Categories: Discuss Tracking and Implementation issues :

Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute

Showing 1-147 of 147 messages
(unknown) 2/19/12 11:35 AM <This message has been deleted.>
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute PPC_Guru 2/19/12 3:27 PM
@Becky,

Whats is the ISP Network location (aka broadband name) e.g. "Gomez, SiteSpec, Pingdom". If you can issolate this, then just add an exclude filter to block this robot traffic.

Alternatively, you can update robots.txt to tell the robot not to crawl the homepage. Also, you might also be able to block the bot using htaccess deny {user-agent} OR deny 123.123.123.123 - If you have access to your Raw server logs you will be able to see the user-agent & IP address of this bot.

Exclude filter to block robot traffic:
ISP location ^(google inc\.|yahoo\! inc\.|iac search and media europe ltd|iac search media inc|site confidence test agent servers|site ?confidence|global crossing|apache ltd\.|nielsen netratings)$

Include filter for Browser Whitelist... ^Mozilla Compatible Agent$ is normally a bot
^(Internet Explorer|Firefox|Chrome|Safari|Opera|Android Browser)$

Hope that Helps

Cheers

Phil.




(unknown) 2/19/12 5:46 PM <This message has been deleted.>
(unknown) 2/19/12 10:02 PM <This message has been deleted.>
(unknown) 2/21/12 5:46 PM <This message has been deleted.>
(unknown) 2/21/12 7:46 PM <This message has been deleted.>
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute PPC_Guru 2/22/12 2:14 AM
Are you able to view your server logs, and add the 'user-agent' and IP address of the bot - the add this to this post?

Also, look for unique identifiers in GA e.g.
Java=Disabled
FlashVersion=xxx.x
ScreenSize=1024*800
City=NY etc

If you are unanle to access Logs, try installing StatCounter, as this will show you the IP address (only GA hides this).

Thanks

Phil.

(unknown) 2/22/12 9:56 AM <This message has been deleted.>
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute PPC_Guru 2/23/12 1:44 AM
Please check raw server logs (or install statcounter on homepage) ... then post USER-AGENT name and IP address.

Thanks

Phil.
(unknown) 2/23/12 5:59 AM <This message has been deleted.>
(unknown) 2/23/12 6:12 AM <This message has been deleted.>
(unknown) 2/23/12 7:39 AM <This message has been deleted.>
(unknown) 2/23/12 9:23 AM <This message has been deleted.>
(unknown) 2/23/12 6:55 PM <This message has been deleted.>
(unknown) 2/23/12 7:00 PM <This message has been deleted.>
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute PPC_Guru 2/24/12 12:07 AM
It is very unlikely due to CMS or Apache/IIS.

Please post USER-AGENT from server logs, thanks.

Also, please confirm are these bot visits 100% new visitors (rather than return visits).

Please confirm visitor source/medium/keyword ... are these Direct visits or from SpamDomain.com/referral/(not set keyword)

Lastly, consider enabling Urchin Local gif to get a copy of the 1*1 gif log data being sent into GA.
http://code.google.com/apis/analytics/docs/gaJS/gaJSApiUrchin.html#_gat.GA_Tracker_._setLocalGifPath

Also, are only Fortune500 companies effected or SME's aswell?

And is a particular vertical effected? ( e.g Banking websites, or Image hosting websites)

Thanks

Phil

(unknown) 2/24/12 12:07 AM <This message has been deleted.>
(unknown) 2/24/12 4:52 AM <This message has been deleted.>
(unknown) 2/24/12 5:43 AM <This message has been deleted.>
(unknown) 2/24/12 7:31 AM <This message has been deleted.>
(unknown) 2/24/12 10:18 AM <This message has been deleted.>
(unknown) 2/24/12 12:37 PM <This message has been deleted.>
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute CoffeeDrinker1234 2/24/12 12:38 PM
I am having the same issue with my site:

Started on 2/21/2012 and is still an issue today

1. Huge surge in Direct Traffic (+/- 30K new direct visits overnight)
2. 90% IE Browser
3. 90% Screen Resolution 1024x768
4. 90% is landing on homepage
5. Time on Site 00:24
6. Bounce Rate 80%
7. Traffic is coming from all over the US, not just one single IP address

