Home / Security / [Updated] darodar.com referrer spam and should you be worried?

[Updated] darodar.com referrer spam and should you be worried?

I had some interesting traffic showing up in my Google Analytics today. So far I’ve seen 21 referral traffic from forum.topic44122300.darodar.com to my home page http://www.blackmoreops.com/.

Readers, I highly recommend reading comments section for more views and details.

Making comments doesn’t require registration in this site, so you can leave your views anonymously.

 

Click here to read three effective solutions for Google Analytics Referral spam darodar.com referral spam - blackMORE Ops -1

Date: 18 Dec 2014-18 Dec 2014

  1. Referral Traffic » Source: forum.topic12345678.darodar.com
  2. Referral Path » / : http://www.blackmoreops.com/
  3. Referral Sessions » 21
  4. Avg. Session Duration » 00:13:22

This is an uncommon Domain and URL, so obviously I was suspicious given that my site serves contents specific to security and pentesting. I didn’t wanted to just click on that link and see what’s going on.

Use curl to browse to darodar.com

So I used a Linux session instead and tried to trace what’s going on.

root@kali:~# curl -vvv  forum.topic12345678.darodar.com 
* About to connect() to forum.topic12345678.darodar.com port 80 (#0)
*   Trying 78.110.60.230...
* connected
* Connected to forum.topic12345678.darodar.com (78.110.60.230) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.26.0
> Host: forum.topic12345678.darodar.com
> Accept: */*
> 
* additional stuff not fine transfer.c:1037: 0 0
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 404 Not Found
< Server: nginx/0.8.53
< Date: Thu, 18 Dec 2014 03:45:41 DST
< Content-Type: text/html
< Connection: keep-alive
< X-Powered-By: PHP/5.2.11
< Vary: Accept-Encoding
< Content-Length: 100
< 
* Connection #0 to host forum.topic12345678.darodar.com left intact
<html><head><meta http-equiv="refresh" content="0;url=http://shopping.ilovevitaly.ru"></head></html>* Closing connection #0
root@kali:~#

So that’s what it is, it’s pointing to http://shopping.ilovevitaly.ru.

Weird!! Why would they do it and why would it appear in my Google Analytics? What’s the benefit here?

I went looking around and found there are other people who are having similar darodar.com referrals showing up in their Google Analytics. Should we be worried?

There are several discussions going on about it right now and the following is the most informative.

A non existent page is showing up on my analytics. (109 posts)

There is also few posts that explains how to block this Referral Spam … and NO, they dont work for this particular case.

Block Darodar.com (.htaccess Method)

Code to add in .htaccess file:

SetEnvIfNoCase Referer darodar.com spambot=yes
Order allow,deny
Allow from all
Deny from env=spambot

Absolutely bugger all useless. And NO, BPS wont work as well for this darodar.com referrer spam.

Crunching logs

My next step is obviously checking logs for

  1. Darodar Referral
  2. IP Address
  3. or similar

First I checked my Apache logs assuming I might see something.

root@someserver [/logs]# grep -r -H darodar *

I got nothing.

Similarly, lets check their IP address in logs

root@someserver [/logs]# grep -r -H 78.110.60.230 *

Still nothing

Next, check my WordPress logs

root@someserver [/wordpress/access-logs]# grep darodar wordpress-logs.log

Still nothing.

Let’s just check with their IP (by this point I know fully I wont see anything – cause Apache Access log would’ve showed it anyway). But I did it anyway.

root@someserver [/wordpress/access-logs]# grep 78.110.60.230 wordpress-logs.log

Well?? Nothing of course.

I also got ModSec running and I got separate logs for that. I checked and still nothing.

So, what does it all mean? It just means that no one ever visited my website from darodar.com Referral but interestingly Google Analytics is still reporting it as legit traffic.

Explanation of darodar.com referrer spam

The following explains it well and I couldn’t have done better:

 

  • Samuel Wood (Otto)
    Tech Ninja
    Posted 14 hours ago #

    You sure about that

    Pretty sure, yes.

    This isn’t a WordPress specific thing. This isn’t even specific to individual WordPress plugins. Like you said, your “personal website is CodeIgniter” and you can see it there.

    Here’s a quick primer on how Google Analytics works.

    So, you get setup on GA and get a code from them. The code looks like UA-number-1 or some such thing. That number is your “account number” on GA. Now, this code and a bit of javascript go onto your webpage. Now, somebody visits your page, and their browser runs that javascript code.

    That javascript code is what “records” their visit. It makes their browser talk to Google Analytics. Specifically, it makes certain types of HTTP requests that Google records information about, and then GA displays summaries of that information to you.

    Pretty basic, right? Still with me? Okay, now, if all it is is this Javascript sending the “visit” to them, then anybody can fake that. Anybody at all. All I have to do to make your GA show false information is to send my fake information directly to GA.

    I don’t need to visit your site at all. I don’t need to run javascript at all. I just need to reproduce those HTTP requests, which are public and so anybody can see them and how they work. They’re even fairly well documented, publicly, by Google themselves.

    So, now, let’s say I’m a spammer jerk. I want to get people to see my spammy site. So, what do I do? I write a small bit of code to send thousands upon thousands of these fake requests to GA, and I simply cycle through all the UA numbers, in order, at random, whatever. I send a fake visit, with a fake referrer, and my spammy domain name. And guess what? It shows up in your Google Analytics screens.

    You see this spam like any other normal visit. Because as far as GA is concerned, it was a normal visit. All they’re recording are those HTTP requests, which normally come from the GA javascript code. But a request is a request, and making a fake one is very, very easy.

    That is what is going on. All I need is your UA number and with only a minor bit of effort I can fake a visit to your site without ever actually connecting to your site at all. That fake visit can have any domain name and any referrer in it that I choose.

    This is an attack on Google Analytics, to promote whatever site is showing up. You cannot block it on your server, because your server is not involved at all.

I agree with Samuel Wood (Otto) a.k.a Tech Ninja. Why?

Because I found no evidence of anyone from darodar or similar sites ever accessing my website, my vps, my entire server. The website in question darodar.com redirect to some shopping website and if you read the LONG discussion here then you will see many people had similar experience but no one could prove that anyone ever visited your website.

Who owns darodar.com?

