When analyzing your website’s traffic logs, you should check to see which URLs are referring the most visitors. While some visitors may access your website simply by typing the domain into their web browser’s address bar, others will likely access your website through links.

Using an analytics platform like Google Analytics, you can see which URLs are driving the most traffic to your website.

With that said, you can’t always trust a referrer URL just because it’s listed in your website’s Google Analytics account.

In recent years, more and more black-hat marketers have resorted to a tactic known as referrer spam as a way to promote their websites and affiliate products or services.

In this article, we’ll explore what referrer spam is, where it comes from, how it can affect your website, and how you can protect yourself from this annoying marketing tactic.

What Is Referrer Spam?

Also known as referrer bombing, referrer spam is a black-hat marketing tactic that involves flooding a website’s traffic logs with one or more fake referrer URLs, with the goal of getting the webmaster to click the URLs in their analytics dashboard.

Google Analytics tracks referrer URLs, allowing you to see which URLs drive the most traffic to your website. With referrer spam, some or all of the listed referrer URLs have been spoofed, meaning they didn’t really drive traffic to your website.

If your website is targeted with referral spam, you’ll discover spoofed referrer URLs in its traffic logs.

The referrer URLs might be functional and otherwise legitimate-looking web pages, but they didn’t drive any real traffic to your website.

How Referrer Spam Is Performed

Black-hat marketers perform referrer spam by making repeated requests to a website using forged HTTP headers.

When an Internet user navigates from one website to another website, his or her web browser will create and send an HTTP header to the new website. The HTTP header contains the original website listed as the referrer URL.

During a referrer spam attack, a black-hat marketer will visit your website hundreds or even thousands of times—typically using software or scripts—with forged HTTP headers. Each of these visits sends your website a forged HTTP header containing the marketer’s website as the referrer URL:

Referer: http://spamsite.com

The marketer essentially replaces the referrer URL in an HTTP header with his or her website. When Google Analytics reads the forged HTTP header, it will track the marketer’s website as the referrer URL.

What’s the Purpose of Referrer Spam?

Many black-hat marketers use referrer spam to promote their websites.

Most webmasters, especially those familiar with search engine optimization (SEO), will likely analyze their website’s traffic logs regularly. If a listed referrer URL has driven substantially more traffic than all other referrer URLs, the webmaster may visit it to see how his or her website is being presented.

In addition to driving traffic to a marketer’s website, referrer spam can be used to promote affiliate products or services via cookie stuffing.

A black-hat marketer, for instance, may spoof an HTTP header to include his or her affiliate link as the referrer URL. When a webmaster unknowingly visits the affiliate link, it places a cookie in his or her web browser. With the cookie present, the marketer will earn a commission if the webmaster goes on to make a purchase.

Some black-hat marketers use referrer spam to build backlinks.

If a website publishes its traffic logs, it may automatically link to referrer URLs. A marketer can exploit this flaw by repeatedly visiting the website with spoofed HTTP headers. The website will discover the marketer’s website listed as the referrer URL, resulting in the creation of a link.

How Referrer Spam Can Affect Your Website

You might be wondering how referrer spam can affect your website.

Well, depending on the extent of the attack, referrer spam may slow down your website.

Each time a visitor accesses your website, it consumes some of your server’s resources. With referrer spam attacks involving potentially thousands of repeated visits, your server may exhaust its resources to the point where it no longer loads quickly for legitimate visitors.

Even if it doesn’t slow down your website, referrer spam can make it difficult to optimize your website.

If you don’t know which referrer URLs really drove traffic to your website and which ones didn’t, you may struggle to find new backlink opportunities.

Referrer URLs provide insight into how other websites link to your website. If they are spoofed, though, they won’t prove useful when building backlinks or performing other forms of off-page optimization.

How to Protect Your Website from Referral Spam

Assuming you use Google Analytics, you can filter referrer spam from your website’s traffic logs.

From your main account dashboard, click “Admin” in the sidebar (gear icon), then click “All Filters” in the first column:

From here, click the “Add Filter” button.

Set the type to “Custom,” choose the “Exclude” option, and select “Referral” from the drop-down menu.

You can then specify the referrer spam domains that frequently appear at the top of your website’s traffic logs.

You can create a new filter for each spam domain, or you can add multiple spam domains to your filter pattern by separating them with |.

Once updated, Google Analytics will automatically filter referrer URLs from the specified domains.

Unfortunately, filtering doesn’t actually prevent referrer spam; it only conceals it. Your server will still be bombarded by an excessive number of visits from the black-hat marketer who’s behind the attack.

If your website runs WordPress, you can install a plugin to protect it from referral spam.

Stop Referrer Spam is a free plugin that automatically blocks requests from URLs associated with referral spam. It cross-references requests with a database of over 1,100 referrer spam URLs. If a request contains a listed referrer spam URL, the plugin blocks it.

You can also block referral spam by modifying your website’s .htaccess file. Just add the URLs or domains of the spam referrers to the .htaccess file using “RewriteCond” statements, such as the following:

RewriteCond %HTTP_REFERER example.com [NC,OR]
RewriteCond %HTTP_REFERER example.com/subpage [NC,OR]
RewriteRule .* - [F]

Any requests from the URLs or domains listed in the .htaccess file will be blocked, thereby protecting your website from referrer spam.

Final Thoughts

As a webmaster, you shouldn’t turn a blind eye to referrer spam. It will dilute your website’s traffic logs with false data while simultaneously consuming server resources like bandwidth, CPU and memory.

You can’t always prevent black-hat marketers from targeting your website with referrer spam, but you can block their requests by using either a plugin or a modified .htaccess file.

Have you experienced referral spam on your website? We’d love to hear your thoughts, as well as any questions you have, in the comments below!

>