Is bot traffic the number-one cause your campaign is not bringing any profits?
Almost always, the answer is: no.
Does it eat a portion of your earnings, turning your highly profitable campaigns into just ok ones?
Very often, the answer is: yes.
Bots are like a virus. They don’t try to kill their hosts (your campaigns) but they feed on them instead. If bots ate all profits, no one would run any campaigns at all and the bots (or rather, people who run them) would be out of business.
There is no one magic solution to get rid of all bots. They will be here, along with advertisers they feed on. Every traffic source has some amount of bot traffic. We are all destined to participate in the ongoing arms race.
With this article, I want to give you proper tools for such a race.
Bot traffic in 2022
The most recent report indicates that bot traffic is a threat that grew by 25% since Q1 2021. More sophisticated fraud tech is available for a lower overall cost, which makes advertisers an easier target.
Bad bots more often than not introduce themselves as mobile users, following the overall shift in how people browse the Internet in 2022.
Can I fight bots on my own?
There are many things you can do to fight bot traffic on your own, without any special software, and I describe them below. This includes setting up bot traps, whitelisting good sources, blocking suspicious IPs, and so on.
Besides that, I also present you a Voluum solution dedicated to dealing with bots. It is called the Anti-Fraud Kit and was designed to work on many levels.
- Want to detect bot-like behavior? Voluum has metrics for that.
- Want to file a claim in your traffic source platform? Voluum has the most granular report that may help you with that.
- Want to block certain IP ranges or user agents? There is a simple UI for that in Voluum.
- Afraid that known and non-malicious bots may skew your stats? Voluum filters them out automatically.
There is so much you can do to fight back!
Who is this article aimed for?
Whenever I write ‘you’ in this article, I mean everyone who has problems with bot traffic or is unfamiliar with the topic but wants to learn more. This includes:
- Affiliate marketers
- Advertising agencies
- Marketing departments
The problem with bots affects these parties in different ways and to a different degree. Nevertheless, we will cover the topic of ad fraud in a way that will allow all of them to find something useful.
Part 1: Know Your Enemy
Let’s start with something simple, yet very important: understanding what bot traffic really is.
What is bot traffic?
As we have discussed extensively in our introductory article on bot traffic, bots are small programs or scripts designed to perform simple and repetitive tasks over the Internet.
They do tasks such as:
- Scanning websites
- Loading and refreshing web pages
- Clicking links
This doesn’t sound very omniscient at all. And in some cases, it isn’t. The important thing to remember is that not all bots are bad.
Let me repeat that.
Some bots cause no harm to you and blocking them may even cause problems for your campaigns.
Let’s talk some more about good and bad robots.
Good bots are used mainly by big search engines, such as Google (Googlebot), Microsoft (Bingbot) or Baidu (Baidu Spider), for web crawling purposes.
Such bots scan the content of a given website to let the search engine know what this site is about and how well it fits various search criteria.
Other good bot types include:
- Content aggregator bots that scan pages for interesting content that can be later displayed on an aggregator site
- Price comparison bots that compare prices of products on various retailers’ sites and report it to a price checking site
- Copyright check bots that look for copyrighted material and reports its use to copyright management organizations
- Website monitoring bots that check if a given website is up an running
- Bots that enable functioning of online transactions
If you are worried about your stats thinking that web crawlers would be counted as human visits, know that Voluum allows these bots into campaigns but excludes them from reports. This means that they are not counted towards your pricing plan’s event quota.
Good bots follow some standard rules, so if you still want to block them from your content, the only thing you need to do is to add the “no index” tag to your landing page.
Simple as that.
If only all bots would follow this simple instruction!
What is generally understood under the term ‘bots’ are those programs or scripts that have bad intentions.
You can look at the money you lose on ad fraud as a tax on the bad nature of humans. Good-natured humans don’t create malicious bots.
The fact that you are reading this article is a testimony of human nature.
