Web Analytics Referral Spam

Justprofit.xyz Referral Spam

On Thursday, October 15, 2015, justprofit.xyz appeared in the Google Analytics referral list for the first time. As with all unknown referral domains, I did not automatically plug it into my browser and risk a malware download. The landing page was the root page on my site (/), one of the indications of referral spam: all of the real referrals to my site are to article pages, not the root page. I looked justprofit.xyz up on TCPIPutils and found that the domain has private registration and was created on August 17th, 2015. Most referral spam comes from sites that have been registered relatively recently; usually Thursday night is when they are registered for an initial spam attack over the weekend. The site was registered in Panama, which is new for the referral spam sites that I have seen thus far. TCPIPutils for the server 139.162.196.244 shows that this is the only domain on the server; this is unusual for referral spam sites thus far.

Next, I used curl justprofit.xyz to look at the HTML returned; it was actually a pretty small page and did not contain any references to referral spam sites that I have looked at before; it had a reference to counter.yadro.ru, for which TCPIPutils returned almost nothing regarding registration. A look at the server IP on TCPIPutils shows that this is also the only domain hosted on this server.

I next tried justprofit.xyz/robots.txt and yadro.ru/robots.txt to see if there was a site map listed–and discovered that neither site has a robots.txt file coded. This is very unusual for a web server--most servers want to make sure that robots find them and index the site properly. While the two sites could be registered with Google Search console, it is unusual that no robots.txt file is found.

Next, I tried curl yadro.ru, curl -L yadro.ru, curl -L yadro.ru, and curl -L counter.yadro.ru; all returned absolutely nothing. This is unusual; normally the site would return something.

Reading the HTML return from justprofit.xyz, it is simply a form that buries these two lines:

<h1>Earn <span>HUGE</span> Money From Your Website</h1> <h2>Monetize your users without hard efforts just by injecting few lines of code.</h2>

and then offers blanks for name, email, Skype ID etc.

Although this site has no links to other sites that are known referral spammers, the use of two servers or virtual private server (VPS) systems along with the complete lack of other information strikes me as unusual. Whether the site is a referral spammer or not, I added them to my regular expressions that filter out referral spammers.

Trends in Justprofit.xyz Referrals

It is hard to tell just how often this is occurring on any site other than one’s own, but Google Trends may offer some additional information, as shown in the dynamic figure below showing interest in the search term “social-buttons.com”. This graphic currently won’t render on Firefox and Chromium (it will on Chrome), as they appear to handle the X-Frame-Options header more restrictively (and securely) than current versions of Chrome, Safari and Internet Explorer. If you want to see the graphic in these browsers, use https://www.google.com/trends/explore#q=social-buttons.com%2C%20ustprofit.xyz%2C%20referral%20spam&cmpt=q&tz=.

Figure 1. Google Trends for search terms “social-buttons.com”, “justprofit.xyz” and “referral spam” from 2004 to present.
Figure 2. Google Trends for search terms “social-buttons.com”, “justprofit.xyz” and “referral spam” from last 90 days.

Fixing the Problem

My first reaction was to add a line to .htaccess to block these spam referrals (see http://www.htaccess-guide.com/deny-visitors-by-referrer/ for a description of how to do this) but with more research, it turns out these referrals weren’t referrals to my site at all, but were insertions of fake referrals into my Google Analytics reports. As was the case with darodar.com, the clear intent is to cause webmasters to go to an unfamiliar site when they see a reference in their Google Analytics reports. Whether the motivation is to generate traffic to their site or to cause webmasters to visit a site that will download malware is unknown.

Based upon the instructions in Removing Referral Spam from Google Analytics, I checked the hostname on the referrals, and all showed “(not set)”–a clear sign that no one ever touched my site and that these were inserted into Google Analytics to get me to click social-buttons.com to generate traffic or download malware onto my computer.
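The hostname check described above can be run over an exported referral report. The following is an added example, not code from the original article: it generalizes the "(not set)" test to any hostname that is not on the site's own list, and separates spoofed hits (which .htaccess cannot block) from crawler hits (which it can). The hostnames under example.com, the column names, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re

# Assumption: hostnames that really serve this site's tracking code.
VALID_HOSTNAMES = {"example.com", "www.example.com"}

# Referrer filter built from the domains named in this article.
SPAM_REFERRER = re.compile(
    r"(?:^|\.)(?:justprofit\.xyz|social-buttons\.com|darodar\.com)$", re.I)

# Constructed sample: a referral export with Hostname as a second dimension.
SAMPLE_EXPORT = """\
Source,Hostname,Landing Page,Sessions
justprofit.xyz,(not set),/,14
social-buttons.com,(not set),/,9
www.darodar.com,www.example.com,/,3
news.example.org,www.example.com,/articles/piwik-setup,21
unknown-blog.example.net,example.com,/,2
"""


def classify(row):
    """Return (verdict, reasons) for one referral row."""
    host = row["Hostname"].strip().lower()
    source = row["Source"].strip().lower()
    reasons = []
    if host not in VALID_HOSTNAMES:
        # The hit never reached the web server, so .htaccess cannot stop it.
        reasons.append("hostname %r is not ours" % host)
        return "spoofed", reasons
    if SPAM_REFERRER.search(source):
        # A real request carrying a spam referrer; server-side blocking works.
        reasons.append("referrer matches spam filter")
        return "crawler", reasons
    if row["Landing Page"].strip() == "/":
        reasons.append("unknown referrer landing on the root page")
        return "review", reasons
    return "ok", reasons


def triage(export_text):
    """Map each source in a CSV export to its verdict."""
    rows = csv.DictReader(io.StringIO(export_text))
    return {r["Source"]: classify(r)[0] for r in rows}


if __name__ == "__main__":
    for source, verdict in triage(SAMPLE_EXPORT).items():
        print(f"{verdict:8} {source}")
```

Rows marked "review" are only candidates: a root-page landing is a weak signal on its own and is worth a whois lookup before the domain goes into the filter.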

Removing Referral Spam from Google Analytics provides a good description of the problem and some solutions. Understanding and eliminating referrer spam in Google Analytics gives another good description of referral spam and a programmatic solution that is appropriate for plug-in developers but not for administrators of WordPress, Joomla and other content management system (CMS) based sites.

An alternative is to switch to self-hosted Piwik for your web analytics; if you do this, it will be immediately clear that the vast majority of Google Analytics referral spam is of the spoofed variety rather than the crawler variety. Piwik does not have the advertising integration nor does it have the demographic information, but for many small-traffic sites it can provide much more information. See Using Piwik as an Alternative to Google Analytics on this web site for more information on why Piwik might work for you and how to implement it.

Useful Commands and Web Sites for Investigating Referrers

For investigating a referrer, here are some useful commands and web sites:

  • TCPIPutils is a great site for looking up data on a domain or IP address
  • For domain registrations, the command line whois social-buttons.com is very convenient as is https://www.whois.net/
  • For IP lookups, dig social-buttons.com is convenient, as is http://ip-lookup.net/index.php
  • Better Business Bureau
  • To view a site in character mode so that malware doesn’t get downloaded, use curl and curl -L. These are commonly installed on Linux machines, but will require additional software on Windows and OS X, as discussed below.
  • To look up a lot of information on an IP address in one place http://www.tcpiputils.com/browse/ip-address will give you a lot of information quickly.

Command Line Utilities

To use the whois, dig and curl commands on Windows and OS X, you will need to install additional software:

  • On Windows, install Cygwin and add the curl package.
  • On OS X, install MacPorts and add the curl package.

Cygwin and MacPorts have many additional command line and graphical utilities that make life easier in Windows and OS X.

More Information

For more information on referral spam, see
