Welcome to WebmasterWorld Guest from 34.238.192.150

Forum Moderators: Ocean10000

Message Too Old, No Replies

best-seo-solution

Hello semalt, my old friend

     
2:52 am on Apr 7, 2015 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 5, 2005
posts: 2067
votes: 2


Previously, about semalt, the relentless fake referrer:

Semalt | Referrer spamming gone mad.
[webmasterworld.com...]

sub-semalt
[webmasterworld.com...]

And now, its new cloak:

http://best-seo-solution.com/try.php?u=http://example.com


(The one I just saw came from, where else? Brazil.)

More details here: "How to stop best-seo-solution.com Referral Spam?" [ohow.co...]
8:46 pm on Apr 7, 2015 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3672
votes: 374


I've been seeing that one too, coming from various countries around the world. I didn't know about the connection with Semalt. Anyway, I'm going to add best-seo to my referer snippet block list.
11:43 pm on Apr 7, 2015 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15934
votes: 888


For quite a while I didn't have to think about these, because a header-based lockout took care of 'em all. But lately they may have gotten wise-- or maybe some browsers send the same headers whether their robotic masters* ask them to or not-- because I'm again seeing the occasional buttons-for-website, another perennial referer-spam favorite. Darn it all.


* Inescapable mental picture of Roger Delgado and/or Anthony Ainley here.
7:38 pm on Apr 8, 2015 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:May 14, 2008
posts:3286
votes: 19


I found the seo one a few days ago and re-blocked using new criteria. I had previously turned off checking for them because of a conflict with real browsers.

I've noticed over the past several months that many browsers now omit or adversely modify some critical headers. Browsers - actually I think it may be firewalls and AV tools doing it to avoid time-consuming data conversions. Whatever, the reasonably setup HTTP/1.1 is being reverted to look and act more like HTTP/1.0 in several cases now.
5:56 am on Apr 10, 2015 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


I block "seo" in UA string
7:08 am on Apr 10, 2015 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15934
votes: 888


I've noticed over the past several months that many browsers now omit or adversely modify some critical headers.

I've noticed over the past several months that the primary purpose of Android devices is to play havoc with all rules and patterns I have formulated for all purposes everywhere.
7:49 am on Apr 10, 2015 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


Android loves to play havoc with Apple users.
10:19 am on Apr 10, 2015 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3672
votes: 374


The visits this one makes to my sites don't have "seo" in the UA string:
Host: 189.107.25.133
/
Http Code: 403 Date: Apr 09 14:49:35 Http Version: HTTP/1.1 Size in Bytes: 13
Referer: http:// best-seo-solution.com/try.php?u=http://example.com
Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36

I blocked it by adding "best-seo" to my list of referer snippets to block.
11:21 am on Apr 10, 2015 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 5, 2005
posts: 2067
votes: 2


[they] don't have "seo" in the UA string

The "seo" is always in the fake REF, not the UA. But like keyplyr, I block "seo" anywhere and everywhere. Ditto "buttons," courtesy of the semalt-similar fake REF that lucy mentioned:

http://buttons-for-website.com


More about both: [specializeddigitalmarketing.com...]
11:54 am on Apr 10, 2015 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3672
votes: 374


You're right. There are some for which blocking with referer snippets seems to be the best approach. But I usually only block the worst offenders -- my current list of snippets includes: chimiver|poker|trustcombat|escort|semalt|airport|buttons|best-seo|prostitutki and a dozen or so others.

But it's not worth the trouble to block most of them. And most of them will stop coming eventually anyway.
12:07 pm on Apr 10, 2015 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


Any hit that drags a parameter including my domain gets blocked, so the above examples get blocked for several reasons.

Just a FYI - semalt.com hosts at:
WorldStream
217.23.0.0/20
217.23.0.0 - 217.23.15.255

However, I'm aware these hits come from many compromised IPs.
4:15 pm on Apr 10, 2015 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3672
votes: 374


Any hit that drags a parameter including my domain gets blocked

That seems risky to me. Because sometimes a person will type your domain into the Google or Bing search box, specifically looking to find your site. It's true that Google usually doesn't send the search term, but sometimes it does. And in that case you would be blocking a real person, in fact a real person who is specifically looking for your site.
7:23 pm on Apr 10, 2015 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15934
votes: 888


Any hit that drags a parameter including my domain

I had to add an anchor to one referer in a RewriteCond after realizing that all search-engine hits include the full page URL in the referer. Well, not so much now that The World's Leading Search Engine has taken to sending only the barebones https, but it used to be standard.

otoh, I think the chances are approximately zero that someone in Russia would be looking for my domain by name, so I have a particular lockout* for one pattern of yandex referers.

Edit:
More about both

I fed the linked site into three different accessibility checkers. (Well, you knew I would do this, didn't you?) Results were not happy; aside from the obvious issue of contrast, two of the three also cited a risk of seizure-inducing flashes.