Easy to find as it seems the person was either careless or used someone elses name.

root@omeserver [~]# dig darodar.com SOA

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 <<>> darodar.com SOA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5978
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;darodar.com.                   IN      SOA

;; ANSWER SECTION:
darodar.com.            21599   IN      SOA     ns1.nameself.com. support.regtime.net. 1385014908 10800 900 604800 10800

;; Query time: 152 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Dec 19 01:54:36 2014
;; MSG SIZE  rcvd: 97

We can find his name, address, phone number using who.is

 % Regtime Ltd. WHOIS server

Domain name: darodar.com

Name servers:
    ns2.ht-systems.ru
    ns1.ht-systems.ru

Registrar: Regtime Ltd.
Creation date: 2007-11-15
Expiration date: 2010-12-05
Status: active

Registrant:
    Vitaly A Popov
    Email: povitaly@mail.ru
    Organization: Private person
    Address: Aurory str. 70-141
    City: Samara
    State: Samara
    ZIP: 443070
    Country: RU
    Phone: +7.8462791590 
SOA Record – darodar.com
Name Server     ns1.nameself.com
Email     Email Masking support@regtime.net
Serial Number     1385014908
Refresh     3 hours
Retry     15 minutes
Expiry     7 days
Minimum     3 hours

Does this person really owns this domain? We don’t know and this can easily be faked. The domain details were changed on December 17, 2014.

See details in the link above.

Why am I seeing darodar.com in GA?

If you haven’t read the informative post by Samuel I copy/pasted already, here’s the summary

  1. darodar.com is using your Google Analytics Code to recreate fake information and sending that directly to Google Analytics.
  2. They are not visiting your website.
  3. In this case, they are possibly using a script to randomly create Google Analytics code UA-xXxXxXxX-1. Some would work, some wont.

Why use this referral spam?

Not sure it benefits them. Yes, it redirects to a shopping website (and previously it used to redirect to Amazon Affiliate page) but Google and Amazon will demote those links very soon. Those website will never show up in Google search or any search engines… This is possibly just a testing tool for something bigger to come …

Is my server, website, wordpress, VPS hacked?

No, as far the discussion goes,there was no hacking, it’s just referrar spam. Read more here. This spam is exploiting how Google Analytics works, possibly to promote some website (duh! Google will find it and demote it … ).

Can I block darodar.com and their IP?

Knock yourself out. You can block their IP in .htaccess or in your Firewall. Add the following to your .htaccess in the root of webdocs or wordpress or site folder.

Order Deny,Allow
Deny from 78.110.60.230

Will it work? Well it will definitely block all access from 78.110.60.230, but it takes few seconds to change IP. So no, it wont work. But again, they are not visiting you and this Referral domain only appears in Google Analytics.

Can I block darodar.com as a referrer?

Mate, you’re reading the post, but not really paying attention. They never visited you. But if it makes you feel any better, the following code would work nicely to block any referrer spam:

## SITE REFERRER BANNING
RewriteEngine on
# Options +FollowSymlinks

RewriteCond %{HTTP_REFERER} badsite\.com [NC,OR]
RewriteCond %{HTTP_REFERER} badsite\. [NC,OR]
RewriteCond %{HTTP_REFERER} sub\.badsite\.com [NC]
RewriteRule .* - [F]

I found this nice website .HTACCESS Banning Generator. You can generate a nice and proper .htaccess block using their online tool.

Again, in this case, it wont work because the referrar was done directly using Google Analytics code and completely bypassed your website. You cannot block sopmething on your server, where your server was not involved at all.

Can I hide or filter darodar.com in Google Analytics?

Of course you can. Use the instructions Google Analytics’s G+ page

Google Analytics: Introducing Bot and Spider Filtering

I’ve done it this way

Analytics
|
—–> Admin
|
—–> Account
|
—–> Property
|
—–> Tracking Info
|
—–> Referral Exclusion List.

Then just added each domains with like this

*.darodar.com
*.iliovevitaly.com
etc.

Related contents and links

Some other useful URL’s regarding Google Analytics posted by Alin Marcu in here

More useful links

What is more scary?

You know what? I am not worried about this darodar.com referral spam / referrer spam. The worst that can happen is you see some funny links in your Google Analytics. Just don’t browse to those sites.

But the part that’s more disturbing is that anyone with some programming skill can actually create a tool to randomize Google Analytics code and send Fake visiting info back to Google. Followings are the implications:

  1. You can target a legit website and spam others using them as referrer. The result? Google demotes a perfetly good website because someone else spammed forged their GA code to spam others.
  2. You can target a website and spam using their GA code. The result? That website appears in millions of GA users and if even 5% of them visit that website, it might just overload their server and create a DDoS situation for them. I tested a tool named GoldenEye which was able to create 100’s of legit connections from same IP and GA thought they were real users. There’s obviously some more fine tuning required on Google’s behalf.
  3. Someone exploits your GA code and Google can just BAN your GA account, no explanations will be given. Your AdSense account can be exploited and banned in similar ways.

What do you do in the meantime?

Few options, some are just to make you sleep well!

  1. You can block their IP – pointless, IP’s are dime a dozen.
  2. You can block them as a referrer – maybe good for your GA. See links above for the guides.
  3. You can filter them in your GA Account – Possibly a good idea.

Just wait a few days and Google will take care of it in Google Analytics. It will not hurt your Analytics account or your website standings in anyway. Lastly, if it makes you happier and you’re a WordPress user who enabled JetPack, just check JetPack statistics. JetPack didn’t see this referrer.

You know what? Someone is having a lot of fun and laughing at us all!!!

Update 20141219:1340: I just saw make-money-online.7makemoneyonline.com popping up in my referrers list. Use Google Analytics Filter to remove them from your reports. You can also apply the filter above to ban them if you feel like.

Check Also

Shortest spam run ever - domaincop.org Domain Abuse Notice Spam - domaincorp whois - blackMORE Ops - 1

Shortest spam run ever – domaincop.org Domain Abuse Notice Spam

Woke up this morning and found two emails from domaincorp.org in my Inbox stating my domains are being used for spamming and spreading malware recently. Subject line contained “Domain Abuse Notice” which looked serious! I decided to carefully examine the email and it's contents in an attempt to find out more information. But before I even opened the actual email, I checked it's header and Domain Whois. I always do this; specially Whois because you are unlikely to receive an abuse notice emails from any domain that was just registered few weeks back. Most abuse notice emails are served by large organizations and domains that has been around for years and built enough reputation for everyone to take them seriously.