This is killing our stats along with potential ad performance and organic page ranking.  Has anyone found a solution yet?  Any ideas what could be causing this?
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute thatruth2006 2/24/12 12:49 PM
Wow this is funny, looking at the url of showteaser.com you posted, showed me that they are completely scraping what looks like every post from our site straight onto theirs in mass and fully. Wow, this is ridiculous, as if its not hard enough to run a successful website in the first place, you have people completely ripping off your content. That Google Analytics post on his site is straight off of our site, http://zoknowsgaming.com/2012/02/23/huge-sudden-spike-direct-traffic-home-page-google-analytics/
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute BeckyC1995 2/24/12 1:54 PM
How many visitors are you getting in a day? We aren't tracking it anymore as we are redirecting it to a page we aren't tracking, We just collect the stats from that page for one hour on internal server logs to keep an eye on it.

But when it first started, it was about 20K fake visitors for the whole day. Not sure if this limit helps solve the mystery, but I thought I'd put it out there.

Also -- we noticed on quantcast that gurl.com and diet.com - which have absolutely nothing to do with our site as having a very high affinity with ours.  Those sites also showed high spikes in their traffic lately according to quantcast. That's very strange - we're fantasy sports which is mostly 20-40something men. Not dieting girls. There should be a very low affinity with those sites. We told our hosting provider about what's going on and their support team told us that someone must have put a link on those sites message board to ours. Um, I doubt it :)




Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute PPC_Guru 2/24/12 3:00 PM

I have escilated to the GA team.

Here is a summary...

~30K visits per day (20 visits per min)

Started 18th Feb
Screen Resolution:1024x768
100% new visits & 100% bounce rate
Mostly Hompeage visits
Browser:Mostly IE-8 (handful of IE-9)
ISP loction: multiple
IP address: multiple
Hostname:?
Java:enabled
Flash:multiple versions
Source:direct & Medium:none & keyword:none
GA + Statcounter both effected.

* robots.txt access? [tbc]
* crossdomain.xml accessed according to http://researchferret.blogspot.com/2012/02/strange-botnet-that-processes.html


UserAgent examples... http://www.useragentstring.com/

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; BRI/1)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; HPDTDF; BRI/1; .NET4.0C; InfoPath.3)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Version/11.05689; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; MDDS; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.3; OfficeLivePatch.0.0)


-----------------

Just an idea...  I wonder if the IE screen resolution is actual or faked. Note, that only IE supports the JS function to resize the browser window:
javascript:resizeTo(1024,768); vbscript:resizeto(1024,768)
http://css-tricks.com/snippets/javascript/1024x768-bookmarklet/

Thanks

Phil.

Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute danls 2/25/12 8:05 AM
We've been having this same issue since Feb 18. But since we also run Clicky with Analytics, I can confirm that the traffic appears there as well. In other words, this does not seem to be a bug in Analytics, but rather some form of unusual internet activity.

Wish I could figure out what's going on!
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute PPC_Guru 2/26/12 3:10 PM
I am still trying to isolate the cause of this.

It is very "conincidnetal" that IE relased a massive patch on 14th Feb to fix 4 critial remote-PC-access holes effecting all versions of IE:
http://www.theregister.co.uk/2012/02/15/patch_tuesday/

I have not rulled out the possibility that IE is "pre-rending" <link rel="prerender" href="http://www.your-domain.com/index.htm">
and that the referral link is comming from a page on SSL - hence it would show as "Direct", not "referral" http://code.google.com/chrome/whitepapers/prerender.html - if this is the case then ga.js would need to be updated, so that it does not execute if IE was run in prerended mode.  

Or that an IE plugins is loading homepage of recent websites - in the background and dropping cookies, like Chromes recent pages feature.

More users effected here:
http://www.webmasterworld.com/analytics/4420174-2-30.htm

-------------------
Monitoring IP`s: How to building a honeypot trap (aka zombie.txt) to record effected IP`s (note some will be dynamicIp`s as multiple ISP`s used).

