blackMORE Ops Learn one trick a day ….
I had some interesting traffic showing up in my Google Analytics today. So far I’ve seen 21 referral traffic from forum.topic44122300.darodar.com to my home page http://www.blackmoreops.com/.
Readers, I highly recommend reading comments section for more views and details.
Making comments doesn’t require registration in this site, so you can leave your views anonymously.
Click here to read three effective solutions for Google Analytics Referral spam
Date: 18 Dec 2014-18 Dec 2014
- Referral Traffic » Source: forum.topic12345678.darodar.com
- Referral Path » / : http://www.blackmoreops.com/
- Referral Sessions » 21
- Avg. Session Duration » 00:13:22
This is an uncommon Domain and URL, so obviously I was suspicious given that my site serves contents specific to security and pentesting. I didn’t wanted to just click on that link and see what’s going on.
Use curl to browse to darodar.com
So I used a Linux session instead and tried to trace what’s going on.
root@kali:~# curl -vvv forum.topic12345678.darodar.com * About to connect() to forum.topic12345678.darodar.com port 80 (#0) * Trying 78.110.60.230... * connected * Connected to forum.topic12345678.darodar.com (78.110.60.230) port 80 (#0) > GET / HTTP/1.1 > User-Agent: curl/7.26.0 > Host: forum.topic12345678.darodar.com > Accept: */* > * additional stuff not fine transfer.c:1037: 0 0 * HTTP 1.1 or later with persistent connection, pipelining supported < HTTP/1.1 404 Not Found < Server: nginx/0.8.53 < Date: Thu, 18 Dec 2014 03:45:41 DST < Content-Type: text/html < Connection: keep-alive < X-Powered-By: PHP/5.2.11 < Vary: Accept-Encoding < Content-Length: 100 < * Connection #0 to host forum.topic12345678.darodar.com left intact <html><head><meta http-equiv="refresh" content="0;url=http://shopping.ilovevitaly.ru"></head></html>* Closing connection #0 root@kali:~#
So that’s what it is, it’s pointing to http://shopping.ilovevitaly.ru.
Weird!! Why would they do it and why would it appear in my Google Analytics? What’s the benefit here?
I went looking around and found there are other people who are having similar darodar.com referrals showing up in their Google Analytics. Should we be worried?
There are several discussions going on about it right now and the following is the most informative.
A non existent page is showing up on my analytics. (109 posts)
There is also few posts that explains how to block this Referral Spam … and NO, they dont work for this particular case.
Block Darodar.com (.htaccess Method)
Code to add in .htaccess file:
SetEnvIfNoCase Referer darodar.com spambot=yesOrder allow,denyAllow from allDeny from env=spambot
Absolutely bugger all useless. And NO, BPS wont work as well for this darodar.com referrer spam.
Crunching logs
My next step is obviously checking logs for
- Darodar Referral
- IP Address
- or similar
First I checked my Apache logs assuming I might see something.
root@someserver [/logs]# grep -r -H darodar *
I got nothing.
Similarly, lets check their IP address in logs
root@someserver [/logs]# grep -r -H 78.110.60.230 *
Still nothing
Next, check my WordPress logs
root@someserver [/wordpress/access-logs]# grep darodar wordpress-logs.log
Still nothing.
Let’s just check with their IP (by this point I know fully I wont see anything – cause Apache Access log would’ve showed it anyway). But I did it anyway.
root@someserver [/wordpress/access-logs]# grep 78.110.60.230 wordpress-logs.log
Well?? Nothing of course.
I also got ModSec running and I got separate logs for that. I checked and still nothing.
So, what does it all mean? It just means that no one ever visited my website from darodar.com Referral but interestingly Google Analytics is still reporting it as legit traffic.
Explanation of darodar.com referrer spam
The following explains it well and I couldn’t have done better:
Samuel Wood (Otto)
Posted 14 hours ago #
You sure about that
Pretty sure, yes.
This isn’t a WordPress specific thing. This isn’t even specific to individual WordPress plugins. Like you said, your “personal website is CodeIgniter” and you can see it there.
Here’s a quick primer on how Google Analytics works.
So, you get setup on GA and get a code from them. The code looks like UA-number-1 or some such thing. That number is your “account number” on GA. Now, this code and a bit of javascript go onto your webpage. Now, somebody visits your page, and their browser runs that javascript code.
That javascript code is what “records” their visit. It makes their browser talk to Google Analytics. Specifically, it makes certain types of HTTP requests that Google records information about, and then GA displays summaries of that information to you.
Pretty basic, right? Still with me? Okay, now, if all it is is this Javascript sending the “visit” to them, then anybody can fake that. Anybody at all. All I have to do to make your GA show false information is to send my fake information directly to GA.
I don’t need to visit your site at all. I don’t need to run javascript at all. I just need to reproduce those HTTP requests, which are public and so anybody can see them and how they work. They’re even fairly well documented, publicly, by Google themselves.
So, now, let’s say I’m a spammer jerk. I want to get people to see my spammy site. So, what do I do? I write a small bit of code to send thousands upon thousands of these fake requests to GA, and I simply cycle through all the UA numbers, in order, at random, whatever. I send a fake visit, with a fake referrer, and my spammy domain name. And guess what? It shows up in your Google Analytics screens.
You see this spam like any other normal visit. Because as far as GA is concerned, it was a normal visit. All they’re recording are those HTTP requests, which normally come from the GA javascript code. But a request is a request, and making a fake one is very, very easy.
That is what is going on. All I need is your UA number and with only a minor bit of effort I can fake a visit to your site without ever actually connecting to your site at all. That fake visit can have any domain name and any referrer in it that I choose.
This is an attack on Google Analytics, to promote whatever site is showing up. You cannot block it on your server, because your server is not involved at all.
I agree with Samuel Wood (Otto) a.k.a Tech Ninja. Why?
Because I found no evidence of anyone from darodar or similar sites ever accessing my website, my vps, my entire server. The website in question darodar.com redirect to some shopping website and if you read the LONG discussion here then you will see many people had similar experience but no one could prove that anyone ever visited your website.
Who owns darodar.com?
