I've started seeing what appears to be another version of this: 100dollars-seo.com

Ugh, thanks for the tip. My existing format

SetEnvIf Referer seo- keep_out

wouldn't catch that one. I guess "seo\b" would, though.

Anyone got a crossword dictionary? I can't think of any word-- at least not in any language that appears on my site-- that would use the letter sequence s,e,o. I happen to have an in-preparation ebook open in another window; text search heroically comes through with "Tōmaseolauktok", "Sātanaseovok" and "Sātanaseonerarpā". If you are not a Moravian missionary working in southern Labrador, these are probably not cause for concern.

Yup, this variant has shown up on my site too.

<sub>$ grep seo /usr/dict/words | wc
67 67 890
$
So 67 words, including for examples: gaseous, museology, phraseological, houseowner
osseocartilaginous(!)

oh and my favourite: nauseous :)</sub>

This one got caught yesterday in a filter .php?u=http:// , as I mentioned before.....

79.22.241.85
host85-241-dynamic.22-79-r.retail.telecomitalia.it

190.160.254.76
pc-76-254-160-190.cm.vtr.net

Ref redirects to semalt

New variation:

htp://nnnnnnnn.videos-for-your-business.com where nnnnnnnn is a numerical id maybe of the site they are trying to spam, I guess?..

Redirects to semaltmedia, as expected.

They're gambling-- probably correctly-- that most sites use too many anchors and so nothing involving {random-element-here} will ever get blocked. Much like the junk mail that gets past your filters by intentionally misspelling a word or saying "p0rn" and similar.

Are there any legitimate sites whose names include the element

-for-

with hyphens? (As in "buttons-for-your-etcetera".)

-for- domains - I used to manage sites such as treats-for-women so it's possibly valid.

More details about the newest usual suspects:

.semaltmedia.com (93.190.142.201) [myip.ms...]

.videos-for-your-business.com
EG:
342419.videos-for-your-business.com (217.23.7.180)
=> '20 live websites using this IP now': [myip.ms...]

:: detour to look up 217.23.7.180 ::

Dutch server farm WorldStream, so that's safe to block. It's the ones from infected human computers that are more vexatious. My referer lockout has long since been reduced to unanchored "semalt", but I guess neither \bfor\b nor \byour\b is 100% safe..

including for examples: gaseous, museology, phraseological, houseowner
osseocartilaginous(!)

oh and my favourite: nauseous

Well, there you go. I wouldn't have thought of the word element "-seous", nor yet "osseo-" ... and I wouldn't be surprised if my own site contains the word "phraseology" somewhere. (I was disappointed to find that phraseology dot com is simply parked. I was hoping to find good stuff.)

Can you get banned from search engines for being known to do referrer spamming on such level, I mean all the related semalt domains in question? Is it really the semalt staff that is responsible for all this nonsense or will sematl & co will later try to wiggle their sorry e`sses out of it?

This is all over the NET. It's been a while too...

How one could go to work, well I am pretty sure just a room over, in AM knowing that the rest of the profession looks at "the" like a bunch of loosers?

just saying....

Can you get banned from search engines for being known to do referrer spamming on such level

You'd think so, wouldn't you, but a site: search came up with "About 5,870 results" for semalt.com. (I know you can do a null search, but I searched for "e". Disappointingly, there were no ads offering best prices on "e". I've seen those in the past when experimenting.)

Then again-- wouldn't that be a textbook case of something somebody else's disreputable site would do to get the competition into trouble? I'm sure there have been threads about it. Several hundred, probably.

My lockout now says

(videos|buttons)-for

Edit: I yielded to temptation and asked the computer to find "phraseology" on my site. The word does in fact occur-- but only in ebooks, darn it.

"Hello semalt, my old friend" sounds like a Neil Diamond song.

Huh. I thought it was Paul Simon.

We have a winnah! [en.wikipedia.org...]

Has anyone seen success-seo.com

Not very original in the new-names department, are they? Haven't seen it, but it's the same gang o' pests. [myip.ms...]

(I'm *this* close to dropping the annoying CIDR lot via iptables.)

Has anyone seen success-seo.com

Yep, just showed up on 2 sites

ref: success-seo.com/try.php?u=http://domain.com

Do any legitimate sites have pages called try.php? Seems like that would be a pretty safe referer block. Just don't forget the anchor; if someone over at example.co.uk/hotels/coventry.php is talking about you, they're probably legit.

