Home / How to / Three effective solutions for Google Analytics Referral spam

Three effective solutions for Google Analytics Referral spam

I published this post darodar.com referrer spam and should you be worried? back in December and I am still seeing a constant influx of frustrated website owners and concerned netizens getting worried about similar spams. I happen to be one of the first to detect this spam and post about it. I didn’t pay much attention to it as referral spam or web analytics is not my primary concern when it comes to computing. Working in IT field for over a decade and specifically IT security, I have a different view on spam and how they can be stopped. I opened my Analytics account yesterday cause I saw 25% traffic increase from Facebook, Twitter and many random sources and 83% increase on the root (“/”) of the server. Well, 25% is nothing, it can happen due to a post going viral. But this wasn’t the case this time as 83% increase was specific to the root (“/”) of the server It seems, our ‘beloved’ ‘Vitaly Popov’ has started a new stream of referral spam. He’s got more crafty as I predicted in my original post. He’s now actually using Facebook, Twitter as referrals including some new domains. In this post I will show three effective solutions for Google Analytics Referral spam.

Some facts about Google Analytics Referral spam:Three effective solutions for Google Analytics Referral spam - blackMORE Ops - 5

  1. By this time you know that Ghost Google Analytics Referrals spam cannot be blocked by .htaccess or web configuration.
  2. Ghost Google Analytics Referrals spam bots doesn’t really visit your website, so no trace of IP address be found in server logs.
  3. Ghost Google Analytics Referrals spam only abuse Google Analytics.
  4. Google Analytics hasn’t done anything about it, yet (officially).
  5. Google implemented encryption for all of their AdSense traffic.
  6. Ghost Google Analytics Referrals spam only affects Google Analytics.
  7. *** Ghost Referrals spam also affecting Yandex and few other search engines.
  8. As these bots doesn’t visit your website, they have no idea what your page title is. So Analytics will show (“/”) as the page title.
  9. These Ghost Google Analytics referral spam bots only targets your primary Tracking ID i.e. ‘UA-XXXX-1’

List of known Google Analytics Referral spam domains

Click to open list containing known Google Analytics Referral spam domains:

Click to open list containing known Google Analytics Referral spam domains:

  1. semalt.com
  2. semalt.semalt.com
  3. buttons-for-website.com
  4. blackhatworth.com
  5. makemoneyonline.com
  6. ilovevitaly.com
  7. ilovevitaly.co
  8. ilovevitaly.ru
  9. iloveitaly.ro
  10. priceg.com
  11. prodvigator.ua
  12. resellerclub.com
  13. savetubevideo.com
  14. screentoolkit.com
  15. kambasoft.com
  16. socialseet.ru
  17. superiends.org
  18. vodkoved.ru
  19. o-o-8-o-o.ru
  20. iskalko.ru
  21. luxup.ru
  22. myftpupload.com
  23. websocial.me
  24. ykecwqlixx.ru
  25. slftsdybbg.ru
  26. seoexperimenty.ru
  27. darodar.com
  28. econom.co
  29. edakgfvwql.ru
  30. adcash.com
  31. adviceforum.info
  32. hulfingtonpost.com
  33. europages.com.ru
  34. gobongo.info
  35. cenoval.ru
  36. cityadspix.com
  37. cenokos.ru
  38. ranksonic.info
  39. lomb.co
  40. lumb.co
  41. econom.co
  42. srecorder.com
  43. see-your-website-here.com
  44. brighton.co.uk
  45. paparazzistudios.com.au
  46. powitania.pl
  47. sharebutton.net
  48. tasteidea.com
  49. descargar-musica-gratis.net
  50. torontoplumbinggroup.com
  51. cyprusbuyproperties.com

List of 194 new Google Analytics Referral spam domains

I now have a list of another 194 spammer domains that started yesterday.