Easy to find as it seems the person was either careless or used someone elses name.
root@omeserver [~]# dig darodar.com SOA ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 <<>> darodar.com SOA ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5978 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;darodar.com. IN SOA ;; ANSWER SECTION: darodar.com. 21599 IN SOA ns1.nameself.com. support.regtime.net. 1385014908 10800 900 604800 10800 ;; Query time: 152 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; WHEN: Fri Dec 19 01:54:36 2014 ;; MSG SIZE rcvd: 97
We can find his name, address, phone number using who.is
% Regtime Ltd. WHOIS server Domain name: darodar.com Name servers: ns2.ht-systems.ru ns1.ht-systems.ru Registrar: Regtime Ltd. Creation date: 2007-11-15 Expiration date: 2010-12-05 Status: active Registrant: Vitaly A Popov Email: povitaly@mail.ru Organization: Private person Address: Aurory str. 70-141 City: Samara State: Samara ZIP: 443070 Country: RU Phone: +7.8462791590
SOA Record – darodar.com Name Server ns1.nameself.com Email Email Masking support@regtime.net Serial Number 1385014908 Refresh 3 hours Retry 15 minutes Expiry 7 days Minimum 3 hours
Does this person really owns this domain? We don’t know and this can easily be faked. The domain details were changed on December 17, 2014.
See details in the link above.
Why am I seeing darodar.com in GA?
If you haven’t read the informative post by Samuel I copy/pasted already, here’s the summary
- darodar.com is using your Google Analytics Code to recreate fake information and sending that directly to Google Analytics.
- They are not visiting your website.
- In this case, they are possibly using a script to randomly create Google Analytics code UA-xXxXxXxX-1. Some would work, some wont.
Why use this referral spam?
Not sure it benefits them. Yes, it redirects to a shopping website (and previously it used to redirect to Amazon Affiliate page) but Google and Amazon will demote those links very soon. Those website will never show up in Google search or any search engines… This is possibly just a testing tool for something bigger to come …
Is my server, website, wordpress, VPS hacked?
No, as far the discussion goes,there was no hacking, it’s just referrar spam. Read more here. This spam is exploiting how Google Analytics works, possibly to promote some website (duh! Google will find it and demote it … ).
Can I block darodar.com and their IP?
Knock yourself out. You can block their IP in .htaccess or in your Firewall. Add the following to your .htaccess in the root of webdocs or wordpress or site folder.
Order Deny,Allow Deny from 78.110.60.230
Will it work? Well it will definitely block all access from 78.110.60.230, but it takes few seconds to change IP. So no, it wont work. But again, they are not visiting you and this Referral domain only appears in Google Analytics.
Can I block darodar.com as a referrer?
Mate, you’re reading the post, but not really paying attention. They never visited you. But if it makes you feel any better, the following code would work nicely to block any referrer spam:
## SITE REFERRER BANNING
RewriteEngine on
# Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} badsite\.com [NC,OR]
RewriteCond %{HTTP_REFERER} badsite\. [NC,OR]
RewriteCond %{HTTP_REFERER} sub\.badsite\.com [NC]
RewriteRule .* - [F]
I found this nice website .HTACCESS Banning Generator. You can generate a nice and proper .htaccess block using their online tool.
Again, in this case, it wont work because the referrar was done directly using Google Analytics code and completely bypassed your website. You cannot block sopmething on your server, where your server was not involved at all.
Can I hide or filter darodar.com in Google Analytics?
Of course you can. Use the instructions Google Analytics’s G+ page
Google Analytics: Introducing Bot and Spider Filtering
https://plus.google.com/111224383669619377607/posts/2tJ79CkfnZk
I’ve done it this way
Analytics
|
—–> Admin
|
—–> Account
|
—–> Property
|
—–> Tracking Info
|
—–> Referral Exclusion List.
Then just added each domains with like this
*.darodar.com
*.iliovevitaly.com
etc.
Related contents and links
Some other useful URL’s regarding Google Analytics posted by Alin Marcu in here
- Processing data and applying your configuration settings:
https://analyticsacademy.withgoogle.com/course02/assets/html/GoogleAnalyticsAcademy-PlatformPrinciples-Lesson3.1-TextLesson.html - Transforming & Aggregating Google Analytics Data
https://analyticsacademy.withgoogle.com/course02/assets/html/GoogleAnalyticsAcademy-PlatformPrinciples-Lesson3.4-TextLesson.html
More useful links
- Remove spammers from GA stats:
https://productforums.google.com/d/msg/analytics/IgeiXxnQR3o/FGHQe551_cMJ - Exclude referrers in GA report
https://support.google.com/analytics/answer/1034842?hl=en - More of Excluding referrers in GA report
https://support.google.com/analytics/answer/2795830?hl=en - On-going discussion on WordPress.Org
A non existent page is showing up on my analytics. (109 posts)
What is more scary?
You know what? I am not worried about this darodar.com referral spam / referrer spam. The worst that can happen is you see some funny links in your Google Analytics. Just don’t browse to those sites.
But the part that’s more disturbing is that anyone with some programming skill can actually create a tool to randomize Google Analytics code and send Fake visiting info back to Google. Followings are the implications:
- You can target a legit website and spam others using them as referrer. The result? Google demotes a perfetly good website because someone else spammed forged their GA code to spam others.
- You can target a website and spam using their GA code. The result? That website appears in millions of GA users and if even 5% of them visit that website, it might just overload their server and create a DDoS situation for them. I tested a tool named GoldenEye which was able to create 100’s of legit connections from same IP and GA thought they were real users. There’s obviously some more fine tuning required on Google’s behalf.
- Someone exploits your GA code and Google can just BAN your GA account, no explanations will be given. Your AdSense account can be exploited and banned in similar ways.
What do you do in the meantime?
Few options, some are just to make you sleep well!
- You can block their IP – pointless, IP’s are dime a dozen.
- You can block them as a referrer – maybe good for your GA. See links above for the guides.
- You can filter them in your GA Account – Possibly a good idea.
Just wait a few days and Google will take care of it in Google Analytics. It will not hurt your Analytics account or your website standings in anyway. Lastly, if it makes you happier and you’re a WordPress user who enabled JetPack, just check JetPack statistics. JetPack didn’t see this referrer.
You know what? Someone is having a lot of fun and laughing at us all!!!
Update 20141219:1340: I just saw make-money-online.7makemoneyonline.com popping up in my referrers list. Use Google Analytics Filter to remove them from your reports. You can also apply the filter above to ban them if you feel like.
I was receiving visits from this site every other day until I contacted the owner of the domain with an address in the South Bay. Then I instantly started getting 20 visits a day. Want his number?
A single site is easy to block unlike the one in discussion that’s spamming GA. If you can track their visit and you don’t like it, block them in apache and GA.
Hey thanks for the detailed breakdown, hadn’t been aware of this issue. And yeah, sounds like the Whois is faked on that .ru site, lame spammers. Going to pop into analytics and see if any wonky data shows up on any of the sites I’ve got rigged up. Personally though, I hate filtering out any IPs on GA but my own (data greedy, that’s me). Thanks again! (PS “Mate, you’re reading the post, but not really paying attention.” Lol!)
hummm intersting a russian in love with italy! Any script hacking facebook chats and personating google search pages?