<?php
$ip=$_SERVER['REMOTE_ADDR'];
$filename="/path-to-file/zombie.txt";
$content="Is IP $ip a Browser?\n";
if (file_exists($filename)) {
$handle = fopen($filename, 'a');
fwrite($handle, $content,strlen($content));
fclose($handle);
} else {
$handle = fopen($filename, 'w');
fwrite($handle, $content,strlen($content));
fclose($handle);
}
?>

<script type="text/JavaScript">
<!--
var zombietest = "zombietest.php";
document.write('<iframe src="/' + zombietest + '" width="1px" height="1px"></iframe>');
//-->
</script>

---------------
Other suggestion (only use this as a short-term fix) .... Sever-side script to BLOCK IE traffic with no referral to homepage:

<?php
if ($_SERVER["HTTP_REFERER"] == "") {

$pg=("http://".$_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"]);
echo "<script type=\"text/javascript\">
<!--
window.location = \"$pg\"
//-->
</script>";

} else {
//my content
}
?>

(unknown) 2/26/12 4:28 PM <This message has been deleted.>
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute PPC_Guru 2/26/12 4:38 PM

Here is a link to MS WindowsDefender (free) to check for malware - Maybe tell users who keep hitting your homepage to check for malware ;) http://www.microsoft.com/download/en/details.aspx?id=17

QUESTION: Is anyone seeing traffic from "IE6 running on XP home" - as this is the IE only version not vunerable to the CVE-2012-0012 expoit which effects the "Internal Memory addresses" (aka a Browser history hole)

GA custom report for IE homepage traffic:
https://www.google.com/analytics/web/permalink?type=custom_report&uid=rWcTD25BThyMmyM22qE9XQ

VIDEO: Important details about the IE browser history vunerability:
http://www.microsoft.com/en-us/showcase/details.aspx?uuid=caa47d07-a02a-4fc6-863a-0219efc411e4 [Skip to 6:54sec AND 7:55sec]
http://blogs.technet.com/b/msrc/archive/2012/02/17/february-2012-security-bulletin-webcast-and-q-amp-a.aspx

Thanks

Phil.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute thatruth2006 2/27/12 7:51 AM
Whatever it was it seems to be subsiding, but its not quite gone yet. Am I the only that has seen organic and referral traffic drop to almost nothing? To be able to manipulate this much traffic would take a lot of skill and equipment and to do it undetected makes it even more impressive. The whole situation is worrying and nobody seems to be able to explain it.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute fairgame 2/27/12 8:08 AM
This is not a Google Analytics problem; the site I'm monitoring is tracked with Omniture and I'm seeing the exact same behavior--ongoing spike starting on 2/18, 99% of it first-time visits, nearly all of whom exit the page immediately thereafter. Only happens on Windows platforms (not seeing it on Mac/Linux/mobile). Only happens in IE (not seeing it in Firefox/Chrome/whatever). Only in 1024x768.

My initial thought when I looked into this was malware/browser hijack but I tried to convince myself otherwise since it's so implausible.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute PPC_Guru 2/27/12 8:10 AM
Google emaiiled me this morning (Monday) to say they are investigating.

It is possible that this issue is not related to Google Analytics - it might be a small BotNet/ZombieNet which is randomly loading homepages pages (Although, I am not sure why a Botnet would load client-side cookies)

Hopefully, Google will post an offical reply onto this thread soon.

Thanks

Phil.

@ThaTruth - I am not sure why you have an issue with organic & referral - this might be unrelated. Most of the bot traffic is shown as "direct".
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute fairgame 2/27/12 8:15 AM
I should also add that it's not hitting our homepage; it's hitting a 3-month old news story that's only a few paragraphs long. There's no way the traffic coming to it is legitimate.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute thatruth2006 2/27/12 8:17 AM
Yeah it seems like that is sqeezing out the legitmate traffic, pages that were getting hundreds of hits a day are now barely getting a hundred. I'm in the analytics real-time beta and the numbers are just all off, hardly any referral traffic, 99% of traffic is direct to the homepage, hardly any keyword traffic, and the keyword traffic that is coming is for older stuff, nothing is recent. Weird.
(unknown) 2/27/12 8:34 AM <This message has been deleted.>
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute fairgame 2/27/12 8:41 AM
Still waiting for my data warehouse pull that'll simultaneously give me browser, OS, and page-level data. Once that arrives, I'll investigate further and see if there's a browser/OS combo that's unaffected.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute PPC_Guru 2/27/12 8:51 AM
Yes, as with the SiteConfidence|Gomez acidental cookies - this is a Vendor independent issue. GA + Omniture + StatCounter + Clicky ect will ALL be effected, as the Bot is executing JS and dropping cookies when visiting the homepage.

