|Huge increase in direct traffic only from North America and on Windows Desktop machines, any ideas?||Ben Escape||7/21/14 9:02 AM|
I've seen a sudden and drastic increase in Direct Traffic over the last 2 weeks, all of it originating from North America (though spread between cities much as we would expect - just with higher numbers), all of it from Desktop - Windows machines and almost all of it, through IE7.
And well, it's ruining my data and causing me sleepless nights, in two weeks new users from North America are up 1800% and sessions up 1200%, bounce rate for the region is up to 98%, sessions from individual cities are up between 50% and 2000% (new users on IE7 in the region are up 15,875% and the average session time is down to 1 second, that can't be right!).
Any ideas as to what might be causing this? There's no crossover with any marketing activity and even if there was this is data out of the ordinary and non campaign linked. I'm worried this is something untoward, if so, how can I track it down?
Cheers - Ben
|Re: Huge increase in direct traffic only from North America and on Windows Desktop machines, any ideas?||John Wedderburn||7/22/14 12:30 AM|
Hi Ben - Try not to lose sleep, we'll try and fix this!
Firstly - can you get any information about where these visits come from? I'd recommend looking at the audience>technology>network report, you may be able to isolate the visits to one or a few networks.
You can also use the report described here to see if it is bot traffic: http://www.lunametrics.com/blog/2013/09/05/filter-bots-google-analytics/#sr=g&m=o&cp=or&ct=-tmc&st=(opu%20qspwjefe)&ts=1404907763
This blog post also has some nice suggestions: http://davebuesing.com/google-analytics-spam-traffic-bots/
As most of the traffic is from IE7 you can set up an advanced segment which just shows you IE7 traffic and then use the reports from this to help you identify where, or what the traffic is.
Once you can isolate the traffic, then you can create a filter to remove it - the more accurate the better. e.g. Exclude North America would work, but only if the North American visits are not important to you!
|Re: Huge increase in direct traffic only from North America and on Windows Desktop machines, any ideas?||Ben Escape||7/22/14 2:17 AM|
thanks for the reply, I already ran the network report, didn't notice anything there that seemed Network specific - the same pattern of huge percentage increases for sessions, new users and bounce rate, coupled with a drastic drop in page time, just spread over many network providers in the US (comcast/verison/time warner etc).
According to that Lunametrics link as well it doesn't seem to be bot traffic - the focus on IE 7 rather than Mozilla compatible agent seems to preclude that, as well as the fact that this isn't a spike in data, it's a sudden increase that only seems to be getting bigger (though with an extremely noticeable decrease this weekend just gone, only 1 session from IE7 within North America on both Saturday and Sunday...). I've had a read through the Dave Buesing post as well, thanks for that, seemed promising until I realised it was again focused on isolating specific networks or cities, I mean, it does look like the site is being bot spammed, but well, it's not really like anything I'm seeing in these examples unfortunately
Oh, and definitely can't exclude North America as well from the results as it's our second largest market segment! :(
Thanks for your help though - Ben
|Re: Huge increase in direct traffic only from North America and on Windows Desktop machines, any ideas?||Rob Rawson||7/22/14 5:12 AM|
We're getting the exact same problem and have read other reports on the web. Massive increase in traffic from IE7 from around the 7th / 8th of July till now. Super-high bounce rate to our home page only. Multiple IP addresses. The only think I can think of is some kind of bot net that was established from an IE7 vulnerability and is generating traffic to multiple random sites.
|Ben Escape||7/22/14 5:52 AM|
Hi Rob, that sounds exactly like our issue, glad to hear we aren't alone here! But, not glad that this seems to be a real and tangible issue ... :(
|John Wedderburn||7/22/14 9:41 AM|
Does not help so much, but here's some other people reporting the same:
|Farhan Fawzer||7/23/14 12:33 AM|
We are too having the same issue and have been looking for solutions.
What I did so far is,
Filtered the traffic from the browser IE7 & IE8 (where most of this fake traffic is coming from), from the main reporting view to keep the reports clean.