Not italy country, Vitaly is a name. iLoveVitaly.com and .ru
You guys know the diference between a verigign and a symantec digital certificate for a on line bank page? Is it normal to have 2 diferent certificates for the same page on diferent cliks?
Sorry I meant VeriSign, Inc.
Thanks for The details!
Found The same referal in My GA account and could not figure it out.
I hope Google Will solve this soon
Did anyone notice that the XYZ in forum.topicXYZ.darodar.com is the exact GA account number you are using? Dont get me wrong, but it could be a bigger plot to obtain all active GA accounts. This information could be worth a lot more than just some SEO stuff…If people click the link, most commonly would be for them to know this account number is “active” (or at least being watched actively)…
Just my thought
You’re right.
In the “referrals” page shows forum.topicXxxxXxxx.darodar.com, and XxxxXxxx is my exact GA account number.
The hidden plots sounds scary :(
Very Very helpful. I just witnessed this site across a dozen accounts for several clients on several servers and at first thought I had a security issue till I found this. I also noticed a visit or two from iloveitaly.com which you mentioned above too. Same for buttons-for-website.com. And of course, Semalt. Fun times. It seems to be getting more frequent. What are the best ways to prevent all this garbage?
Forgot to mention. On one of our sites – our developer had temporarily removed GA (on accident :) ). And we still got traffic from these guys. Definitely shows they are just firing the script since I wasn’t seeing any traffic from anything other than Darodar.
It mostly affect’s Google Analytics. So block these on GA. Links in the guide too.
if they only affect GA, why am I seeing my alexa rank dropping :( as the bounce rate is 100% for these visits. Pl suggest
hello admin..good job could you give me full tutorial about kali linux hecking….
Good job! Vitaly Popov is my real name. http://shopping.iLoveVitaly.ru in http://darodar.com redirect http://shopping.iLoveVitaly.com and http://iLoveVitaly.com is my real sites.
I don’t need to hide my personality, because what I’m doing it isn’t a crime as minimum in Russia. It is just creative marketing.
And yes, I’m having a lot of fun and laughing at you all!
“creative marketing”! Should’ve been more subtle then. I think you’re more likely in a testing stage.
What’s your goal here? Are you doubt just for laughs out to you some other objective?
Go fuck yourself a**sshole!
Every day, I hope and pray and ask God to kill Vitaly slow and painfully. Still waiting … Until then, I’ll use filters.
I didn’t even bother using any filters. Then again, I don’t run a commercial website.
does your ‘creative advertising’ actually work? i can’t imagine people seeing you spam up their analytics and going “oh hey this seems like a cool site i should check it out!”
Traffic from Russia is not permitted on any of my sites. China, India and Africa too.
There’s no need for that. Chinese spammers are now doing it. Can’t block whole world. Just filter it.
got the point, just wondering why then .htaccess blocking works, i’m using piwik
I agree with the analysis above.
I can wipe out the 78.110.60.230 IP from the surface of earth and give this Vitaly Popov a lesson in coding he will never forget.
Let me know…
Hi there! Can you really attack is server? Sounds a good idea.
Lol what about when they change ip addresses? Run Whois on darkest.com, they have at least 8 AWS IPs and that can change at any time
Most of the fake GA hits are from 78.110.60.230. Let’s take this one down first.
I’ll be happy to take down any other IP from Samara/Russia.
I don’t think so. How can you block something that never made an active connection to your server? Did you block it on Google too?
GA lets you “Exclude all hits from known bots and spiders” but how do I get GA to exclude specific sites that may not be known to them?
Here is what’s worked for me (no referrals in stats since Dec 18). Apply a custom filter in GA at the Account Level. Go to All Filters >> Add New Filter and give it a name, then choose Custom. In the Filter Field drop-down, select “Referral” and add this filter:
^((.*)\.|darodar\.)com
Apply it to the appropriate view(s).
Rinse, wash, repeat for other sites such as semalt.com.
Thank Wendy that worked for me as well so far so good. The other way using predefined didn’t work. Take care be well
You are welcome Andre. Don’t forget to create a few views in GA. I have 3. One unfiltered view for raw data. One “active” view for reports. One test view. Apply the filters in the test view before applying it to the active view. Once the output looks like it is working for you, then apply the filters to the active view. This is easily switched at the Account level in GA.
Hi Wendy,
I’ve added your comment to my post. Thanks and enjoy. Cheers,
-BMO
If I read that regex expression ^((.*)\.|darodar\.)com correctly, it should remove all .com website referrals????
^ =from start of string
(
(.*)\. =zero or more of any characters followed by a dot
| =OR
darodar\. =darodar.
)
com
which to me would interpret as *.com OR darodar.com
I think there should not be a vertical bar in the expression.
Wendy??
Hi Mike,
You can verify Wendy’s regex here:
http://www.regexr.com/ or http://regexpal.com/
I checked, seems OK.
If someone is uncomfortable with regex, they can always add *.darodar.com (or any site) instead. Thanks for looking into it though. Cheers,
-BMO
Nice utility…yup – it matches gskinner.com in the first line. It will eliminate all .com referrals. Not a good thing….
Not sure what you’re testing. It worked just fine for darodar.com.
^((.*)\.|darodar\.)comblocks darodar.comUsed http://www.regexr.com/ to test and screengrab:
If you want a simpler one, this would work just fine for any darodar.com (or www . darodar . com) links
darodar\.comThe problem is that the expression start with a caret, so it only finds the first match. If you list darodar.com second, it clearly shows it will match ANY domain.com. Change the first line to blackmoreops.com…
I can’t post an image…
Niceee, you’re correct. I;ll update my post.
However, for referrer spam it wont be a problem as you get 1 referrer per line only (I guess that’s why Wendy’s regex worked). The other regex I posted would work better I think.
darodar\.comFound your update (darodar\.com). Thank you! So it need only look for the domain, not the rest of the URL? It doesn’t match on http://www.forum.topic31043644.darodar.com.
Hello Mike,
Yes! You are correct. That expression matches for google.com using the RegEx tool though I am not familiar with the tool so not sure what I am looking for. Like a lot of folks, I was suddenly finding a bunch of referrer spam in my analytics from semalt.com. I scoured the forums looking for a good solution without much success. Then someone provided the expression and it is the only fix that I found so far that seemed to work. I can tell you that I am no longer getting referrals from semalt.com, darodar.com, buttonsforwebsite.com or 7makemoneyonline.com, but I AM getting referrals from .coms, which is confusing given this new info.
So, what’s a better solution?
BMO, can you repost your regex? And have you had a chance to test it against different GA views?
Thanks!
