I've been seeing that one too, coming from various countries around the world. I didn't know about the connection with Semalt. Anyway, I'm going to add best-seo to my referer snippet block list.

For quite a while I didn't have to think about these, because a header-based lockout took care of 'em all. But lately they may have gotten wise-- or maybe some browsers send the same headers whether their robotic masters* ask them to or not-- because I'm again seeing the occasional buttons-for-website, another perennial referer-spam favorite. Darn it all.


* Inescapable mental picture of Roger Delgado and/or Anthony Ainley here.

I found the seo one a few days ago and re-blocked using new criteria. I had previously turned off checking for them because of a conflict with real browsers.

I've noticed over the past several months that many browsers now omit or adversely modify some critical headers. Browsers - actually I think it may be firewalls and AV tools doing it to avoid time-consuming data conversions. Whatever, the reasonably setup HTTP/1.1 is being reverted to look and act more like HTTP/1.0 in several cases now.

I block "seo" in UA string

I've noticed over the past several months that many browsers now omit or adversely modify some critical headers.

I've noticed over the past several months that the primary purpose of Android devices is to play havoc with all rules and patterns I have formulated for all purposes everywhere.

Android loves to play havoc with Apple users.

The visits this one makes to my sites don't have "seo" in the UA string:

Host: 189.107.25.133
/
Http Code: 403 Date: Apr 09 14:49:35 Http Version: HTTP/1.1 Size in Bytes: 13
Referer: http:// best-seo-solution.com/try.php?u=http://example.com
Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36

I blocked it by adding "best-seo" to my list of referer snippets to block.

[they] don't have "seo" in the UA string

The "seo" is always in the fake REF, not the UA. But like keyplyr, I block "seo" anywhere and everywhere. Ditto "buttons," courtesy of the semalt-similar fake REF that lucy mentioned:

http://buttons-for-website.com

More about both: [specializeddigitalmarketing.com...]

You're right. There are some for which blocking with referer snippets seems to be the best approach. But I usually only block the worst offenders -- my current list of snippets includes: chimiver|poker|trustcombat|escort|semalt|airport|buttons|best-seo|prostitutki and a dozen or so others.

But it's not worth the trouble to block most of them. And most of them will stop coming eventually anyway.

Any hit that drags a parameter including my domain gets blocked, so the above examples get blocked for several reasons.

Just a FYI - semalt.com hosts at:
WorldStream
217.23.0.0/20
217.23.0.0 - 217.23.15.255

However, I'm aware these hits come from many compromised IPs.

Any hit that drags a parameter including my domain gets blocked

That seems risky to me. Because sometimes a person will type your domain into the Google or Bing search box, specifically looking to find your site. It's true that Google usually doesn't send the search term, but sometimes it does. And in that case you would be blocking a real person, in fact a real person who is specifically looking for your site.

Any hit that drags a parameter including my domain

I had to add an anchor to one referer in a RewriteCond after realizing that all search-engine hits include the full page URL in the referer. Well, not so much now that The World's Leading Search Engine has taken to sending only the barebones https, but it used to be standard.

otoh, I think the chances are approximately zero that someone in Russia would be looking for my domain by name, so I have a particular lockout* for one pattern of yandex referers.

Edit:

More about both

I fed the linked site into three different accessibility checkers. (Well, you knew I would do this, didn't you?) Results were not happy; aside from the obvious issue of contrast, two of the three also cited a risk of seizure-inducing flashes.


*Technically a redirect, allowing for the remote possibility that there is a human at the other end.

@aristotle - obviously I poke holes :)

keyplyr -- Sorry for the confusion. Originally, I just took your statement strictly literally. Then after i made my post, I began to think that you probably do something to account for exceptions and special cases. I only know the simple basic techniques, not the advanced sophisticated methods that you and the other regulars here use.

A companion has appeared: best-seo-offer.com

Huh. That may be a be a new/replacement name/scheme. As keyplyr mentioned, WorldStream, the same ISP hosting semalt and scores of other pestilences --

customer.worldstream.nl
217.23.7.144

-- also has this current data:

Websites on this IP Now:
2 are live websites using this IP (217.23.7.144) NOW -
buttons-for-your-website.com
best-seo-offer.com

Not Working Websites on IP:
1 not working website. This IP 217.23.7.144 is the last known IP address for -
best-seo-solution.com

Source: [myip.ms...]

More on the same IP: website-errors-scanner.com ; baixar-musicas-gratis.com

Someone's actually monetizing this junk? Go figure.

189.105.21.255 (Brasil)
UA: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36
RF: buttons-for-your-website.com

Not just a website, for YOUR website now..

What's interesting that "best-seo-solution" ones all pull the images from 403 page in a subsequent request.

There is a clear pattern that simple log spamming going on. I did some digging around and it seems that having .php?u=http://yourdomain.tld in referrer would pretty much cover them all at this point, not just semalt related junk. Or even .php?u=http:// for that matter.

baixar-musicas-gratis.com

Oh, hey, I remember them. Don't know if I still have an unconditional block on "musicas" in the referer, but I know at one time I did.

But honestly now, baixar musicas gratis? I don't even know what "baixar" means and it still smells like a pirate site.

Not long ago a friend spoke of downloading music from the Internet "back when it was legal". Er, no. It was never legal. It just used to be easier.

blend - I tried that code block but it stopped input from (eg) facebook, twitter, ...

Nothing about this one is easy from a headers/referers stance. And as noted above, the situation is not helped by ordinary browsers, firewalls and AV tools changing their headers. Proxies - they have always been a thorn in the lion's paw. :(

Seems like a lot of futile effort toward log spam :)

Definitely not futile if the sole object is to get people talking about you-- in a reputable, indexed venue, at that.

Well they better spell my name correct on the royalty check!

@dstiles
Not sure about twitter, but I think the only ref that comes with .php?u= from Facebook is
.php?u=http%3A%2F%2F , where as the spammers in question are using .php?u=http:// in the ref.

It wasn't only those two. I forget the others but it was not a good thing to block.

What are the numbers folks are seeing? I've been hit 8 times this month (since the first) and 12 times last month. There's some referer spam just not worth chasing, particularly since my logs are not visible to anyone.

From the best-seo folks, hits average twice a day on my main site. (Similar to semalt, etc.) Granted, not enough to get exercised about on their own. But I've no clue what they're up to, plus the hits are usually from cesspool'esque ISPs/countries so prevention's worth a ton of protection over time.

the hits are usually from cesspool'esque ISPs/countries

For me the vexatious thing about semalt and similar is that they largely come from human IPs in selected regions. ("If you can't drink the water, is your browser safe?") Now granted I don't have any Portuguese-language content, but if any human in Brazil has highly unusual interests, I would hate to slam the door in their faces.

My main concerns are...

1. what information are they collecting from my sites?

2. my clients sometimes view their stats (not often - lazy lot!) and may click on one of these criminal sites - criminal because they could easily be homes for launching viruses but in any case are stealing my bandwidth and time (ok, minimal, but actionable).