You may or may not be able to lock out requests whose referer includes your own domain name. That is: it's obviously possible, but you have to be careful to exclude legitimate search engines.

:: detour to own htaccess ::

I've got a bunch of rules that mention the sitename in a RewriteCond, but most of them are site-specific (like requests for inner pages claiming to give the root as referer). There are also some fake Yandex referers that use "text=example.com", where "text=" means the original search string, not the result. My sites are simply not that well-known ;).

Do any legitimate sites have pages called try.php? Seems like that would be a pretty safe referer block.

I block "seo" in refer, request and UA.

Do any legitimate sites have pages called try.php? Seems like that would be a pretty safe referer block.

the ref rule that blocked this request was .php?u=http://, it passed a headers test and the country IP for these sites.

I don't know about just try.php? though.

IMO blocking .php?u=http:// is not a wise move. I get legitimate referrers daily, YMMV.

Also, depending on your server config, blocking parameters doesn't always work.

blocking .php?u=http:// is not a wise move

What would be some legitimate users of this configuration? Is "u" a widely used parameter name?

blocking parameters doesn't always work

I think all of these are in the referer, at which point it isn't really a parameter at all; it's just one long string that happens to contain a question mark. Or even a percent-encoded nest of them, like %252525253F. If you were blocking a literal question mark it would probably have to be expressed as \?

Is "u" a widely used parameter name?

I don't know about "widely used" but I see it. Parameters can vary widely, often the result of DB queries, so blocking some of them is a gamble - just say'n.

But why add code to your htaccess that only deals with this one bad actor? Wouldn't it be more succinct to control access by IP address or header fields?

worldstream.nl
93.190.136.0/21
93.190.136.0 - 93.190.143.255

I use both .htaccess and preferred programming language. Once I am sure that the rule is ripe for .htaccess it goes there. The ".php?u=http://" rule is actually in application CODE. So far the only thing it has matched was all the semalt crap that we all see.

This is what in HTACCESS:

RewriteCond %{HTTP_REFERER} semalt\.com [NC,OR]
RewriteCond %{HTTP_REFERER} buttons-for-website\.com [NC,OR]
RewriteCond %{HTTP_REFERER} buttons-for-your-website\.com [NC,OR]
RewriteCond %{HTTP_REFERER} sharebutton\.net [NC,OR]
RewriteCond %{HTTP_REFERER} best-seo-solution\.com [NC,OR]
RewriteCond %{HTTP_REFERER} best-seo-offer\.com [NC,OR]
RewriteCond %{HTTP_REFERER} 100dollars-seo\.com [NC,OR]
RewriteCond %{HTTP_REFERER} videos-for-your-business\.com [NC,OR]
RewriteCond %{HTTP_REFERER} success-seo\.com
RewriteRule .* - [F]

All ref sites above were caught by this rule:

if referrer string contains ".php?u=http://"
 then
  record IP;
  record headers;
  null response = 403;

note that // in that string are unencoded, from what I have seen so far it works for me.

This does the same:

RewriteCond %{HTTP_REFERER} (button|for-your-|semalt|seo)
RewriteRule .* - [F]

This is what in HTACCESS:

That's way too many lines. An unanchored

buttons-for
-seo

would take care of six of your existing lines right there.

note that // in that string are unencoded

Most things are disencoded before they reach the part of your server that interprets requests. You'll only see percent-encoding if there's nesting, for example if a query string contains an earlier query string (as in an analytics request giving all information at once, or the part of a search-engine referer that gives your URL). Or, of course, if the request came from a stupid robot that's blindly copying-and-pasting without thinking about what it's doing.

> php?u=http

I made a comment on that Apr 12th. Not a good thing.

Ooooopa!

Just caught another one, new one to me:

http:// rankings-analytics.com/try.php?u=http://example.com

which brings it to

#semalt referrer spam
RewriteCond %{HTTP_REFERER} (button|for-your-|semalt|seo|--production|x00_|-anal)
RewriteRule .* - [F]

:), sorry couldn't resist ..

Seems harmless, so long as you don't have an informational site in the proctology field ;)

It must be a new robot; my most recent addition to shared htaccess is the line

SetEnvIf Referer rankings-analytics keep_out

It seems to be popular with infected human browsers, because all the visits I saw (in the, hm, two days' logs before I caught up to it) were fully humanoid.

I used to manage sites such as treats-for-women

The wording on the shingle hanging outside my door.