For semalt, I actually asked them to stop crawling my site and they did about 3-4 days later. I used to have a filter that was just
semalt\.com
For the result, I use an filter on the hostname (as discussed in my article). It looks something like this (a few domains removed for clarity):
.*analyticsedge.com|.*analyticsedge.ca
Purists will note that the filters may match things I didn’t want, like http://www.notanalyticsedge.com, but I watch my website daily, so if that becomes a problem, I will change them.
Each entry is one of my domains. If you need the stricter version, it would be something like this (note, regex can usually solve the same problem with multiple solutions):
.+\.analyticsedge\.com|analyticsedge\.com|.+\.analyticsedge\.ca|analyticsedge\.ca
where .+ means 1 or more characters
\. means the dot
so .+\.mydomain\.com would match http://www.mydomain.com and www2.mydomain.com
The second entry matches the base domain itself: mydomain\.com
Thank you Mike! Based on other user experience, I will not request anything from semalt. I’ve heard that by doing so, you’ll wind up with even more. ;) I will do more testing with your filters. I want filters to cover all variations and levels.
You are right black ops, I have experienced the same, and tried well before searching over google, checked all possible logs in my ubuntu server but there were no records regarding the ipv4 or even ip6 of darodar.com. I believe google should have some way to at least don’t show this to us in analytics.
Had the same issue installed piwik to see what was going on, now highly recommend using piwik instead of GA given how it seems to be gamed these days..
Thanks for this. Had them come up on my GA just before Christmas and the “hits” have been getting more numerous. It all seems quite fresh so I imagine your right and Google will jump on this
The Bot filtering you suggested in GA is not enough for this type of referral spam. There are three types, and three approaches that can be taken:
http://www.analyticsedge.com/2014/12/removing-referral-spam-google-analytics/
I forgot to reply to this one …
For this particular spam, blocking it in GA is only option. For other types, I’ve shown one example .. Referrer blocking
BTW, I updated my post requesting more info regarding Alexa/Bing/Yandex etc. search engine/SEO abuse. Do you or AnalyticsEdge got a take on that?
I don’t see anyone talking about anything other than GA and GA is just one part of the equation.
That clearly explains it, but I still don’t understand why is he doing this? what’s the benefit for him?
My guess? He sells SEO services and guaranteed an increase in “quality” site visits, where “quality” means they don’t all bounce (and hence must be interested in your products). Since webmasters would look around for the link to their site, there is a good chance that people trying to find out who linked to them would create a large number of non-bounce visits.
NOT being an expert on GA or on .htaccess coding, I tested a variety of semalt/darodar deterence methods on my 70+ WordPress sites.
What works for me on every installation is this: .htaccess Rewrites that are generalized to parse the domain name string without extensions such as .com, .co, .org etc. By being less specific, the rewrite condition can apply to multiple sub-domains and multiple extensions – deceptive techniques that Semalt has used in a variety of ways.
Writing the Rewrite conditions in this more general way is much more efficient, and easier for less experienced webmasters to copy/amend/update for their own circumstances.
Implementing htaccess code as I have done below prevents these referers from reaching my servers, AND, it blocks them from appearing in my Analytics reports.
Yes I’ve read all the comments above about this being GA spam, not actual website visits, that the GA spam can’t be blocked, etc, etc. As I am not an expert I can only relate what I see as a result of my trial and error – the method shown below handles the problem comprehensively on my sites. I have GA reports and raw web logs that prove it.
NOTE: I seen that using the – F coding to 403 Forbid Access to the semalt crawler greatly increases the number of domains and subsequent frequency of ‘visits’ to my sites. Apparently the crawler responds angrily when Forbidden. Ergo I use a redirection on the last line of the code segment instead. You can use any domain you would like to redirect to; I choose to redirect to the sites that Semalt is directing their links to, such as the computer ecommerce section of aliexpress(dot)com.
## BEGIN DETER semalt.com ##
RewriteEngine on
RewriteCond %{HTTP_REFERER} .*7makemoneyonline.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*backgroundpictures.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*baixar-musicas-gratis.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*blackhatworth.com.*$ [NC]
RewriteCond %{HTTP_REFERER} .*buttons-for-website.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*buyerpricer.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*darodar.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*descargar-musica-gratis.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*econom.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*embedle.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*extener.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*fbdownloader.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*fbfreegifts.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*feedouble.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*iloveitaly.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*joinandplay.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*joingames.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*kambasoft.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*musicprojectfoundation.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*myprintscreen.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*openfrost.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*openmediasoft.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*pageg.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*savetubevideo.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*semalt.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*softomix.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*soundfrost.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*vapmedia.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*videofrost.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*youtubedownload.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*zazagames.*$ [NC]
RewriteRule ^(.*)$ http://activities.aliexpress.com/computers_channel.php [L]
## END ##
Sweet, I will try that. Many thanks.
I would strongly recommend AGAINST this approach for two reasons:
First, the wildcard matches may at some point block valid traffic that happens to share part of the REFERER. (BTW it’s ilovevitaly, NOT iloveitaly). You are better to make each match a bit more specific so they don’t have unintended side effects.
Second, you are being a bad Netizen, redirecting traffic to someone that maybe didn’t play any part in the initial spam situation. AliExpress had nothing to do with Semalt or most of the domains on your list, and probably had nothing to do with the Vitaly mess.
And as a side note: can you actually prove that this blocks darodar, econom, ilovevitaly, priceg and blackhatworth from appearing in GA? Or are you just assumign since it works for semalt, it would work for all the rest?
How about a technique by which you encrypt Anayltics codes…Ideally Analytics tools like Google should stop giving Numbered GAs & should use some encryption algo.
If this type of spam keeps happening, then I’m sure Google would do something about it. Till then, manual blocking is the only way.
Vitaly is getting better… Today I received a new innovative attack. I just checked my organic results and found this query:
“google -officially -recommends ilovevitaly.com search shell”
If you read it, it says: google officially recommends ***.com search shell. So he wants you to go and visit ***.com to make some money from you.
The full referrer of that visit points to google. And the hostname is apple.com (which is obviously not my domain name).
So… I had to apply a new filter on GA to filter Search Terms. I included darodar.com and other domains since I know I’ll get traffic from there eventually. I’m really tempted to block all Russia and forget about the issue.
…and add hulfingtonpost [.com] to the list as well. By the way, the Include filter on valid hostnames is effective against this and the organic search terms pointed out by JL:
http://www.analyticsedge.com/2014/12/removing-referral-spam-google-analytics/
Yes, I also got visits from “hulfingtonpost.com”. And I have to admit I clicked on hulfingtonpost.com. Didn’t see that was coming :-) I really thought it was the news Site. ha ha. The problem is there are always new ways and new domains. This is something google should fix for everybody. I don’t understand why they didn’t do anything yet.
That’s an idea… not much real traffic coming from there anyway. I’ll try a region block and see if that works. Thanks for bringing it up.