Anyhow, malicious bots typically do some of the following things:
- Scrape website content
- Impersonate real humans
- Spam you or others with unwanted messages
- Click links and reload a web page
The bots you will encounter the most are the latter ones. The ones that attack publisher websites and artificially pump up the number of visits or impressions to make such pages look more attractive in the eyes of an advertiser.
The more bots go through a publisher’s website, the more an advertiser has to pay for traffic. Traffic that will bring no conversions and consequently, no revenue. But this is only one thing.
Let’s dive into all the ways bot traffic can harm you.
How Bots Eat up Your Money
In most cases, bot traffic traffic is not targeted at you. It’s nothing personal. Bots have goals they need to achieve and you, your campaigns, stats, and money you earn, are just collateral damage.
Their prime goal is to bring their creators some money. And there are two main ways, and following them, two types of ad fraud that try to achieve just that. I describe them briefly below, but if you want to learn more, check out the first part of our Digital Ad Fraud Guide.
This type of ad fraud consists of simple bots designed to artificially inflate visit or click numbers for some ads or websites.
It is estimated that over three quarters of bot traffic belongs to this category. This is good news in the sea of bad news, because such simple bots demonstrate certain behaviour patterns which makes them easy to identify. General fraud bots are easy to build and easy to catch. They use the following techniques to achieve their goals:
- Ad stacking – putting several ads on top of each other to make only the top ads visible but get view stats for all ads in the stack
- Bundling – putting several networks under one site ID
- Data centers – generating a lot of artificial traffic originating from servers in data centers.
- Simple bots – Pinging or activating links from one single IP
Nothing fancy here. You will learn how to defend yourself from such bots in the second part of this guide.
You don’t need to make a breakthrough in computer science to fly below a typical bot-detecting radar. You just need something more fancy than a bot consisting of five lines of code.
Sophisticated fraud is a minority problem in terms of the volume of traffic but can generate even more headaches for advertisers than general fraud.
This type of fraud mimics human behaviour to the point that it can generate fake conversions. It is very dangerous, especially for CPA campaigns. Because there is no real money behind these fake conversions, sending bot-infested traffic toward an offer will finally be discovered and can cause problems for you.
Affiliate networks don’t particularly care if you have sent such traffic intentionally or not, they just want to protect their offer owners. This means that your reputation in a given affiliate network may plummet, your account may be banned and your funds withheld.
There are several ways in which sophisticated bots can score conversions:
- Hijacked devices or botnets. These networks of devices can replicate standard behaviour patterns, including legit CTRs, various user agents, or even mouse movements.
- Click injection. This type of fraud hits mainly mobile devices and it works by using a low-effort app (for example, a flashlight app) that a user installs unaware that its sole purpose is to intercept credit for installation of another app.
- Malware. In this type of fraud, a user is tricked to install a malicious code on its web browser. From now on, this web browser will display ads regardless of the site a user is currently viewing.
- Click & bot farms. This is a whole enterprise that employs both bots and human workers to artificially pump-up their client’s conversion metrics.
Let me be brutally frank:
It is very hard to protect yourself from this type of bots.
Things that can help users fall under the standard rules of ‘digital hygiene’, such as using an antivirus software or not clicking suspicious ‘Download’ buttons. Operation on the biggest scale has to be fought by local law enforcement.
So, why exactly are bots dangerous?
Your optimization efforts are only as good as data you base your decisions on. If data is corrupted, flawed or tampered with, you won’t be able to do your job correctly.
You will cut down sources with real human traffic and bid on those that are artificially pumped.
You will ditch good landers in favor of those visited by bots.
You will blame your offers that don’t bring enough conversions with so many artificial visits to them.
Finally, you will pay for traffic but won’t get much profit.
How Many Bots Are There?
Ok, we’ve talked about various types of bots and ways they can influence your campaigns. Now it’s time to answer the question: how widespread is this type of fraud?
If you are asking yourself if you have already been a victim of ad fraud, the simple answer is: yes.
Its prevalence makes it almost impossible to avoid without taking some actions or using anti-fraud tools.
