I want to stop invalid referral traffic to my site coming from a malicious subdomain

Hi all, since yesterday I have been continuously receiving bot traffic from a subdomain of a malicious site. The subdomain is news.grets.store; the country shows as Poland and the city as Warsaw in Google Analytics 4. Can anyone please guide me in creating a powerful WAF rule to block invalid traffic from the aforementioned malicious subdomain? I tried myself but the traffic is not stopping. Any help will be appreciated.

1 Like

What is it that you tried?

And how exactly do you know where this traffic is coming from?

I tried WAF rules to stop the referral traffic, and I know this site because it is showing in Google Analytics 4.

That’s pretty much your only option to block that, but you didn’t describe your rule configuration(s).

Yeah, here it is.

It certainly appears that those requests aren’t including the referrer. Which makes me suspect that Google is figuring it out some other way. If that’s the case, then there’s no way to block those, unless you can find some other common element. You mentioned Poland, so if most of the unwanted requests are coming from Poland, that may be an option.

1 Like

I have also applied the rule below to block traffic from Poland, but the traffic is not stopping either.
Here is the rule screenshot.

The current redirect target of news.grets.store for me is to a site that’s not using Cloudflare’s nameservers. I guess it could be changing the target over time or requests, but can you give your domain? Are your DNS records proxied?

2 Likes

My domain is on Cloudflare and the DNS records are proxied.

Any solution?

Not found anything yet.

I have the same thing across a couple of sites. I haven’t had success stopping it, but this is what I have found so far:

The traffic is not hitting the website directly. So Cloudflare WAF rules/blocking and web server filtering won’t work. I found this out by looking at a low-traffic site: I saw hits in Google Analytics Realtime and had 0 traffic in the web server access logs at the corresponding times.

It appears to be some kind of “Referral Spam” going directly into my GA4 tags.

I just tried this: https://support.google.com/analytics/answer/10327750?hl=en … but I still see the traffic. Going to let it be for a bit - maybe there’s a delay in ignoring this unwanted referral?

I sent a help request to Google Analytics, but I assume that will go unanswered, sadly.

Interested if anyone else finds a way to clean this up.

1 Like
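The check described in the post above (hits in GA Realtime with no matching lines in the web server access log) can be scripted. This is an added example, not code from any poster in this thread; it assumes the nginx/Apache "combined" log format, and the function names, log lines and timestamps are constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

SPAM_HOST = "news.grets.store"  # referrer reported in this thread
# CIDRs quoted later in the thread; strict=False because their host bits are set.
SPAM_NETS = [ipaddress.ip_network(c, strict=False)
             for c in ("77.222.40.224/24", "45.140.19.173/24")]
# Assumed log format: ip - user [time] "request" status bytes "referer" "agent"
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ '
                  r'"(?P<ref>[^"]*)" "[^"]*"')

def referrer_matches(ref, host=SPAM_HOST):
    """True if the Referer's hostname is `host` or a subdomain of it."""
    name = (urlsplit(ref).hostname or "").lower()
    return name == host or name.endswith("." + host)

def origin_hits(lines, ga_times, window=timedelta(minutes=2)):
    """Log entries within `window` of a GA hit that match the spam referrer or networks."""
    found = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if not any(abs(ts - t) <= window for t in ga_times):
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # hostname or garbage in the client field
        by_ref = referrer_matches(m["ref"])
        if by_ref or any(ip in net for net in SPAM_NETS):
            found.append((m["ip"], m["ts"], "referer" if by_ref else "network"))
    return found

# Constructed sample data: one GA Realtime hit time and four access-log lines.
GA_TIMES = [datetime(2024, 3, 12, 10, 0, tzinfo=timezone.utc)]
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Mar/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "https://www.google.com/" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2024:10:00:30 +0000] "GET / HTTP/1.1" 200 512 "https://news.grets.store/" "Mozilla/5.0"',
    '77.222.40.15 - - [12/Mar/2024:10:01:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2024:14:00:00 +0000] "GET / HTTP/1.1" 200 512 "https://news.grets.store/" "Mozilla/5.0"',
]
if __name__ == "__main__":
    print(origin_hits(SAMPLE_LOG, GA_TIMES))
```

An empty result for the times GA reports the referral is the situation the post describes: the hits never reached the server, so WAF rules cannot see them. Behind Cloudflare the origin log records Cloudflare's addresses unless the server is configured to log the visitor IP, so the network match is only meaningful in that case.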

Okay, I think this is some kind of loophole in Google Analytics. Thank you for providing that info @tim96. I’m also waiting for a proper solution to clean up this messed-up spam data.

It’s been almost 4 days and Google hasn’t done anything about it :S

Filtering it out as a referral won’t help that much, it seems.

You can define the IP of this referrer as internal traffic to filter that out: just exclude their IPs in the tag settings under “Internal Traffic” (77.222.40.224/24 and 45.140.19.173/24) and see how it goes. After 1 hour it should stop.

I’m having the same issue. Very frustrating.

Same issue for me…if you know how to block them…I tried everything already.

As of now this seems to be going on and on, filling analytics with garbage data :unamused:

Finally resolved this on a few of our sites. It was super confusing until digging into it a bit more.

It seems this is a case of “Referral Spam” as the traffic was never hitting the server directly (or Cloudflare). This article has a great graphic that explains it better than I can: https://www.searchenginejournal.com/how-to-filter-referral-spam-google-analytics/388480/.

A lot of the guides for filtering out Referral Spam are outdated. This is how I set it up via Google Analytics:

  1. In your GA dashboard, click Admin (bottom left in my view - with the Gear icon)
  2. Go to Data Streams (in the Data collection and modification section)
  3. Click your site
  4. At the bottom, under ‘Google Tag’, click Configure Tag Settings
  5. At the bottom, click “Show More”
  6. Click “List Unwanted Referrals”
  7. Click Add Condition and enter news.grets . store (without spaces)
  8. Click save

NOTE - this change will not be immediate. For me, it took about 2 days.

There’s going to be a delay for when this takes effect in your property. This is due to GA’s session expiration for a known User/Session/Referrer that has already hit your GA property.

Since there’s already bs traffic from this Grets thing in my reports, I just apply a filter in any view to show me results where “Referrer does not contain news.grets . store” (without spaces).

I can certainly give an example of how to apply a filter, but I figured the more pressing thing was putting in the setting to ignore referral spam from this host.

I hope this helps someone else.

3 Likes

This method is not working in my case; the traffic keeps on coming.