Google Analytics Referral Spam from go-there1.xyz
On Tuesday, May 21, 2019
go-there1.xyz appeared in my Google Analytics referral list with references to
/h/8714471.html a non-existent page on my site–a clear indication that this is a spoofed referral spam attack where no one touched my site, or if they did, they were referred to a non-existent page. Other sites may have a reference to a different page of the same format.
whois go-there1.xyz shows registration on May 21, 2019 (today) at
namesilo.com. The domain was registered at 5:26 AM UTC, or 8:26 AM in Kiev. Prior to about March, 2019 most referral spam domains were registered with ukrnames, but as of about March, 2019, most are registered with namesilo, and are registered a few hours earlier in the day. Also as of March 2019, the domain names are not as readable to native English speakers.
curl -L go-there1.xyz | grep 'semalt' shows references to semalt.com, a big referral spam name a couple of years ago. The signature for this is slightly different than recent
semalt.com attack sites:
<iframe src="http://semalt.com/fbpc.php" style="position:absolute;top:0;left:0" width="1" height="1"></iframe>
DNSLytics.com shows that this is a route to IP address
188.8.131.52. This server is owned by “openfrost.com”, a domain that is privately registered with
ukrnames.com, a registrar that is used by numerous recent Google Analytics referral spam attacks.
Google has become better at detecting but not blocking analytics attacks from this organization. Generally, these referrals now disappear within a couple of days, even though the view that I use for identifying referral spam does not use filters. Given that the extremely high ratio of self-promotion of semalt.com vs. other real web sites, it appears that this may have more to do with placing malware than with selling black-hat SEO services.