Three effective solutions for Google Analytics Referral spam - blackMORE Ops - 5

Three effective solutions for Google Analytics Referral spam

I opened my Analytics account yesterday cause I saw 25% traffic increase from Facebook, Twitter and many random sources and 83% increase on the root ("/") of the server. Well, 25% is nothing, it can happen due to a post going viral. But this wasn't the case this time as 83% increase was specific to the root ("/") of the server It seems, our 'beloved' 'Vitaly Popov' has started a new stream of referral spam. He's got more crafty as I predicted in my original post. He's now actually using Facebook, Twitter as referrals including some new domains.

111 comments

  1. I was receiving visits from this site every other day until I contacted the owner of the domain with an address in the South Bay. Then I instantly started getting 20 visits a day. Want his number?

  2. Hey thanks for the detailed breakdown, hadn’t been aware of this issue. And yeah, sounds like the Whois is faked on that .ru site, lame spammers. Going to pop into analytics and see if any wonky data shows up on any of the sites I’ve got rigged up. Personally though, I hate filtering out any IPs on GA but my own (data greedy, that’s me). Thanks again! (PS “Mate, you’re reading the post, but not really paying attention.” Lol!)

  3. hummm intersting a russian in love with italy! Any script hacking facebook chats and personating google search pages?

  4. You guys know the diference between a verigign and a symantec digital certificate for a on line bank page? Is it normal to have 2 diferent certificates for the same page on diferent cliks?

  5. Thanks for The details!
    Found The same referal in My GA account and could not figure it out.

    I hope Google Will solve this soon

  6. Did anyone notice that the XYZ in forum.topicXYZ.darodar.com is the exact GA account number you are using? Dont get me wrong, but it could be a bigger plot to obtain all active GA accounts. This information could be worth a lot more than just some SEO stuff…If people click the link, most commonly would be for them to know this account number is “active” (or at least being watched actively)…

    Just my thought

    • You’re right.

      In the “referrals” page shows forum.topicXxxxXxxx.darodar.com, and XxxxXxxx is my exact GA account number.

      The hidden plots sounds scary :(

  7. Very Very helpful. I just witnessed this site across a dozen accounts for several clients on several servers and at first thought I had a security issue till I found this. I also noticed a visit or two from iloveitaly.com which you mentioned above too. Same for buttons-for-website.com. And of course, Semalt. Fun times. It seems to be getting more frequent. What are the best ways to prevent all this garbage?

  8. hello admin..good job could you give me full tutorial about kali linux hecking….

  9. Good job! Vitaly Popov is my real name. http://shopping.iLoveVitaly.ru in http://darodar.com redirect http://shopping.iLoveVitaly.com and http://iLoveVitaly.com is my real sites.
    I don’t need to hide my personality, because what I’m doing it isn’t a crime as minimum in Russia. It is just creative marketing.

    And yes, I’m having a lot of fun and laughing at you all!

  10. got the point, just wondering why then .htaccess blocking works, i’m using piwik

    • Fu**** Mother Russia

      I agree with the analysis above.
      I can wipe out the 78.110.60.230 IP from the surface of earth and give this Vitaly Popov a lesson in coding he will never forget.
      Let me know…

    • I don’t think so. How can you block something that never made an active connection to your server? Did you block it on Google too?

      • GA lets you “Exclude all hits from known bots and spiders” but how do I get GA to exclude specific sites that may not be known to them?

        • Here is what’s worked for me (no referrals in stats since Dec 18). Apply a custom filter in GA at the Account Level. Go to All Filters >> Add New Filter and give it a name, then choose Custom. In the Filter Field drop-down, select “Referral” and add this filter:

          ^((.*)\.|darodar\.)com

          Apply it to the appropriate view(s).

          Rinse, wash, repeat for other sites such as semalt.com.

          • Thank Wendy that worked for me as well so far so good. The other way using predefined didn’t work. Take care be well

          • You are welcome Andre. Don’t forget to create a few views in GA. I have 3. One unfiltered view for raw data. One “active” view for reports. One test view. Apply the filters in the test view before applying it to the active view. Once the output looks like it is working for you, then apply the filters to the active view. This is easily switched at the Account level in GA.

          • Hi Wendy,
            I’ve added your comment to my post. Thanks and enjoy. Cheers,
            -BMO

          • If I read that regex expression ^((.*)\.|darodar\.)com correctly, it should remove all .com website referrals????

            ^ =from start of string
            (
            (.*)\. =zero or more of any characters followed by a dot
            | =OR
            darodar\. =darodar.
            )
            com

            which to me would interpret as *.com OR darodar.com

            I think there should not be a vertical bar in the expression.

            Wendy??

          • Hi Mike,
            You can verify Wendy’s regex here:
            http://www.regexr.com/ or http://regexpal.com/
            I checked, seems OK.

            If someone is uncomfortable with regex, they can always add *.darodar.com (or any site) instead. Thanks for looking into it though. Cheers,
            -BMO

          • Nice utility…yup – it matches gskinner.com in the first line. It will eliminate all .com referrals. Not a good thing….

          • Not sure what you’re testing. It worked just fine for darodar.com.
            ^((.*)\.|darodar\.)com blocks darodar.com
            Used http://www.regexr.com/ to test and screengrab:
            darodar.com referrer spam - Wendys code - blackMORE Ops -11

            If you want a simpler one, this would work just fine for any darodar.com (or www . darodar . com) links
            darodar\.com
            darodar.com referrer spam - blackMOREs code - blackMORE Ops -12

          • The problem is that the expression start with a caret, so it only finds the first match. If you list darodar.com second, it clearly shows it will match ANY domain.com. Change the first line to blackmoreops.com…

            I can’t post an image…

          • Niceee, you’re correct. I;ll update my post.

            However, for referrer spam it wont be a problem as you get 1 referrer per line only (I guess that’s why Wendy’s regex worked). The other regex I posted would work better I think.
            darodar\.com

          • Found your update (darodar\.com). Thank you! So it need only look for the domain, not the rest of the URL? It doesn’t match on http://www.forum.topic31043644.darodar.com.

          • Hello Mike,

            Yes! You are correct. That expression matches for google.com using the RegEx tool though I am not familiar with the tool so not sure what I am looking for. Like a lot of folks, I was suddenly finding a bunch of referrer spam in my analytics from semalt.com. I scoured the forums looking for a good solution without much success. Then someone provided the expression and it is the only fix that I found so far that seemed to work. I can tell you that I am no longer getting referrals from semalt.com, darodar.com, buttonsforwebsite.com or 7makemoneyonline.com, but I AM getting referrals from .coms, which is confusing given this new info.

