Over the past couple of days, we have seen an uplift in bot traffic across a number of our clients, so when we saw Marie Haynes tweeted about this
it was a great heads up, meaning what we spotted it in our own accounts was a wider issue than just one or two of our clients. Weāve investigated and it is referral spam but coming from a range of browser types and countries.
Bot traffic from spammers can be frustrating when it is polluting KPIs, so hereās how we dealt with it:
If you want to become data driven or data informed you will first need to be able to trust your data. With the way GA universal analytics works spamming is a feature rather than a bug, be aware of this so you can take measures. Arnout Hellemans (Analytics Consultant)
What is Google Analytics Spam?
It is relatively simple to insert fake data into Google Analytics. All you need is to push fake headers into the pages dom, and using this you can push fake messages into their analytics. This will also mess up site wide numbers such as bounce rate and conversion rate. This isnāt a new thing – itās been around for a long time, hitting a high in 2014, but on a positive note it has been dropping since 2016.

“One of the big security and data integrity problems with Google Analytics (and with most JavaScript powered tracking solutions) is that people can easily insert any data they want, into any account they can find, without any special permissions, at scale. By their very nature, these systems are open APIs, designed to receive large volumes of varied, unauthenticated hits from myriad devices, locations, and systems. Oh, and once the spam’s in, it can be hard to detect and remove – that’s even assuming that you know to go looking for it.. Frankly, we’re all lucky that there’s not more widespread data abuse; there’s very little you can do to protect yourself from this kind of thing” Jono Alderson –
How do I find Spam in my Google Analytics account?
If you are reviewing your analytics data regularly, you will probably spot it either in referrals from odd places or unusual very high bounce rate traffic sources.
- Look at overall website traffic for unusual spikes
- Compare these spikes to the previous period to see which traffic sources have seen the greatest uplift
- Look out for traffic sources similar to these examples
- Filter them out at view level


The solution is quick to implement, but it will take some time to review all of your clientsā accounts to identify which ones have been hit by it.
Sadly itās not always that easy. The problem is that this can reoccur with a different referral – the most infamous of this was āsemaltā which infected hundreds of accounts over a longer period. Interestingly it turns out that they had built a bot network by hijacking bots across the world – https://www.imperva.com/blog/semalt-botnet-spam/
This largely feels similar, which means we canāt just block a single IP address and we canāt just block one referrer. This, sadly, is something that Google ultimately needs to be able to fix. They need to make sure they can identify this at scale and clean up users accounts.
āItās absolutely vital that you have accurate figures when you are reporting on traffic and conversions to your board each month. Bot traffic can skew these figures and have you thinking that your content and core pages are now picking up more traffic than they actually are, in turn conversion rates will be down and itāll lead to confusion all round. Itās important to be able to identify and anomalies in traffic caused by bots early on so you can account for them in your reportingā
Luke Cope Head of Digital Strategy at Rise at Seven
Long term solutions
We canāt simply say this is someone else’s problem so our recommendations are:
- Create an unfiltered account, not to use for reporting but to make sure you get the complete picture if there are any filter issues
- On your main profile, enable the bot filtering at a view level in your Google Analytics accounts (this will help clean up some)
- Clean common bots like the one mentioned above
- Block countries that you definitely donāt want/get traffic from such as Russia and China with view level filter
- Create an additional filter that ONLY includes targeted countries (such as the UK or UK Plus US)
- Filter to only include the hostname(s) your analytics is installed on
We are still working on ideas for our clients, but some things we are keen to investigate further include this idea of using recaptcha information –
Of course, if you need help auditing your analytics account, reach out to us.We might be able to fit you in!