@ Mike Sullivan
“…You are better to make each match a bit more specific so they don’t have unintended side effects…”
When I began this journey there was only semalt.com to consider, and my blocking was more specific. Then Vitaly began using sub-domains, and later, added variants of the TLD extensions of some domains. The amount of work needed to add these numerous variations, coupled with the likelihood of my typos in the dense regex coding, caused me to become less specific in my htaccess conditions. As to blocking legitimate traffic, I see that as a very minor (indeed unlikely) problem given the domain names Vitaly chooses and the niches my clients inhabit.
—
“…you are being a bad Netizen, redirecting traffic to someone that maybe didn’t play any part in the initial spam situation. AliExpress had nothing to do with Semalt or most of the domains on your list, and probably had nothing to do with the Vitaly mess.”
Aliexpress.com is one of the largest ecommerce sites in the world with organic search traffic in excess of $2.5 Million PPC-equivalent per month. Aliexpress also buys $30,000 per month of PPC. Their computer category page is the linked-object for several of the domains I have blocked. Do you think that Vitaly chose that specific page by accident? Built out this botnet for amusement? Or is it more likely that aliexpress.com is paying him for a rankings/traffic/sales improvement?
—
“…And as a side note: can you actually prove that this blocks darodar, econom, ilovevitaly, priceg and blackhatworth from appearing in GA? Or are you just assumign since it works for semalt, it would work for all the rest?…”
Michael I respect you for your depth of understanding of analytics and your desire to be helpful. Because I don’t share your specific skills I have based my referer spam deterence approach entirely upon empirical results reflected in my Google Analytics and raw log files.
No, I did not generalize from semalt.com results to a wider case. Yes, I can prove it.
I expect that Vitaly will provide ever more varied ways of earning money at our expense. I look forward to reading more about countermeasures on your blog.
Dennis
@Dennis an excellent response. Thank you for the confirmation: it seems Vitaly uses multiple attack vectors and that adds to the confusion on removing the undesired traffic — what works for one person does not work for another, leading to a lot of confusion and slows down everyone’s response. I must say I am impressed with the ways in which he has managed to circumvent Google’s ability to limit his efforts….so far.
Regarding the specifics of the filter, I caution everyone to be careful. In the haste to make the crap stop, I have seen filters that ended with long-list-of-domains|.* which essentially filtered everything. Read every line, and if you don’t understand it, do not use it.
Mike,
I looked at Vitaly’s referer-spam sites differently today. Using a reverse-domain-lookup-tool I queried all the spammy referrals i’ve received, and I noted the sites that shared the server with them. The result was surprising and helpful in equal measures.
My study showed a surprisingly small source for causing so much trouble. The helpful part is that new spam-referral domains are easier to predict than I imagined, and the list of IPs hosting them is smaller and easier to block.
What follows is a list of domain names that share a server with known semalt-darodar-makemoneyonline spam originating sites. These sites number about 100, and, are based on only six IP addresses.
If you worry about excluding potentially “clean” traffic you should note that there are only a small number of sites on each server; this seems to me to indicate the use of a “reseller” account for convenience of administration. (BTW, a number of them are acknowledged porn sites which you should exclude for that reason alone.)
This list won’t be all of Vitaly’s potential attack domains and IPs, but it is a very good start at deterrence for someone just now beginning:
Semalt server-sharing websites on IP 78.110.60.230
blackhatworth.com
darodar.com
econom.co
forum.topic33796817.darodar.com
forum.topic37285705.darodar.com
forum.topic40191161.darodar.com
forum.topic40382289.darodar.com
forum.topic41650426.darodar.com
forum.topic42962903.darodar.com
forum.topic54115854.darodar.com
forum.topic55056702.darodar.com
forum.topic55890570.darodar.com
forum.topic56518556.darodar.com
forum.topic56554895.darodar.com
forum.topic56695718.darodar.com
forum.topic57111597.darodar.com
forum.topic57275800.darodar.com
forum.topic58172886.darodar.com
healthtools.aarp.org
hulfingtonpost.com
icalc.ilovevitaly.com
iedit.ilovevitaly.com
ilovevitaly.co
ilovevitaly.com
ilovevitaly.ru
iskalko.ru
likevitaly.com
lumb.co
mailru.ilovevitaly.com
maps.ilovevitaly.com
o-o-0-o-o.com
o-o-6-o-o.com
priceg.com
shopping.ilovevitaly.com
startup.ilovevitaly.com
travel.ilovevitaly.com
http://www.o-o-0-o-o.co
Semalt server-sharing websites on IP 217.23.11.15
blog.semalt.com
semalt.com
semalt.net
semalt.semalt.com
http://www.createandcraft.tv
Semalt server-sharing websites on IP 217.23.8.124
buttons-for-website.com
livefixer.com
porn9.org
sharebutton.net
videotiki.com
wmasterlead.com
http://www.buttons-for-website.com
http://www.gomtv.com
http://www.kurtyildiz.com
http://www.matrixsynth.com
Semalt server-sharing websites on IP 217.23.2.19
kambasoft.com
myprintscreen.com
soundfrost.org
http://www.openmediasoft.com
http://www.savetubevideo.com
Semalt server-sharing websites on IP 104.28.20.82
2020eyesite.com
alsaat.com
amateurhotty.xxxbs.com
colorcuboid.com
love4lifechat.com
marlinmaniac.com
nogreatercause.org
noticiasmb.cl
recruitmentform.in
richmenferomon.com
http://www.2020eyesite.com
http://www.dariovignali.net
http://www.spectrumpropertiesofmaine.com
yarisanalizi.com
youtubedownload.com
Semalt server-sharing websites on IP 217.23.7.180
217.23.7.180
7makemoneyonline.com
a2.extener.org
baixar-musicas-gratis.com
darcshare.com
descargar-musica-gratis.net
developers.softomix.com
download.soundfrost.org
s.zazagames.org
softomix.com
srecorder.com
wrztalk.com
http://www.tech-spot.org
http://www.the-vault.org
http://www.vapmedia.org
zazagames.org
My own preference for deterranceis to use .htaccess rewrite conditions that match the “domain-name-string” only plus any number of preceeding characters or following TLDs. Like this:
RewriteCond %{HTTP_REFERER} .*semalt.*$ [NC,OR]
I also prefer to rewrite the refer for redirection rather than use the “-F’ command to generate a 403 Fordidden response. Like this:
RewriteRule ^(.*)$ http://ilovevitaly.com [L]
Doubtless there will be more rubbish from Vitaly so I’ll be updated my response for those interested.
Dennis
This is a strange set-up. Thre are so many sites being targeted that you would assume that it was an automatic set-up. Yet some of the visits that show up in Ga (1/3) come from a mobile, and some open more than 1 page….