Then I created a new view called (IE Traffic) to monitor the large volume of direct traffic.
|John Wedderburn||7/23/14 1:46 AM|
Just to add to Farhan's suggestion - how big a % of your traffic is IE7? If it's not such a high volume then filtering it away should not hurt too much.
|Ben Escape||7/23/14 6:44 AM|
Hi John & Farhan, thanks we've just put the filter in place now, this IE spurt was making up nearly 50% of all traffic...!
I'm definitely keen to find out what's going on, next stage will be some serious IP investigation here at least
Cheers - Ben
|Kyna Taylor||7/23/14 10:04 AM|
Hi Ben and John and everyone,
I am having this exact same issue. Exactly. I can put the filter in to exclude the IE7 traffic, but we do get IE7 traffic that is legitimate ...
Is there a way to report this vulnerability to Microsoft?? I'm pretty new to these kinds of things. Do we just have to sit and wait?
|Stephen Oliver||7/24/14 6:42 AM|
Yeah too many cases have been reported with this error - http://www.seroundtable.com/direct-traffic-ie7-analytics-18897.html
|Ben Escape||7/24/14 7:20 AM|
One interesting thing I'd be intrigued to know if anyone else experienced was the total drop off in these visits over the weekend of the 19th/20th of this month? For both the saturday and sunday we recorded none of these
visits, anyone else notice the same thing?
|ChristopherMills||7/24/14 8:08 AM|
We've had the traffic increase across two client websites since July 6th growing increasingly each day. We also saw a complete dropped offlast Sat/Sun (19th/20th). Most traffic is IE 7, Windows 7 coming from NA with bounce rates 99-100. This is it segmented out:
|Dawit||7/24/14 3:37 PM|
I've seen this drastic increase in direct traffic dating back to May 2013 and I posted about it back then but got no responses. The stats I'm seeing are a bit different from others. There are two main user agents hitting my site (specifically the /topics/ directory), they are: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
Starting on May 15, 2013 i noticed huge increases in ivisits from IE 9 and IE 10. The main networks that stand out in GA are:
amazon technologies inc.
These were the common host names I saw requesting those pages while going through the server logs:
AMAZON-2011L, Ashburn, VA, United States - Amazon AES IAD
AMAZON-EC2-USEAST-10, Ashburn, VA, United States - Amazon AES IAD
AMAZON-EC2-8, Ashburn, VA, United States - Amazon AES IAD
i'm aware that AWS EC2 is used a lot for scraping. It all seems like botnet traffic but i haven't been able to confirm. I saw you all having this problem recently and thought i'd chime in. However, the traffic has been on a decline in the past couple of months but its still far above normal. Let me know if anyone else has noticed similar things.
|Scott Seward||7/24/14 8:57 PM|
Yeah, seeing a similar issue.
|Stephen Oliver||7/25/14 3:25 AM|
Is there any method to restrict these visits?
|John Wedderburn||7/25/14 5:25 AM|
Hi Stephen - use the filter Farhan describes further up this thread, as one solution. Though this will impact your data collection, particularly if IE7 is a significant source of sessions.
|Stephen Oliver||7/25/14 5:51 AM|
Hi John, Filter is not a good option, as my site receives genuine IE7 traffic.
Is there any way where I can be able to block traffic of IE7 browser from USA?