Do you think you were lucky enough to work with a good part only?
The only way is taking actions. More on that in the second part.
Part 2: Conquer Your Enemy
Once you have learnt about the size and type of bot threat, it is time to start fighting it. The typical procedure consists of three steps:
- Identify bots
- Block or reroute them
- Mitigate losses
Patterns of bot behaviour
Bots aren’t normal humans with purchase intent. However clever they may be, there are often some faint signals or hints that may give away the fact that there are machines behind this traffic.
The second part of our digital fraud guide lists all these signals in detail but let me tell you about the most important ones:
- Data center IPs. Bots or click farms need to have IP addresses. Very often they come from data centers – aggregations of servers that operate using assigned ranges of IP addresses. Some of these ranges are publicly available. You can analyze your traffic for clickers that originate from known data centers.
- Unknown referrers. A referrer is a page that a visitor comes from. Sometimes it cannot be identified but usually an unknown referrer constitutes only a marginal portion of the traffic. If you notice a spike in traffic from an unknown referral, this may mean it’s fake.
- Suspicious placements. Typical human visitors come from recognizable sites of known publishers. Bots tend to come from suspiciously-looking long-tail site names. Look into the reports to see if you can pinpoint the potentially untrustworthy placements.
- Uneven traffic. There are no miracles. Any legitimate spike in traffic is usually connected with something you have done: launched a new campaign or reworked the old one. People just don’t suddenly discover and fall in love with your campaign on their own. So if you notice any unusual traffic increase, it may be a sign of ad fraud.
- Low time spent on site. If you measure the time spent on your web page, you may detect a behaviour that occurs quicker than a reaction of a typical human. No real person clicks the CTA button in 0.1 of a second. If you detect such unreasonably high behavior, it may indicate bot activity, as bots are typically programmed to perform as fast as possible.
You can look for signals of suspicious activity in almost any tracking or analytical tool. By being thorough, you can limit the common types of ad fraud.
When it comes to sophisticated fraud, you can mitigate the risks of having your campaigns infested with bots by following some safety protocols in the first place.
- Vet ad networks. Legitimate ad networks hate bots as much as you do. Cooperating with bots is a short-legged crime. These ad networks that aim for good reputation and sustainable profits will take care of bots on their own. They will vet their publishers and remove those that show signs of bot activity. They will also compensate for money lost on bot clicks.
- Check potential partners. Look into each site your ads will be on. Be vigilant for high volumes of traffic coming from newly registered domains.
- Examine your traffic. Go over the list of domains your ads are associated with. Look for the ones you don’t want your ads to appear on. It may sound tedious but this process is vital for maintaining good health of your campaigns.
- Keep an eye on advanced metrics. There are several measurements that detect bot-like behaviour, even of the sophisticated kind. Chief among these metrics are time-to-convert, user retention or various traffic distribution metrics. Every program follows a set path that may be possible to spot using these metrics.
- Report each fraud. A bigger number of claims regarding the same site, placement or publisher makes your claim more valid. Don’t hesitate to report even potential fraud.
- Invest in third-party solutions. There are numerous platforms that are designed to detect bots using various techniques. Calculate if such a thing has financial merits in your case.
Strategies for fighting bot traffic
No matter which traffic source or tracking solution you use, there are some things you can actively do to push bots back.
1. Use IP/UA blocking
Most trackers have this feature. You can use it to block traffic coming from given:
- Ranges of IP addresses or single IPs
- User agents
You can analyze your reports to discover if a certain IP generates a lot of visits with no conversions. With user agents, many bots don’t emulate user agents well and they tend to be listed as an unknown or unrecognized device type.
Sometimes bots introduce themselves as really old devices or browser versions. For example, if you observe a lot of traffic coming from Windows Phone devices, you should be suspicious.
2. Set up bot traps
From the early days of Internet marketing people were trying to catch bots by putting invisible links on their websites that no humans could click. You wouldn’t be able to see such a link but it will remain present in the landing page’s HTML code.
