More semalt variations

         

blend27

3:20 pm on Mar 11, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



ip: 179.212.0.0 - 179.215.255.255
179.212.0.0/14
(Brasil)
Accept-Language: pt-BR,en,*
user-agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36
referer: http: //123456NN.responsive-test.net/

I've changed the italic part. So visiting the original URL redirects to whatever the actual value is mapped to: http: //youresponsive.com/device?url=exampledomain.tld

It then tries to load a beacon to something.yadro.ru/?kjhsadfiuafherfoerf&semalt


So here we go:
#referer spam
RewriteCond %{HTTP_REFERER} (pizza|burger|button|for-your-|semalt|seo|--production|x00_|s-anal|responsive-test)
RewriteRule .* - [F]


more on semalt and such: [webmasterworld.com...]

The following A records are set to 217.23.9.249(youresponsive.com):
semaltmarket.com, uatraffic.com, youresponsive.com

inetnum: 217.23.9.0 - 217.23.9.255
netname: WORLDSTREAM

[edited by: keyplyr at 10:52 pm (utc) on Mar 15, 2016]
[edit reason] depersonalized IP address [/edit]
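An added example, not part of the original post: a log triage that replays the RewriteCond alternation above against constructed combined-format access-log lines, showing what the rule would block, what the broad `seo` token catches by accident, and what slips past because the rule has no `[NC]` flag. The names `classify`, `sample` and `SAMPLES`, the log layout and all sample referers other than the one quoted in the post are assumptions.

```python
import ipaddress
import re

# Alternation copied from the RewriteCond in the post. mod_rewrite matches
# unanchored and case-sensitively unless [NC] is set, which re.search mirrors.
REFERER_SPAM = re.compile(
    r"(pizza|burger|button|for-your-|semalt|seo|--production|x00_|s-anal|responsive-test)"
)
REPORTED_NET = ipaddress.ip_network("179.212.0.0/14")  # range listed in the post

# Combined log format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def classify(line):
    """Return (matched_token_or_None, ip_in_reported_net), or None if unparsable."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:  # hostname or garbage in the client field
        return None
    hit = REFERER_SPAM.search(m["referer"])
    return (hit.group(1) if hit else None, ip in REPORTED_NET)

def sample(ip, referer):
    # Constructed log line; addresses outside the /14 are documentation ranges.
    return (f'{ip} - - [11/Mar/2016:15:20:00 +0000] "GET / HTTP/1.1" 200 512 '
            f'"{referer}" "Mozilla/5.0"')

SAMPLES = [
    sample("179.213.10.5", "http://123456NN.responsive-test.net/"),  # as in the post
    sample("203.0.113.7", "http://semalt.example/crawler.php"),
    sample("198.51.100.9", "https://news.example/travel/seoul-guide"),  # false positive
    sample("192.0.2.44", "http://SEMALT.example/"),  # missed: no [NC] on the rule
    sample("192.0.2.45", "-"),
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), line.split('"')[3])
```

Running a candidate pattern over a day of real logs this way, before it goes into .htaccess, shows how many legitimate referers a short token such as `seo` would turn into 403s.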

dstiles

6:15 pm on Jul 12, 2016 (gmt 0)




Today was the first time I haven't received a (trappable) semalt hit for ages. At times I've been getting a hundred or more a day across a couple of dozen sites. I no longer know - or even check - what the referer actually is; I just block it and, if it's a Brasil IP (90%+ chance), I permanently ban the /22 or whatever. Brasil is of no use to me nor my clients and until they sort out their abysmal virus situation I'm not interested in them.

Has anyone else noticed Brasil has something like one /22 per street? Or so it seems to me. :( Hundreds of the things, many with gmail or hotmail registration addresses.

dstiles

4:25 pm on Jul 13, 2016 (gmt 0)




Following on from my previous posting: I have begun investigating WHY no semalt types and conclude that as of the 10th July they changed to a new method and new browser. I'm checking out possibilities now.

Oddly, all hits I can currently attribute to the new method are to a single domain and the referer is without the obligatory www of my domain and is http - the domain is actually SSL.

They are still predominantly from Brasil (10) with a sprinkling of other countries (7). These numbers are for unblocked IP ranges: I do not record data for blocked ranges.

lucy24

6:39 pm on Jul 13, 2016 (gmt 0)




sem~alt(Search Engine Marketing Alternative)

Well, I'm impressed. I never knew it stood for anything, let alone something specific. (Other than "Infected Brazilian Browser", which is akin to trying to render "Francophone robot" as something with the initials OVH.)

Has anyone else noticed Brasil has something like one /22 per street?

I think it's just sloppy reporting. I used to keep records by country, but in the specific case of Brazil I had to give up and say Once Brazil, always Brazil, unless I see hard evidence that it has been reassigned to some other country.

:: detour to check logs for last 2½ years ::

:: further detour to check old referer-block list (it's shorter now) ::

The string "semalt" disappeared pretty abruptly in March 2015 except for a couple of isolated "semaltmedia" in June. By 2016, all I see is seo-blahblah, buttons-for-blahblah and one or two others.

:: general check for blocked LACNIC ^(1(7[79]|8[1679]|9[01])|20[01]) constrained to 2016 ::

Their current favorite seems to be "keywords-monitoring-your-success.com/try.php?u=http://example.com". But I guess it's unfair to assume that all referer spam from Latin America has something to do with semalt.

The overwhelming majority are infected browsers rather than pure robots. That's interesting--but more in a demographic, sociological or anthropological sense than a computer-programming sense. It means it's simpler and cheaper to find a vulnerable machine than to pay for hosting.

dstiles

3:12 pm on Jul 14, 2016 (gmt 0)




Whatever, bot-running via infected machines is a criminal activity. Unless you are FBI, when according to one of their high-ups it's not, 'cause they're the good guys. :(

lucy24

5:39 pm on Jul 14, 2016 (gmt 0)




If the infected machine is located in another country, I don't think they're going to give the FBI (or any other foreign-to-them governmental entity) a free pass ;) But it's obviously more about what you can de facto get away with.

it's not, 'cause they're the good guys.
By the usual utterly predictable coincidence, only yesterday I was puttering around tvtropes. They've got a whole cluster of pages on this theme-- protagonist-based morality and so on.

dstiles

2:16 pm on Oct 14, 2016 (gmt 0)




Just had a spam email from "adam [at] semalt [.] expert" offering to help me promote a site which is, basically, a testbed and an incidental listing of a few of my customers. They got the URL wrong (no www) and used HTTP instead of HTTPS.

It begins (obfuscations by me)...

"Dear, Dave Stiles We have checked Google rankings of the following
website: [[mywebsite]...] [.] com | http:// [semalt] [.] com/email/welcome_all.php?h=lUfcvqrTOk7zqCfwJ4zHgeFhhXsV2%2FBHNOBRov63FIsbyhuqVTrkv5t%2B9Uz088Y35ucmSdRxl77Krskcj2cfWjWgT6PJHh4B%2BC%2B7Ifb54WJmG5vVU3tJra2GJoi8EpMph3xBTD9iaANjzdlKQks35g%3D%3D
And we have found 13 errors that negatively affect your website's growth
in Google, your client flow and sales. So we have prepared a report for you
to kick-start your growth! Check my FREE report ..."

The syntax (Dear,) suggests the sender is not a native English speaker (as we suspect we already knew).

I trap most semalt-type accesses but I suppose a few may have got through but I do not believe they actually read the sites anyway.

Obvious spam traps there are "semalt" and the TLD "expert", which should never have been spawned.

blend27

7:10 pm on Oct 14, 2016 (gmt 0)




At least it doesn't start with "Attn: Sir/ Madam", and end with "Mr. Peter Amangbo, Chief Executive Officer Zenith Bank Plc"

lucy24

6:07 pm on Nov 16, 2016 (gmt 0)




Dear, Dave Stiles We have checked
{snip}
The syntax (Dear,) suggests the sender is not a native English speaker

Nah, it just suggests they're a sloppy programmer: The script says
Dear, {{insert name here}}
where it ought to say
Dear {{insert name here}},

;)

dstiles

4:28 pm on Nov 19, 2016 (gmt 0)




From a spam point of view, I LIKE sloppy. It makes it easier to block. But I stand by my comment, although it could still be Dear(if name known add space then name then comma). :)

blend27

6:21 pm on Nov 20, 2016 (gmt 0)




@dstiles

right, just what we need:

Dear Mr. sloppy spam,

etc....

keyplyr

11:28 pm on Nov 20, 2016 (gmt 0)




...the TLD "expert", which should never have been spawned
Agreed!