Web Analytics Referral Spam

100dollars-seo.com Referral Spam

On June 5th, 2015, Google Analytics showed a big spike in referral traffic to my site from 100dollars-seo.com. After dealing with the darodar.com and social-buttons.com referral problems in late 2014 and early 2015, where these sites spammed Google Analytics to get webmasters to visit them, I didn’t automatically go to the 100dollars-seo.com site. I first checked ownership with whois 100dollars-seo.com and found that the domain was registered to Whois Privacy Corp on June 5, 2015 through TLD Registrar Solutions, a domain registrar in Nassau, Bahamas.

curl 100dollars-seo.com showed nothing, indicating that the domain redirects, so I tried curl -L 100dollars-seo.com, which displayed code with a lot of references to semalt.com, a well-known referral spammer. If you are not familiar with semalt.com, read Semalt Hijacks Hundreds of Thousands of Computers to Launch a Referrer Spam Campaign, or Removing Referral Spam from Google Analytics. Next, I used curl -L 100dollars-seo.com > junk1 and curl -L semalt.com > junk2, then compared the two sites with diff junk1 junk2 and found no differences. None. 100dollars-seo.com is either redirecting to semalt.com or is a duplicate of it. To find out which, I used curl -I 100dollars-seo.com and found that it is doing a 302 redirect to semalt.com.
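The redirect check above can be scripted so the hops are read from saved headers rather than by eye. This is an added example, not code from the original post: it parses header text saved from curl -sIL, and the sample headers below are constructed, not a capture from the real site.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample of what `curl -sIL http://100dollars-seo.com/` could print:
# one header block per hop, separated by a blank line. Not a real capture.
SAMPLE_HEADERS = """\
HTTP/1.1 302 Found
Server: nginx
Location: http://semalt.com/

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
"""


def redirect_chain(start_url, raw_headers):
    """Return [(url, status, next_url_or_None), ...], one tuple per response."""
    hops, url = [], start_url
    for block in raw_headers.replace("\r\n", "\n").strip().split("\n\n"):
        lines = block.strip().split("\n")
        status = int(lines[0].split()[1])  # "HTTP/1.1 302 Found" -> 302
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        nxt = None
        if 300 <= status < 400 and "location" in headers:
            nxt = urljoin(url, headers["location"])  # Location may be relative
        hops.append((url, status, nxt))
        if nxt is None:
            break
        url = nxt
    return hops


def leaves_original_host(hops):
    """True if any redirect lands on a hostname other than the first URL's."""
    first = urlsplit(hops[0][0]).hostname
    return any(n and urlsplit(n).hostname != first for _, _, n in hops)


if __name__ == "__main__":
    chain = redirect_chain("http://100dollars-seo.com/", SAMPLE_HEADERS)
    for url, status, nxt in chain:
        print(status, url, "->", nxt or "(final)")
    print("cross-host redirect:", leaves_original_host(chain))
```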

dig 100dollars-seo.com shows an IP address of 217.23.7.144.

Tcpiputils.com shows that the site is hosted in the Netherlands, and that best-seo-offer.com, buttons-for-your-website.com, and website-errors-scanner.com are hosted on the same server.

Removing 100dollars-seo.com from Google Analytics

Next, I went to Google Analytics and added 100dollars-seo.com to my filters as described in Removing Referral Spam from Google Analytics. This is an excellent article, and I won’t repeat the instructions here. You will find articles that give instructions on adding redirects in .htaccess and on allowing/denying access in the .htaccess file. Neither solution works at all for spammers like darodar.com and social-buttons.com that use the vulnerability in Google Analytics’ protocol. The allow/deny .htaccess approach can also inadvertently open up some serious security holes on your site.

Use the Google Analytics filter approach described in Removing Referral Spam from Google Analytics.

Trends

To understand the frequency of this attack and other referral spam attacks, I looked at Google Trends. Figure 1 shows the relative frequency of searches for “referral spam” and Figure 2 shows the relative frequency for “100dollars-seo.com”. At this posting, there isn’t enough data to generate a Google Trends chart for Figure 2, but my guess is that on Monday June 8th or Tuesday June 9th, enough webmasters will be looking for this to generate a lot of data on it.

Figure 1. Google Trends for search terms “social-buttons.com”, “100dollars-seo.com” and “referral spam” from 2004 to present.
Figure 2. Google Trends for search terms “social-buttons.com”, “100dollars-seo.com” and “referral spam” from the last 90 days.

More Information

For more information on referral spam, see

Fixing the Problem

My first reaction in addressing referral spam was to add a line to .htaccess to block these spam referrals (see https://www.htaccess-guide.com/deny-visitors-by-referrer/ for a description of how to do this) but with more research, it turns out these referrals weren’t referrals to my site at all, but were insertions of fake referrals into my Google Analytics reports. As was the case with darodar.com, the clear intent is to cause webmasters to go to an unfamiliar site when they see a reference in their Google Analytics reports. Whether the motivation is to generate traffic to their site or to cause webmasters to visit a site that will download malware is unknown.

Based upon the instructions in Removing Referral Spam from Google Analytics, I checked the hostname on the referrals, and all showed “(not set)”–a clear sign that no one ever touched my site and that these were inserted into Google Analytics to get me to click social-buttons.com to generate traffic or download malware onto my computer.

Removing Referral Spam from Google Analytics provides a good description of the problem and some solutions. Understanding and eliminating referrer spam in Google Analytics gives another good description of referral spam and a programmatic solution that is appropriate for plug-in developers but not for administrators of WordPress, Joomla and other content management system (CMS) based sites.

An alternative is to switch to self-hosted Piwik for your web analytics; if you do this, it will be immediately clear that the vast majority of Google Analytics referral spam is of the spoofed variety rather than the crawler variety. Piwik does not have the advertising integration nor does it have the demographic information, but for many small-traffic sites it can provide much more information. See Using Piwik as an Alternative to Google Analytics on this web site for more information on why Piwik might work for you and how to implement it.
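The hostname check and the spoofed-versus-crawler distinction described above can be cross-checked against your own server logs. This is an added example, not code from the original post: the valid hostnames, the analytics rows, the access log lines and the crawler-spam.example domain are all constructed or assumed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed: hostnames that legitimately serve this site's tracking code.
VALID_HOSTNAMES = {"example.org", "www.example.org"}

# Constructed rows from an analytics referral report: (source, hostname, sessions).
ANALYTICS_ROWS = [
    ("100dollars-seo.com", "(not set)", 48),
    ("social-buttons.com", "(not set)", 31),
    ("crawler-spam.example", "www.example.org", 12),
    ("news.example.net", "www.example.org", 7),
]

# Constructed web server access log lines in combined log format.
ACCESS_LOG = '''\
203.0.113.9 - - [05/Jun/2015:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "http://crawler-spam.example/" "Mozilla/5.0"
203.0.113.9 - - [05/Jun/2015:10:01:03 +0000] "GET / HTTP/1.1" 200 5120 "http://crawler-spam.example/" "Mozilla/5.0"
198.51.100.4 - - [05/Jun/2015:11:15:40 +0000] "GET /post HTTP/1.1" 200 9001 "http://news.example.net/story" "Mozilla/5.0"
198.51.100.7 - - [05/Jun/2015:12:00:00 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
'''

LOG_RE = re.compile(r'"[A-Z]+ \S+ [^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$')


def referrer_hosts(log_text):
    """Count requests per Referer hostname actually seen by the web server."""
    seen = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group(1) not in ("", "-"):
            host = urlsplit(m.group(1)).hostname
            if host:
                seen[host] += 1
    return seen


def classify(rows, log_text, valid_hosts=VALID_HOSTNAMES):
    """Label each analytics referral source by whether the server ever saw it."""
    seen = referrer_hosts(log_text)
    result = {}
    for source, hostname, _sessions in rows:
        if hostname not in valid_hosts and seen[source] == 0:
            result[source] = "spoofed"  # injected into analytics, no server hit
        elif seen[source] > 0:
            result[source] = "reached-server"  # crawler spam or a real referral
        else:
            result[source] = "unverified"  # valid hostname but not in this log
    return result
```

Sources labelled spoofed never reached the web server, which is why server-side blocking has no effect on them and an analytics filter is the right place to remove them.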

Useful Commands and Web Sites for Investigating Referrers

For investigating a referrer, here are some useful commands and web sites:

  • TCPIPutils is a great site for looking up data on a domain or IP address
  • For domain registrations, the command line whois social-buttons.com is very convenient as is https://www.whois.net/
  • For IP lookups, dig social-buttons.com is convenient, as is https://ip-lookup.net/index.php
  • Better Business Bureau
  • To view a site in character mode so that malware doesn’t get downloaded, use curl and curl -L. These are commonly installed on Linux machines, but will require additional software on Windows and OS X, as discussed below.
  • To look up a lot of information on an IP address in one place, https://www.tcpiputils.com/browse/ip-address will give you a lot of information quickly.

Command Line Utilities

To use the whois, dig and curl commands on Windows and OS X, you will need to install additional software:

  • On Windows, install Cygwin and add the curl package.
  • On OS X, install MacPorts and add the curl package.

Cygwin and MacPorts have many additional command line and graphical utilities that make life easier in Windows and OS X.

More Information

For more information on referral spam, see