The idea is that bots don’t consume content with their eyes (they don’t have any) but by scanning the code itself. And they tend to click the first thing they can.
Such links are often referred to as honeypot, as it attracts bots like honey attracts bees. Honeypot is the industry’s standard when it comes to fighting bot traffic.
Such honeypot links should drive bots outside your campaign funnel to any safe page. It is recommended to implement a simple click counter if possible. This way you will be able to measure how many times this link has been activated. You will not only protect your campaign from bot traffic but also measure the scale of bot threat on this particular landing page.
3. Create whitelists/blacklists
This is affiliate marketing basics but creating lists of proven (whitelist) or bad (blacklist) sources is a good practice when it comes to fighting bots.
Sources of proven profitability are bot-free.
Bad, unprofitable sources may be infested by bots.
By using both lists wisely and updating them regularly, you can be sure that you will work with human visitors only.
The problem may arise from the fact that many traffic sources does not support whitelist campaigns. This however can be overriden with the Voluum Automizer.
The newest addition to the Voluum’s basket of useful features is Automizer, a sophisticated task automation module. With it, you can create whitelists or blacklists automatically by creating rules that add placement names to the list if this placement matches the conditions set in the rule.
You can then use rules again to pause unprofitable placements that were on the blacklists or buy traffic only from profitable placements.
To put it shortly, you can use whitelists even if your traffic source doesn’t allow you to.
4. Set frequency filtering
An easy to implement solution is to use a frequency filtering feature that is present in most traffic sources. Frequency filtering allows you to limit the number of times a visitor sees your ad.
In most cases, 3 times per hour is enough. Anything above it is probably an automated script.
5. Refine your traffic targeting
Again, this is one of those things that you normally do during campaign optimization anyway. But this time, it’s a little bit different.
The point of this is to make sure that you actually get the traffic you target. For example, if you target one country, let’s say the US, and you notice in your tracker that you have some traffic coming from South Africa, this may mean that there is some malicious activity behind those visits.
6. Block sources that demonstrate unusual behaviour patterns
As we have said before, bot traffic behaves differently than normal human traffic. An experienced marketer will catch it straight away. Bot traffic can often be characterized by:
- High bounce rates
- Unusual peaks
- Sudden lack of performance
Locate sources of such uneven traffic and block the m in your traffic source.
7. Use automatic solutions
Many trackers or more advanced traffic sources off various kinds of traffic automation. Their prime focus is auto-optimization, however, optimization is a topic closely related to bot traffic.
Part of the optimization effort is removing bots.
These algorithm-based solutions can automatically stop sources that don’t bring you profit because of bots or other reasons.
Similarly, trackers or other platforms often have auto-rule features that launch set actions when conditions are met.
This way you can stop unprofitable sources even when you are away or receive an alert when a sudden influx of visits without a corresponding increase in conversions occurs.
8. Engagement time
If your tracking solution can measure various aspects of engagement, you can detect general bot traffic with ease.
Fast engagement such as low time to install or time on site below 300 ms usually screams ‘bot traffic’.
Voluum occupies a central position in the whole campaign funnel. Because of that, the team behind it is very aware of problems with bots its customers face. After all, bots also flow through Voluum.
That is why Voluum has the Anti-Fraud Kit. We have described this feature in one of our previous articles.
In short, this is not a one-button magic solution. On the contrary, it is a set of features built to address the whole ad fraud issue in its complexity.
No magic in its design, only brilliance in its comprehensiveness.
The prime method of identifying bots are Anti-Fraud metrics. These metrics measure both visits (activations of the campaign URL) and clicks (activations of the click URL on a landing page).
a. Data centers
This metric shows if traffic came from known data centers.
They are collections of servers that have their own batches of IPs assigned to them. Data centers are often used to generate bot traffic but that is not always the case. VPN providers also use data centers ro re-route their users.
If you expect a lot of traffic coming from VPN connections then this metric should not raise concerns. Otherwise it is a red flag.
