Skip to main content

It can be very exciting to see a spike in traffic on your website; relief that you are finally doing something right. However, it is becoming increasingly more common to have spikes in traffic due to a fraudulent source known as bad bots.Recent findings by CIO Insight below illustrate how bad bots are on the rise.

Fake Websites traffic

Diagramming showing how fake bot

What are bots and how do you stop them from skewing your reporting? Read on. I’m going to help you understand.

What is a Bot?
A bot, short for robot, is a software application which has the primary mission of completing automated tasks online. These tasks are typically repetitive in nature, and are performed with more efficiency and speed than is possible by a human.

Good vs. Harmful Bots
Bots are used for beneficial purposes such as indexing internet sources and search engines. However, their uses have also gone over to the dark side. Harmful bots are designed for malicious purposes, such as spreading malware, collecting email addresses, committing click fraud and artificially inflating website traffic. Let’s take a look at the different types of bad bots you need to be aware of.

Spambots
Spambots are bots used to collect or “harvest” as many email addresses as possible so that they can be targeted for unsolicited commercial email (UCE). This is why more sophisticated Internet users tend to not link their email addresses the natural HTML way, but encrypt it in JavaScript, an image or text clues like johndoe at gmail dot com. Some bots even fill out forms and thwart CAPTCHA protections.

Other bots spam without even collecting email addresses. They attack the servers directly by going to to hundreds of thousands of websites each day, and sending HTTP requests with a fake referrer header. They design and distribute these fake headers in order to avoid being discovered as bots. The phony header typically displays the website that the spammer wishes to endorse, and which they want to get clicks or even links from in the case that server logs have been made public.

Smart Spambots
Some spambots are designed to send artificial traffic without even visiting a website. This happens when the bots produce HTTP requests from a Google Analytics tracking code. Your website ID is used as well. Not only can smart spambots send fake traffic to a website, they can also send fake referrers. Since the referrer website often looks like a legitimate one, you may think that the referring website is real, though it’s not. The GM Block Bots plugin filters out these types of bots with a 403 Forbidden message and prevents them from showing up in your Google Analytics.

Botnet
Botnet stands for a robot network, and it is a network of computers. The botnet is in communication with each other in order to perform tasks. It can be located locally, or it can be spread out across the globe. When a spambot accesses botnet, it can gain access to the whole network of IP-addresses and launch attacks including DDoS, Adware, Spyware, E-mail spam, click fraud, fast flux, and scareware. This further confuses website owners as fraudulent traffic can be coming from a wide range of IP addresses.

How to Detect Spam Sources
Start by going to your Referrals report located in your Google Analytics account and sort the report by the bounce rate in descending order. Then, locate any referrers with a 100% or 0% bounce rate, and who also have 10 or more sessions. If you suspect that a website is a spam referrer, try googling information about it. Once you have confirmed these bad bots, you may want block them from visiting your website. Of course, you could always just ignore them.

How to Protect a Website from Spambots
If you are finding spambots in your Google Analytics frequently, you can block them with .htaccess. While, it is the most effective method, any small .htaccess mistake can bring your site down, so do so with caution.

You can also hide spambots directly in Google Analytics, as is explained in this link. While it does hide traffic, without spending endless hours setting up filter, junk traffic is still logged.

Thirdly, if you’re a WordPress user, you can use the GM Block Bots plugin to defeat spambots. It’s compact, requires no set up, and has shown some pretty neat results.

Don’t lose hope. Spambots can be thwarted. While dealing with spambots can be frustrating, it’s important to stay on top of the threat. Doing so will give you a clearer view of how your website is performing.

This article was originally published in 15 September 2016. It was most recently updated in November 28, 2022 by

Leave a Reply