Thank you so much for looking into this. Very interesting read! Those weird referrers also showed up in my analytics. Those scammers/spammers are so inventive. And annoying, too.
Hi everyone !
Can we juste add on GA these : and the problem will be fixed ??? for now I have just ilovevitality.com
Analytics
|
—–> Admin
|
—–> Account
|
—–> Property
|
—–> Tracking Info
|
—–> Referral Exclusion List.
Then just added each domains with like this
*.darodar.com
*.iliovevitaly.com
etc.
Ok form its appear on Top keywords not on top refferal on my GA, I added the domain on Refferal exclusion site but it still appear ! do you think I have to put it on Search Term Exclusion List instead ???
The traffic is now appearing in my organic Google traffic. 14 visits from Samara yesterday.
1) You rock for this. (2) I would like GA to add something where when you’re looking at your referral links, there’s an option to exclude that source.
So my MozRank and MozTrust have taken a massive hit in the last month. I can’t think of any other reason than this referrer spam issue.
I have multiple sites on the same Analytics account, and it is only the site with the UA account number -01 that is affected, -02, -03, -04 etc. are all fine.
Surely Google should be aware that “traffic” from these sites are not the fault of the site, but really a fault in their own analytics code being so easy to exploit?
Removing the “traffic” from appearing in Analytics surely won’t fix the fact the hits are being registered by Analytics, it is just hidden from our view? Therefore Google will still count this as spammy traffic and adjust (downwards) your rankings accordingly?
Google Analytics data is NOT used in Google Search ranking in any way: https://www.youtube.com/watch?v=CgBw9tbAQhU
MozRank and MozTrust? Do they use Google Analytics data from their customers as a signal in their ranking schemes? You need to ask them.
@Mike Sullivan
January 29, 2015 at 10:00 pm
Google Analytics data is NOT used in Google Search ranking in any way: https://www.youtube.com/watch?v=CgBw9tbAQhU
—
I respectfully disagree Mike. The video/statement by Matt Cutts that you put forward as proof is over four years old.
Pre-Latent Semantic Indexing, pre-Panda, pre-Penguin, pre-numerous cautions about content quality, site speed, position of on-page advertising… if Matt’s statement were true then, it may well NOT be operative now.
My belief is that bounce rate, time-on-site, goal conversion ratios and similar metrics do indeed factor into Google’s algorithms for organic rankings. This would be consistent with their evaluation of landing pages (Quality Scores) which determine CPC rates for individual advertisers.
Even if GOOG are not, strictly speaking, reading GA results to inform their ranking decisions, those responsible for lead generation, conversion optimization, and successful e-commerce results (as I am) – would do well to BEHAVE AS IF THEY DID.
After all, Google’s oft expressed goal is the best possible answer to their searcher’s queries. What better user satisfaction metrics can you find than bounce rate, time-on-site, goal conversions, and so forth?
Dennis
Here is the latest update of my .htaccess file as I promised. It is currently reducing Semalt-related referer spam to zero on my sites and in my GA reports.
The latest changes were the additions of “lumb” and “cenoval” domains. Note also that to exclude “darodar” fully requires a second, slightly different form of the Rewrite Condition:
RewriteCond %{HTTP_REFERER} .*topicXXXXXXXX\.darodar.*$ [OR]
where XXXXXXXX is your unique Google Analytics UA number, and,
the “full stop” between topicXXXXXXXX and darodar is preceeded by a backward slash “\”.
## BEGIN DETER SEMALT ##
RewriteEngine on
RewriteCond %{HTTP_REFERER} .*2020eyesite.*$ [OR]
RewriteCond %{HTTP_REFERER} .*7makemoneyonline.*$ [OR]
RewriteCond %{HTTP_REFERER} .*adviceforum.*$ [OR]
RewriteCond %{HTTP_REFERER} .*alsaat.*$ [OR]
RewriteCond %{HTTP_REFERER} .*anticrawler.*$ [OR]
RewriteCond %{HTTP_REFERER} .*backgroundpictures.*$ [OR]
RewriteCond %{HTTP_REFERER} .*baixar-musicas-gratis.*$ [OR]
RewriteCond %{HTTP_REFERER} .*blackhatworth.com.*$ [OR]
RewriteCond %{HTTP_REFERER} .*buttons-for-website.*$ [OR]
RewriteCond %{HTTP_REFERER} .*buttonsspace.*$ [OR]
RewriteCond %{HTTP_REFERER} .*buyerpricer.*$ [OR]
RewriteCond %{HTTP_REFERER} .*cenoval.*$ [OR]
RewriteCond %{HTTP_REFERER} .*colorcuboid.*$ [OR]
RewriteCond %{HTTP_REFERER} .*createandcraft.*$ [OR]
RewriteCond %{HTTP_REFERER} .*dariovignali.*$ [OR]
RewriteCond %{HTTP_REFERER} .*darodar.*$ [OR]
RewriteCond %{HTTP_REFERER} .*topicYOURGAUA\.darodar.*$ [OR]
RewriteCond %{HTTP_REFERER} .*descargar-musica-gratis.*$ [OR]
RewriteCond %{HTTP_REFERER} .*econom.*$ [OR]
RewriteCond %{HTTP_REFERER} .*embedle.*$ [OR]
RewriteCond %{HTTP_REFERER} .*extener.*$ [OR]
RewriteCond %{HTTP_REFERER} .*fbdownloader.*$ [OR]
RewriteCond %{HTTP_REFERER} .*fbfreegifts.*$ [OR]
RewriteCond %{HTTP_REFERER} .*feedouble.*$ [OR]
RewriteCond %{HTTP_REFERER} .*gomtv.*$ [OR]
RewriteCond %{HTTP_REFERER} .*hulfingtonpost.*$ [OR]
RewriteCond %{HTTP_REFERER} .*ilovevitaly.*$ [OR]
RewriteCond %{HTTP_REFERER} .*iskalko.*$ [OR]
RewriteCond %{HTTP_REFERER} .*joinandplay.*$ [OR]
RewriteCond %{HTTP_REFERER} .*joingames.*$ [OR]
RewriteCond %{HTTP_REFERER} .*kambasoft.*$ [OR]
RewriteCond %{HTTP_REFERER} .*kurtyildiz.*$ [OR]
RewriteCond %{HTTP_REFERER} .*likevitaly.*$ [OR]
RewriteCond %{HTTP_REFERER} .*livefixer.*$ [OR]
RewriteCond %{HTTP_REFERER} .*love4lifechat.*$ [OR]
RewriteCond %{HTTP_REFERER} .*lumb.*$ [OR]
RewriteCond %{HTTP_REFERER} .*marlinmaniac.*$ [OR]
RewriteCond %{HTTP_REFERER} .*matrixsynth.*$ [OR]
RewriteCond %{HTTP_REFERER} .*musicprojectfoundation.*$ [OR]
RewriteCond %{HTTP_REFERER} .*myprintscreen.*$ [OR]
RewriteCond %{HTTP_REFERER} .*nogreatercause.*$ [OR]
RewriteCond %{HTTP_REFERER} .*noticiasmb.*$ [OR]
RewriteCond %{HTTP_REFERER} .*o-o-0-o-o.*$ [OR]