Preferably through .htaccess OR Analytics
|Vosko||7/25/14 9:32 AM|
i am going to create a profile that filters out IE7 traffic
i am doing:
what should the filter pattern be? just "IE7" or something else?
|Vosko||7/25/14 11:05 AM|
i am creating a profile that filters out IE7 traffic but am not sure what the 'filter pattern" should be. do i just put in IE7 or is there some other equation i need to do
i am doing
Filter field = browser version
Filter pattern = IE7
but i suspect my filter pattern should be written a different way but can't find an article that tells me
can you help?
|Vosko||7/25/14 11:09 AM|
can you also help me create a view that shows ONLY ie7 traffic. i assume if i do a filter to include ie7 it will still include all other stuff. can't figure out how to have it only inclued ie7
we don't have a webmaster so i am having to figure this out on my own:) and can't find specific help in google support area
|Stephen Oliver||7/25/14 10:28 PM|
Vosko, you can use this advance segment to filter out IE7 based USA traffic.
|sanity check||7/27/14 5:34 AM|
@Ben Escape: Yes, I've seen the same thing. For me, the surge started Saturday, the 12th of July, with a sudden dip between the 18th and the 20th. Since then, the surge continues onward and upward each day. Overwhelmingly IE7 traffic, which stays on site for one second. There is no referer. Definitely bot-like behavior.
|Farhan Fawzer||7/27/14 11:09 AM|
Use the below. It won't conflict with other browsers as their versions are completely different to IE.
Filter field = browser versionFilter pattern = 7.0
& If necessary
Filter field = browser versionFilter pattern = 8.0
|Nicky Yuen||7/27/14 3:33 PM|
Looks like this is the work of a botnet!
Hope this helps.
This email, including any attachments, is for the sole use of the intended recipient and may contain confidential information. If you are not the intended recipient, please immediately notify us by reply email or by telephone, delete this email and destroy any copies. Thank you
|Martin Reiterer||7/28/14 9:30 AM|
aren't you filtering out Safari 7.0 traffic as well by excluding browser versions 7.0.
I created a Custom Filter with a Custom Field which combines Browser and Browser Version.
|(unknown)||7/28/14 11:37 AM||<This message has been deleted.>|
|Mary Lynn Gilbert||7/28/14 11:42 AM|
Yes, Ben Escape, we see the same striking drop off during July 19 & 20.
|Vosko||7/28/14 1:14 PM|
thanks, Stephen. i am not familiar with advanced segments so not sure why better than just adding another filter.
can you tell me why you chose to create a segment versus another filter to help me learn?
|Vosko||7/29/14 12:07 PM|
is there a delay for this to take affect? if not it doesn't seem to be working. the traffic for my profile/view that includes ie7 (my original view) and the one i added your advanced segment to are exactly the same for yesterday. they both record 1378 sessions.
|Vosko||7/29/14 12:15 PM|
Thanks Farhan, someone else suggested i use an advanced segment but it doesn't seem to be working so i am going to try my original thought using a filter.
also our CEO wanted me to look into this method:
|Tracy-72||7/30/14 6:01 AM|
Dawit, I'm having a slightly similar issue to yours.
There's been a spike in direct traffic for three of my clients beginning around May 29. All three have seen dramatic increases coming from Ashburn, Virginia.
The browser in these cases is Chrome 21.0.1180.83.
Bounce rate is 0%, yet average session is 11-12 seconds for all three clients.
Here's the interesting piece: This is only happening to client sites that are using the same hosting company. They are all using VPS hosting.
My next step is to contact the hosting company and see if we can find a common thread between the three different client sites and possibly block this particular traffic.
|Stephen Oliver||7/30/14 6:21 AM|
|Ben Escape||7/30/14 6:25 AM|
Brilliant - thank you Stephen, great to have some clarity on this!
|Stephen Oliver||7/30/14 6:29 AM|
Ben, Glad I could help.
|ChristopherMills||7/30/14 6:39 AM|
Good spot mate! I'd already put a ticket in with them but didn't hear anything back. Excellent news
|Tracy-72||7/30/14 8:00 AM|
We've had a slightly different experience, and it's with Chrome 21.0.1180.83:
There's been a spike in direct traffic for three client sites beginning around May 29.
