How to fight off Google Analytics referrer spammers?

Okay. Without knowing the sites in question, I will try and explain a bit of what is going on and I will provide just a few links.

From: http://www.cradlecloud.com/ban-block-blackhatworth-com-spam-referrals/

I get the following domain names associated with the new method of referrer spam that people are seeing of late.

  • BlackHatWorth.com
  • Iskalko.ru
  • Lomb.co
  • Lombia.co
  • Econom.co
  • Darodar.com
  • ILoveVitaly.Com
  • Priceg.com
  • Hulfingtonpost.com (New- added Jan 16 2015)
  • Bestwebsitesawards.com (New- added Feb 3 2015)
  • Ranksonic.info (New- added Feb 3 2015)
  • Cenoval.ru (New- added Feb 6 2015)
  • o-o-6-o-o.com (New- added Feb 25 2015)
  • Humanorightswatch.org (New- added Mar 4 2015)
  • S.click.aliexpress.com (New- added Mar 17 2015 - Suspected)
  • www1.social-buttons.com (New- added Mar 23 2015 - Suspected)
  • 4webmasters.org (New- added Mar 26 2015 - Suspected)
  • Googlsucks.com (New- added Apr 07 2015)
  • Addons.mozilla.org (New- added Apr 07 2015 - Suspected)
  • Smallseotools.com (New- added Apr 13 2015 - Suspected)
  • Theguardlan.com (New- added Apr 14 2015)
  • Buy-cheap-online.info (New- added Apr 16 2015 - Suspected)
  • Site1.free-share-buttons.com (New- added Apr 29 2015 - Suspected)
  • Sanjosestartups.com (New- added May 25 2015)
  • Trafficmonetize.org (New- added June 03 2015 - Suspected)
  • Howtostopreferralspam.eu (New- added June 09 2015 - Suspected)
  • Www10.free-social-buttons.com (New- added June 16 2015 - Suspected)
  • Getitfree.us (New - added June 18 2015 Ownership cannot be determined. Thank You - Trey Copeland)
  • Www6.free-social-buttons.com (New- added June 18 2015 - Suspected)
  • Erot.co (New- added June 26 2015 - Suspected)
  • 3g2upl4pq6kufc4m.onion (New- added July 04 2015 - Suspected)
  • Traffic2money.com (New- added July 28 2015 - Suspected)

Note: Suspected items do appear to follow the same pattern of ownership, and may not be tied to the same offender.

A rather exhaustive list of spam referrers maintained by Piwik can be found here: https://github.com/piwik/referrer-spam-blacklist/blob/master/spammers.txt (Thank You - user2428118)

To Quote:

BlackHatWorth.com is a relatively new domain created only on January 7th, 2015 which is now being used for referrer spam. As a matter of fact, this referral spam website is being hidden behind the name of shopping search engine and beautiful scenery images.

...the IP address of BlackHatWorth.com which is 78.110.60.230 is the same one associated with other referral spam websites...

In fact, the domain BlackHatWorth.com is owned by the same Russian who owns the other referral spam domains such as ILoveVitaly.com, Econom.co, and Darodar.com. The domain owner’s name is supposedly Vitaly A Popov of Samara (city), Samaraskaya Oblast (state), Russia.

You cannot block this!

From: http://www.blackmoreops.com/2014/12/19/darodar-com-referrer-spam/

To Quote:

Here’s a quick primer on how Google Analytics works.

So, you get set up on GA and get a code from them. The code looks like UA-number-1 or some such thing. That number is your “account number” on GA. Now, this code and a bit of javascript go onto your webpage. Now, somebody visits your page, and their browser runs that javascript code.

That javascript code is what “records” their visit. It makes their browser talk to Google Analytics. Specifically, it makes certain types of HTTP requests that Google records information about, and then GA displays summaries of that information to you.

Pretty basic, right? Still with me? Okay, now, if all it is is this Javascript sending the “visit” to them, then anybody can fake that. Anybody at all. All I have to do to make your GA show false information is to send my fake information directly to GA.

I don’t need to visit your site at all. I don’t need to run javascript at all. I just need to reproduce those HTTP requests, which are public and so anybody can see them and how they work. They’re even fairly well documented, publicly, by Google themselves.

So, now, let’s say I’m a spammer jerk. I want to get people to see my spammy site. So, what do I do? I write a small bit of code to send thousands upon thousands of these fake requests to GA, and I simply cycle through all the UA numbers, in order, at random, whatever. I send a fake visit, with a fake referrer, and my spammy domain name. And guess what? It shows up in your Google Analytics screens.

You see this spam like any other normal visit. Because as far as GA is concerned, it was a normal visit. All they’re recording are those HTTP requests, which normally come from the GA javascript code. But a request is a request, and making a fake one is very, very easy.

That is what is going on. All I need is your UA number and with only a minor bit of effort I can fake a visit to your site without ever actually connecting to your site at all. That fake visit can have any domain name and any referrer in it that I choose.

This is an attack on Google Analytics, to promote whatever site is showing up. You cannot block it on your server, because your server is not involved at all.

You can do two things: one, set up a filter as John Conde suggests; and two, see if there is a way to inform Google. For that I do not have an answer, but I have an idea.

[Update]

This is beginning to reach outrageous proportions from hundreds of spam hits a day to full out advertising such as this one:


The spam is getting out of control. The list is growing, and it is time-consuming and not even efficient to add a filter for each of the spammers, since most of them show up for a few days and then disappear, and a new one comes.

There is a lot of misinformation. The most common mistake is recommending the use of .htaccess: this file blocks access to the website, and although there are a few crawlers (5 or 6) that can be blocked, the vast majority of the spam never accesses your site; it is Ghost Spam.

The best way to stop this type of spam (Ghosts) is by creating a valid hostname filter. The ghost spam uses either a fake or a not-set hostname, so with this filter you don't have to add endless filters; one filter will take care of the old and new spam. I have been using this solution successfully for 3 months.

More information about this method here:

https://stackoverflow.com/a/28354319/3197362
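
The valid-hostname filter described in the answer above, sketched offline as an added example (not part of the original answers and not Google Analytics code): it builds an anchored include pattern from your own hostnames and applies it to constructed report rows. `example.com`, `blog.example.com`, the sample rows and the function names are assumptions.

```python
import re

# Hostnames that really serve your tracking code (assumed; use your own).
VALID_HOSTS = ["example.com", "blog.example.com"]

def build_hostname_pattern(hosts):
    """Anchored, escaped 'include' pattern: listed hosts and their subdomains only."""
    alts = "|".join(re.escape(h.lower()) for h in sorted(set(hosts)))
    return rf"^(.+\.)?({alts})$"

def split_hits(rows, pattern):
    """Return (kept, dropped) the way an include-hostname filter would."""
    rx = re.compile(pattern, re.IGNORECASE)
    kept, dropped = [], []
    for row in rows:
        host = (row.get("hostname") or "").strip().rstrip(".")
        (kept if rx.search(host) else dropped).append(row)
    return kept, dropped

# Constructed sample rows (hostname, referrer); not real report data.
SAMPLE = [
    {"hostname": "example.com", "referrer": "www.google.com"},
    {"hostname": "WWW.Example.com", "referrer": "(direct)"},
    {"hostname": "(not set)", "referrer": "darodar.com"},         # ghost: no hostname
    {"hostname": "darodar.com", "referrer": "ilovevitaly.com"},   # ghost: fake hostname
    {"hostname": "example.com.lomb.co", "referrer": "lomb.co"},   # look-alike hostname
    # Constructed crawler case: the page was really loaded, so the hostname is valid.
    {"hostname": "example.com", "referrer": "crawler-spam.example"},
]

if __name__ == "__main__":
    strict = build_hostname_pattern(VALID_HOSTS)
    kept, dropped = split_hits(SAMPLE, strict)
    print("pattern:", strict)
    for r in dropped:
        print("dropped:", r)
    for r in kept:
        print("kept:   ", r)
    # An unanchored, unescaped pattern lets the look-alike hostname through.
    loose_kept, _ = split_hits(SAMPLE, "example.com")
    print("loose pattern keeps", len(loose_kept), "rows; strict keeps", len(kept))
```

The last sample row stays in the kept set: a hit that carries a valid hostname passes a hostname filter regardless of its referrer, which matches the answer's point that the few crawlers that really visit the site are a separate case from ghost spam.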


You can exclude them by creating a filter. You need to find something specific enough so you don't accidentally block good visitors and it is tedious as you have to manually add each spammer but this will do the trick.