This metric shows the reputation of a referrer. A referrer is a web page a visitor came from. Voluum accesses various anti-virus engines, website scanners or URL analysis tools to determine the overall reputation of a referrer.
Fake traffic often comes from bad referrers.
c. Fast clickers
This metric shows visits or clicks that happened below 800 ms. Rarely anyone clicks an ad faster than one second.
d. Frequent events
This metric shows if a single IP has generated more than 60 events per minute. This metric is rather a clear indicator of bot traffic.
e. Frequent campaign events
This metric shows if a single IP has generated more than 60 events per minute aimed at a single campaign which is beyond normal human interaction.
f. Unrecognized device
This shows if a device type hasn’t been recognized what often happens with bot visits.
g. Library robots
This shows if a visit has been recognized as a library robot.
Sometimes a visitor’s user agent can introduce itself as a robot. It doesn’t have to have bad intentions but it should be taken into consideration.
h. Unsupported OS version
This metric flags a click or visit if it came from an unsupported or deprecated operating system.
A visit that comes from an operating system that is old and long out of use is unlikely that there’s a real human behind this visit.
i. Unrecognized user agent
This metric flags a visit or click if a visitor’s user agent has not been recognized. This may indicate bot traffic.
2. Suspicious traffic
In Voluum, traffic flagged by at least one of the above metrics is considered to be ‘suspicious’.
Yet you have to remember that none of the above metrics is a definite indicator of fraudulent activity. Nonetheless, when used wisely and with a general understanding of what these metrics mean, they can help you identify sources of bad traffic.
Sometimes only one flag is enough. In other cases, raising several flags should tell you to investigate. It’s always a matter of probability.
3. Time to convert
All the Anti-Fraud Metrics listed above are connected with either visits or clicks. However, investigating conversions can also bring you important information on potential bot activity.
The logic is the same as behind the fast clickers metric. Time To Convert measures how long it took a user to perform a conversion.
Because conversions can vary in type and action required from the user, there is no one simple ‘human’ or ‘too fast for human’ distinction. You can configure the time-to-convert threshold that you consider to be too low or too high.
For example, if your conversion event requires a user to download an app or fill out a complex form, it is reasonable to assume it will require more than just a few seconds. Set the low time-to-convert threshold to be at least 30 seconds or more, depending on your intuition.
Contrary, simple SOI offers require little effort from a user, so a conversion shouldn’t take long. Set the low time-to-convert threshold to 15 second or other value that you deem probable.
Anything below this value can be of bot origin.
Voluum also provides you with mean time to convert, so an average time it takes a user to make a conversion. You can use it to adjust your low and high time-to-convert metrics.
4. Traffic log
Voluum records meticulously each event but it presents your data in a more convenient, aggregated and easy-to-analyze form. You can see the number of visits, clicks or conversions per campaign, country, device, placement, or per any other 30 + dimensions. However, you can only see the last 100 clicks or visits in Voluum.
In certain cases, usually related to making a claim to your traffic source platform, you need to make a more in-depth analysis. You need to investigate your traffic on the click-by-click basis.
This is where the Traffic log comes in handy.
Traffic log generates a downloadable CSV file that you can import to any spreadsheet editing software, such as Microsoft Excel. This file contains data on each click.
The bot trap that we have discussed previously is available in Voluum in the form of an easy-to-implement script. This script contains a link that is visible only for bots. Once this link is activated, Voluum records it to help you identify sources of bots.
Activations of the Honeypot link are visible in the separate column in Voluum.
Try or buy
You don’t have to take my word on the Anti-Fraud Kit. You can take this feature for a two-week test drive and decide for yourself how it is working for you.
Getting Rid of Bot Traffic with Voluum Anti-Fraud Kit
Now we’ve reached the meat of this article: how to make bad robots go away.
We’ve already covered this topic from A to Z in our step-by-step guide about eliminating bots. But the main points are listed below.
1. Identify traffic targeting options
First, you need to learn what you can do in your traffic source. There is no point in identifying a segment of traffic with a potential bot infestation that you cannot exclude.