RewriteCond %{HTTP_REFERER} .*openfrost.*$ [OR]
RewriteCond %{HTTP_REFERER} .*openmediasoft.*$ [OR]
RewriteCond %{HTTP_REFERER} .*pageg.*$ [OR]
RewriteCond %{HTTP_REFERER} .*porn9.*$ [OR]
RewriteCond %{HTTP_REFERER} .*priceg.*$ [OR]
RewriteCond %{HTTP_REFERER} .*recruitmentform.*$ [OR]
RewriteCond %{HTTP_REFERER} .*richmenferomon.*$ [OR]
RewriteCond %{HTTP_REFERER} .*savetubevideo.*$ [OR]
RewriteCond %{HTTP_REFERER} .*semalt.*$ [OR]
RewriteCond %{HTTP_REFERER} .*sharebutton.*$ [OR]
RewriteCond %{HTTP_REFERER} .*softomix.*$ [OR]
RewriteCond %{HTTP_REFERER} .*soundfrost.*$ [OR]
RewriteCond %{HTTP_REFERER} .*spectrumpropertiesofmaine.*$ [OR]
RewriteCond %{HTTP_REFERER} .*tech-spot.*$ [OR]
RewriteCond %{HTTP_REFERER} .*the-vault.*$ [OR]
RewriteCond %{HTTP_REFERER} .*vapmedia.*$ [OR]
RewriteCond %{HTTP_REFERER} .*videofrost.*$ [OR]
RewriteCond %{HTTP_REFERER} .*videotiki.*$ [OR]
RewriteCond %{HTTP_REFERER} .*wmasterlead.*$ [OR]
RewriteCond %{HTTP_REFERER} .*wrztalk.*$ [OR]
RewriteCond %{HTTP_REFERER} .*xxxbs.*$ [OR]
RewriteCond %{HTTP_REFERER} .*yarisanalizi.*$ [OR]
RewriteCond %{HTTP_REFERER} .*youtubedownload.*$ [OR]
RewriteCond %{HTTP_REFERER} .*zazagames.*$
RewriteRule ^(.*)$ http://activities.aliexpress.com/computers_channel.php [L]
## END DETER SEMALT
Add to that list: https://addons.mozilla.org/en-US/firefox/addon/ilovevitaly/
Apparently they have created several browser add-on and are using it for redirects. I noticed it come up on GA a few days ago. Seems they all are attached to http://iskalko.ru/ –some kind of faux search engine.
Actually it’s a legit and pretty good search Engine. But against Google, Bing and Yandex they just couldn’t make it far enough. They should’ve just gone like DuckDuckGo rather than just concentrating on making profit. I tested their search engine and it’s fair. But just too much bogus results trying to promote product sales … I guess working on search engines gave them the idea and hopefully when it’s all done, we will have more secured search engines.
In general, I agree with you, but in context, with respect to “traffic” that does not exist and only appears in Google Analytics data (darodar), it will have absolutely no impact on search since it will not be picked up as signals for the search algorithms. There is no such referral and there never was a visit. The Google Search people (Webmaster Tools) would not know it exists.
Arron asked why his Moz rankings took a hit. Does Moz (or others) use their access to customer’s GA data to assist with their ranking? That, I do no know. Something to ask the Moz community.
I think it is likely you are correct about darodar. As I have not looked specifically at the site logs regarding that domain, I don’t have the facts at hand. I will say this however, some of the visits from these semalt-related domains are, in fact, real; they do appear as entries in my raw logs.
What spurred me to research Vitaly’s server-related-domains was a drop in Google organic rank at a client site. This young site was on Google’s first page in a very expensive and competitive keyword market. Semalt and darodar spam “visits” ( as indicated in GA ) EXCEEDED real traffic to the site.
The site was previously attracting organic search traffic equivalent to $7,000 (seven thousand dollars) per month on PPC. It was converting surfers to phone calls and form fills at over 10 percent of traffic. Having it drop a few positions was therefore noticeable and PAINFUL as Google organic search was the client’s primary marketing thrust.
Less than a week after substantially deterring Semalt the site’s ranking moved back up to their previous mid-page positions.
Is this one instance of organic-rank-drop-and-recovery-after-semalt-deterrance absolute proof that Google uses GA as a ranking signal?
Certainly not!
But I don’t need absolute proof to justify the small effort needed to eliminate semalt’s potentially negative effects on my clients results.
Best regards,
Denis
I used your article to make a post for my blog :) very nice article.
http://idojo.co/blog/handling-referrer-spam-bots/
Thanks for posting such a thorough insight into those spamf*ckers and how they screw up your GA. I guess it wouldn’t matter so much except that my baby sites only have a few visitors, so it wonks the results enormously.
Thanks for your detailed analysis and solutions…It had worried me for days.
Plus, Ronald and I noticed that XxxxXxxx in forum.topicXxxxXxxx.darodar.com is the exact GA account number. And he worried that maybe someone is using this to collect effective GA account numbers…
Another thing is that the report showed he was using Firefox 33.0, though not sure if this is also fake.
forum.topic59489388.darodar.com
this is mine. my domain is a .com and godaddy is the registrar but as I’ve seen it doesn’t matter. they take somewhere the google analytics ID
Google Analytics should just allow users to set ut authorized domains (or applications) where their code can be loaded.
They already do the same with Google Adsense; you can set domains where your code is authorized. On any other domain, it won’t show up.
If my Analytics code can be loaded only on domains I authorize, I guess that specific problem is over ?
I have seen Semalt, Buttons For Websites, Daroder etc. all arriving on our and our clients websites.
The question I can’t get to the bottom of is SEO related….i.e. will the 100% bounce rate these referrals create impact on ranking factors? Surely a high bounce impact like these cant be good? Does anyone have a definitive source or answer to this point please?
Ideally I’d prefer to find a rock solid way to block the referrals all together. For now I just tend to filter as described by Wendy & others here.
@Mark (S4G) I am asking this question to my Twitter and LinkedIn followers to see if any has a definitive answer.
Definitive answer: no they do not affect your search ranking.