            So, what’s a better solution?

            BMO, can you repost your regex? And have you had a chance to test it against different GA views?

            Thanks!

          • For semalt, I actually asked them to stop crawling my site and they did about 3-4 days later. I used to have a filter that was just

            semalt\.com

            For the result, I use an filter on the hostname (as discussed in my article). It looks something like this (a few domains removed for clarity):

            .*analyticsedge.com|.*analyticsedge.ca

            Purists will note that the filters may match things I didn’t want, like http://www.notanalyticsedge.com, but I watch my website daily, so if that becomes a problem, I will change them.

            Each entry is one of my domains. If you need the stricter version, it would be something like this (note, regex can usually solve the same problem with multiple solutions):

            .+\.analyticsedge\.com|analyticsedge\.com|.+\.analyticsedge\.ca|analyticsedge\.ca

            where .+ means 1 or more characters
            \. means the dot

            so .+\.mydomain\.com would match http://www.mydomain.com and www2.mydomain.com

            The second entry matches the base domain itself: mydomain\.com

          • Thank you Mike! Based on other user experience, I will not request anything from semalt. I’ve heard that by doing so, you’ll wind up with even more. ;) I will do more testing with your filters. I want filters to cover all variations and levels.

      • You are right black ops, I have experienced the same, and tried well before searching over google, checked all possible logs in my ubuntu server but there were no records regarding the ipv4 or even ip6 of darodar.com. I believe google should have some way to at least don’t show this to us in analytics.

  11. Had the same issue installed piwik to see what was going on, now highly recommend using piwik instead of GA given how it seems to be gamed these days..

  12. Thanks for this. Had them come up on my GA just before Christmas and the “hits” have been getting more numerous. It all seems quite fresh so I imagine your right and Google will jump on this

  13. The Bot filtering you suggested in GA is not enough for this type of referral spam. There are three types, and three approaches that can be taken:

    http://www.analyticsedge.com/2014/12/removing-referral-spam-google-analytics/

    • I forgot to reply to this one …

      For this particular spam, blocking it in GA is only option. For other types, I’ve shown one example .. Referrer blocking

      BTW, I updated my post requesting more info regarding Alexa/Bing/Yandex etc. search engine/SEO abuse. Do you or AnalyticsEdge got a take on that?

      I don’t see anyone talking about anything other than GA and GA is just one part of the equation.

  14. That clearly explains it, but I still don’t understand why is he doing this? what’s the benefit for him?

    • My guess? He sells SEO services and guaranteed an increase in “quality” site visits, where “quality” means they don’t all bounce (and hence must be interested in your products). Since webmasters would look around for the link to their site, there is a good chance that people trying to find out who linked to them would create a large number of non-bounce visits.

      • NOT being an expert on GA or on .htaccess coding, I tested a variety of semalt/darodar deterence methods on my 70+ WordPress sites.

        What works for me on every installation is this: .htaccess Rewrites that are generalized to parse the domain name string without extensions such as .com, .co, .org etc. By being less specific, the rewrite condition can apply to multiple sub-domains and multiple extensions – deceptive techniques that Semalt has used in a variety of ways.

        Writing the Rewrite conditions in this more general way is much more efficient, and easier for less experienced webmasters to copy/amend/update for their own circumstances.

        Implementing htaccess code as I have done below prevents these referers from reaching my servers, AND, it blocks them from appearing in my Analytics reports.

        Yes I’ve read all the comments above about this being GA spam, not actual website visits, that the GA spam can’t be blocked, etc, etc. As I am not an expert I can only relate what I see as a result of my trial and error – the method shown below handles the problem comprehensively on my sites. I have GA reports and raw web logs that prove it.

        NOTE: I seen that using the – F coding to 403 Forbid Access to the semalt crawler greatly increases the number of domains and subsequent frequency of ‘visits’ to my sites. Apparently the crawler responds angrily when Forbidden. Ergo I use a redirection on the last line of the code segment instead. You can use any domain you would like to redirect to; I choose to redirect to the sites that Semalt is directing their links to, such as the computer ecommerce section of aliexpress(dot)com.

        ## BEGIN DETER semalt.com ##
        RewriteEngine on
        RewriteCond %{HTTP_REFERER} .*7makemoneyonline.*$ [NC,OR]
        RewriteCond %{HTTP_REFERER} .*backgroundpictures.*$ [NC,OR]
        RewriteCond %{HTTP_REFERER} .*baixar-musicas-gratis.*$ [NC,OR]
        RewriteCond %{HTTP_REFERER} .*blackhatworth.com.*$ [NC]
        RewriteCond %{HTTP_REFERER} .*buttons-for-website.*$ [NC,OR]
        RewriteCond %{HTTP_REFERER} .*buyerpricer.*$ [NC,OR]
        RewriteCond %{HTTP_REFERER} .*darodar.com.*$ [NC,OR]
        RewriteCond %{HTTP_REFERER} .*descargar-musica-gratis.*$ [NC,OR]
        RewriteCond %{HTTP_REFERER} .*econom.*$ [NC,OR]
        RewriteCond %{HTTP_REFERER} .*embedle.*$ [NC,OR]
        RewriteCond %{HTTP_REFERER} .*extener.*$ [NC,OR]
        RewriteCond %{HTTP_REFERER} .*fbdownloader.*$ [NC,OR]
        RewriteCond %{HTTP_REFERER} .*fbfreegifts.*$ [NC,OR]
        RewriteCond %{HTTP_REFERER} .*feedouble.*$ [NC,OR]
        RewriteCond %{HTTP_REFERER} .*iloveitaly.*$ [NC,OR]
        RewriteCond %{HTTP_REFERER} .*joinandplay.*$ [NC,OR]
        RewriteCond %{HTTP_REFERER} .*joingames.*$ [NC,OR]
        RewriteCond %{HTTP_REFERER} .*kambasoft.*$ [NC,OR]
        RewriteCond %{HTTP_REFERER} .*musicprojectfoundation.*$ [NC,OR]
        RewriteCond %{HTTP_REFERER} .*myprintscreen.*$ [NC,OR]
        RewriteCond %{HTTP_REFERER} .*openfrost.*$ [NC,OR]
        RewriteCond %{HTTP_REFERER} .*openmediasoft.*$ [NC,OR]
        RewriteCond %{HTTP_REFERER} .*pageg.com.*$ [NC,OR]
        RewriteCond %{HTTP_REFERER} .*savetubevideo.*$ [NC,OR]
        RewriteCond %{HTTP_REFERER} .*semalt.*$ [NC,OR]
        RewriteCond %{HTTP_REFERER} .*softomix.*$ [NC,OR]
        RewriteCond %{HTTP_REFERER} .*soundfrost.*$ [NC,OR]
        RewriteCond %{HTTP_REFERER} .*vapmedia.*$ [NC,OR]
        RewriteCond %{HTTP_REFERER} .*videofrost.*$ [NC,OR]
        RewriteCond %{HTTP_REFERER} .*youtubedownload.*$ [NC,OR]
        RewriteCond %{HTTP_REFERER} .*zazagames.*$ [NC]
        RewriteRule ^(.*)$ http://activities.aliexpress.com/computers_channel.php [L]
        ## END ##