*Technically a redirect, allowing for the remote possibility that there is a human at the other end.
8:27 pm on Apr 10, 2015 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


@aristotle - obviously I poke holes :)
8:38 pm on Apr 10, 2015 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3672
votes: 374


keyplyr -- Sorry for the confusion. Originally, I just took your statement strictly literally. Then after i made my post, I began to think that you probably do something to account for exceptions and special cases. I only know the simple basic techniques, not the advanced sophisticated methods that you and the other regulars here use.
11:04 pm on Apr 10, 2015 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3672
votes: 374


A companion has appeared: best-seo-offer.com
1:34 am on Apr 11, 2015 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 5, 2005
posts: 2067
votes: 2


Huh. That may be a be a new/replacement name/scheme. As keyplyr mentioned, WorldStream, the same ISP hosting semalt and scores of other pestilences --

customer.worldstream.nl
217.23.7.144

-- also has this current data:

Websites on this IP Now:
2 are live websites using this IP (217.23.7.144) NOW -
buttons-for-your-website.com
best-seo-offer.com


Not Working Websites on IP:
1 not working website. This IP 217.23.7.144 is the last known IP address for -
best-seo-solution.com

Source: [myip.ms...]

More on the same IP: website-errors-scanner.com ; baixar-musicas-gratis.com

Someone's actually monetizing this junk? Go figure.
2:38 pm on Apr 12, 2015 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2004
posts:1997
votes: 75


189.105.21.255 (Brasil)
UA: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36
RF: buttons-for-your-website.com

Not just a website, for YOUR website now..

What's interesting that "best-seo-solution" ones all pull the images from 403 page in a subsequent request.
3:03 pm on Apr 12, 2015 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2004
posts:1997
votes: 75


There is a clear pattern that simple log spamming going on. I did some digging around and it seems that having .php?u=http://yourdomain.tld in referrer would pretty much cover them all at this point, not just semalt related junk. Or even .php?u=http:// for that matter.
7:55 pm on Apr 12, 2015 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15934
votes: 888


baixar-musicas-gratis.com

Oh, hey, I remember them. Don't know if I still have an unconditional block on "musicas" in the referer, but I know at one time I did.

But honestly now, baixar musicas gratis? I don't even know what "baixar" means and it still smells like a pirate site.

Not long ago a friend spoke of downloading music from the Internet "back when it was legal". Er, no. It was never legal. It just used to be easier.
8:08 pm on Apr 12, 2015 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:May 14, 2008
posts:3286
votes: 19


blend - I tried that code block but it stopped input from (eg) facebook, twitter, ...

Nothing about this one is easy from a headers/referers stance. And as noted above, the situation is not helped by ordinary browsers, firewalls and AV tools changing their headers. Proxies - they have always been a thorn in the lion's paw. :(
8:31 pm on Apr 12, 2015 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


Seems like a lot of futile effort toward log spam :)
11:00 pm on Apr 12, 2015 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15934
votes: 888


Definitely not futile if the sole object is to get people talking about you-- in a reputable, indexed venue, at that.
11:08 pm on Apr 12, 2015 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


Well they better spell my name correct on the royalty check!
9:50 am on Apr 13, 2015 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2004
posts:1997
votes: 75


@dstiles
Not sure about twitter, but I think the only ref that comes with .php?u= from Facebook is
.php?u=http%3A%2F%2F , where as the spammers in question are using .php?u=http:// in the ref.
6:57 pm on Apr 13, 2015 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:May 14, 2008
posts:3286
votes: 19


It wasn't only those two. I forget the others but it was not a good thing to block.
4:34 am on Apr 14, 2015 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:10569
votes: 1124


What are the numbers folks are seeing? I've been hit 8 times this month (since the first) and 12 times last month. There's some referer spam just not worth chasing, particularly since my logs are not visible to anyone.
2:16 pm on Apr 14, 2015 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 5, 2005
posts: 2067
votes: 2


From the best-seo folks, hits average twice a day on my main site. (Similar to semalt, etc.) Granted, not enough to get exercised about on their own. But I've no clue what they're up to, plus the hits are usually from cesspool'esque ISPs/countries so prevention's worth a ton of protection over time.
8:22 pm on Apr 14, 2015 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15934
votes: 888


the hits are usually from cesspool'esque ISPs/countries

For me the vexatious thing about semalt and similar is that they largely come from human IPs in selected regions. ("If you can't drink the water, is your browser safe?") Now granted I don't have any Portuguese-language content, but if any human in Brazil has highly unusual interests, I would hate to slam the door in their faces.
9:29 pm on Apr 14, 2015 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:May 14, 2008
posts:3286
votes: 19


My main concerns are...

1. what information are they collecting from my sites?

2. my clients sometimes view their stats (not often - lazy lot!) and may click on one of these criminal sites - criminal because they could easily be homes for launching viruses but in any case are stealing my bandwidth and time (ok, minimal, but actionable).
This 61 message thread spans 3 pages: 61