Web Analytics Referral Spam

Google Analytics Referral Spam from go-there1.xyz

On Tuesday, May 21, 2019 go-there1.xyz appeared in my Google Analytics referral list with references to /h/8714471.html a non-existent page on my site–a clear indication that this is a spoofed referral spam attack where no one touched my site, or if they did, they were referred to a non-existent page. Other sites may have a reference to a different page of the same format. whois go-there1.xyz shows registration on May 21, 2019 (today) at namesilo.com. The domain was registered at 5:26 AM UTC, or 8:26 AM in Kiev. Prior to about March, 2019 most referral spam domains were registered with ukrnames, but as of about March, 2019, most are registered with namesilo, and are registered a few hours earlier in the day. Also as of March 2019, the domain names are not as readable to native English speakers.

curl -L go-there1.xyz | grep 'semalt' shows references to semalt.com, a big referral spam name a couple of years ago. The signature for this is slightly different than recent semalt.com attack sites:

<iframe src="http://semalt.com/fbpc.php" style="position:absolute;top:0;left:0" width="1" height="1"></iframe>

DNSLytics.com shows that this is a route to IP address 217.23.10.44. This server is owned by “openfrost.com”, a domain that is privately registered with ukrnames.com, a registrar that is used by numerous recent Google Analytics referral spam attacks.

Google has become better at detecting but not blocking analytics attacks from this organization. Generally, these referrals now disappear within a couple of days, even though the view that I use for identifying referral spam does not use filters. Given that the extremely high ratio of self-promotion of semalt.com vs. other real web sites, it appears that this may have more to do with placing malware than with selling black-hat SEO services.

Google Trends Information on Referral Spam

Figure 1. Google Trends for search terms “referral spam”.

This web site uses cookies to provide user authentication and improve your user experience through the use of Google Analytics and Matomo Analytics. It also uses contact information for email and phone communcation. For details, see the Privacy Policy.