        • Sweet, I will try that. Many thanks.

          • I would strongly recommend AGAINST this approach for two reasons:

            First, the wildcard matches may at some point block valid traffic that happens to share part of the REFERER. (BTW it’s ilovevitaly, NOT iloveitaly). You are better to make each match a bit more specific so they don’t have unintended side effects.

            Second, you are being a bad Netizen, redirecting traffic to someone that maybe didn’t play any part in the initial spam situation. AliExpress had nothing to do with Semalt or most of the domains on your list, and probably had nothing to do with the Vitaly mess.

            And as a side note: can you actually prove that this blocks darodar, econom, ilovevitaly, priceg and blackhatworth from appearing in GA? Or are you just assumign since it works for semalt, it would work for all the rest?

  15. How about a technique by which you encrypt Anayltics codes…Ideally Analytics tools like Google should stop giving Numbered GAs & should use some encryption algo.

  16. Vitaly is getting better… Today I received a new innovative attack. I just checked my organic results and found this query:

    “google -officially -recommends ilovevitaly.com search shell”

    If you read it, it says: google officially recommends ***.com search shell. So he wants you to go and visit ***.com to make some money from you.

    The full referrer of that visit points to google. And the hostname is apple.com (which is obviously not my domain name).

    So… I had to apply a new filter on GA to filter Search Terms. I included darodar.com and other domains since I know I’ll get traffic from there eventually. I’m really tempted to block all Russia and forget about the issue.

    • …and add hulfingtonpost [.com] to the list as well. By the way, the Include filter on valid hostnames is effective against this and the organic search terms pointed out by JL:
      http://www.analyticsedge.com/2014/12/removing-referral-spam-google-analytics/

      • Yes, I also got visits from “hulfingtonpost.com”. And I have to admit I clicked on hulfingtonpost.com. Didn’t see that was coming :-) I really thought it was the news Site. ha ha. The problem is there are always new ways and new domains. This is something google should fix for everybody. I don’t understand why they didn’t do anything yet.

    • That’s an idea… not much real traffic coming from there anyway. I’ll try a region block and see if that works. Thanks for bringing it up.

      • @ Mike Sullivan

        “…You are better to make each match a bit more specific so they don’t have unintended side effects…”

        When I began this journey there was only semalt.com to consider, and my blocking was more specific. Then Vitaly began using sub-domains, and later, added variants of the TLD extensions of some domains. The amount of work needed to add these numerous variations, coupled with the likelihood of my typos in the dense regex coding, caused me to become less specific in my htaccess conditions. As to blocking legitimate traffic, I see that as a very minor (indeed unlikely) problem given the domain names Vitaly chooses and the niches my clients inhabit.

        “…you are being a bad Netizen, redirecting traffic to someone that maybe didn’t play any part in the initial spam situation. AliExpress had nothing to do with Semalt or most of the domains on your list, and probably had nothing to do with the Vitaly mess.”

        Aliexpress.com is one of the largest ecommerce sites in the world with organic search traffic in excess of $2.5 Million PPC-equivalent per month. Aliexpress also buys $30,000 per month of PPC. Their computer category page is the linked-object for several of the domains I have blocked. Do you think that Vitaly chose that specific page by accident? Built out this botnet for amusement? Or is it more likely that aliexpress.com is paying him for a rankings/traffic/sales improvement?

        “…And as a side note: can you actually prove that this blocks darodar, econom, ilovevitaly, priceg and blackhatworth from appearing in GA? Or are you just assumign since it works for semalt, it would work for all the rest?…”

        Michael I respect you for your depth of understanding of analytics and your desire to be helpful. Because I don’t share your specific skills I have based my referer spam deterence approach entirely upon empirical results reflected in my Google Analytics and raw log files.

        No, I did not generalize from semalt.com results to a wider case. Yes, I can prove it.

        I expect that Vitaly will provide ever more varied ways of earning money at our expense. I look forward to reading more about countermeasures on your blog.

        Dennis

        • @Dennis an excellent response. Thank you for the confirmation: it seems Vitaly uses multiple attack vectors and that adds to the confusion on removing the undesired traffic — what works for one person does not work for another, leading to a lot of confusion and slows down everyone’s response. I must say I am impressed with the ways in which he has managed to circumvent Google’s ability to limit his efforts….so far.

          Regarding the specifics of the filter, I caution everyone to be careful. In the haste to make the crap stop, I have seen filters that ended with long-list-of-domains|.* which essentially filtered everything. Read every line, and if you don’t understand it, do not use it.

          • Mike,

            I looked at Vitaly’s referer-spam sites differently today. Using a reverse-domain-lookup-tool I queried all the spammy referrals i’ve received, and I noted the sites that shared the server with them. The result was surprising and helpful in equal measures.

            My study showed a surprisingly small source for causing so much trouble. The helpful part is that new spam-referral domains are easier to predict than I imagined, and the list of IPs hosting them is smaller and easier to block.

            What follows is a list of domain names that share a server with known semalt-darodar-makemoneyonline spam originating sites. These sites number about 100, and, are based on only six IP addresses.

            If you worry about excluding potentially “clean” traffic you should note that there are only a small number of sites on each server; this seems to me to indicate the use of a “reseller” account for convenience of administration. (BTW, a number of them are acknowledged porn sites which you should exclude for that reason alone.)