Click to open list of new 194 new Google Analytics Referral spam domains

Click to open list of new 194 new Google Analytics Referral spam domains

  1. users.skynet.be
  2. users.pandora.be
  3. users.telenet.be
  4. go.i4s.be
  5. search-belgium.com
  6. activecompany.be
  7. aubeletage.be
  8. bizweb.be
  9. dvcevas-tienen.be
  10. hermans-motorhomes.be
  11. kookclubaldente.be
  12. nicolejanssen.be
  13. nvdemarie.be
  14. seraing-athletique.be
  15. users.belgacom.net
  16. vandewiele-m.be
  17. vanhoofdameskleding.be
  18. wegen-routes.be
  19. wingsandwheels.be
  20. zlaz.be
  21. 2link.be
  22. acvtje.be
  23. aquaheaven.be
  24. aroma-atelier.be
  25. bellissima-massage.be
  26. camroysplace.be
  27. celluforma.be
  28. couturecharlotte.be
  29. cryptogrammen.be
  30. deverborgenschat.be
  31. fcdekempen.be
  32. fckerksken.be
  33. go2.be
  34. hofterduinen.be
  35. i-belgie.be
  36. ivobrugge.be
  37. jack-russell-terrier.be
  38. juventusschoonaarde.be
  39. kaa.vgc.be
  40. kfchamont99.be
  41. kranten.2link.be
  42. lifeleuven.be
  43. massagetuktuk.be
  44. mhg.be
  45. molossideburon.be
  46. moortelshoeve.be
  47. nowedo.be
  48. patrickdamiaens.be
  49. ruantarathaimassage.be
  50. rubiosalsaclub.be
  51. scott2run-wvl.be
  52. skystef.be
  53. stan.be
  54. tallyimmobilien.be
  55. tievolley.be
  56. tistaertvrienden.be
  57. topwedstrijden.be
  58. tractorsteven.be
  59. trekkings.be
  60. tuktathaimassage.be
  61. vandeneeremaethe.be
  62. vlerickfietsen.be
  63. w-v-s.be
  64. wonderful-massage.be
  65. zonneschijntjes.skynetblogs.be
  66. 2news.be
  67. ahc.be
  68. andreabrewee.be
  69. asanti.be
  70. bansuksom.be
  71. basileus.ugent.be
  72. basketknokkeheist.be
  73. bbcokido.be
  74. bcpieterman.be
  75. bikesandpartsrobertpaul.be
  76. bunkergordel.be
  77. calorietabel.portalsbay.com
  78. camionverhuring.be
  79. csbouw.be
  80. cuy.be
  81. cvohz.be
  82. cyberspace.cz
  83. defilmblog.be
  84. demechelsekoekoek.be
  85. deravotter.be
  86. desva.be
  87. deuzie.be
  88. dichterbij.digitown.be
  89. drafkoersen.2link.be
  90. eendrachtzele.be
  91. erbinspictjers.be
  92. eritrea.be
  93. fetishfestival.be
  94. fietsenvandeputte.be
  95. fietsstages-baguet.be
  96. firstclassclubbing.be
  97. flashygolf.be
  98. geschenkwensen.be
  99. gevaarlijke-stoffen.be
  100. gigabike.be
  101. goedkoopopreis.be
  102. goedkope-hoeren.be
  103. goldiesradio.be
  104. grote-maten-mode.be
  105. heidbuchelmeg.be
  106. hobbycreatief.be
  107. hobbystart.be
  108. hofvanoranje.be
  109. home.base.be
  110. home.euphonynet.be
  111. home.tiscali.be
  112. huurdersbond.be
  113. ikwilwijn.be
  114. jeugdwerker.be
  115. jockey-club.be
  116. johevri.be
  117. kabage.be
  118. kermethe.be
  119. klassedame.be
  120. kortenaken.be
  121. krachtbal.be
  122. kristallenpoort.be
  123. kruidengeneeskunde.be
  124. ksaterstraeten.be
  125. kvcjonglede.be
  126. kwsoudenburg.be
  127. kwvbv.mavari.be
  128. luc-de-pompier.skynetblogs.be
  129. lvzm.be
  130. malaithaimassage.be
  131. maruay.be
  132. massimodo.be
  133. mayasecret.be
  134. members.lycos.nl
  135. menisq.be
  136. merlyn.be
  137. midgaard.be
  138. mijn-vakantiewoning.be
  139. mingl.be
  140. mondocane.be
  141. nailzandthingz.be
  142. newagewebwinkel.be
  143. nieuwjaarsbrieven.be
  144. nieuwpoortappartement.be
  145. nobeldesign.be
  146. nokerekoerse.be
  147. oever.be
  148. owk.be
  149. paalonline.be
  150. palomanv.be
  151. parkfc.be
  152. parkings-hasselt.be
  153. peking-wok.be
  154. pixiedust.be
  155. pro-ana.be
  156. pzhfamilie.be
  157. quizarchief.be
  158. rallycrossfreaks.be
  159. roeselaresport.be
  160. sans-soleil.be
  161. sennake.be
  162. seppeensienfashion.be
  163. serendib.be
  164. sesfashion.be
  165. shopping-nivelles.be
  166. shopping1.be
  167. showtimethai.be
  168. thaisetulp.be
  169. thompson.be
  170. tollers.be
  171. topproducts.be
  172. tuurke’s%20vissite.skynetblogs.be
  173. vas.be
  174. vckvw.be
  175. vclangdorp.be
  176. vcr.be
  177. velotour.be
  178. verkeerweb.be
  179. vlmbrugge.be
  180. voordeelspeelgoed.be
  181. vrijelagereschoollede.be
  182. vrouwenvoetbaloostvlaanderen.be
  183. waaihof.be
  184. waterski.be
  185. weerstationmechelen.be
  186. wensen-gedichten.be
  187. wielerbondvlaanderen-vlaams-brabant.be
  188. www2.vlaanderen.be
  189. zalikathaimassages.be
  190. zeldaskywardsword.be
  191. zeldatwilightprincess.be
  192. zoekertjes.2link.be
  193. zonnehart2012haikujozlebruyn.skynetblogs.be
  194. zonstraal.be