Most traffic sources allow you to target per country, device, or OS. Those more advanced ones have more options that include versions of OS or carriers. Go to your traffic source platform and learn what options you have.
2. Identify sources of bot traffic in Voluum
Second, use all the metrics I have described so far to identify parts of traffic with the biggest numbers of bots.
You need to look for places that have the biggest share of suspicious traffic.
Dive into Voluum reports and try to identify carriers, IPs, user agents, ISPs, placements, or other parts of traffic that have a high percentage of:
- Suspicious traffic
- Invisible clicks from the Honeypot
- Low time to convert
Take a look at the following example with simulated data:
You can see that two phone brands, Nokia and Huawei have a high portion of suspicious traffic. And their number of clicks is dwarfed by Apple’s or Samsung’s. You can lose this traffic with no regrets.
That brings us to the third point.
3. Exclude a part of traffic
Go back to your traffic source platform and exclude the two phone brands from your targeting options.
From now on, you don’t have to pay for the traffic that brings no conversions anymore. Your stats are clean. Your reputation in an affiliate network is protected.
The poor person that was running these bots dies of sadness.
If your traffic source platform doesn’t give you the option to exclude a part of traffic you want (let’s say you cannot exclude specific brands), you can redirect this part of traffic outside your campaign funnel using Voluum’s rule-based paths.
Rule-based paths redirect traffic to different landers and offers if they meet set criteria. You can create one that directs traffic coming from Huawei and Nokia devices away from your main offer.
This will protect you from potential affiliate network’s accusations that you send them bad traffic.
4. Mitigate losses
If you still have some bot traffic, you can use traffic log to locate specific time periods or IPs that caused bot traffic. Such detailed analysis can support your claims to the traffic source.
5. Bot traffic prevention
Apart from following general rules about working with trusted networks only, you can also use our Automizer feature to limit potential losses caused by ad fraud.
Automizer gives you the option to create automatic rules for campaigns that use supported traffic sources. Create rules that react to sudden changes in traffic, like drops in profitability or unreasonably high CTRs.
You can create rules that stop this kind of traffic (a placement or a whole campaign) or at least send you a notification on your mobile, so you can sign in to Voluum and see what’s going on.
Another good practice is to create lists of good and bad placements (site IDs, widget names). Again, you can create rules that check if traffic is or is not included on your list and then pause it or create an alert.
Lastly, you can protect your landing page from bots by using various captcha-type solutions.
Employ automation features to fight bots
Voluum comes with built-in automation module called Automizer that allows users to synchronize costs across platforms and launch certain actions using the ‘if / then logic’. The time-saving feature can also work miracles for users that struggle with bot traffic.
We’ve already mentioned the option to use Automizer to create and use whitelists or blacklists, but Automizer can help you with so much more.
As we have mentioned it before, bot traffic usually manifests itself in some unusual traffic patterns. High visits rates combined with low CTR and / or even lower conversion rates is an immediate red light.
For more information about the Automizer I invite you to read our article on this topic. For 5 auto-rules examples, here’s this article. But the bare minimum that we would recommend setting for anyone interested in fighting bot traffic is the rule that we like to call ‘anomaly detector’.
Such a rule would send you an alert whenever there’s an unusual traffic spike that may indicate surge in bot traffic. For example, this rule can alert you when the number of visits is 50% higher that the number of visits from the last hour.
The ongoing struggle with bot traffic
The fight with bots will never be resolved, never won, may be lost, but only if you let your guard down.
Checking your traffic for bots and doing everything that was described in the part 2 of this article should not be a one-time thing. It should be a habit, similar to verifying profitability of ads or offers or testing new angles.
Bots are, and always will be, a part of affiliate life.
You can control the tempo of the bot spread, limit losses, reclaim money spent on bots, switch to new and yet undiscovered segments of traffic that may be free of ad fraud.
You can use Voluum to do all that, to fight a better war and keep fraudulent traffic at bay. Pro or newbie, everyone deserves to have Voluum at their side.