            This list won’t be all of Vitaly’s potential attack domains and IPs, but it is a very good start at deterrence for someone just now beginning:

            Semalt server-sharing websites on IP 78.110.60.230
            blackhatworth.com
            darodar.com
            econom.co
            forum.topic33796817.darodar.com
            forum.topic37285705.darodar.com
            forum.topic40191161.darodar.com
            forum.topic40382289.darodar.com
            forum.topic41650426.darodar.com
            forum.topic42962903.darodar.com
            forum.topic54115854.darodar.com
            forum.topic55056702.darodar.com
            forum.topic55890570.darodar.com
            forum.topic56518556.darodar.com
            forum.topic56554895.darodar.com
            forum.topic56695718.darodar.com
            forum.topic57111597.darodar.com
            forum.topic57275800.darodar.com
            forum.topic58172886.darodar.com
            healthtools.aarp.org
            hulfingtonpost.com
            icalc.ilovevitaly.com
            iedit.ilovevitaly.com
            ilovevitaly.co
            ilovevitaly.com
            ilovevitaly.ru
            iskalko.ru
            likevitaly.com
            lumb.co
            mailru.ilovevitaly.com
            maps.ilovevitaly.com
            o-o-0-o-o.com
            o-o-6-o-o.com
            priceg.com
            shopping.ilovevitaly.com
            startup.ilovevitaly.com
            travel.ilovevitaly.com
            http://www.o-o-0-o-o.co

            Semalt server-sharing websites on IP 217.23.11.15
            blog.semalt.com
            semalt.com
            semalt.net
            semalt.semalt.com
            http://www.createandcraft.tv

            Semalt server-sharing websites on IP 217.23.8.124
            buttons-for-website.com
            livefixer.com
            porn9.org
            sharebutton.net
            videotiki.com
            wmasterlead.com
            http://www.buttons-for-website.com
            http://www.gomtv.com
            http://www.kurtyildiz.com
            http://www.matrixsynth.com

            Semalt server-sharing websites on IP 217.23.2.19
            kambasoft.com
            myprintscreen.com
            soundfrost.org
            http://www.openmediasoft.com
            http://www.savetubevideo.com

            Semalt server-sharing websites on IP 104.28.20.82
            2020eyesite.com
            alsaat.com
            amateurhotty.xxxbs.com
            colorcuboid.com
            love4lifechat.com
            marlinmaniac.com
            nogreatercause.org
            noticiasmb.cl
            recruitmentform.in
            richmenferomon.com
            http://www.2020eyesite.com
            http://www.dariovignali.net
            http://www.spectrumpropertiesofmaine.com
            yarisanalizi.com
            youtubedownload.com

            Semalt server-sharing websites on IP 217.23.7.180
            217.23.7.180
            7makemoneyonline.com
            a2.extener.org
            baixar-musicas-gratis.com
            darcshare.com
            descargar-musica-gratis.net
            developers.softomix.com
            download.soundfrost.org
            s.zazagames.org
            softomix.com
            srecorder.com
            wrztalk.com
            http://www.tech-spot.org
            http://www.the-vault.org
            http://www.vapmedia.org
            zazagames.org

            My own preference for deterranceis to use .htaccess rewrite conditions that match the “domain-name-string” only plus any number of preceeding characters or following TLDs. Like this:

            RewriteCond %{HTTP_REFERER} .*semalt.*$ [NC,OR]

            I also prefer to rewrite the refer for redirection rather than use the “-F’ command to generate a 403 Fordidden response. Like this:

            RewriteRule ^(.*)$ http://ilovevitaly.com [L]

            Doubtless there will be more rubbish from Vitaly so I’ll be updated my response for those interested.

            Dennis

  17. This is a strange set-up. Thre are so many sites being targeted that you would assume that it was an automatic set-up. Yet some of the visits that show up in Ga (1/3) come from a mobile, and some open more than 1 page….

  18. Thank you so much for looking into this. Very interesting read! Those weird referrers also showed up in my analytics. Those scammers/spammers are so inventive. And annoying, too.

  19. Hi everyone !
    Can we juste add on GA these : and the problem will be fixed ??? for now I have just ilovevitality.com

    Analytics
    |
    —–> Admin
    |
    —–> Account
    |
    —–> Property
    |
    —–> Tracking Info
    |
    —–> Referral Exclusion List.

    Then just added each domains with like this

    *.darodar.com
    *.iliovevitaly.com
    etc.

  20. Ok form its appear on Top keywords not on top refferal on my GA, I added the domain on Refferal exclusion site but it still appear ! do you think I have to put it on Search Term Exclusion List instead ???

  21. 1) You rock for this. (2) I would like GA to add something where when you’re looking at your referral links, there’s an option to exclude that source.

  22. So my MozRank and MozTrust have taken a massive hit in the last month. I can’t think of any other reason than this referrer spam issue.

    I have multiple sites on the same Analytics account, and it is only the site with the UA account number -01 that is affected, -02, -03, -04 etc. are all fine.

    Surely Google should be aware that “traffic” from these sites are not the fault of the site, but really a fault in their own analytics code being so easy to exploit?

    Removing the “traffic” from appearing in Analytics surely won’t fix the fact the hits are being registered by Analytics, it is just hidden from our view? Therefore Google will still count this as spammy traffic and adjust (downwards) your rankings accordingly?

    • Google Analytics data is NOT used in Google Search ranking in any way: https://www.youtube.com/watch?v=CgBw9tbAQhU

      MozRank and MozTrust? Do they use Google Analytics data from their customers as a signal in their ranking schemes? You need to ask them.

      • @Mike Sullivan
        January 29, 2015 at 10:00 pm
        Google Analytics data is NOT used in Google Search ranking in any way: https://www.youtube.com/watch?v=CgBw9tbAQhU

        I respectfully disagree Mike. The video/statement by Matt Cutts that you put forward as proof is over four years old.

        Pre-Latent Semantic Indexing, pre-Panda, pre-Penguin, pre-numerous cautions about content quality, site speed, position of on-page advertising… if Matt’s statement were true then, it may well NOT be operative now.

        My belief is that bounce rate, time-on-site, goal conversion ratios and similar metrics do indeed factor into Google’s algorithms for organic rankings. This would be consistent with their evaluation of landing pages (Quality Scores) which determine CPC rates for individual advertisers.

        Even if GOOG are not, strictly speaking, reading GA results to inform their ranking decisions, those responsible for lead generation, conversion optimization, and successful e-commerce results (as I am) – would do well to BEHAVE AS IF THEY DID.