I don't know if this link was already included in this thread, but the post and the comments to it were helpful. http://davebuesing.com/google-analytics-spam-traffic-bots/
|Vosko||10/13/14 11:27 AM|
Just fyi, this advanced segment isn't working. i still see all the bogus hits. i ended up just filtering on 7.0 browsers and that is showing more realistic numbers
but still my unfiltered site still getting over 10,000 bogus "hits" a month
|Stephen Oliver||10/13/14 11:01 PM|
Can you try with this newly created segment - https://www.google.com/analytics/web/template?uid=SCXHcVokQaSsej3As5pXYw (It will exclude most fake visits)
I hope it should work for you.
Do let me know if it helps you.
|James_FS||10/22/14 2:45 AM|
I have been seeing these bogus/fake visits for about 4 months now. The IE7 visits have increased again to around 1k per day over the past week or so. I appreciate your comments about the segment but surely that is just masking the problem and it would be great to identify an actual fix for this.
Here are the stats from IE7 traffic yesterday:
Bounce rate: 98.09%
Avg Time on Site: 00:00:07
% New Visits: 95.36%
Any help on this matter would be appreciated.
|ChelleMos||10/22/14 11:28 AM|
We are seeing a huge surge in IE11 traffic to our homepage now. It started with IE7. We tried removing the Adroll code, and the hits did not let up. We asked our host and they said our site was not under attack. Google analytics read we have a 80%+ bounce rate from our homepage. I am thinking that can not be good for our site ranking. Is there anyone out there that can help? Thank you. ~ Michelle
|Vosko||10/28/14 12:26 PM|
thanks, i have added to one of my profiles. hoping it is just a matter of clicking on link, picking a profile and saving.
We are also now seeing a surge from IE8 that we suspect is another bot as time on site is so short and the spikes unexplainable.
we are thinking maybe we need a segment that filters out people on site less than a certain amount of time to catch these bad visits
what do you think?
we checked the new box to exclude known bots on all our profiles but not sure how effective that is .
|(unknown)||10/28/14 12:30 PM||<This message has been deleted.>|
|Vosko||10/28/14 12:31 PM|
We are stuck in this same cycle. lots of bogus hits with high bounce rates and no way to stop it or filter them out
|James_FS||10/29/14 1:34 AM|
I tried excluding bots and spiders (in Analytics) but this had no effect on the invalid traffic we are receiving from IE7/US visitors.
|Vosko||11/4/14 10:53 AM|
we are now seeing surges in traffic from IE 8 and it started oct 7th . anyone else?
i don't want to filter out all IE8 like we did for IE7 as too many people still using IE8
is there a way to build a segment that filters out IE8 and IE7 traffic that hits site for less than a certain number of seconds so we only filter out the obvious bot traffic?
if so is there someone out there that can show me step by step how to build or can build for me and explain? if so what is your rate ($) to do this for me?
thanks a bunch,
|Vosko||11/6/14 12:55 PM|
|Vosko||11/6/14 12:57 PM|
|Vosko||11/6/14 12:59 PM|
even with the new advanced segment our sessions are still sky high
so don't think it is working.
i clicked on link you sent, chose a profile and selected.
|Vosko||11/7/14 2:14 PM|
Our problem is now with IE 8 traffic surging. and we still have a 2.5% bounce rate which is ridiculously low so the bot is staying long enough and hitting sub pages to not affect bounce rate.
any help out there? tried advanced segment on the ie 7 issue but didn't work. maybe an advanced filter that filters out visits of less than 10 seconds or something?
|EliseAIM||11/9/14 6:07 PM|
I am having the same problem. Huge spikes from Direct Traffic on both 15th of Sept and 15th October?
|Vosko||11/13/14 12:18 PM|
we are now seeing huge surges again and it looks to be IE8- we no longer have ad roll code on our site so can't be that.
is there a way to filter out traffic that hits site for say less than 10 seconds or something? the bots are also hitting sub pages so our bounce rate is still ridiculously low at 2.5%
at this point google analytics is worthless as we have no idea what our real traffic is.
can you help us? advanced segments don't seem to be working so not sure if we can use a more standard filter like we do with the IE7 traffic.
|Matt Bologna||1/12/15 12:47 PM|
I'm experiencing the same, seems like an increasingly widespread issue.
