Scripted Referrer Spam Update
It's been a frustrating few weeks at Scripted's marketing department as someone has impersonated Scripted.com and sent fake referral traffic to hundreds of websites.
If your website has been getting an usually high amount of visits from scripted.com and the referring domain is scripted.com/yourdomain.com, then you are probably looking for answers. This post will address all concerns about what is happening, how this works, and what we're doing about it. As much as I'd like to not bring attention to this, I hope this post serves as a resource for other websites that have been affected by referrer spam and realize how easy it is for someone to impersonate fake referral traffic to websites.
Report Your Website
If you'd like to report your website, we're sending this information to the hosting company that is sending the spam traffic and requesting they stop immediately. I will also personally get back to you if you have any questions. Please email your website info and the referring traffic logs (IP address of the referrer) to at jake@scripted.com.
Answers to Your Most Common Questions
1. I've never signed up for your service or visited your website, why am I getting traffic from your website?
Someone has been sending referrer spam traffic to websites by pretending to send it from the scripted.com domain. Scripted hasn't been hacked and there are no webpages on Scripted that have anything to do with your website. This is fake traffic from a spam bot.
2. Can you please remove the link from scripted.com to my website?
The scripted.com link, which is most likely something like scripted.com/yourwebsite.com, does not exist and therefore can't be removed. My initial concern was that someone hacked our website and created hundreds of new pages. After working closely with our hosting company, resetting passwords, and running scans, we rested assured that there was nothing hacked and no one had access to our website. What this means is that the referring link that your analytics thinks is real traffic, is actually fake and coming from a bot. There is no content on the site and URL is non-existent. You will most likely get a 404 error when you try to access the page or another error. So, considering that anyone can send a fake visit to another website and make up the referring domain info, we can't remove the link.
3. Are you trying to steal my website?
Definitely not! We have no interest in your website, your content, or your services. Scripted has no idea what websites have been getting traffic from this spam bot. We're not sure what benefit this spammer has in sending fake traffic to your website from the scripted.com domain. I don't have any reason to believe that your website is vulnerable or impacted by this. To reiterate, the referring URL does not exist and there is no content those pages.
4. I'm concerned that you are using my company even though we have copyrighted content. What about my trademark?
Again, there is no content of yours being used on scripted.com's site. The referring domain is completely made up by the spammer. We have no interest in your content or website. This referrer spam is 'ghost spam' and "this technique does not harm the affected websites, just pollutes their web statistics."
5. Why would someone else try to pretend they are scripted.com?
As ohow.com put it when writing about referrer spam, "Although the name says in the referral: scripted, it does not necessarily means that the company is behind the spam. The spammer uses a bot to leave a mark on your reports and can use any name as a referral, in some occasions, it is used to damage the image of the company." Anyone can do this to us to try to damage our domain authority or brand - competitor, writer, disgruntled customer, etc.
6. Should I block scripted.com?
I imagine how frustrating it must be to get referrer spam. As the webmaster and SEO specialist at Scripted, I'm in Google Analytics daily and rely heavily on the data to help me make business decisions. Given that we're currently trying to solve this, you should filter out scripted.com referral traffic to your site so you can have more accurate data. We believe this is a temporary issue and it will be solved. Scripted.com has been building it's trust and brand for over 4 years and has never participated in black hat SEO tactics or spam.
So, what's the latest?
Here's a breakdown of what we have done and where our investigation stands:
12/1/2015: Started to get inquiries about referrer spam through Twitter, but have very little information on what they're referencing.
12/3/2015: Noticed an article on Botcrawl on how to block scripted.com referrer traffic. Update (1/25) The author has responded to my emails and provided advice as well as suggested I get information from Linode on this user.
12/6/2015: Get information on the referring links (scripted.com/domain.com). Realize that it's coming from URLs that we don't have access to.
12/7/2015: Did a security scan on our own website, updated plugins, changed passwords. Contacted our hosting company, WPEngine.
12/10/2015: WPEngine confirms that there has been no security breach on our website and our website is completely clean.
12/13/2015: Ohow.com writes an article on how to block scripted.com in your Google Analytics. They make it clear that although the referring url is scripted.com, Scripted is not necessarily behind the spam traffic. The author of the article gets back to me when I tell him about our issue.
12/14/2015: Continuing to get more inquiries about what we have links to websites that don't exist. Get our first inquiry that gives us the referring IP address. Looking into the IP address, we realize it's hosted on a Linode server.
12/15/2015: Submit a ticket on Linode to report abuse. We gave them the referring domains and the IP addresses.
12/16/2015: Linode writes "We have opened a ticket with our customer regarding this matter. We will be pursuing this investigation until we are satisfied this issue has been resolved."
12/19/2015: Continue to send Linode more information on the referring IP addresses.
12/21/2015: Linode gets back to me telling us that their customer is "a security researcher." We are alarmed and not sure what that means. They let us know the head of security is looking into it more and will get back to us tomorrow as they find it unusual behavior.
12/22/2015: Find scripted.eu writing an article on referrer spam. First time hearing of this domain and am concerned about copyright infringement on them using the scripted domain name.
- Linode is continuing to get in touch with the client.
12/28/2015: Linode provides an update: "At this time it appears that our customer has discontinued this activity."
I inquired further and they responded: "We understand the importance and the severity this issue has caused your business. At this time we have received an explanation from our customer which we believe is sufficient for us to consider this resolved. If this issue reoccurs, please let us know and we will immediately take action to cease this activity."
Had a call with their security team and we believe that this issue is now resolved. Here is Linode's summary of what happened:
- Their customer has a service or intended to scrape other websites. The customer just picked a random URL for the placeholder value, happened to pick scripted.com.
- The customer has since said that he will stop using the Scripted.com domain.
- If there are any other inquiries of this happening, please let me know Linode will stop this customer immediately.
- Linode doesn't believe the customer had malicious intent and just happened to randomly use scripted.com for the referring domain.
I'm going to continue to try to get more information about this customer as we continue to work with Linode. I'd encourage anyone to continue to send me info if you see any strange referring domains.
I'll be keeping you updated with any developments on this issue. Please let me know (eric@scripted.com) if you see more referrer spam come from the scripted.com domain and I'll make sure we resolve it. Comment below with any insights or questions on this issue!