        After all, Google’s oft expressed goal is the best possible answer to their searcher’s queries. What better user satisfaction metrics can you find than bounce rate, time-on-site, goal conversions, and so forth?

        Dennis

        • Here is the latest update of my .htaccess file as I promised. It is currently reducing Semalt-related referer spam to zero on my sites and in my GA reports.

          The latest changes were the additions of “lumb” and “cenoval” domains. Note also that to exclude “darodar” fully requires a second, slightly different form of the Rewrite Condition:

          RewriteCond %{HTTP_REFERER} .*topicXXXXXXXX\.darodar.*$ [OR]

          where XXXXXXXX is your unique Google Analytics UA number, and,
          the “full stop” between topicXXXXXXXX and darodar is preceeded by a backward slash “\”.

          ## BEGIN DETER SEMALT ##
          RewriteEngine on
          RewriteCond %{HTTP_REFERER} .*2020eyesite.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*7makemoneyonline.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*adviceforum.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*alsaat.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*anticrawler.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*backgroundpictures.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*baixar-musicas-gratis.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*blackhatworth.com.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*buttons-for-website.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*buttonsspace.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*buyerpricer.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*cenoval.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*colorcuboid.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*createandcraft.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*dariovignali.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*darodar.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*topicYOURGAUA\.darodar.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*descargar-musica-gratis.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*econom.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*embedle.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*extener.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*fbdownloader.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*fbfreegifts.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*feedouble.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*gomtv.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*hulfingtonpost.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*ilovevitaly.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*iskalko.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*joinandplay.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*joingames.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*kambasoft.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*kurtyildiz.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*likevitaly.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*livefixer.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*love4lifechat.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*lumb.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*marlinmaniac.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*matrixsynth.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*musicprojectfoundation.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*myprintscreen.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*nogreatercause.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*noticiasmb.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*o-o-0-o-o.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*openfrost.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*openmediasoft.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*pageg.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*porn9.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*priceg.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*recruitmentform.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*richmenferomon.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*savetubevideo.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*semalt.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*sharebutton.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*softomix.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*soundfrost.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*spectrumpropertiesofmaine.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*tech-spot.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*the-vault.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*vapmedia.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*videofrost.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*videotiki.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*wmasterlead.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*wrztalk.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*xxxbs.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*yarisanalizi.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*youtubedownload.*$ [OR]
          RewriteCond %{HTTP_REFERER} .*zazagames.*$
          RewriteRule ^(.*)$ http://activities.aliexpress.com/computers_channel.php [L]
          ## END DETER SEMALT

          • Add to that list: https://addons.mozilla.org/en-US/firefox/addon/ilovevitaly/

            Apparently they have created several browser add-on and are using it for redirects. I noticed it come up on GA a few days ago. Seems they all are attached to http://iskalko.ru/ –some kind of faux search engine.

          • Actually it’s a legit and pretty good search Engine. But against Google, Bing and Yandex they just couldn’t make it far enough. They should’ve just gone like DuckDuckGo rather than just concentrating on making profit. I tested their search engine and it’s fair. But just too much bogus results trying to promote product sales … I guess working on search engines gave them the idea and hopefully when it’s all done, we will have more secured search engines.

        • In general, I agree with you, but in context, with respect to “traffic” that does not exist and only appears in Google Analytics data (darodar), it will have absolutely no impact on search since it will not be picked up as signals for the search algorithms. There is no such referral and there never was a visit. The Google Search people (Webmaster Tools) would not know it exists.

          Arron asked why his Moz rankings took a hit. Does Moz (or others) use their access to customer’s GA data to assist with their ranking? That, I do no know. Something to ask the Moz community.

          • I think it is likely you are correct about darodar. As I have not looked specifically at the site logs regarding that domain, I don’t have the facts at hand. I will say this however, some of the visits from these semalt-related domains are, in fact, real; they do appear as entries in my raw logs.

            What spurred me to research Vitaly’s server-related-domains was a drop in Google organic rank at a client site. This young site was on Google’s first page in a very expensive and competitive keyword market. Semalt and darodar spam “visits” ( as indicated in GA ) EXCEEDED real traffic to the site.

            The site was previously attracting organic search traffic equivalent to $7,000 (seven thousand dollars) per month on PPC. It was converting surfers to phone calls and form fills at over 10 percent of traffic. Having it drop a few positions was therefore noticeable and PAINFUL as Google organic search was the client’s primary marketing thrust.

            Less than a week after substantially deterring Semalt the site’s ranking moved back up to their previous mid-page positions.

            Is this one instance of organic-rank-drop-and-recovery-after-semalt-deterrance absolute proof that Google uses GA as a ranking signal?

            Certainly not!

            But I don’t need absolute proof to justify the small effort needed to eliminate semalt’s potentially negative effects on my clients results.

            Best regards,

            Denis

  23. I used your article to make a post for my blog :) very nice article.

  24. Thanks for posting such a thorough insight into those spamf*ckers and how they screw up your GA. I guess it wouldn’t matter so much except that my baby sites only have a few visitors, so it wonks the results enormously.

  25. Thanks for your detailed analysis and solutions…It had worried me for days.

    Plus, Ronald and I noticed that XxxxXxxx in forum.topicXxxxXxxx.darodar.com is the exact GA account number. And he worried that maybe someone is using this to collect effective GA account numbers…

    Another thing is that the report showed he was using Firefox 33.0, though not sure if this is also fake.

  26. forum.topic59489388.darodar.com
    this is mine. my domain is a .com and godaddy is the registrar but as I’ve seen it doesn’t matter. they take somewhere the google analytics ID

  27. Google Analytics should just allow users to set ut authorized domains (or applications) where their code can be loaded.
    They already do the same with Google Adsense; you can set domains where your code is authorized. On any other domain, it won’t show up.
    If my Analytics code can be loaded only on domains I authorize, I guess that specific problem is over ?

  28. I have seen Semalt, Buttons For Websites, Daroder etc. all arriving on our and our clients websites.

    The question I can’t get to the bottom of is SEO related….i.e. will the 100% bounce rate these referrals create impact on ranking factors? Surely a high bounce impact like these cant be good? Does anyone have a definitive source or answer to this point please?

    Ideally I’d prefer to find a rock solid way to block the referrals all together. For now I just tend to filter as described by Wendy & others here.