@fairgame - Please confirm - In Omniture (or GA) ... Are you seeing any bot traffic from "IE6 on XP home" (as this is the only version of IE which is not vunerable to the IE "Internal Memory addresses" (aka a Browser history hole) CVE-2012-0012 http://www.microsoft.com/en-us/showcase/details.aspx?uuid=caa47d07-a02a-4fc6-863a-0219efc411e4

Note: If a user is running IE6 ... they will probably be expecting malware ;) ... but for the purpose of cause & elimination... it would be useful to see if "IE6 on XP home" is effected?

Also, it would be interesting to see if a "drag-and-drop" user interaction (like a drag this icon to bookmark bar) is responsible for intial infection. I am wondering if it i related this this IE-only function: javascript:resizeTo(1024,768); vbscript:resizeto(1024,768)
http://css-tricks.com/snippets/javascript/1024x768-bookmarklet/

Useful GA custom report for seeing IE homepage traffic & Browser Operating system.
https://www.google.com/analytics/web/permalink?type=custom_report&uid=rWcTD25BThyMmyM22qE9XQ

Thanks

Phil.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute Lukekb 2/27/12 9:24 AM
I just ran the custom report and I am seeing users with IE6 and XP (it doesn't say whether it is Home or Pro and it doesn't let me drill down farther. The shape of the curve matches the larger traffic for IE, going from 0, spiking and then begining to decline. Does GA beak it down beyond XP into Home vs Pro? I am definitely getting XP IE6 Bot hits at 1024 x 768.

Happily, I upgraded to NGINX and heavy caching the same weekend so it doesn't appear to have impact Referal or Organic Search traffic... yet!

  - Luke
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute PPC_Guru 2/27/12 9:54 AM

@Luke,

Looks like "XP-home" and "XP-pro" are both recorded as "XP" within GA`s Operating System version field, in the drilldown report in GA :(


Regarding "browser history" hack (CVE-2012-0012) - It looks like this only effects IE9.
CVE-2012-0012: IE9 does not properly handle creation & initialization of string objects - allowing remote attackers to read data from arbitrary process-memory locations via a crafted web site (aka "Null-byte info disclosure vulnerability"): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0012

IE6-all-versions is not vunerable to "Copy and Paste Information Disclosure Vulnerability" CVE-2012-0010

IE6-xp-home is "moderately vunerable" to "HTML Layout Remote Code Execution Vulnerability". However, IE6-XP-pro is not vunerable to CVE-2012-0011 accorging to MS Vulnerability Severity Rating Chart. http://technet.microsoft.com/en-us/security/bulletin/ms12-010

Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute atech 2/27/12 10:42 AM
Same here on an interior page of our site. Started Feb. 18, 2012. Google Analytics, Clicky, and Quantcast all show the increase, which is still occurring. Attached is a log (csv) with user agents for all visitors to that page that had no referrer, sorted by number of page views for the user agent, from a random period of time during today (2/27/2012). The log is of all page views, including some bots that don't show in GA.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute atech 2/27/12 11:51 AM
Same here re gurl.com showing as an affinity (111.5x) in Quantcast, which seems random.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute JeffChristiansen 2/27/12 1:39 PM
I'm working with
BeckyC1995 on this issue with our site. We are still getting 2000-3000 hits during the one hour per day that we're logging it.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute PPC_Guru 2/27/12 4:04 PM
This is a bit of a long shot... but here is a robots.txt whitelist: http://db.tt/wd4WUCKp

If this is server monitoring service (rather than malware), then there is a chance that it might obey the User-agent: * Disallow: /

Robots.txt file to upload to root:
http://db.tt/wd4WUCKp

Note1: change yourdomain within Sitemap: http://www.yourdomain.com/sitemap.xml
Note2: www.facebook.com/robots.txt also uses a robots.txt whitelist.

Thanks

Phil.

Also, here are more examples of robot spider-traps...
http://www.webproworld.com/webmaster-forum/threads/58822-Prevent-referrer-spam-block-bad-bots-from-stealing-bandwith
http://danzcontrib2.free.fr/en/pieges.php#bloquer

Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute PPC_Guru 2/28/12 2:04 AM

@atech

I could not find a common user-agent element in your csv file.

However, I noticed that AskToolbar and Funwebproducts were both common (they were on 12% of your list - out of 4,641 sample).