I mean seriously? users.skynet.be? It’s good to see they have some sense of humour.

So it seems very soon filters wont be enough. Actually it’s already not enough. Despite what the Analytics experts says, you can’t go around every day to filter hundreds of domains. Yes, you could filter for .be (i.e. Belgium) domains, but that’s a whole country we are talking about. So what is the best fix?

Solution 1: Create a new Tracking ID for your website

 

The simplest solution is often a good place to start
– William of Ockham’s Occam’s Razor

When I started looking around for a good solution, I was surprised the amount of information’s that became available since my last post about Referral spam in December. Some were well written, some were just rubbish.

Some spammers like Semalt actually visit your website, so you can block them using usual .htaccess or web configuration. They are an easy fix:

SetEnvIfNoCase Referer semalt.com spambot=yes
Order allow,deny
Allow from all
Deny from env=spambot

But Ghost referral is a Google Analytics problem. So I found a solution using Google Analytics rather the wasting time on adding filters.

Using Google Analytics to solve it’s own problem:

Google Analytics is very limited but their help document is very clear on how to use Analytics code. According to Advanced Configuration – Web Tracking (analytics.js) you can use multiple trackers on same website (old news!). But here’s the loophole in their coding that I found:

All the spammy bots are using only the first Tracking ID i.e. 'UA-XXXX-1'. So subsequent properties under your Analytics accounts are unaffected. i.e. 'UA-XXXX-2', 'UA-XXXX-3' and so on.

I just created another property in my Analytics account, configured it same as my primary one and added that to my website.

Instruction on how to setup a property in Google Analytics

Instruction on how to setup a property in Google Analytics

Set up a property

Properties are where you send data and set up reporting views.

You can add up to 25 properties to each Google Analytics account. To raise this limit, please reach out to your account manager.

You need Edit permission on the account to add properties. To set up a property:

  1. Sign in to your Google Analytics account.
  2. Select the Admin tab.
  3. In the ACCOUNT column, use the dropdown menu to select the account to which you want to add the property.
    If you have a lot of accounts, use the search box to help you find the right one.
  4. In the PROPERTY column, select Create new property from the dropdown menu.
    If you don’t have Edit permission on the account, you won’t see the Create new property option. Check that you’ve selected the correct account in the ACCOUNT column.
  5. Select Website or Mobile app.
  6. Enter the Website or App Name.
    If you plan on tracking more than one app in your account, use a very specific and descriptive name that includes the edition or version number. This will help you keep your app properties organized.
  7. (Web only) Enter the Web Site URL.
    • You cannot create a property if your URL isn’t formatted correctly.
      Select the protocol standard (http:// or https://). Enter the domain name, without any characters following the name, including a trailing slash (www.example.com, not www.example.com/).
    • Most domain hosts only support UTF-8 characters in the URL. It’s a good idea to use either UTF-8 characters or punycode for symbols and any non-UTF-8 characters (including Cyrillic characters) in your domain name. Try a punycode converter for help with this.
  8. Select an Industry Category.
  9. Select the Reporting Time Zone.
    This will be used as the day boundary for your reports, regardless of where the data originates.

