Semalt, Semalt, Go Away

Last month I started noticing a lot of referrals coming to this site from

I went to to see what that was about.

semalt home page

I wasn’t about to give them my email address without knowing anything about them. A little more digging around, and nobody seems to know exactly who they are or what they do. None of the 48895 webmasters who trust them seem to write about it. Instead, the broad consensus is that they’re Ukrainian spammers.

They don’t appear to be attempting to hack the site directly. It buggers the site statistics though, since you get a bunch of meaningless referrals, all of which result in bounces (hit the page then leave the site).

I also found out that you can’t block them by their IP because they seem to somehow co-opt IPs from all over the place.

There are a number of suggestions for using your .htaccess file to block them. I tried a few. Here’s what finally worked for me:

RewriteEngine On

#Block Spammers (We hope!)
RewriteCond %{HTTP_REFERER} [NC]
RewriteRule .* - [F,L]

Note, I had to insert this before the WordPress rewrite block. If you put it after the WordPress section, the WordPress redirect processes first and it never gets to the spam block rewrite.

So long, Semalt.

12/7/14 – PostScript: If you’re running behind a dynamic cache like Varnish, blocking referrers via .htaccess won’t work. More on this, and a possible work-around.

5 thoughts on “Semalt, Semalt, Go Away

  1. Hi Caspar,

    Had the exact same issue as you, I blogged a very similar fix here:

    Oddly enough, someone from Semalt contacted me within a few minutes of the post going live. They do actually have a database of sites that don’t want to be visited here.

    I added my site but they are blocked too so I never got to test if this works or not.

    IMHO the visits are all trying to advertise to you. At the end of the day what better way to advertise to webmasters than to show up in the logs of analytics.

    Nice idea, not when it’s your bandwidth they’re wasting with it!

    • Thanks Dale. You’re probably more charitable than I am. If someone is going to spam me on my bandwidth, I’m not going to give them the benefit of the doubt by going to their website to put my site in their database. I’m going to block them and be done with them.

      • Probably the best thing to do.

        Had a few run-ins with them on Twitter recently, they even reported me to Twitter for “Spam” Lmao!

        Overall a pretty unprofessional lot, best to block and stay well away!

    • Brad, thanks for a really useful article. You go into much more background than I had the patience to do here, and I learned a lot from it. I especially recommend it for anyone who wants to fix the way these spammers screw up your Google Analytics.

      That said, I do still recommend blocking these spammers at the .htaccess level. The extra hits on your server are simply dead weight. It’s not a problem if you’re only getting a few hits a day from them, but I’ve read of cases where they start ramping up to thousands of hits. If you’re using a CMS like WordPress, Joomla or Drupal every one of those hits has to be processed in some way by your scripts, and that could eat server resources you’d rather have going toward real customers or clients. If you’re uncomfortable messing with your .htaccess file yourself, it may be worth contacting someone who can make the (very simple) changes for you.

      Again, thanks for your thoughtful write-up.

Comments are closed.