spoof (ghost) spam

The fix

What you're seeing is "referral spam". They are "ghost hits" sent to GA (or whatever analysis you use) via scrupulous scripts. The majority of those bots are not even visiting your site. The scripts are just/only 'spoofing' them to get the victim to visit the sites they 'say' they're coming from. So, do not visit them.

There is NO cure for this (yet). Google is aware, but haven't developed a fix. The only way to get rid of the spoofs is to set a filter in your analytics.

To see what’s what, follow these instructions…

In left (narrow) column: Acquisition > All Traffic > Referrals

Right larger column: Secondary Dimension > type “hostname” (and go there)

If the host name does not match yours, THAT is a 'ghost' and never went to your site ever. It was sent to GA by a malicious script.

The 'source' on left side is what you want to block in .htaccess of those that match your hostname.

Just copy & paste this into your .htaccess (and add to it at will)


# Block fake traffic

# Blocks all http and https referrals and all subdomains from "badsite.com"

RewriteEngine on

Options +FollowSymlinks

RewriteCond %{HTTP_REFERER} ^https?://([^.]+\.)*semalt\.com [NC,OR]

RewriteCond %{HTTP_REFERER} ^https?://([^.]+\.)*free-share-buttons\.com\ [NC,OR]

RewriteCond %{HTTP_REFERER} ^https?://([^.]+\.)*best-seo-solution\.com\ [NC,OR]

# 5/22/2015 new bleeping bots that just came in (eg. of how I keep track)

RewriteCond %{HTTP_REFERER} ^https?://([^.]+\.)*buttons-for-your-website\.com\ [NC,OR]

RewriteCond %{HTTP_REFERER} ^https?://([^.]+\.)*buttons-for-website\.com\ [NC]

RewriteRule ^(.*)$ google.com [L]

(just, make sure everything before the last one has [NC,OR] at the end)

You'll see other ways of typing this on the net, but THIS is the most 'correct way', I have found.

To filter out the 'ghost spam' bots in GA

• Admin > View > Filters > +NEW FILTER (button) >

• Filter Name = Hostname Filter

• Filter type = Custom

• Tick "Include" circle

• Filter Field = Hostname

• Filter Pattern = yoursite\.com|www\.yoursite\.com|translate\.googleusercontent\.com|webcache\.googleusercontent\.com

• Click Filter Verification to see how the results will be (bad on left, clear on right)

• Save


This method will only record yoursite.com & www.yoursite.com (from now-on) and the spoof (ghost) bots should-not-show.

All the corrupt data from before you do this is permanent and nothing you can (really) do.


I just did this yesterday. So, I await the final results and hopefully, there will be no more corrupted data.

However... It is important to block the 'actual' badbots in .htaccess (you can find them by following my prior post)


The 2nd method to block them is as follows... (for .htaccess) This can be included with 1st method as well.

copy exactly this... (and add to it at-will)


# having the pound-sign before this text is like a 'comment' and will not execute

# I put the date (usually) before all my code for referrence, later

# 5/21/2015 from that Thrasher guy

SetEnvIfNoCase Referer buttons-for-website.com spammer=yes

SetEnvIfNoCase Referer buttons-for-your-website.com spammer=yes

SetEnvIfNoCase Referer social-buttons.com spammer=yes

SetEnvIfNoCase Referer semalt.com spammer=yes

# 5/22/2015 new bleeping bots that just came in (eg. of how I keep track)

SetEnvIfNoCase Referer best-seo-offer.com spammer=yes

SetEnvIfNoCase Referer best-seo-solution.com spammer=yes

SetEnvIfNoCase Referer libnet.info spammer=yes

SetEnvIfNoCase Referer o00.in spammer=yes

SetEnvIfNoCase Referer wow.com spammer=yes

SetEnvIfNoCase Referer semalt.com spammer=yes

Order allow,deny

Allow from all

Deny from env=spammer


Just, be sure to not block 'good' bots, unless you don't care about traffic.


Another thing I found (haven't tried yet) is to change the UA-XXXXXXXX-1 to something like UA-XXXXXXXX-32 but...

I haven't really researched this yet. So, don't do it unless you're sure!

See... The evil-people have taken your unique code and send fake hits to your analysis. The analysis people have to make a way to 'validate' the incoming data first! This world is becoming very bad for the Internet! ugh!