    • The time zone setting affects how data appears in your reports. For example, if you choose United States, Pacific Time, then the beginning and end of each day is calculated based on Pacific Time, regardless of whether the sessions are detected from New York, London, or Moscow.
    • If your Analytics account is linked to a Google AdWords account, the time zone is automatically set to your AdWords preference and you will not see this option. This ensures accurate reporting on your AdWords campaigns.
    • Changing your time zone affects data going forward, and is not applied retroactively. You may notice a flat spot or a spike in your report data around if you update your time setting after you’ve already been using this property. Your reports might also refer to the old time zone for a short period after you update this setting.
  10. Click Get Tracking ID.
    Your property is created after you click this button, but you must set up the tracking code to collect data.

In general, you just pretty much copy paste and enable any config you had in your primary Analytics account. Creating a second property for the same website/URL doesn’t hurt anything or affects anything. It’s just another container where data is stored.

My sample original Google Analytics tracking ID

<script>
<--function-removed-->

  ga('create', 'UA-XXXX-1', 'auto');
  ga('send', 'pageview');

</script>

My new sample Google Analytics tracking ID

<script>
<--function-removed-->

  ga('create', 'UA-XXXX-2', 'auto');
  ga('send', 'pageview');

</script>

Create new combined Google Analytics Tracking ID

Google Analytics Advanced configuration, Working with Multiple Tracking Objects, shows how to create a new combined Google Analytics tracking ID and put them in your website.

In some cases you might want to send data to multiple web properties from a single page. This is useful for sites that have multiple owners overseeing sections of a site; each owner could view their own web property.
To solve this, you must create a tracking object for each web property to which you want to send data:

ga('create', 'UA-XXXX-Y', 'auto');
ga('create', 'UA-12345-6', 'auto', {'name': 'newTracker'});  // New tracker.

Once run, two tracker objects will be created. The first tracker will be the default tracking object, and not have a name. The second tracker will have the name of newTracker.
To send a pageview using both trackers, you prepend the name of the tracker to the beginning of the command, followed by a dot. So for example:

ga('send', 'pageview');
ga('newTracker.send', 'pageview'); // Send page view for new tracker.

Would send a pageview to both default and new trackers.
This explanation might be slightly convoluted for many users. Here’s mine:

My sample combined new Google Analytics Tracking ID

<script>
<--function-removed-->
  ga('create', 'UA-XXXX-1', 'auto');
  ga('create', 'UA-XXXX-4', 'auto', {'name': 'newTracker'});  // New tracker.
  ga('set', 'forceSSL', true);        // Send all data using SSL, even from insecure (HTTP) pages.
  ga('send', 'pageview');
  ga('newTracker.send', 'pageview');
</script>

I’ve also forced SSL on my Google Analytics tracking ID. This wont do any good for this particular spam, but having some encryption is always good in the long run.

Click here to open Google's Instruction on Forcing SSL (HTTPS) on GA

Click here to open Google's Instruction on Forcing SSL (HTTPS) on GA

Forcing SSL (HTTPS) on GA

By default, Google Analytics will match the protocol of the host page when sending outbound requests. To force Google Analytics to always send data using SSL, even from insecure pages (HTTP), set the forceSSL field to true:

ga('create', 'UA-XXXX-Y', 'auto');
ga('set', 'forceSSL', true);        // Send all data using SSL, even from insecure (HTTP) pages.
ga('send', 'pageview');

This fixed everything for me. This is the best solution out there and it will continue to work until the spammers changes their code to include subsequent GA Tracking ID’s.

Solution 2: Create a filter for NULL Page Title

If you’re lazy and don’t want to create a new Analytics code, then Solution 2 is the next best option. Actually, I think this might be even better as it will get rid of any similar future spam referrals as well.

If you look closely into your Google Analytics report, you will see that all these Ghost Google Analytics Referral Spam shows Page Title as (not set).