Thanks

Phil.

Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute AnalyticsPro.Aruna 2/28/12 9:50 AM
Hi All,

We're investigating this issue and I'll keep you posted.

Thanks Phil for escalating this.

Cheers,
Aruna
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute BeckyC1995 2/28/12 10:27 AM
Thanks!  And thanks to everyone who responded to my initial post. Hopefully everyone can find a solution
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute fairgame 2/28/12 11:18 AM
Someone much more tech-savvy than I went through our server logs and found a bunch of traffic with the useragent "FunWebProducts," which matches what you saw in atech's csv.

Anybody else able to replicate that?
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute danls 2/28/12 11:32 AM
Here's what I found about FunWebProducts...

You may have noticed a high volume of "FunWebProducts" references appearing in the User Agent Field of your server logs. We want to assure you that Fun Web Products does not "spider" websites, nor does it contain malicious software. It is simply an extremely popular webtool that continues to grow in popularity.

Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute CoffeeDrinker1234 2/28/12 1:26 PM
Amazon (my hosting provider) said they weren't really able to block traffic from multiple sources like this, but they did recommend we install a module in ISS that may help combat the traffic.

http://www.iis.net/download/DynamicIPRestrictions

Unfortunately it did nothing to help control unexplained direct traffic surge...
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute PPC_Guru 2/28/12 3:57 PM
@Fairgame

It would be really useful, if I could look at an effected GA account - maybe someone could email me and then add me, as a read-only GA user to their account, so that I can data-dive myself?

My comments...

atech`s csv file sample was not conclusive; there is not a common user-agent factor (other Windows and IE - ie. iPhones and Chrome are safe)

The fixed screen resolution 1024 x 768 appears to be the only common factor [please confirm if you are seeing other screen resolutions - is this a red hearing?]

There was a high proportion of users with Ask.com/FunWebProducts toolbars installed (e.g about 12%), but it is not clear if this is the cause, or a side-effect. For example if a Windows machine is infected, it is common for toolbars and malware to be maliciously installed as part of a virus payload along with keyloggers, tracking proxies, smtp server and all manner of nastiness!

Due the diversity of user-agents, and range of ISP and IP, this suggest malware rather than server-monitoring bot. Although why this is localized to USA is strange - is anyone seeing this traffic coming from outside of USA?

An IP-range block suggested by Amazon is a good way to prevent low-level DoS, until such time as the users de-zombify their PC.

Thanks

Phil.

Note: If you are sure that "FunWebProducts" is the caus, then you can add an htaccess deny:
RewriteCond %{HTTP_USER_AGENT} ^(.*)FunWebProducts(.*)
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute thatruth2006 2/29/12 4:31 AM
Has anyone else noticed that for certain keywords, their sites' homepage has started to appear as the top search result with a snippet from the post underneath it? In these cases, the homepage, actually appears to be a valid result for the search term that the user is searching for. When they click the link it takes them to the homepage. Its not normal Google behavior but it could explain a minor spike as people are searching for something else and click your link because it comes up in the results but then it takes them to the homepage instead of the direct article they were really looking for. While this is definitely odd behavior and may be indicative of another issue, for even a mildly popular site that would only explain a small portion of the increased traffic to the homepage?
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute CoffeeDrinker1234 2/29/12 6:29 AM

I run an online media company, and the “junk” direct traffic is actually causing the page to load and impressions to be served.  Would a new spider or bot be causing the page to actually load?

If not, I am leaning towards some malicious redirect that’s causing the sudden surge in direct traffic. The big question is where, and how to locate and shut down the source.

Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute CoffeeDrinker1234 2/29/12 12:00 PM
Aruna, Do you have any sort of update?  Also, would it be possible to have someone look into my GA analytics account?
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute BeckyC1995 2/29/12 1:42 PM
Hi Phil,

I'd be willing to show you our GA account, however we are redirecting that traffic. However it seems though that a few hundred of these fake visitors are still slipping through and showing up on our GA stats. That may be something significant - not sure.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute fairgame 3/1/12 6:55 AM
Phil,

I got Omniture to send me their logs from Feb 18; there's still a high amount of FunWebProducts, but it's not the useragent for all the problematic hits. It's a problem; I don't think it's the problem. I agree with you.

I'm getting a small amount of traffic to the effected page from outside the USA.