Significant volume of traffic with 100% bounce rate, landing on the same pages over and over, with Service Provider showing as "amazon technologies inc" and Network Domain showing as "amazonaws.com," using an old version (23) of Chrome as the browser, and in our case originating in Ashburn, Virginia.
|Hayley Canning||2/19/15 2:50 AM|
I'm getting exactly the same
|James_FS||2/20/15 3:29 AM|
We have been experiencing this same issue since approx. 9th January 2015. We have been going round in circles with Amazon and have now been asked to contact Heroku. This invalid traffic is over 1/3 of our overall web traffic.
Can I ask whether you are currently running Amazon Product Ads?
I originally reported this abuse via this web form: http://portal.aws.amazon.com/gp/aws/html-forms-controller/contactus/AWSAbuse
I hope this helps.
|Tom Browning||2/24/15 8:58 AM|
We are seeing a big spike in visits and bounces from the USA since 4th Jan.
It is hard to narrow down to one specific browser as it seems to be across all the main browsers, albeit, very old versions. IE7, 8 AND 9 are big causes, as is Chrome 18.0.1025.168, plus a few older versions of Firefox.
However, some of these visits are genuine so don't want to filter them all from GA as we will be missing valuable sales data.
How best do we resolve, as our Bounce rate for visits from USA has gone up to average over 90% every day!
|gazraa||2/24/15 9:47 AM|
We are seeing very similar patterns from the start of January but are trying to get the filters right in GA to prove it. How are you filtering results?
We've tried excluding amazonaws as the network provider and a few others but it's not having a huge effect on the spike we are seeing. The pattern is so close to what you are talking about that it's got to be a very similar issue.
|CJCotton||2/25/15 5:15 AM|
I have exactly the same issue with exactly the same features and trying to resolve it now. I don't think this is the same issue as some of the previous posters, it's not amazonaws as far as I can tell. Have you looked at the traffic by hour and by minute yet? In my case the traffic is incredibly metronomic with virtually the same traffic by hour and by minute within the hour. It's like something checking uptime or something. Let me know if you get any further and I will do the same.
|Jared111||3/9/15 10:38 AM|
I am seeing the same issue. I have posted about this in another thread no one seems to have been able to solve the issue. I am hoping someone here has and they just have not been able to get back to the thread and put in their solution. I did see a decrease in this type of traffic over the past weekend. However I am still seeing it on one of my websites completely and the one with the decrease does seem to be still getting some of this bad traffic.
|Bandy1080||3/17/15 4:59 PM|
We are seeing the exact same problems as well. On January 2nd our direct traffic started to go through the roof. It is mainly with IE 9 and some Chrome traffic as well. Our direct traffic is now quadruple what it should be and continues to increase on a daily basis.
Does anyone have any idea what it could be?
|TripleR007||3/19/15 11:29 AM|
|amitynation||3/23/15 11:27 AM|
I was able to find more information in Audience > Technology > Browser & OS > (within browser) > (within browser version) > Secondary Dimension = "Landing Page." My Source and afsrc=1 is CJ. I don't have a current account (since November), but once used them for affiliate marketing. It may not be CJ for others, but that might give you more information as to your specific visitor bots.
I've contacted them but am not able to give them detailed URL referral reports because Source/ Medium is direct/ (not set) and there's no more drill down (unless someone has an idea of another place I can look?)
|Jared111||5/18/15 4:21 PM|
I have worked extensively on this issue in this thread: https://productforums.google.com/forum/#!msg/analytics/sTinRFgimIU/u0UoM8dWwMMJ looking to see if anyone here who might not be following it has found any resolutions.
|aviral bajpai||5/20/15 8:11 AM|
i am receiving a lot of traffic for USA , with cities as 'not defined' and so does the language. the Operating system is Macintosh and the network provider is 'google inc.' . i am pretty sure this is spam , but how do i stop it