Semalt, Kambasoft, Ranksonic, Buttons-for-website – Referer Spammers, Referer Phishing

[bill]

Hello, AITpro.

Had a question: Under referrers in my site stats (for multiple sites), I’ve been noticing a “semalt.com crawler” link on average at lease once a day. I read a little bit about it here: http://en.forums.wordpress.com/topic/semaltcom-2. Because of BPS, I know my sites are secure, but would you consider this daily crawl to be an attempt against my respective sites?

Just wanted to know your thoughts because the referrer is actually a link and I’ve been tempted to click on it once or twice to see what it was.

Thanks.

[AITpro Admin]

semalt.com is a known domain used in a Referer stats phishing scam.  The goal is to get you click on the referer link in your stats for probably 2 reasons.  Increased traffic to semalt.com and the possibility that you will buy their SEO services.

http://wordpress.org/support/topic/advise-1/page/2#post-5129764

If you have a stat counter plugin that is still logging the semalt.com domain in your stats you can wrap your stats counter code in this conditional wrap so that the semalt.com Referer will no longer be logged in your stats.

<?php if ( !preg_match('/semalt\.com/', $_SERVER['HTTP_REFERER']) ) { ?>
// your statcounter code goes here
<?php } ?>

[bill]

Thank you for the history on these guys. I’m actually using Jetpack/Wordpress.Com for stats. Could the same code (you’ve graciously provided) be used?

[AITpro Admin]

Jetpack is aware of this issue, but does not have a working solution yet:  http://wordpress.org/support/topic/block-semaltcom-from-jetpack-stats#post-5835489  This is a nuisance issue and not a security issue and it is not really that important.

[bill]

Ok, thank you.

[AITpro Admin]

UPDATE 3-5-2015: Added a couple more Referer Spammer domains to the code below: ranksonic.info and buttons-for-website.com.  Also see Additional Notes below.  Added to the Bonus Custom Code tag/list:  https://forum.ait-pro.com/forums/topic/block-referer-spammers-semalt-kambasoft-ranksonic-buttons-for-website/

1.  Copy the code below to this BPS Root Custom Code text box:  CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE: Add miscellaneous code here 
2.  Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

I did some testing with this code below to block/forbid semalt.com and a sister site kambasoft and I no longer see any semalt.com Referer stats being logged/tracked in Google Analytics.

# Block/Forbid Referer Spam
RewriteCond %{HTTP_REFERER} ^.*(ranksonic\.|semalt\.|kambasoft\.|buttons-for-website\.).*$ [NC]
RewriteRule ^(.*)$ - [F]

Additional Notes: Originally when semalt was the only Referer spammer using this form/method of Referer spamming/phishing it was not such a big deal, but now there are other sites using this same form/method of Referer spamming/phishing so now you have a combined total vs just semalt doing this and of course expect more Referer spamming/phishing sites to spring up and start doing this. On a client site that gets a relatively low amount of traffic I noticed a spike in traffic on one particular day. It was the ranksonic.info Referer spamming site that made 1,473 visits in one day. The client thought this was great until I explained what it really meant and also showed the negative impact to the Google Analytics Bounce Rate and other GA Metrics. You can of course filter out data in Google Analytics to get actual valid GA data/reports, but it is at bare minimum a nuisance.

[bill]

Thanks, AITpro. Very interesting…

Quick question: which section of the custom code would I insert the code you’ve provided?

[AITpro Admin]

The code would go in this BPS Root Custom Code text box:  CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE: Add miscellaneous code here 
Click the Save Root Custom Code button.
Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

[bill]

Awesome. My sincerest thanks.