  29. I understand why everyone is choked up about Semalt. Not everyone wanna pay for web analytics. Then accept it that your free counter distorts statistics. And don’t you lash out at those who are a gun at SEO. Well, if you have a blog with kitties with two visitors per day, you don’t need professional tools like Semalt.

    • Lars,
      That’s another way to look at it. Google will just put these in their ignore list, so these wont affect anything. At the end of the day, content rules search results. If you got something unique (a kitty singing Opera!), your site will rank 1st in Google Analytics and no matter what happens, you stay in top. Just my 2cents.
      -BMO

  30. Since I don’t get too much traffic from Russia my solution was create a new segment that filter Russia. Hope that helps!

  31. Google really needs to fix this referral spam and fast! I run several SEO / Adword accounts for my clients and a couple of them spend a reasonable sum of money with Google every month.

    To have referring sites appearing in the traffic when they have not even visited the site is huge oversight imho. I have added the .htaccess filter codes and while that certainly seems to stop most of the more traditional spam-referrals I can confirm it has no effect on some of the latest instances (particularly the social button variations).

    I expect as soon as this starts impacting Google’s Adword revenue in one way or another we’ll see a fix – ie: I might start suggesting to my clients their Adword $$ are better spent elsewhere – such as a targeted traditional snail-mail campaign.

  32. Now there is a referral keyword coming in as: vitaly rules google ☆:.。.゚゚・ヽ(^ᴗ^)丿・゚゚.。.:☆ ¯_(ツ)/¯(•ิ•ิ)(ಠ益ಠ)(ಥ‿ಥ)(ʘ‿ʘ)ლ(ಠ_ಠლ)( ͡° ͜ʖ ͡°)ヽ(゚д゚)ノʕ•̫͡•ʔᶘ ᵒᴥᵒᶅ(=^. .^=)oo

    This guy just doesn’t stop!

  33. Joe seen the spam before it said google loves vitality the new one vilality rules google

    I was reading this post last night for another block i did find most of the blocks but this new one no one has the answer at the moment.

    I don’t know where it is from so cant set a filter to exclude it

  34. I am going to filter out all of the spam visits I’ve been getting as per the conversation on this thread. However I have just discovered porn and torture spam links in my CONTENT list!! I’m a little perturbed and worried about this… please help

    • Cathy, Nothing to worry about. It’s all just spam referrals, not real traffic. You can filter it all out with a single valid hostname filter in Google Analytics. I describe it in my Definitive Guide to Removing Referral Spam (linked above):

      http://www.analyticsedge.com/2014/12/removing-referral-spam-google-analytics/

      I have also started offering a personalized service to install the filters and advanced segments needed to clean up people’s accounts…for those not sure about the whole filter thing.

      • Hi Mike. Thanks so much for the reply and help offer. I am confident re the whole advanced filter set up thing for the referrer data. I’ve created a duplicate view so I can set up the exclude. I might just exclude the whole of Mother Russia for the hell of it.

        It was more the fact that these links are coming into my page content view which made me worried as essentially these are tracking as ‘my pages’ are they not?

        Just want to check this doesn’t mean the site is compromised in any way……

        • Let me say it again, for emphasis:

          If you create a single filter to INCLUDE YOUR hostname only, then ALL of those visits would not have bothered you.

          By adding individual exclude filters for each new spam source, you will be forever chasing the next spam domain.

          This does not work for the likes of semalt and make-money-online, but those crawlers are fewer and do not change as quickly.

          • Creating a single filter for own hostname would hurt ranking though! Not?
            If someone keeps on adding new domains to exclude filters in WebServer/.htaccess, their site will become slow cause there’s just too many things to check. I am yet to see any definitive discussion about how this is hurting search ranking for anyone.
            BTW, recently this attack became more sophisticated. I’ve had 700+ extra visitors from Russia, all referral by Google, to my homepage “/”, random stay. If they’d keep this to say 120% instead of 300%, I’d never suspect that it was a spam referral.
            I believe Google’s recent encryption for all AdSense data was a respond to such attack. And if Google can encrypt AdSense, they surely can encrypt Analytics. I guess they don’t really care as the main business focus is AdSense…

          • The porn and torture spam is ghost referrals — they are fake tarffic injected into Google Analytics tracking servers. Since they don’t actually exist, they will NOT affect rankings.

            Since they are faking the traffic and never visit your site, they do not actually know what your hostname (website) is. They use a fake one, making them really easy to identify. If you filter to INCLUDE only traffic to YOUR hostname, then ALL of the fake traffic is prevented.

  35. Thanks all. Will add the ‘include only’ filter as you’ve advised and see what it does to the results.

  36. Are the visits except for the samara visits from genuine visitors?

  37. So, here’s what is strange to me. I just set up a new Analytics account for a new website and ten minutes later I am getting darodar.com referrer spam. How did they know? Are they simply pinging the highest number Analytics account numbers waiting for the next new one to come online?

    Referrer spam has gotten so bad these days. It’s ruining GA.

    • Hi Tim,
      Not really. You are not supposed to use GA to measure visitor counts, performance etc. cause Google may or may not censor parts of the data displayed to suite their business model. For an accurate measure you should be using Piwik or something similar that’s built and run in-house.
      As for censoring spams, just follow this guide: Three effective solutions for Google Analytics Referral spam.
      And if you are really Analytics-OCD (no pun intended), then setup a second GA code, add to your website (so 2 GA code running at the same time- there’s official guide in Google for that). Use all the filters in one to view censored and clean data and the second one with all the spammy ones. Compare and you get the idea. Enjoy,
      -BMO

  38. Vitaly Popov, Russian idiot first class. i hope they hang you, upside down, in the streets.

  39. Its a real pain when trying to explain to a customer why their traffic is in fact ‘ghost traffic’ and the fact it has no bearing on their website performance. Unless someone is an expert in writing decent RegEx code permanently filtering this kind of reporting ‘noise’ is challenging.

    I wrote an article about it here if anyones interested: http://www.sparks4growth.com/accurate-website-traffic-reporting/

  40. This post is on 17 spot in google’s search results, if you want
    more visitors, you should build more backlinks to your posts,
    there is one trick to get free, hidden backlinks from authority forums, search on youtube: how
    to get hidden backlinks from forums

Use WordPress.com, Twitter, Facebook, or Google+ accounts to comment (anonymous comments allowed)

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Privacy Policy on Cookies Usage

Some services used in this site uses cookies to tailor user experience or to show ads.