
# Best-seo-solution.com Referral Spam

On April 1, 2015, and again on April 3, best-seo-solution.com showed up in my referral list on Google Analytics. Unlike social-buttons.com referral spam, the hostname in Google Analytics was filled in correctly. I did a `whois best-seo-solution.com` and discovered that the domain was registered on April 1, 2015 by Whois Privacy Protection Service, Inc. of Kirkland, WA. Retrieving the site using `curl best-seo-solution.com` and `curl best-seo-solution.com/try.php` (the referral URL) showed no response at all; not even a redirect. `curl -L best-seo-solution.com` showed a redirect to semalt.com.

On April 1, `dig best-seo-solution.com` showed an IP address of 217.23.7.144, which is hosted by Worldstream in the Netherlands. Google shows this to be a parked domain.

This is clearly referrer spam implemented as a crawler (as opposed to ghost referrer spam).

I attempted to block this in `.htaccess`, as described in Deny visitors by referrer, but this did not work for best-seo-solution.com.

## Current Blocked Referrer List

My current list of blocked referrers is the following, but it does not actually block several of the items due to spoofing:

```apache
RewriteEngine On
# Match any of the listed referrers, case-insensitively. Every condition
# except the last carries [OR] so the whole list is a single alternation.
RewriteCond %{HTTP_REFERER} ^.*semalt\.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^.*best-seo-solution\.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^.*best-seo-offer\.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^.*delta-search\.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^.*buttons-for-website\.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^.*buttons-for-your-website\.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^.*darodar\.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^.*makemoneyonline\.com.*$ [NC]
# Answer matching requests with 403 Forbidden.
RewriteRule .* - [F]
```

## Filtering Referrer Spam in Google Analytics

For a longer discussion of a case of ghost referral spam, see Social-buttons.com Referral Spam on this site. For a great discussion of referral spam in general, see Removing Referral Spam from Google Analytics.

Google Trends is a good way to estimate how badly other sites are getting hit with an outbreak of a referral spammer. Figure 1 shows the frequency of Google queries for both “best-seo-solution.com” and “semalt.com”. I have not figured out a way to get this to render on Firefox due to more restrictive handling of iframes. To see this graph in Firefox, link to https://www.google.com/trends/explore#q=best-seo-solution.com%2C%20semalt.com&date=today%203-m&cmpt=q&tz=.

## An .htaccess Approach that You May See

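Several websites suggest the `.htaccess` approach shown in the snippet below. As implemented, this could open up log and other areas of the site that you really, really do not want to open up: once `Order`, `Allow` or `Deny` appears in an `.htaccess` file, the directory no longer inherits any stricter `Order`/`Allow`/`Deny` rules from the configuration above it, and `Allow from all` then admits everyone who is not flagged as a spambot. So if you have stumbled across this on a forum somewhere, do not implement it unless you really know what you are doing with `.htaccess`: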

```apache
SetEnvIfNoCase Referer ^.*semalt\.com spambot=yes
Order allow,deny
Allow from all
Deny from env=spambot
```

## Fixing the Problem

My first reaction in addressing referral spam was to add a line to .htaccess to block these spam referrals (see https://www.htaccess-guide.com/deny-visitors-by-referrer/ for a description of how to do this) but with more research, it turns out these referrals weren’t referrals to my site at all, but were insertions of fake referrals into my Google Analytics reports. As was the case with darodar.com, the clear intent is to cause webmasters to go to an unfamiliar site when they see a reference in their Google Analytics reports. Whether the motivation is to generate traffic to their site or to cause webmasters to visit a site that will download malware is unknown.

Based upon the instructions in Removing Referral Spam from Google Analytics, I checked the hostname on the referrals, and all showed “(not set)”–a clear sign that no one ever touched my site and that these were inserted into Google Analytics to get me to click social-buttons.com to generate traffic or download malware onto my computer.
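The hostname check can be backed up with the web server's own access log, which records only requests that actually arrived. The following is an added example, not code from the original article: it assumes Apache's combined log format, and the `.example` domains, log lines and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$')

def referrer_hosts(log_lines):
    """Return the set of Referer hostnames that really reached the web server."""
    hosts = set()
    for line in log_lines:
        m = COMBINED.match(line.strip())
        host = urlsplit(m.group(1)).hostname if m else None  # "-" and "" give None
        if host:
            hosts.add(host.lower())
    return hosts

def classify(analytics_rows, log_lines, valid_hostnames):
    """Label each (referrer, hostname) analytics row as ghost, spoofed or crawler."""
    seen = referrer_hosts(log_lines)
    labels = {}
    for referrer, hostname in analytics_rows:
        ref = referrer.lower()
        in_log = any(h == ref or h.endswith("." + ref) for h in seen)
        if hostname.lower() not in valid_hostnames:
            labels[referrer] = "ghost"    # e.g. "(not set)": the site was never requested
        elif in_log:
            labels[referrer] = "crawler"  # a real request: a server-side block can work
        else:
            labels[referrer] = "spoofed"  # plausible hostname, but no request in the log
    return labels

# Constructed sample data (not from the original page).
VALID = {"www.example.org", "example.org"}
ANALYTICS = [
    ("spam-a.example", "(not set)"),
    ("spam-b.example", "www.example.org"),
    ("spam-c.example", "www.example.org"),
]
LOG = [
    '203.0.113.7 - - [01/Apr/2015:10:00:00 +0000] "GET / HTTP/1.1" 200 5120 '
    '"http://crawl.spam-c.example/bot.php?u=www.example.org" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Apr/2015:10:05:00 +0000] "GET /about HTTP/1.1" 200 2048 '
    '"https://www.google.com/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ref, label in classify(ANALYTICS, LOG, VALID).items():
        print(f"{ref}: {label}")
```

Only the "crawler" rows can be stopped in `.htaccess`; "ghost" and "spoofed" rows never pass through the server and have to be filtered inside the analytics tool.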

Removing Referral Spam from Google Analytics provides a good description of the problem and some solutions. Understanding and eliminating referrer spam in Google Analytics gives another good description of referral spam and a programmatic solution that is appropriate for plug-in developers but not for administrators of WordPress, Joomla and other content management system (CMS) based sites.

An alternative is to switch to self-hosted Piwik for your web analytics; if you do this, it will be immediately clear that the vast majority of Google Analytics referral spam is of the spoofed variety rather than the crawler variety. Piwik does not have the advertising integration nor does it have the demographic information, but for many small-traffic sites it can provide much more information. See Using Piwik as an Alternative to Google Analytics on this web site for more information on why Piwik might work for you and how to implement it.

## Useful Commands and Web Sites for Investigating Referrers

For investigating a referrer, here are some useful commands and web sites:

• TCPIPutils is a great site for looking up data on a domain or IP address
• For domain registrations, the command line `whois social-buttons.com` is very convenient, as is https://www.whois.net/
• For IP lookups, `dig social-buttons.com` is convenient, as is https://ip-lookup.net/index.php
• To view a site in character mode so that malware doesn’t get downloaded, use `curl` and `curl -L`. These are commonly installed on Linux machines, but will require additional software on Windows and OS X, as discussed below.
• To look up a lot of information on an IP address in one place https://www.tcpiputils.com/browse/ip-address will give you a lot of information quickly.

### Command Line Utilities

To use the whois, dig and curl commands on Windows and OS X, you will need to install additional software:

• On Windows, install Cygwin and add the curl package.
• On OS X, install MacPorts and add the curl package.

Cygwin and MacPorts have many additional command line and graphical utilities that make life easier in Windows and OS X.