Web Analytics Referral Spam

Google Analytics Referral Spam from go-there1.xyz

On Tuesday, May 21, 2019 go-there1.xyz appeared in my Google Analytics referral list with references to /h/8714471.html a non-existent page on my site–a clear indication that this is a spoofed referral spam attack where no one touched my site, or if they did, they were referred to a non-existent page. Other sites may have a reference to a different page of the same format. whois go-there1.xyz shows registration on May 21, 2019 (today) at namesilo.com. The domain was registered at 5:26 AM UTC, or 8:26 AM in Kiev. Prior to about March, 2019 most referral spam domains were registered with ukrnames, but as of about March, 2019, most are registered with namesilo, and are registered a few hours earlier in the day. Also as of March 2019, the domain names are not as readable to native English speakers.

curl -L go-there1.xyz | grep 'semalt' shows references to semalt.com, a big referral spam name a couple of years ago. The signature for this is slightly different than recent semalt.com attack sites:

<iframe src="http://semalt.com/fbpc.php" style="position:absolute;top:0;left:0" width="1" height="1"></iframe>

DNSLytics.com shows that this is a route to IP address This server is owned by “openfrost.com”, a domain that is privately registered with ukrnames.com, a registrar that is used by numerous recent Google Analytics referral spam attacks.

Google has become better at detecting but not blocking analytics attacks from this organization. Generally, these referrals now disappear within a couple of days, even though the view that I use for identifying referral spam does not use filters. Given that the extremely high ratio of self-promotion of semalt.com vs. other real web sites, it appears that this may have more to do with placing malware than with selling black-hat SEO services.

Google Trends Information on Referral Spam

Figure 1. Google Trends for search terms “referral spam”.

Fixing the Problem

My first reaction in addressing referral spam was to add a line to .htaccess to block these spam referrals (see http://www.htaccess-guide.com/deny-visitors-by-referrer/ for a description of how to do this) but with more research, it turns out these referrals weren’t referrals to my site at all, but were insertions of fake referrals into my Google Analytics reports. As was the case with darodar.com, the clear intent is to cause webmasters to go to an unfamiliar site when they see a reference in their Google Analytics reports. Whether the motivation is to generate traffic to their site or to cause webmasters to visit a site that will download malware is unknown.

Based upon the instructions in Removing Referral Spam from Google Analytics, I checked the hostname on the referrals, and all showed “(not set)”–a clear sign that no one ever touched my site and that these were inserted into Google Analytics to get me to click social-buttons.com to generate traffic or download malware onto my computer.

Removing Referral Spam from Google Analytics provides a good description of the problem and some solutions. Understanding and eliminating referrer spam in Google Analytics gives another good description of referral spam and a programmatic solution that is appropriate for plug-in developers but not for administrators of WordPress, Joomla and other content management system (CMS) based sites.

An alternative is to switch to self-hosted Piwik for your web analytics; if you do this, it will be immediately clear that the vast majority of Google Analytics referral spam is of the spoofed variety rather than the crawler variety. Piwik does not have the advertising integration nor does it have the demographic information, but for many small-traffic sites it can provide much more information. See Using Piwik as an Alternative to Google Analytics on this web site for more information on why Piwik might work for you and how to implement it.

Useful Commands and Web Sites for Investigating Referrers

For investigating a referrer, here are some useful commands and web sites:

  • TCPIPutils is a great site for looking up data on an domain or IP address
  • For domain registrations, the command line whois social-buttons.com is very convenient as is https://www.whois.net/
  • For IP lookups, dig social-buttons.com is convenient, as is http://ip-lookup.net/index.php
  • Better Business Bureau
  • To view a site in character mode so that malware doesn’t get downloaded, use curl and curl -L. These are commonly installed on Linux machines, but will require additional software on Windows and OS X, as discussed below.
  • To look up a lot of information on an IP address in one place http://www.tcpiputils.com/browse/ip-address will give you a lot of information quickly.

Command Line Utilities

To use the whois, dig and curl commands on Windows and OS X, you will need to install additional software:

  • On Windows, install Cygwin and add the curl package.
  • On OS X, install MacPorts and add the curl package.

Cygwin and MacPorts have many additional command line and graphical utilities that make life easier in Windows and OS X.

More Information

For more information on referral spam, see

This web site uses cookies to provide user authentication and improve your user experience through the use of Google Analytics and Matomo Analytics. It also uses contact information for email and phone communcation. For details, see the Privacy Policy.