Blocking site?
-
Hi
My site is getting more and more visits from semalt.semalt.com crawler. Do you know what code I could use to block the site? And also in which section of the custom code will I need to place the code?
Thanks
-
Yes, semalt.com is a known domain used in a Referer stats phishing scam.
https://www.ads-software.com/support/topic/advise-1/page/2?replies=74#post-5129735
https://forum.ait-pro.com/forums/topic/security-log-issue/#post-15224
I guess you could also block the semalt.com Referer domain name by doing this…
https://www.ads-software.com/support/topic/advise-1?replies=74#post-5128748
Did this answer all of your questions? If so, please resolve this thread. If not, please post any additional questions you may have about this specific issue. Thank you.
Thanks for your reply.
I looked at the links you gave me, but I must say I’m rather lost about what to write. I don’t know anything about codes. So it’s probably a silly question but do I have to add the code exactly as it is to CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS: Modify Query String Exploit code here:
```apache
# BEGIN BPSQSE BPS QUERY STRING EXPLOITS
# The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
# Good sites such as W3C use it for their W3C-LinkChecker.
# Add or remove user agents temporarily or permanently from the first User Agent filter below.
# If you want a list of bad bots / User Agents to block then scroll to the end of this file.
RewriteCond %{HTTP_REFERER} ^.*(\.opendirviewer\.|users\.skynet\.be|dummy1\.com|dummy2\.com).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|python|nikto|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=https:// [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=https://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F,L]
# END BPSQSE BPS QUERY STRING EXPLOITS
```
or do I have to replace with or add semalt.com or semalt.semalt.com somewhere?
Also would I still need to add to Custom Code text box: CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE: Add miscellaneous code here:
```apache
# Block/Forbid dummies based on Referer
RewriteCond %{HTTP_REFERER} ^.*(dummy1.com|dummy2.com).*$ [NC]
RewriteRule ^(.*)$ - [F,L]
```
And same silly question do I replace dummy with semalt?
Thanks
I believe WP allows you to edit previous comments up to 1 hour so delete all the code you posted above. I don’t think it is relevant to the point. Will post an additional reply in a minute.
Back on topic. semalt.com is a known Referer phishing scam. The way this scam works is that in your “stats” application results you will see links to the semalt.com domain. The goal is to get you to click on those Referer stats phishing links. Yeah pathetic… I don’t think this particular scam manipulates folks in any other way that I am aware of.
@modlook – please delete the massive block of code above or tag it. Sorry and thanks.
…anyway maybe what I need to do is explain some basic things here that will put everything into perspective. To be honest I would have to say this form of manipulation falls under the general category of “spammer” due to the intended result, which is to get you to click on a stats link to the semalt.com domain. This is a really pathetic thing that does not really fit into any category other than “pathetic spammer” that I can think of. Maybe this would fit into “link troll” or other similar pathetic categories. So the links above have info on how to do something about this, but to be honest with you…this is just pathetic stuff…best ignored.
It has been a very effective spammer campaign though if you look at Alexa results: 2,553 world ranking. I guess that means that a lot of folks fall for this type of manipulation…
Is this issue/problem resolved? If so, please resolve this thread. If not, please post a status update. Thank you.
Sorry, I am trying to understand what I need to do. Are you saying that it’s better to just ignore it and do nothing? Thanks
The way this Referer phishing scam works is that by clicking on a Referer link in your stats you are visiting the semalt.com website. So if you never click on a semalt.com link then nothing would happen. I think the only goal is to get you to click on a semalt.com link. Whether you want to block this is entirely up to you. You can use the methods above or just ignore this scam. Totally up to you.
Thanks
Yep, no problem. This link says pretty much the same thing. And if you look around on the Internet there is nothing malicious going on. It is more of a nuisance thing.
https://en.forums.wordpress.com/topic/do-you-have-information-about-semalt-dot-com
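The posts above describe semalt.com appearing as a Referer in site stats. As an added example (not part of the thread and not BPS code), this Python script counts those hits in an access log by comparing the Referer host against the domain and its subdomains; the combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

BLOCKED_DOMAINS = {"semalt.com"}  # the Referer domain named in this thread

# Apache "combined" log format; the Referer is the first quoted field after the size.
COMBINED = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def referer_host(referer):
    """Lower-cased host of a Referer value, or '' when absent or unparsable."""
    if referer in ("", "-"):
        return ""
    if "//" not in referer.split("?", 1)[0]:  # client-supplied: scheme may be missing
        referer = "//" + referer
    try:
        return (urlsplit(referer).hostname or "").rstrip(".")
    except ValueError:
        return ""

def is_blocked(host):
    """True for a blocked domain or any subdomain of it (semalt.semalt.com)."""
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)

def spam_referers(lines):
    """Count hits per blocked Referer host in combined-format log lines."""
    hits = Counter()
    for line in lines:
        m = COMBINED.match(line.strip())
        host = referer_host(m.group("referer")) if m else ""
        if is_blocked(host):
            hits[host] += 1
    return hits

# Constructed sample lines (documentation IP ranges, made-up paths and times).
_P = '- - [12/May/2014:10:01:22 +0000] "GET / HTTP/1.1" 200 5120'
SAMPLE_LOG = [
    f'203.0.113.7 {_P} "http://semalt.semalt.com/page?u=http://example.org" "Mozilla/5.0"',
    f'203.0.113.9 {_P} "http://semalt.com/" "Mozilla/5.0"',
    f'203.0.113.7 {_P} "http://SEMALT.semalt.com/" "Mozilla/5.0"',
    f'198.51.100.4 {_P} "https://www.example.org/search?q=semalt.com" "Mozilla/5.0"',
    f'192.0.2.55 {_P} "http://notsemalt.com/" "Mozilla/5.0"',
    f'198.51.100.8 {_P} "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, count in spam_referers(SAMPLE_LOG).most_common():
        print(f"{count:5d}  {host}")
```

Matching on the parsed host leaves the `www.example.org` and `notsemalt.com` lines alone, which a plain substring test for `semalt.com` on the whole header would also count.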
- The topic ‘Blocking site?’ is closed to new replies.