I'm also getting resolutions other than 1024x768 to other pages; the fact that you're seeing 1024x768 on the problem pages is a unique characteristic of the problem, as is the fact it's all Windows OS+IE Browser.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute PPC_Guru 3/1/12 7:32 AM
@Fairgame

The "1024x768" resolution IS a red hearing. I have now looked at an effected account and ALL resolutions are present within the "IE 6-9 new visit traffic To homepage.

I have not found a common cause within GA :(

I am waiting for feedback on the 
robots.txt whitelist method;
http://db.tt/wd4WUCKp
Note1
: change yourdomain within Sitemap:http://www.yourdomain.com/sitemap.xml
Note2: www.facebook.com/robots.txt also uses a robots.txt whitelist.


On a DIFFERENT note: a small amount of Bot traffic can be prevent by adding these 3 filters (this will NOT fix this IE issue, but will increase accuracy)

IMPORTANT: Apply these filters to a TEST profile, before adding to MAIN profile.

EXCLUDE Browser:
^Mozilla Compatible Agent$

EXCLUDE ISP-location filter:
^(google inc\.|yahoo\! inc\.|iac search and media europe ltd|iac search media inc|inktomi corporation|site confidence test agent servers|site ?confidence|global crossing|apache ltd\.|nielsen netratings|meebo inc\.)$

INCLUDE hostname filter:
(^|\.)(YOURDOMAIN\.com|\(not set\))$

Thanks

Phil.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute staffjam 3/1/12 10:13 AM
Hi Phil - i'm happy to give you read access to my GA account - you can contact me on james (at) floatingmix.com. This has been going on for 10 days now.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute netmeg3 3/1/12 11:34 AM
I have been undergoing this attack for about ten days or so.  It started about noon on February 21.  All direct traffic (no referrer), all hitting the home page of a site (and only the home page) all IE in various OS and screen resolutions.  It's like a slow drip DDOS.  I've been told by multiple sources that there's just no stopping it, because it looks like normal users; there's no common signature.  Because the particular site it hit for me is a community service site that is supported by ads, I'm looking at having to shut it down and/or putting on an entirely new domain, without redirects. 

We've been discussing this at webmasterworld as well --> http://www.webmasterworld.com/analytics/4420174.htm

If you think about where this sort of thing could go, it's pretty disturbing.

Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute PPC_Guru 3/2/12 3:17 AM
I have viewed two effected GA accounts, both were USA based, and both had banners on their homepages. The IE-direct hompeage traffic spiked on same day:

Friday 18th Feb 2-3pm - site1
 Friday 18th Feb 9-10pm - site2
Note: GA default time setting zone may be different, so I am unable to correlate if started at the exactly same time.

I have updated the GA Custom report to show this traffic (and remove the screen 1024*768 resolution filter)...

* GA custom report: IE6-9 on Windows - New Visits only - Landing on Homepage
https://www.google.com/analytics/web/permalink?type=custom_report&uid=2_CnuhWvT5WWP88KRkupvg

I have read that the possible intent of this Botnet is to either inflate CPM`s for publishing websites, or harvest onsite emails for captcha boxes that require cookies. However, the email capture would require a crawl of the whole website - thus this reason seems less feasible. Most of the traffic is from USA and language=us-en this supports that idea that it is CPM intent (as non-USA traffic is generally filtered out by the banner networks).

If anyone is able to contact one of these effected IE users (e.g. via a popup), it would be really interesting to run the HiJackThis diagnostic tool, and then ask the user to post the report-output. The report should highlight any IE plugin or malware etc. http://www.trendmicro.com/ftp/products/hijackthis/HiJackThis.msi

Also, looking for mouse movements, or human behaviours as a means of filtering-out this bot traffic would be useful, but obviously GA out-of-box does not support this feature. Although a GA beta function for visible screen size is active, but the link to the report is hidden (e.g to know if the IE screen is being run in stealth mode or in a very small frame). Read this post for details: http://translate.google.com/translate?hl=en&sl=it&u=http://www.goanalytics.info/analytics-si-prepara-a-registrare-la-dimensione-della-finestra/

Also plugins scripts for page-scroll and mouse are available here:
http://cutroni.com/blog/2012/02/21/advanced-content-tracking-with-google-analytics-part-1/
http://code.google.com/apis/analytics/docs/tracking/eventTrackerWrappers.html

Installing ClickTale on the homepage, then playing back a session would lso be interesting to seen, as this records page scroll and mousemovements byy default: www.clicktale.com

--------------------------------
OFF-TOPIC  Note to GA team (or Apple iOS team) - Please update the GA log parser to separate-out
"Mozilla Compatible Agent (web)" from "Mozilla Compatible Agent (mobile)".

