Welcome to WebmasterWorld Guest from 126.96.36.199
I've never seen this before. Typically my Google referrals look like [google.com...]
Anyone else see this in the last 36 hours? What could be causing this, and why would it just happen all of a sudden and not one single time in the past 4+ years prior?
Have you checked the IP/Host WHOIS info of the apparent referrers? (dnsstuff-dot-com; whois-dot-sc) Doing so will give you some idea as to whether the iffy visitors appear to be hailing from blacklisted hosts, high-risk countries, etc.
I clicked on the Google references and told him "this is what pages Google searchers found me from"....and YIKES...straight from the search page? What's up? I thought it was some kind of hack or firewall as already mentioned.
Never seen this in 4 yrs.?
Have you checked the IP/Host WHOIS info of the apparent referrers?
Are you talking about the actual visitors IP, or the referring pages? If you are speaking in terms of finding the IP of where the user was referred from, currently all I have setup is a way to track the referring page. I will look into a way to record the IP as well... does anyone do this currently?
So let's see. About suspect referers and such --
Perhaps the following will give you some ideas/options, or even peace of mind if you have the mind-bogglingly wonderful (& just plain mind-boggling) mod_rewrite. (See WW's Apache Web Server Forum)
There are perfectly innocent reasons for a lack of referer headers, from bookmarks to hardware. Also, hiding referer headers is increasingly billed as a 'personal privacy feature' in software because others can't see where you've been (us server-protective log addicts being amongst the untrusted others. Alas.). The current crop of easily obtained software referer hiders includes Norton's "Privacy Control" component and (too) many Firefox extensions.
What to do if visitors are iffy?
Well, I redirect them via mod_rewrite (302) to a plain IP where they're met with a page indicating something's awry and urging them to e-me (address is a graphic) and include all the data on the page. The page captures and shows their UA, and IP/HOST info so it's a quick and easy way for me to troubleshoot.
FWIW, more times than not visitors reply along the lines of: "I'm a computer dummy. My (son, grandson, daughter, nephew, handyman, neighbor) installed everything on this machine for me..." I don't fret about those folks, but it is time-consuming to educate them about what to uncheck or undo.
The visitors I eyeball a lot more closely are those whose referer headers and/or UAs are obviously faked. Like visitors appearing to refer from Google but minus variables. Like the UA I saw yesterday:
Okay, so that was an easy one:) And probably someone just goofing around. But if they know enough to goof around -- to not just 'blank' a referer or UA but go a step further and actually swap in something else -- they may also know enough to be dangerous, either accidentally or on purpose. (Read: Script Kiddies.) Maybes get mod_rewrited (302) straight away and sometimes they end up e-mailing an apology!
3.) NO WAY
This is my YIKES category -- the visitors whose browsing behavior gets me to hang up the phone or set something else aside and hunker down in order to act quickly.
These include visitors with UAs allllmost akin to real ones and they can be tough to spot. But if a visitor has an iffy UA, and no referer info, and a suspect IP/Host, and/or they hit and run (home page; no graphics) or hit too quickly (1-3 pps), and/or trigger various hidden traps, then I immediately rewrite them (403) to yet another special page (where pertinent details are logged via "exec cmd") and see if I ever hear from them again. I don't, probably because real people aren't even at the other end.
(Aside: Notorious UAs, from e-mail suckers to site scrapers, are blocked from the get-go. Also, suspect hosts include a staggering number of Africa- and Asia-based IPs, and lately, the Netherlands. Those get coded into the firewall by the block-full.)
Yikes! That was a lot of unsolicited info:) Hopefully some of it will be helpful to somebody!
Hmm. Like the other comments, in umpteen years I've never seen that. Nor anything like this, which has the same hop-to effect:
But again, good thinking there, Freq:) Do you suppose the short form is a GET and the latter an 'exposed' POST?
news.google.com is one that brings me quite a bit (in the past I just had to guess whether I was getting traffic from there based on the keywords I saw people using to find me)...there is also google[organic], google.com[referral], and images.google.com.
This stuff all started happening in the past few days, and I've been using the google stats for over a month now.