Caveat: be careful lumping them all together — “they” are very different. Semalt actually visits your site; darodar does not; other referral spam uses embedded/hidden links on spam sites. With semalt and darodar, there are no links on the web for the search engines to discover. The “traffic” you see in your web analytics is not visible to the search engines.
http://www.analyticsedge.com/2014/12/removing-referral-spam-google-analytics/
Thanks Mike, great to have an answer (and clarification on their different elements).
I understand why everyone is choked up about Semalt. Not everyone wanna pay for web analytics. Then accept it that your free counter distorts statistics. And don’t you lash out at those who are a gun at SEO. Well, if you have a blog with kitties with two visitors per day, you don’t need professional tools like Semalt.
Lars,
That’s another way to look at it. Google will just put these in their ignore list, so these wont affect anything. At the end of the day, content rules search results. If you got something unique (a kitty singing Opera!), your site will rank 1st in Google Analytics and no matter what happens, you stay in top. Just my 2cents.
-BMO
Since I don’t get too much traffic from Russia my solution was create a new segment that filter Russia. Hope that helps!
Hi Hernan,
It would be pointless as they’ve never visited your site. Also you will miss on traffic (if any). It’s Google’s problem, let them sort it. Cheers,
-BMO
Google really needs to fix this referral spam and fast! I run several SEO / Adword accounts for my clients and a couple of them spend a reasonable sum of money with Google every month.
To have referring sites appearing in the traffic when they have not even visited the site is huge oversight imho. I have added the .htaccess filter codes and while that certainly seems to stop most of the more traditional spam-referrals I can confirm it has no effect on some of the latest instances (particularly the social button variations).
I expect as soon as this starts impacting Google’s Adword revenue in one way or another we’ll see a fix – ie: I might start suggesting to my clients their Adword $$ are better spent elsewhere – such as a targeted traditional snail-mail campaign.
Now there is a referral keyword coming in as: vitaly rules google ☆:.。.゚゚・ヽ(^ᴗ^)丿・゚゚.。.:☆ ¯_(ツ)/¯(•ิ•ิ)(ಠ益ಠ)(ಥ‿ಥ)(ʘ‿ʘ)ლ(ಠ_ಠლ)( ͡° ͜ʖ ͡°)ヽ(゚д゚)ノʕ•̫͡•ʔᶘ ᵒᴥᵒᶅ(=^. .^=)oo
This guy just doesn’t stop!
Joe seen the spam before it said google loves vitality the new one vilality rules google
I was reading this post last night for another block i did find most of the blocks but this new one no one has the answer at the moment.
I don’t know where it is from so cant set a filter to exclude it
I am going to filter out all of the spam visits I’ve been getting as per the conversation on this thread. However I have just discovered porn and torture spam links in my CONTENT list!! I’m a little perturbed and worried about this… please help
Cathy, Nothing to worry about. It’s all just spam referrals, not real traffic. You can filter it all out with a single valid hostname filter in Google Analytics. I describe it in my Definitive Guide to Removing Referral Spam (linked above):
http://www.analyticsedge.com/2014/12/removing-referral-spam-google-analytics/
I have also started offering a personalized service to install the filters and advanced segments needed to clean up people’s accounts…for those not sure about the whole filter thing.
Hi Mike. Thanks so much for the reply and help offer. I am confident re the whole advanced filter set up thing for the referrer data. I’ve created a duplicate view so I can set up the exclude. I might just exclude the whole of Mother Russia for the hell of it.
It was more the fact that these links are coming into my page content view which made me worried as essentially these are tracking as ‘my pages’ are they not?
Just want to check this doesn’t mean the site is compromised in any way……
Let me say it again, for emphasis:
If you create a single filter to INCLUDE YOUR hostname only, then ALL of those visits would not have bothered you.
By adding individual exclude filters for each new spam source, you will be forever chasing the next spam domain.
This does not work for the likes of semalt and make-money-online, but those crawlers are fewer and do not change as quickly.
Creating a single filter for own hostname would hurt ranking though! Not?
If someone keeps on adding new domains to exclude filters in WebServer/.htaccess, their site will become slow cause there’s just too many things to check. I am yet to see any definitive discussion about how this is hurting search ranking for anyone.
BTW, recently this attack became more sophisticated. I’ve had 700+ extra visitors from Russia, all referral by Google, to my homepage “/”, random stay. If they’d keep this to say 120% instead of 300%, I’d never suspect that it was a spam referral.
I believe Google’s recent encryption for all AdSense data was a respond to such attack. And if Google can encrypt AdSense, they surely can encrypt Analytics. I guess they don’t really care as the main business focus is AdSense…
The porn and torture spam is ghost referrals — they are fake tarffic injected into Google Analytics tracking servers. Since they don’t actually exist, they will NOT affect rankings.
Since they are faking the traffic and never visit your site, they do not actually know what your hostname (website) is. They use a fake one, making them really easy to identify. If you filter to INCLUDE only traffic to YOUR hostname, then ALL of the fake traffic is prevented.
Thanks all. Will add the ‘include only’ filter as you’ve advised and see what it does to the results.
I’ve evaluated and found 3 solutions that are working for these type of spams. Check Three effective solutions for Google Analytics Referral spam
Are the visits except for the samara visits from genuine visitors?
There’s no sure where spammy sessions come from – filtering by Localization isn’t working solution.
Thanks
So, here’s what is strange to me. I just set up a new Analytics account for a new website and ten minutes later I am getting darodar.com referrer spam. How did they know? Are they simply pinging the highest number Analytics account numbers waiting for the next new one to come online?
Referrer spam has gotten so bad these days. It’s ruining GA.
Hi Tim,
Not really. You are not supposed to use GA to measure visitor counts, performance etc. cause Google may or may not censor parts of the data displayed to suite their business model. For an accurate measure you should be using Piwik or something similar that’s built and run in-house.
As for censoring spams, just follow this guide: Three effective solutions for Google Analytics Referral spam.
And if you are really Analytics-OCD (no pun intended), then setup a second GA code, add to your website (so 2 GA code running at the same time- there’s official guide in Google for that). Use all the filters in one to view censored and clean data and the second one with all the spammy ones. Compare and you get the idea. Enjoy,
-BMO
Vitaly Popov, Russian idiot first class. i hope they hang you, upside down, in the streets.
Its a real pain when trying to explain to a customer why their traffic is in fact ‘ghost traffic’ and the fact it has no bearing on their website performance. Unless someone is an expert in writing decent RegEx code permanently filtering this kind of reporting ‘noise’ is challenging.
I wrote an article about it here if anyones interested: http://www.sparks4growth.com/accurate-website-traffic-reporting/
This post is on 17 spot in google’s search results, if you want
more visitors, you should build more backlinks to your posts,
there is one trick to get free, hidden backlinks from authority forums, search on youtube: how
to get hidden backlinks from forums