The Problem
Yesterday I started noticing that one of my websites (not this site) was getting hit with a spike of traffic about once every two weeks for a few days at a time. I determined that the traffic was coming from Portland Oregon. I also determined that the traffic was from a machine on Peak Web Hosting’s network.
One of the problems with this traffic is that it is throwing off my web stats. The traffic had a 100% bounce rate so it makes it look like my visitors are not engaged. Not only that, but the most likely reason they are hitting my website is for a nefarious reason. They could be looking for security holes to hack the site and insert links or malware into my content.
*UPDATE: Read the comments below for an explanation from Peak Web Hosting’s customer service and from the owner of the IP’s that are causing the bounce traffic.
This bounce traffic lead me to notice another issue. I was also getting referrer traffic from forex-ninjas but there are no links to my website from their website. After I did a little digging, I found that this is what is called referrer spam.
This further throws off web statistics since these visitors also have a 100% bounce rate. Most likely the referrer spam is there to try and get me to go to the spammers website and buy their product or click their ads. Either way I don’t want that garbage in my stats.
The Fix
First, to get rid of the bigger problem of the Peak Web Hosting bounce traffic. The solution for this came from a Google Groups posting. For WordPress sites download and install the wp-ban plugin. Once this is set up, go to the settings page for wp-ban and enter 204.11.219.* in the banned IPs section. This is the block of IPs that the hit-and-run traffic is coming from. Now instead of getting your website, they will get a page telling them that they are banned.
Alternately, you can use htaccess to ban an IP range by adding these lines into your htaccess file:
order allow,deny deny from 204.11.219 allow from all
*Update* – I’ve stopped using the wp-ban plugin and started using the htaccess solution instead. For some reason the plugin was banning anyone who visited the non-www version of the website. This may not happen for everyone but it was happening for me.
To get rid of the referrer spam form forex-ninjas, I added a couple of filters in my Google Analytics account. Before you add these filters in you may want to create a duplicate profile that does not include any filters in case there are problems and you need to see the raw information that Google is providing.
To add the two filters do the following…
Click the gear in the upper right hand corner of your Google Analytics account:
Click on the Filter tab. As you can see I have 3 filters showing:
Next you will want to create an Include filter for your domain name. This is to so that if someone grabs your GA code and puts it on their website, only your domain stats will show up in your analytics profile.
- Add a Filter Name. (Include My Domain Only)
- Choose Custom filter type.
- Check Include.
- Choose Hostname for the Filter Field.
- For the Filter Pattern, enter your domain name. You have to escape special characters (periods, slashes etc.) because this is a regex field. By ‘escape’ I mean add a \ in front of special characters. So what goes into the field should look like this: yourdomainname\.com
- Set Case Sensitive to No.
- Click Save.
Now you need to add the two Exclude filters.
- Add a new filter
- Fill in the Filter Name. (Spam Referrers I)
- The Filter Type will be Custom Filter
- Choose Exclude
- In the Filter Field you want Campaign Source
- Put the following in the Filter Pattern:
golbnet|forexmarket|ForexTradingStrategies|acessa\.me|is\.gd\/UnlimitedWebHosting|is\.gd\/ForexTrading|tinyurl\.com\/ForexTradingSystems|tinyurl\.com\/MakeMoneyWithYourWebsite|br4\.in\/ForexMarket|toma\.ai\/6pf
- Set Case Sensitive to No.
- Click Save.
For the second Exclude Filter you will do everything the same as the first except in the Filter Pattern you will add this instead:
bct\.im\/ForexMarket|ibexalerts\.com\/craigslist\-email\.aspx|clubXstream\.net|slowfoodottawagatineau\.org|forex\-ninjas\.com|rock\.to
The two Filter Patters above are for common referrer spam sources. You can find the list I used on Business Hut‘s website. There are two Filter Patters instead of one is because the Filter Pattern field only accepts 255 characters so I had to split it up and add two separate filters. The | character in two filter patterns is an OR operator and does not need to be escaped.
Also, the filters are NOT retroactive. So if you already have referrer spam in your analytics, it will still show up. All new referrer spam will not show up though.
If anyone has a better way to stop the spam feel free to leave a comment below!
{ 25 comments… read them below or add one }
Hello Jhet,
Looks like you have way too much time on your hands, and you are too quick to make accusations and wrong assumptions, as well as look for complicated solutions to non existing “problems”.
Let me correct you, and explain what I am doing.
I am trying to create a database that will classify websites based on some 60 different categories, this database will be used to allow safe browsing by blocking / allowing access to different sites based on a self defined policy. it will block all access to sites known for malware distribution, virus and other malicious sites.
If my crawling of your site skewed you analytics , or bothered you in any way, all you had to do was send me a short Email message, and I would have excluded you domain from further crawling, without the need for you to make any changes on your website configuration…
As a side note, I stopped completely crawling google analytics sites, as well as some 50 other analytics sites.
Rest assured no malicious intentions were present, and what you were seeing is only a result of trying to make the internet a safer place for all of us.
Thanks,
Gal.
When you run websites, checking your logs is part of the job. And inaccurate statistics are a problem. What’s the point of analytics if the numbers are incorrect? It’s not a matter of too much time on my hands, it’s a matter of doing my job.
