by fiatjaf 3410 days ago
I'm developing a simple web analytics also (it's strange to see Mirrorshades here since I started developing something like it some weeks ago) and I want to know about referral spam: Mirrorshades per se doesn't have any better spam filtering than Google Analytics, right? The gain from switching to it is just because spammers still don't know how to spam Mirrorshades, or am I wrong?

Spammers are already doing what they do. I have rudimentary measures in place, but additional data will enable a more sophisticated response. I use the service myself and find spam to be crazy-making. So... ;)
How are they doing what they do? How could a spammer get to know the Mirrorshades protocol to send a false referrer report (which is not the Referer header) in an AJAX request?
At least some of them appear to use a more general-purpose method than that. They actually load pages and execute scripts with document.referrer and the Referer header faked-up. Though it's presumably more resource-intensive, it has the benefit of working for a wide variety of analytics setups, both hosted and server-side.
Oh, right, they just got document.referrer, I had forgotten about that.

What if the analytics server actually parsed the referring page to see if there's a real link there and only confirmed the referrer after that? Isn't there a third party service that checks these things?
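
The check proposed in the last comment, sketched as an added example that is not part of the thread or of Mirrorshades: parse the referring page and confirm the referrer only if it links to the tracked site. The function names, the `shop.example` host and the sample pages are constructed for illustration, and the page body is passed in rather than fetched so the example runs offline.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample pages (not real sites).
REAL_PAGE = '<p>See <a href="https://shop.example/item?id=3">this shop</a></p>'
SPAM_PAGE = '<h1>Buy traffic</h1><a href="/pricing">Pricing</a>'

class LinkHosts(HTMLParser):
    """Collect the hostnames that <a href> targets on the page resolve to."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if not href:
            return
        try:
            host = urlsplit(urljoin(self.base_url, href)).hostname
        except ValueError:
            return  # malformed href, ignore it
        if host:
            self.hosts.add(host.lower())

def is_fetchable(referrer_url):
    """The reported referrer is untrusted input; fetching it blindly is an SSRF risk."""
    try:
        parts = urlsplit(referrer_url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        return ipaddress.ip_address(parts.hostname).is_global
    except ValueError:
        return True  # DNS name: apply the same address check to what it resolves to

def referrer_links_to(referrer_url, referrer_html, site_host):
    """Confirm a referrer only if its page contains a link to site_host."""
    if not is_fetchable(referrer_url):
        return False
    collector = LinkHosts(referrer_url)
    collector.feed(referrer_html)
    return site_host.lower() in collector.hosts
```

The check only shows that a link exists on the referring page; it says nothing about whether that page is legitimate.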