Actually, this is not really (not set), it’s NULL value. That means these fake or Ghost Google Analytics Referral Spam bots are sending fake data using your tracking ID. But how are they going to set your Page Title?

To get Page title, a bot actually have to visit your website. Without visiting your website it will become very tough to include that bit of information (correct info, they can always use bogus data). So they’ve left that bit of info empty or NULL and when Google Analytics gets these fake data, it sets Page Title as NULL or (not set).

To create a filter for your view, select Admin > Account > Property > View > Filters.

Three effective solutions for Google Analytics Referral spam - blackMORE Ops -1

Fill up the Filter with the following information’s:

  1. Filter Name: Page Title (not set)
  2. Filter Type: Select Custom
  3. Select Exclude
  4. Filter Field: Select Page Title
  5. Filter Pattern: Put ^$ in this field. ^$ means empty or missing or NULL value.
  6. Filter Verification: Click “Verify this filter”.
    • It will show you how your filter would affect the current view’s data, based on traffic from the previous seven days.
    • Note: Verify will only work on an existing view where you have at least 7 days worth of data.
    • Verify will not work if you’ve created a new Tracking ID from Solution 1. (cause it doesn’t have enough data.)
  7. Click Save

Three effective solutions for Google Analytics Referral spam - blackMORE Ops - 2

You will see Ghost Google Analytics referral spam disappearing from your reports within few minutes and within 4 hours, your Google Analytics report will be all clear.

Solution 3: Create a filter for valid Hostnames

To implement this solution, STEP CAREFULLY or you will exclude valid traffic! You MUST identify ALL valid hostnames that may use your website tracking ID, and this could include other websites that you are tracking as part of your web ecosystem — your own domain, PayPal, your ecommerce shopping cart, and all of reserved domains (in case you decide to use them).

Start with a multi-year report showing just hostnames (Audience > Technology > Network > hostname), then identify the valid ones — the servers where I have real pages being tracked.

Three effective solutions for Google Analytics Referral spam - blackMORE Ops - 3

Then create a filter with an expression that captures all of the domains that I consider valid. For example:

www.blackmoreops.com
OR
.*blackmoreops.com|.*youtube.com|.*amazon.com|.*googleusercontent.com

Three effective solutions for Google Analytics Referral spam - blackMORE Ops - 4

This can be used as a supplementary addition to Solution 2. It’s mainly because you would never know where you are getting your traffic from and it’s a lot of work keeping this filter updated. Also as time goes, your filter will become bigger and the chance of making a mistake will increase. But it’s a good solution nevertheless.

Read more details on hostname filter here.

Conclusion

This is entirely Google’s problem and entirely their issue to resolve. I wouldn’t waste a single moment creating filters for Ghost Google Analytics referral spammers. If you want you can block spam bots that actually visit your website using .htaccess or web-server configuration etc.

The above solution works 100% right now, but it’s very easy for the spammers to modify their code to add subsequent Google Analytics Tracking ID’s. If that happens, keep an eye in here, I will come back with another solution. Share and Retweet this guide for those stressed webmasters.

Check Also

How to add RBL check on Zimbra Server - blackMORE Ops - 2

How to add RBL on Zimbra Server?

A DNS-based Blackhole List (DNSBL) or Real-time Blackhole List (RBL) is an effort to stop …

Shortest spam run ever - domaincop.org Domain Abuse Notice Spam - domaincorp whois - blackMORE Ops - 1

Shortest spam run ever – domaincop.org Domain Abuse Notice Spam

Woke up this morning and found two emails from domaincorp.org in my Inbox stating my domains are being used for spamming and spreading malware recently. Subject line contained “Domain Abuse Notice” which looked serious! I decided to carefully examine the email and it's contents in an attempt to find out more information. But before I even opened the actual email, I checked it's header and Domain Whois. I always do this; specially Whois because you are unlikely to receive an abuse notice emails from any domain that was just registered few weeks back. Most abuse notice emails are served by large organizations and domains that has been around for years and built enough reputation for everyone to take them seriously.

Use WordPress.com, Twitter, Facebook, or Google+ accounts to comment (anonymous comments allowed)

This site uses Akismet to reduce spam. Learn how your comment data is processed.