Over the past couple of days, we have seen an uplift in bot traffic across a number of our clients. So when we saw Marie Haynes tweeted about this, it was a great heads up, meaning what we spotted it in our own accounts was a wider issue than just one or two of our clients. We’ve investigated and it is referral spam but coming from a range of browser types and countries.

Bot traffic from spammers can be frustrating when it is polluting KPIs, so here’s how we dealt with it:

What is Google Analytics Spam?

It is relatively simple to insert fake data into Google Analytics. All you need is to push fake headers into the pages dom, and using this you can push fake messages into their analytics. This will also mess up site wide numbers such as bounce rate and conversion rate. This isn’t a new thing - it’s been around for a long time, hitting a high in 2014, but on a positive note it has been dropping since 2016.

How do I find Spam in my Google Analytics account?

If you are reviewing your analytics data regularly, you will probably spot it either in referrals from odd places or unusual very high bounce rate traffic sources.

  • Look at overall website traffic for unusual spikes
  • Compare these spikes to the previous period to see which traffic sources have seen the greatest uplift
  • Look out for traffic sources similar to these examples
  • Filter them out at view level

The solution is quick to implement, but it will take some time to review all of your clients’ accounts to identify which ones have been hit by it.

Sadly it’s not always that easy. The problem is that this can reoccur with a different referral - the most infamous of this was ‘semalt’ which infected hundreds of accounts over a longer period. Interestingly it turns out that they had built a bot network by hijacking bots across the world - https://www.imperva.com/blog/semalt-botnet-spam/

This largely feels similar, which means we can’t just block a single IP address and we can’t just block one referrer. This, sadly, is something that Google ultimately needs to be able to fix. They need to make sure they can identify this at scale and clean up users accounts.

Long term solutions

We can’t simply say this is someone else's problem so our recommendations are:

  • Create an unfiltered account, not to use for reporting but to make sure you get the complete picture if there are any filter issues
  • On your main profile, enable the bot filtering at a view level in your Google Analytics accounts (this will help clean up some)
  • Clean common bots like the one mentioned above
  • Block countries that you definitely don’t want/get traffic from such as Russia and China with view level filter
  • Create an additional filter that ONLY includes targeted countries (such as the UK or UK Plus US)
  • Filter to only include the hostname(s) your analytics is installed on

We are still working on ideas for our clients, but some things we are keen to investigate further include this idea of using recaptcha information -

Of course, if you need help auditing your analytics account, reach out to us.We might be able to fit you in!