It is good to hear you have corrected the issue, if indeed you have. There are quite a few site owners complaining about this problem. Many are using the solutions provided on this site. As far as being able to send you an email, however, that is not possible from the information gathered in Google Analytics. Google does not provide its users with an IP address let alone an email address. That has to be determined from raw logs.
Gal,
You are either lying about no longer crawling Google Analytics websites or you configured your crawler completely wrong. Either way the problem still exists for site owners that do not protect themselves from you.
I purposely left JhetBhlak.com open to your crawlers IP addresses. As I said in my post, this issue occurred on another website first. Well on February 8th your crawler spammed JhetBhlak.com with the 100% bounce traffic. See the picture below.
Jhet
Gal Halevy Bounce Spam
Thanks, Jhet! I was trying to show a client how to use Google Analytics and I had to keep saying “I’ll help you make a filter so it won’t look like that” and “don’t worry about that number”. I don’t think Gal realizes all the problems and aggravations he caused!
No problem. I’m just glad to get the word out on how to fix these issues.
That Gal spammer mo fie is soon going to find himself in deep trouble. What nerve!
I just had the same experience today with exactly 100 visits and 100% bounce coming from peakwebhosting.com. My website has Google Analytics tracking.
That sounds exactly like what I was seeing. You will probably want to block the IP range like I did or it is going to throw off your Analytics information and make it look like more people are not interested in your content.
Jhet,
I just found my Analytics all skewed today as well, by the same peakwebhosting.com. Unreal. Thanks so much for the information on how to block this idiotic nuisance.
And to GAL HELAVY – just keep it up, mate. Consider yourself reported.
Happy to help!
Gal Halevy – You are reported!
Gal, what a load of steaming lies. You claim to have stopped and desisted Jan,30, but complaints are still rolling in. You, Ian Duggan and the rest will get your payback. I would post a link to thee 98 comment thread full of hate for you at Google Analytics but this comments program will assume it to be spam. To view it just go to G Analytics and Search for “eric fleischman,”
You are the worst kind of people.
Are you talking about this thread?
https://groups.google.com/a/googleproductforums.com/forum/#!search/eric$20fleischman/analytics/zTsV3NK802Q/StwKStICmFQJ
Jhet…That’s the one. I also recieved an email from Mr. Eric Fleischman urging me to take it up with support@peakwebhosting.com.
just got this from Peak Custy Ssrvice-
Thank you for reaching out to Peak Hosting. We can assure you, this is not an attack. The IP space is owned by Palo Alto Networks, the firewall vendor who’s contact in such matters is Gal Halevy, ghalevy@paloaltonetworks.com
Gal Halevy wrote,
“Palo Alto Network receives a report from our customers’ FW devices about visited URLs from clients behind those firewalls, and we try to classify the sites by downloading those URLs and running them through a series of classifiers.
We are not doing any funky things, all we do is fast crawl of existing URLs, we do not scan ports, and we do not scan for vulnerabilities of any kind.
We have setup local DNS server which acts as a primary name server the most common domains we know are used for analytics, so Palo Alto Networks never crawls them.
I assume that smaller sites that do not get a lot of traffic, and use analytic services get an alert about unusual activity , which triggers a “complaint”. Please in the future refer these people to me and I will gladly explain to them what is going on.”
If you email Gal, he will ensure your analytic tool is not receiving traffic from their customer tracking classification software.
Additionally, there is a blog post which explains how to have your analytics ignore these requests available here.
http://blog.jhetbhlak.com/2012/01/24/portland-spam-100-bounce-rate-peak-web-hosting-fix/
If there is anything else we can do, please let us know. Rest assured, your site is safe and these URL requests are only so that Palo Alto Network customers know where their customers’ employees are visiting.
Regards,
Peak Hosting Operations
Regards,
Justin Cucciare
Peak Web Hosting Support
888.476.PEAK ( 24×7 Support )
support@peakwebhosting.com
Sweet they mentioned my post!
I got here from the peakwebhosting email too. What a freakin’ punk! Gal, if you are reading this, stop polluting the web with your half-baked crawler. Intentional or not, you are making a lot of work for a lot of people. If I ever meet you in person, it will not be good for you!
Jhet, thanks man. Nice post!
This kind of thing annoys me too so I’m glad to of helped you!
Thanks for the easy explanation. Got the same exact things from this guy, only its not from Portland, mine were from San Francisco. So if anybody else sees a surge from there, this is the issue!
My client’s site was hit yesterday. 94% Bounce Rate and 0:16 second average time on site. These numbers do skew my monthly reporting. All out of Portland from the “gal halevy” network. I now have to change the htaccess file for this client and 16 others. An explanation from Gal Halevy just doesn’t work for me.
Thanks for the post Jhet!
I’m glad the post has helped. Thanks for the comment!
I have spent at least 3 hours figuring this thing out and implementing fixes. I wish I were a hacker so I could bring those servers down. Or, at least send the guy a bill.
Yeowch…Well I’m glad you got it fixed at least.
His little crawler hit every page of every one of my sites. Considering each site has hundreds of pages, it was a pretty big hit. I can’t imagine that his clients’ employees happened to visit every site – looks like a server sweep to me.
Gal should consider learning how to make his crawler identifiable so that analytics programs will know to filter his trash out with the rest of the bugs.
Well since Gal lied about having his crawler no longer crawl Google Analytics enabled sites, I’d say he does not care enough to build in filtering