How to Stop Spam Referrals from Ruining Your Web Analytics

Seeing a big jump in the Google Analytics for your website is usually a good thing. More people are looking at your site, which should mean more business, support, or interest. Sometimes, though, that’s not what it means. A bot on the web may have connected to your site and made it look as if a human did it. This creates a meaningless bump in your hits that can through your analysis off.

These bots generate a connection with a “referer” link in its header, which is supposed to indicate the page where the viewer clicked a link to get to your site. If you’ve set up Google Analytics, information goes into Google’s log of accesses to your site.

Why do they do this? They’re trying to attract people to their site in one of two ways. They may hope that you’ll be curious when you see that so many people have come to your site from the same place, and you’ll follow the link back to their site. They may also hope that you’ll make your access log public or send it to clients, so that someone else will see the link and click on it. These are called spam referrals.

The site that the bot wants to draw you into might be trying to sell you something or snag your credit card information. It might try to impersonate a legitimate website by misspelling its name (e.g., It might even try to plant malware on your computer.

A related trick is to find your Google Analytics tracking ID on your site and then send the spammer’s own packets to Google, using it to look like your site. You’ll see this called ghost referral spam. The spammer only has to access your site once and pick up a piece of public information, and they never have to touch your site again. Some of them just try all possible tracking IDs, so they can generate fake traffic to sites that don’t even exist yet. The effect is the same as direct spam referrals, but it’s harder to stop.

Spam referrals are a problem especially for low-traffic websites. A site that gets tens of thousands of hits a day or more won’t even notice a few hundred extra. If your normal hit count is around a hundred a day and a spammer delivers four times as many, the fake hits dwarf the real ones. If the number of hits is really large and your server isn’t rated for heavy traffic, they can act as a denial-of-service attack and slow down legitimate access to your site.

If you have enough technical knowledge to edit a .htaccess file, you can block connections that use known spam referrals. If you aren’t comfortable doing it, there’s a variety of software that can do the job.

You can limit the effect of spam on your analytics by setting a filter for your account. This approach excludes ghost referrals, which you can’t stop on your own site.

Both approaches can stop only referrals from known problem domains. There’s no way in general to tell whether a hit comes from a real website or a bot. A small number of domains are currently responsible for a large part of the traffic, though, so keeping them out will help.

When viewing back links in logs, treat them with the same caution you should apply to links in email. If you don’t know who they are, think about whether you really want to click on them. Some of them use obviously shady domain names like, which you can safely ignore.

We can help you to build a site that will draw real people, not bots and ghosts. Please contact us to learn more.