[Tom]

[Topic has been merged into this relevant Topic]

In Google Analytics I can see a lot of sessions lasting 00:00:00 and coming from these sites (which have nothing to do with the topic of my web site):

make-money-online.7makemoneyonline.com
search.tb.ask.com
semalt.semalt.com
buttons-for-website.com

I added the offenders to my root htaccess file:

# DENY SPAMMER REFERERS
SetEnvIfNoCase Via evil-spam-proxy spammer=yes
SetEnvIfNoCase Via pinappleproxy spammer=yes
SetEnvIfNoCase Referer adult spammer=yes
SetEnvIfNoCase Referer baixar-musicas-gratis.net spammer=yes
SetEnvIfNoCase Referer blackjack spammer=yes
SetEnvIfNoCase Referer buttons-for-website.com spammer=yes
SetEnvIfNoCase Referer cialis spammer=yes
SetEnvIfNoCase Referer descargar-musica-gratis.net spammer=yes
SetEnvIfNoCase Referer doobu.com spammer=yes
SetEnvIfNoCase Referer poker spammer=yes
SetEnvIfNoCase Referer casino spammer=yes
SetEnvIfNoCase Referer cazino spammer=yes
SetEnvIfNoCase Referer diet-pills spammer=yes
SetEnvIfNoCase Referer evil-spam-domain.com spammer=yes
SetEnvIfNoCase Referer evil-spam-keyword spammer=yes
SetEnvIfNoCase Referer gambling spammer=yes
SetEnvIfNoCase Referer kasino spammer=yes
SetEnvIfNoCase Referer make-money-online.7makemoneyonline.com spammer=yes
SetEnvIfNoCase Referer medici spammer=yes
SetEnvIfNoCase Referer medica spammer=yes
SetEnvIfNoCase Referer insur spammer=yes
SetEnvIfNoCase Referer kambasoft.com spammer=yes
SetEnvIfNoCase Referer levitra spammer=yes
SetEnvIfNoCase Referer poker spammer=yes
SetEnvIfNoCase Referer roulet spammer=yes
SetEnvIfNoCase Referer savetubevideo.com spammer=yes
SetEnvIfNoCase Referer search.tb.ask.comm spammer=yes
SetEnvIfNoCase Referer semalt.com spammer=yes
SetEnvIfNoCase Referer semalt.semalt.com spammer=yes
SetEnvIfNoCase Referer slot-machine spammer=yes
SetEnvIfNoCase Referer srecorder.com spammer=yes
SetEnvIfNoCase Referer texas-hold-em spammer=yes
SetEnvIfNoCase Referer texasholdem spammer=yes
SetEnvIfNoCase Referer viagra spammer=yes
SetEnvIfNoCase Referer virtuel spammer=yes
SetEnvIfNoCase Referer pharma spammer=yes
Order allow,deny
allow from all
deny from env=spammer

Is this traffic doing any harm to my web site? Is it a virus redirecting to my site?

My web site significantly dropped in Google search results and I am wondering if these semalt and makemoney sessions have anything to do with this.

[AITpro Admin]

@ Tom – This is known as Referer Phishing or Referer Spamming.  I believe the only impact these Referer phishing/spamming sites can cause is to affect your Alexa rankings or skew your Google Analytics info.  They cannot harm or affect your Google ranking.

[Tom]

Thank you AITpro! I think my htaccess generated with BPS Pro blocks Semalt.com et al. (they did not appear in my recent stats). Now that I understand referrer phishing I am not worried any more.

[AbZu2]

Just installed BPS and would like confirmation that spammers can be added at the end of the root htaccess file. In my fresh install the last line is :

# Use BPS Custom Code to add custom code and save it permanently here.
would like to add a SetEnvIfNoCase Referer list after inserting the following after the above mentioned line:

# DENY SPAMMER REFERERS

TIA

[AITpro Admin]

Yes. That is correct.

The code would go in this BPS Root Custom Code text box:  CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE: Add miscellaneous code here 
Click the Save Root Custom Code button.
Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

[AbZu2]

Great. Thank you very much. Excellent and much needed plugin. Was trying to block buttons-for-website.com and consider this plugin to have been the easiest solution. Kudos.

[Author]

Posts