Portland Spam 100% Bounce Rate Peak Web Hosting Fix

by Jhet Bhlak on January 24, 2012

The Problem

Yesterday I started noticing that one of my websites (not this site) was getting hit with a spike of traffic about once every two weeks for a few days at a time. I determined that the traffic was coming from Portland, Oregon. I also determined that the traffic was from a machine on Peak Web Hosting’s network.

One of the problems with this traffic is that it is throwing off my web stats. The traffic had a 100% bounce rate so it makes it look like my visitors are not engaged. Not only that, but the most likely reason they are hitting my website is for a nefarious reason. They could be looking for security holes to hack the site and insert links or malware into my content.

*UPDATE: Read the comments below for an explanation from Peak Web Hosting’s customer service and from the owner of the IPs that are causing the bounce traffic.

This bounce traffic led me to notice another issue. I was also getting referrer traffic from forex-ninjas, but there are no links to my website from their website. After I did a little digging, I found that this is what is called referrer spam.

This further throws off web statistics since these visitors also have a 100% bounce rate. Most likely the referrer spam is there to try and get me to go to the spammer’s website and buy their product or click their ads. Either way I don’t want that garbage in my stats.

The Fix

First, to get rid of the bigger problem of the Peak Web Hosting bounce traffic. The solution for this came from a Google Groups posting. For WordPress sites download and install the wp-ban plugin. Once this is set up, go to the settings page for wp-ban and enter 204.11.219.* in the banned IPs section. This is the block of IPs that the hit-and-run traffic is coming from. Now instead of getting your website, they will get a page telling them that they are banned.

Alternately, you can use htaccess to ban an IP range by adding these lines into your htaccess file:

order allow,deny
deny from 204.11.219
allow from all

*Update* – I’ve stopped using the wp-ban plugin and started using the htaccess solution instead. For some reason the plugin was banning anyone who visited the non-www version of the website. This may not happen for everyone but it was happening for me.

More information on blocking Peak Web Hosting and Palo Alto Networks can be found here.
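
Google Analytics does not show visitor IP addresses, so the block to ban has to be read out of the server's access log. The following is an added example, not part of the original post: it groups Combined Log Format lines by /24, flags blocks that burst within a short window, and renders deny lines in the format shown above. The log lines are constructed, and the 15-minute window and 5-hit threshold are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Combined Log Format: ip ident user [time] "request" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+')

def parse(line):
    """Return (IPv4 address, aware datetime), or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        addr = ip_address(m.group(1))
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None  # hostname instead of an IP, or malformed timestamp
    return (addr, ts) if addr.version == 4 else None

def burst_blocks(lines, window=timedelta(minutes=15), min_hits=5, prefix=24):
    """Map each IPv4 /prefix block to its peak hit count inside any one
    window, keeping only blocks whose peak reaches min_hits."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            addr, ts = rec
            hits[ip_network(f"{addr}/{prefix}", strict=False)].append(ts)
    flagged = {}
    for block, times in hits.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_hits:
            flagged[str(block)] = peak
    return flagged

def deny_lines(flagged):
    """Render flagged blocks as Apache 2.2-style deny directives."""
    body = [f"deny from {block}" for block in sorted(flagged)]
    return ["order allow,deny", *body, "allow from all"]

# Constructed sample log. The crawler IPs and user agent are the ones
# reported in the comments below; the other addresses are documentation ranges.
UA = ("Mozilla/5.0 (X11; U; Linux; en-US) AppleWebKit/532.4 "
      "(KHTML, like Gecko) Qt/4.6.3 Safari/532.4")
SAMPLE = [
    f'204.11.219.{(91, 104)[i % 2]} - - [08/Feb/2012:10:00:{i:02d} -0800] '
    f'"GET /page-{i} HTTP/1.1" 200 5120 "-" "{UA}"'
    for i in range(8)
] + [
    '198.51.100.7 - - [08/Feb/2012:09:12:44 -0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Feb/2012:09:14:02 -0800] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.20 - - [08/Feb/2012:11:30:10 -0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    flagged = burst_blocks(SAMPLE)
    print(flagged)
    print("\n".join(deny_lines(flagged)))
```

A burst alone does not prove abuse, since legitimate search engine crawlers also arrive in bursts; review the flagged blocks before pasting the deny lines.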

To get rid of the referrer spam from forex-ninjas, I added a couple of filters in my Google Analytics account. Before you add these filters, you may want to create a duplicate profile that does not include any filters in case there are problems and you need to see the raw information that Google is providing.

To add the two filters do the following…

Click the gear in the upper right hand corner of your Google Analytics account:

Click on the Filter tab. As you can see I have 3 filters showing:

Next you will want to create an Include filter for your domain name. This is so that if someone grabs your GA code and puts it on their website, only your domain stats will show up in your analytics profile.

  • Add a Filter Name. (Include My Domain Only)
  • Choose Custom filter type.
  • Check Include.
  • Choose Hostname for the Filter Field.
  • For the Filter Pattern, enter your domain name. You have to escape special characters (periods, slashes etc.) because this is a regex field. By ‘escape’ I mean add a \ in front of special characters. So what goes into the field should look like this: yourdomainname\.com
  • Set Case Sensitive to No.
  • Click Save.

Now you need to add the two Exclude filters.

  • Add a new filter
  • Fill in the Filter Name. (Spam Referrers I)
  • The Filter Type will be Custom Filter
  • Choose Exclude
  • In the Filter Field you want Campaign Source
  • Put the following in the Filter Pattern:

golbnet|forexmarket|ForexTradingStrategies|acessa\.me|is\.gd\/UnlimitedWebHosting|is\.gd\/ForexTrading|tinyurl\.com\/ForexTradingSystems|tinyurl\.com\/MakeMoneyWithYourWebsite|br4\.in\/ForexMarket|toma\.ai\/6pf

  • Set Case Sensitive to No.
  • Click Save.

For the second Exclude Filter you will do everything the same as the first except in the Filter Pattern you will add this instead:

bct\.im\/ForexMarket|ibexalerts\.com\/craigslist\-email\.aspx|clubXstream\.net|slowfoodottawagatineau\.org|forex\-ninjas\.com|rock\.to|nigerianstockexchange

The two Filter Patterns above are for common referrer spam sources. You can find the list I used on Business Hut’s website. There are two Filter Patterns instead of one because the Filter Pattern field only accepts 255 characters, so I had to split the list up and add two separate filters. The | character in the two filter patterns is an OR operator and does not need to be escaped.

Also, the filters are NOT retroactive. So if you already have referrer spam in your analytics, it will still show up. All new referrer spam will not show up though.
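
As an added example (not part of the original post), the escaping and the 255-character split can be automated and checked before the patterns are pasted into Google Analytics. It assumes GA applies a Filter Pattern as an unanchored, case-insensitive partial match, as the post's substring patterns imply; the anchored hostname pattern and the `spam.example` hostname are this example's own constructions.

```python
import re

GA_LIMIT = 255  # Filter Pattern length limit given in the post

# The literal sources from the post's two Exclude patterns, unescaped.
SOURCES = [
    "golbnet", "forexmarket", "ForexTradingStrategies", "acessa.me",
    "is.gd/UnlimitedWebHosting", "is.gd/ForexTrading",
    "tinyurl.com/ForexTradingSystems", "tinyurl.com/MakeMoneyWithYourWebsite",
    "br4.in/ForexMarket", "toma.ai/6pf", "bct.im/ForexMarket",
    "ibexalerts.com/craigslist-email.aspx", "clubXstream.net",
    "slowfoodottawagatineau.org", "forex-ninjas.com", "rock.to",
    "nigerianstockexchange",
]

def pack_patterns(sources, limit=GA_LIMIT):
    """Escape each literal source and join with '|' into as few patterns
    as possible, none longer than `limit` characters."""
    patterns, current = [], ""
    for src in sources:
        esc = re.escape(src)
        if len(esc) > limit:
            raise ValueError(f"single source exceeds {limit} chars: {src!r}")
        candidate = f"{current}|{esc}" if current else esc
        if len(candidate) > limit:
            patterns.append(current)  # current filter is full, start another
            current = esc
        else:
            current = candidate
    if current:
        patterns.append(current)
    return patterns

def is_excluded(campaign_source, patterns):
    """True if any Exclude pattern matches anywhere in the source
    (assumed GA behaviour with Case Sensitive set to No)."""
    return any(re.search(p, campaign_source, re.IGNORECASE) for p in patterns)

def hostname_included(hostname, pattern):
    """True if the Include filter pattern would keep this hostname."""
    return re.search(pattern, hostname, re.IGNORECASE) is not None

# Include-filter patterns: the post's form, and an anchored variant that
# assumes the site is served only at the bare and www hostnames.
LOOSE = r"yourdomainname\.com"
STRICT = r"^(www\.)?yourdomainname\.com$"

if __name__ == "__main__":
    for i, p in enumerate(pack_patterns(SOURCES), 1):
        print(f"Spam Referrers {i} ({len(p)} chars): {p}")
    # An unanchored pattern also keeps hostnames that merely contain it.
    for host in ("www.yourdomainname.com", "yourdomainname.com.spam.example"):
        print(host, hostname_included(host, LOOSE), hostname_included(host, STRICT))
```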

If anyone has a better way to stop the spam feel free to leave a comment below!

{ 56 comments… read them below or add one }

Gal Halevy January 30, 2012 at 1:29 pm

Hello Jhet,
Looks like you have way too much time on your hands, and you are too quick to make accusations and wrong assumptions, as well as look for complicated solutions to non existing “problems”.
Let me correct you, and explain what I am doing.
I am trying to create a database that will classify websites based on some 60 different categories, this database will be used to allow safe browsing by blocking / allowing access to different sites based on a self defined policy. It will block all access to sites known for malware distribution, virus and other malicious sites.
If my crawling of your site skewed your analytics, or bothered you in any way, all you had to do was send me a short Email message, and I would have excluded your domain from further crawling, without the need for you to make any changes on your website configuration…
As a side note, I stopped completely crawling google analytics sites, as well as some 50 other analytics sites.
Rest assured no malicious intentions were present, and what you were seeing is only a result of trying to make the internet a safer place for all of us.

Thanks,
Gal.

Jhet Bhlak January 30, 2012 at 1:57 pm

When you run websites, checking your logs is part of the job. And inaccurate statistics are a problem. What’s the point of analytics if the numbers are incorrect? It’s not a matter of too much time on my hands, it’s a matter of doing my job.

It is good to hear you have corrected the issue, if indeed you have. There are quite a few site owners complaining about this problem. Many are using the solutions provided on this site. As far as being able to send you an email, however, that is not possible from the information gathered in Google Analytics. Google does not provide its users with an IP address let alone an email address. That has to be determined from raw logs.

Jhet Bhlak February 10, 2012 at 11:53 am

Gal,

You are either lying about no longer crawling Google Analytics websites or you configured your crawler completely wrong. Either way the problem still exists for site owners that do not protect themselves from you.

I purposely left JhetBhlak.com open to your crawler’s IP addresses. As I said in my post, this issue occurred on another website first. Well on February 8th your crawler spammed JhetBhlak.com with the 100% bounce traffic. See the picture below.

Jhet

[Image: Gal Halevy Bounce Spam]

Stuart Jones May 13, 2012 at 7:20 pm

To Gal Halevy:

I’m investigating an outage our site had last Friday (11th May) – our server got hit with 211 requests almost instantaneously from one IP address – 67.221.59.116. Whois reports that this IP address is owned by Palo Alto Networks (range 67.221.59.0 – 67.221.59.255) and/or Peak Web Hosting (67.221.32.0 – 67.221.63.255) (I found this blog post by searching for Peak Web Hosting).

I consider this to be no less than a Denial of Service Attack – and will be taking it to authorities to see what they have to say about it.

I notice the comments about filtering sites that use Google analytics – I don’t think it really matters if the site is using analytics or not, spamming a server with so many requests at once is at the very least unethical.

In addition, if your crawler is a legitimate bot, you should identify it as such in the user agent string – and not identify as “Mozilla/5.0 (X11; U; Linux; en-US) AppleWebKit/532.4 (KHTML, like Gecko) Qt/4.6.3 Safari/532.4”

I can only conclude from your bot’s actions, and your responses here, that you are either acting incompetently or maliciously, or possibly even both.

Jhet Bhlak May 13, 2012 at 8:26 pm

Agreed. Google Analytics shouldn’t have anything to do with anything. Let us know how it goes!

Dianah January 31, 2012 at 3:07 pm

Thanks, Jhet! I was trying to show a client how to use Google Analytics and I had to keep saying “I’ll help you make a filter so it won’t look like that” and “don’t worry about that number”. I don’t think Gal realizes all the problems and aggravations he caused!

Jhet Bhlak January 31, 2012 at 3:11 pm

No problem. I’m just glad to get the word out on how to fix these issues.

mohammed February 1, 2012 at 1:41 pm

That Gal spammer mo fie is soon going to find himself in deep trouble. What nerve!

JB February 2, 2012 at 10:01 am

I just had the same experience today with exactly 100 visits and 100% bounce coming from peakwebhosting.com. My website has Google Analytics tracking.

Jhet Bhlak February 2, 2012 at 10:04 am

That sounds exactly like what I was seeing. You will probably want to block the IP range like I did or it is going to throw off your Analytics information and make it look like more people are not interested in your content.

Fiddlegrrl February 5, 2012 at 3:47 am

Jhet,
I just found my Analytics all skewed today as well, by the same peakwebhosting.com. Unreal. Thanks so much for the information on how to block this idiotic nuisance.
And to GAL HELAVY – just keep it up, mate. Consider yourself reported.

Jhet Bhlak February 6, 2012 at 9:01 am

Happy to help! 🙂

tops February 6, 2012 at 1:43 pm

Gal Halevy – You are reported!

dicktracylords February 7, 2012 at 4:22 pm

Gal, what a load of steaming lies. You claim to have stopped and desisted Jan 30, but complaints are still rolling in. You, Ian Duggan and the rest will get your payback. I would post a link to the 98 comment thread full of hate for you at Google Analytics but this comments program will assume it to be spam. To view it just go to G Analytics and Search for “eric fleischman,”
You are the worst kind of people.

Jhet Bhlak February 7, 2012 at 4:27 pm
dicktracylords February 7, 2012 at 4:36 pm

Jhet…That’s the one. I also received an email from Mr. Eric Fleischman urging me to take it up with support@peakwebhosting.com.

dicktracylords February 7, 2012 at 4:40 pm

just got this from Peak Custy Service-
Thank you for reaching out to Peak Hosting. We can assure you, this is not an attack. The IP space is owned by Palo Alto Networks, the firewall vendor whose contact in such matters is Gal Halevy, ghalevy@paloaltonetworks.com

Gal Halevy wrote,

“Palo Alto Network receives a report from our customers’ FW devices about visited URLs from clients behind those firewalls, and we try to classify the sites by downloading those URLs and running them through a series of classifiers.

We are not doing any funky things, all we do is fast crawl of existing URLs, we do not scan ports, and we do not scan for vulnerabilities of any kind.

We have setup local DNS server which acts as a primary name server for the most common domains we know are used for analytics, so Palo Alto Networks never crawls them.

I assume that smaller sites that do not get a lot of traffic, and use analytic services get an alert about unusual activity, which triggers a “complaint”. Please in the future refer these people to me and I will gladly explain to them what is going on.”

If you email Gal, he will ensure your analytic tool is not receiving traffic from their customer tracking classification software.

Additionally, there is a blog post which explains how to have your analytics ignore these requests available here.

http://blog.jhetbhlak.com/2012/01/24/portland-spam-100-bounce-rate-peak-web-hosting-fix/

If there is anything else we can do, please let us know. Rest assured, your site is safe and these URL requests are only so that Palo Alto Network customers know where their customers’ employees are visiting.

Regards,
Peak Hosting Operations

Regards,
Justin Cucciare
Peak Web Hosting Support
888.476.PEAK ( 24×7 Support )
support@peakwebhosting.com

Jhet Bhlak February 7, 2012 at 4:49 pm

Sweet they mentioned my post! 🙂

nekcih February 8, 2012 at 10:29 am

I got here from the peakwebhosting email too. What a freakin’ punk! Gal, if you are reading this, stop polluting the web with your half-baked crawler. Intentional or not, you are making a lot of work for a lot of people. If I ever meet you in person, it will not be good for you!

Jhet, thanks man. Nice post!

Jhet Bhlak February 8, 2012 at 11:33 am

This kind of thing annoys me too so I’m glad to have helped you!

Brandon February 8, 2012 at 6:01 pm

Thanks for the easy explanation. Got the same exact things from this guy, only it’s not from Portland, mine were from San Francisco. So if anybody else sees a surge from there, this is the issue!

Dave February 9, 2012 at 8:47 am

My client’s site was hit yesterday. 94% Bounce Rate and 0:16 second average time on site. These numbers do skew my monthly reporting. All out of Portland from the “gal halevy” network. I now have to change the htaccess file for this client and 16 others. An explanation from Gal Halevy just doesn’t work for me.

Thanks for the post Jhet!

Jhet Bhlak February 9, 2012 at 8:49 am

I’m glad the post has helped. Thanks for the comment!

dicktracylords February 9, 2012 at 11:19 am

I have spent at least 3 hours figuring this thing out and implementing fixes. I wish I were a hacker so I could bring those servers down. Or, at least send the guy a bill.

Jhet Bhlak February 9, 2012 at 11:25 am

Yeowch…Well I’m glad you got it fixed at least.

Pam February 10, 2012 at 9:01 pm

His little crawler hit every page of every one of my sites. Considering each site has hundreds of pages, it was a pretty big hit. I can’t imagine that his clients’ employees happened to visit every site – looks like a server sweep to me.

Gal should consider learning how to make his crawler identifiable so that analytics programs will know to filter his trash out with the rest of the bugs.

Jhet Bhlak February 12, 2012 at 4:53 pm

Well since Gal lied about having his crawler no longer crawl Google Analytics enabled sites, I’d say he does not care enough to build in filtering 🙂

Jhet Bhlak March 14, 2012 at 3:45 pm

I’ve updated the 2nd spam filter to include:

nigerianstockexchange

Jesse March 15, 2012 at 3:33 pm

Are you guys looking at raw logs or do you use a utility to look at the logs?

I have a similar problem with unusually high direct traffic. So I looked at a random sample of 100,000 lines, loaded into Excel, and it’s just overwhelming. But none of the IPs in the 100K records were related to this web hosting company. Many of them are residential ISP users at Verizon and AT&T.

I don’t know if I have a different problem, or the same problem from a different source. But this does show one of the weaknesses in blocking IPs. Now that the problem exists, it’s likely that other hackers will start doing it. Also, they will use their usual methods to evade detection, such as hacking accounts and infecting computers with viruses. At that point blocking IPs becomes useless. Hopefully there will be a solution to this some day, even if that includes legislation to shut down rogue ISPs that cooperate.

Meanwhile, if anyone has tips that will help sort through the logs and easily identify trends like this, please let me know.

Jhet Bhlak March 15, 2012 at 3:40 pm

By the sounds of it you are having a different issue. If your bounce hits are coming from residential ISPs then those are probably legitimate bounces. I first noticed the issue through Google Analytics. All the bounce hits were coming from Portland Oregon and Peak Web Hosting. When I noticed I had an increase of 50% in my bounce rate I investigated further.

Jesse March 15, 2012 at 4:10 pm

Yes it does seem to be something different. I was legitimately receiving about 200 direct visitors a day, but that shot up a couple weeks ago and has leveled out at about 3000 direct visitors a day. According to GA they are coming from all over the world. Many of them have cookies. I don’t get it.

The other symptoms are the same – super high bounce rate, and they only stick around for a few seconds.

So far I’ve been able to get some info from Analytics, but it doesn’t have specific IPs, as mentioned earlier. It’s difficult for me to find patterns in raw logs. I don’t think IP blocking is the ultimate solution but if I could (at least temporarily) stop this problem by blocking a small handful of IP address subnets, then I would do it.

Mat April 8, 2012 at 6:01 pm

Well, my own website just got hit by these as well – I can’t imagine why, not that popular.

One would think that he could solve this whole problem by simply not executing Javascript or including images on downloaded pages, since almost all analytics systems rely on one of these two options.

Jhet Bhlak April 9, 2012 at 6:53 am

Sorry to hear it. At least you’ve found the way to block his attacks though!

Mat April 28, 2012 at 1:17 am

No, unfortunately I really didn’t 🙁

But I’ve just been hit again. His spider requested virtually every single file on the web server at once, and I’m not happy. It’s spamming up my live support system with “New Site Visitors” and everything.

That’s it, I’m adding his server to the IP ban list.

Jhet Bhlak April 28, 2012 at 7:23 am

Ah, I thought you did that when you had found my post. Yes, Gal’s servers will keep hitting you until you block them. He had originally said he was going to stop but kept on hitting people’s websites.

johnny April 11, 2012 at 12:40 am

Why doesn’t he obey robots.txt? Gal? Are you there? Why are you in my bot trap?
deny from 204.11.219.

johnny April 11, 2012 at 12:42 am

BTW let’s make a list of his abusive IPs so other people find this thread. Mine was:
204.11.219.91

dms April 14, 2012 at 11:04 am

Please allow me to copy a complaint which I just published on ip-address-lookup-v4.com, into this thread. My experience with this “crawler” is fresh from this afternoon. Here goes:

“This “GAL-HALEVY-NETWORK” is one of the worst nuisances the web has ever seen. Their bot tries to catch every single bit of file (html, scripts, images, no matter what) on my websites, hammering away for a quarter of an hour on end — well, with one exception: “robots.txt” doesn’t interest them in the least!”

Peter April 19, 2012 at 7:33 am

I got nailed last night! The IP was 204.11.219.104.

I am a business owner, not a programmer. I’m thankful for your blog.

Jinnee April 22, 2012 at 7:42 pm

What utter pests these people are. Hit by IP 204.219.113
Thanks for sharing the fix!

BOfH April 23, 2012 at 6:25 am

This entry into .htaccess prevents their entire server*) range from accessing one’s page:

# block gal halevy network and peakwebhosting
deny from 204.11.216.0/21

Thanks Jhet for bringing some light onto such web vermin.

*) residential users usually don’t have static IP addresses allocated to server farms

i forsikring June 22, 2012 at 5:37 am

We see the same

100 direct visits from the same from Palo Alto (I run a Danish site) 100% bounce, and seems the service provider is “we license ips”. Where do you find the IP address in Google Analytics?

Jhet Bhlak June 22, 2012 at 7:18 am

Unfortunately you can’t find IP addresses in Google Analytics. You’ll have to search the actual server logs or use an additional analytics software package.

i forsikring June 22, 2012 at 7:20 am

Hi Jhet

Thanks for the quick reply – I’ll see if I can locate it on the webhotel

Have a great weekend

Canuck October 23, 2012 at 7:42 am

The idiots are still at it. My system blocks these types of requests but it doesn’t stop them from continually coming back to try again and again and again.

Gal says, “I am trying to create a database that will classify websites”

So in other words you are scraping our websites to create a database you will sell containing our information with no financial compensation. Gotcha.

Jhet Bhlak October 23, 2012 at 8:35 am

If you block it with htaccess he shouldn’t be able to get anything.

Canuck October 23, 2012 at 1:00 pm

I block them at the firewall – but that doesn’t stop them continually coming back to try again.

Jhet Bhlak October 23, 2012 at 1:03 pm

Ah, ya they will keep trying. Which IS annoying.

julian March 12, 2013 at 7:32 am

Just been hit by “Palo Alto Networks”, cannot see an IP address yet. But shows as Unknown robot (identified by ‘bot*’). Causes so much work trying to filter these morons out. If I can find out exactly who it is I shall be sending them a bill for my time. Thanks for all the advice above.

Jhet Bhlak March 12, 2013 at 7:42 am

Glad to help 🙂

Graham March 14, 2013 at 9:02 am

Also just been hit by “Palo Alto Networks”. 121 visits within minutes. No IP address yet. Will follow up on server stats tomorrow.

Eric March 21, 2013 at 6:27 pm

Was hit by Palo Alto Networks today as well…Not sure if the same thing.

The traffic spike was between 11am and noon (Pacific). We got 149 hits on 121 different pages, all coming from San Jose, using a Safari browser, and bouncing immediately off the pages.

Using Google Analytics right now. How do you find the IP address and block them? Perhaps it was posted above. Please advise. Thanks!

Jhet Bhlak March 22, 2013 at 7:16 am

I added this to the .htaccess file:

order allow,deny
deny from 204.11.219
allow from all

That blocked everything from Palo Alto Networks for me. Basically that blocks all IP addresses from 204.11.219.0 to 204.11.219.255.

Jhet Bhlak March 22, 2013 at 7:20 am

Oh…and there is no way to find IP addresses in Google Analytics. You would have to go to your web hosting company and check the actual server logs if they are on or sometimes there is analytics software active on your hosting account that will tell you.

James March 22, 2013 at 1:08 pm

Another hit yesterday from Palo Alto Networks, IP used was 67.221.59.79 but understand 67.221.32.0 – 67.221.63.255 is all the same group. If like me your htaccess has restricted functionality stopping you using Deny (Thank you Streamline.net) then I added a rewrite instead like:

RewriteEngine on
RewriteCond %{REMOTE_ADDR} ^67\.221\.59\.
RewriteRule ^(.*)$ http://%{REMOTE_ADDR}/ [F,L]

which just sends the request back to the Palo Alto Networks homepage 🙂

Jhet Bhlak March 22, 2013 at 1:11 pm

Thank you for the info for people who do not have deny capabilities with htaccess and for the new IP ranges! Love the redirect back to their page as well LOL!
