time, there is no practical legal system answer unless you are rich or a big corporation.
In the meantime, I'm still optimistic that there is some process (that doesn't violate any laws but doesn't involve lawyers) to reverse engineer these attacks and find the source.
Update 6/18:
A few example links were requested. I'm not going to make these links so as not to be linking to spam sites.
There are several types of spam we're seeing, at a rate of about 20 new links per week.
Cheesy blog comments with exact match anchor text pointing to the wrong page.
Forum signature with only exact match anchor text, usually two keywords as links and nothing else, owned by a one post count forum member(name varies), usually making a useless post. Forum topics are usually not related to our niche at all.
Random domains with computer generated (spun) content and exact match keyword links. Appears completely automated and re-randomizes on each page load. A given link will only appear on a given page sometimes. There are hundreds of these domains. These domains are registered to a company calling itself "seoconqueror.org" although no such company exists. "seoconqueror.org" is blocked by whois guard. Here's a few samples:
liquidchikombucha[DOT]com
bubblieblondie[DOT]com
hanil-rental[DOT]net
marshmary[DOT]com
ti-89[DOT]org
acertemail[DOT]com
spysony[DOT]org
BMG-PTS[DOT]COM
The rabbit hole:
seoconqueror[DOT]org is a site with no content, registered at enom (namecheap I think?), and protected by whois guard.
seoconqueror[DOT]org resolves to IP 192.254.235.140, and uses ns2858.hostgator[DOT]com as nameservers
BMG-PTS[DOT]COM has a Twitter and Linked profile, which list its website as conquer-marketing[DOT]com. conquer-marketing[DOT]com is a default wordpress install with no content.
conquer-marketing[DOT]com resolves to ip 104.207.255.123 and uses dns1022-2.nexcess[DOT]net. conquer-marketing[DOT]com is registered with godaddy, but the database contains no contact info (an ICANN violation?)
208.69.120.27 - Nexcess[DOT]net L.L.C.
NEXCESS appears to be a legitimate hosting company based out of Michigan
Fake image search. There are tons of these. Examples:
gallerydata[DOT]net
gogalleryart[DOT]com
imagecoolpub[DOT]com
viewcoollibrary[DOT]com
picsonline[DOT]org
artpicturesonline[DOT]com
awesomepix[DOT]net
Fake and spammy blogspot, livejournel and other "make a free site" networks. These have all been removed.
What I call "China Spawn". Tons of these, they all look about the same:
yxnews[DOT]gov[DOT]cn
lwjfry[DOT]com
Lots of other random junk:
modbase[DOT]pl
nothingbutfun[DOT]com
And of course, no NSEO campaign would be complete without a bunch of crap domains 301 redirected at you, and without a bunch of pages which are cloaking. Some cloaked pages I have been able to see the links on with the googlebot user agent. But I think some of these pages actually check the reverse ip to make sure you're googlebot (which only Google is) before showing what they're hiding. You have to be really savvy to know to do that.
These are just a few examples. There are many, many, more and counting. The links seem to be built at a rate of about 5-20 per week, and based on found dates in link reports, this has been going on steadily for years!