"Mozilla Compatible Agent on mobile" is legitimate traffic from AppleWebKit from browsing within MobileApps.
"Mozilla Compatible Agent on web" is generally robots from SiteConfidence bot, YahooNews bot, or Ask.com bot.

Readme: Blog post about Browser=Mozilla Compatible Agent here:
http://stackoverflow.com/questions/6121849/customer-filter-for-google-analytics-mozilla-compatible-agent-iphone

Examples:
GOOD: "Mozilla Compatible Agent" on iPhone
Mozilla/5.0+(iPhone;+U;+CPU+iPhone+OS+4_3_3+like+Mac+OS+X;+en-gb)+AppleWebKit/533.17.9+(KHTML,+like+Gecko)+Mobile/8J2

GOOD: "Safari" on iPhone
Mozilla/5.0+(iPhone;+U;+CPU+iPhone+OS+4_3_1+like+Mac+OS+X;+en-us)+AppleWebKit/533.17.9+(KHTML,+like+Gecko)+Version/5.0.2+Mobile/8G4+Safari/6533.18.5

BAD: SiteCondence, Gomez and Ask.com on Web
Mozilla/5.0+(Windows; U; Windows NT 5.1; en-gb; SiteCon/8.8.14)
Mozilla/4.0+(compatible; GomezAgent1.0; MSIE 7.01; Windows NT 5.0)
Mozilla/5.0+(compatible; Ask Jeeves/Teoma)

* GA Report BotCheck: Mozilla Compatible Agent (Mobile) vs Mozilla Compatible Agent (web)
https://www.google.com/analytics/web/permalink?type=custom_report&uid=Ben2yDftSZmil8gNxBY56A
--------------------------------

Thanks

Phil.

Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute staffjam 3/2/12 7:10 AM
Thanks for the update Phil. You mention the botnet could be there to inflate CPM's - i'm wondering why then is it affecting sites that aren't part of networks and who don't cet any benefit from the increased (inflated) visitor numbers?
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute thatruth2006 3/2/12 7:16 AM
We are most definitely seeing the direct traffic issue to the homepage, but neither of those reports return any results for us.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute netmeg3 3/2/12 8:21 AM
(Okay, I can't make head nor tail of how to post a non-treed response - this is why I never use Google Groups anymore)

Attack still going on.  These are NOT actually users, there is no mouse movement to track.  It occurred to me that (putting on a tinfoil hat) it could even be someone ticked off enough at Google to want to render a bunch of Analytics data useless - this being the test.  We are seeing more and more reports of this on WebmasterWorld as it spreads.  In my case, there were no CPM banners on the home page, just AdSense, which was immediately removed once the traffic started. Nor do I think I am being targeted myself - I have many sites, and if someone really wanted to target me, they'd pick one of the bigger ones. 

I'm really thinking infected Windows botnet. But what the purpose is, I do not know.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute thatruth2006 3/2/12 8:35 AM
We don't even have Adsense on that page? Curious, did the traffic stop after your removed the ads?
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute netmeg3 3/2/12 8:38 AM
No, I took off all ads within 15 minutes of its starting, on February 21.  The traffic has on-and-off slowed down a bit, but it's still going on now.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute PPC_Guru 3/2/12 12:58 PM

Given that ISP are having their bandwidth burnt by this Cookie-Hungry BotNet ;) It would be a good idea to contact them, with a list of effected IP`s and timestamps. They would then be able to match dynamic IP`s to router-MAC address and temporarily suspend effected broadband connections, until the PC`s are cleaned.

ISP list:
http://customer.comcast.com/help-and-support/account/ways-to-get-help/
http://help.rr.com/HMSFaqs/e_supportcommit.aspx
http://www.att.com/esupport/
http://www22.verizon.com/ResidentialHelp/FiOSInternet/Troubleshooting/Network/Network.htm
http://www.myaccount.charter.com/customers/support.aspx
http://static.optonline.net/Support
http://qwest.centurylink.com/internethelp/emailsupport/techemail.html
http://help.suddenlink.com/Pages/default.aspx
http://www.centurylinkservices.net/faq.php#abuse
Note: The list above was based ISP-Domain report in GA:
https://www.google.com/analytics/web/permalink?type=custom_report&uid=frNMzPDwThWuHnLhzv-gkA

Most ISP automatically suspend a broadband connection, if they detect excessive use of outgoing email-SMTP traffic on port 25/587 – maybe this same technology can be applied to web-traffic on port 80/443? Or their ISP live traffic monitoring can be adjusted to detect this type of traffic behaviour?

Crazy Idea1: If you have added a server-side htaccess or coldfusion rule to redirect direct IE users with no-referral to /homepage-verion2.htm …. Then you could also add a 100mb file to this homepage. Then eventually, users bandwith caps would be exceeded, as they are constantly clearing cookies and refreshing this page. This would also provide a “taint” flag for ISP`s to monitor. Although this might cause your own website bandwidth to be exceed aswell - so the ISP would need to lift the server bandwidth cap in addition - It`s a bit of an extreme test, but interesting to see if a "Giant Gobstopper-Cookie" would cause the BotNet pause :)

Crazy idea2: It is possible that the bot is set to only load homepages on http - thus switching to httpS (SSL) might cause the a domain not to meet the matching criteria (guess). Note: Installing an SSL cert and ensuring all external JS elements are on SSL is time consuming, and it is not clear if this would fix.

Also, contacting Security Experts with user-case examples would be a good idea - so that AV software can be updated and remove users from the botnet.
https://forms.cert.org/VulReport/
http://isc.sans.edu/contact.html
http://www.sans.org/vendor/contact

If anyone is able to contact one of the effected IE users (e.g. via a popup) then it would be useful to run HiJackThis diagnostic tool,
http://www.trendmicro.com/ftp/products/hijackthis/HiJackThis.msi
and then ask the user to post the report-output (or submit this to https://forms.cert.org/VulReport/ for analysis).

Thanks

Phil.

------------
@thatruth2006  - Re:GA custom report with "no data":
https://www.google.com/analytics/web/permalink?type=custom_report&uid=2_CnuhWvT5WWP88KRkupvg

I make an assumption that your homepage was  "/"  or  "/(index|default).(htm|php|asp|cfm)" if your homepage is in a folder
e.g. /home_folder/index.htm or  .jsp / .ext - then the report will be empty. But you can adjust the RegEx to include this:
^/(HOME_FOLDER/)?((index|default|home)\.(YOUR_EXT|html?|php|aspx?|cfm))?([?]|$)
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute PPC_Guru 3/5/12 3:46 AM
I attached an excel summary of @Atech`s csv log file for IE user-agent with no referrer on 27th Feb 2012. Toolbars is actually 15% (not 12% from what I said earlier).
  • Only IE9 has toolbars installations at normal levels at 3%.
  • IE8 is in 20% for toolbars installations in the log!









Did any on try the Robots.txt whitelist? (I have added a disallow on the robot "User-agent: FunWebProducts")
http://db.tt/wd4WUCKp

I am not sure if this is related, but "Blackhole Exploit Kits" which expoit non-updated versions of Windows have increase by 20% vs last 2wks according to AVG:
www.avgthreatlabs.com/webthreats/#timeline_individual

Has anyone manage to contact a Security expert or get a HiJackthis diagnoistic report export from an effected user?

Thanks

Phil.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute staffjam 3/6/12 5:33 AM
Thanks Phil. I'm still receiving a lot of traffic - it doesn't appear to be settling down. I was wondering if you heard anything from Google?
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute BB_CCIT 3/7/12 12:27 PM
We have been getting the same kind of traffic to our homepage now for 17 days.  Slow enough that it doesn't do anything but ruin our analytics and advertising impressions.

One way that we started filtering things out was...

1) If it is an internet explorer user
2) It has no referrer (direct traffic)

If so we mark the IP on our blacklist at the bottom of our fully loaded page.  If we detect a mouse movement or click event using javascript, we then update our database and mark their IP address as a verified user via an ajax call.    This filtering system basically allows the bot to visit our site once and after we blacklist them any re-visits to our site will receive a 404 page for them.


Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute netmeg3 3/7/12 12:32 PM
Some updates on the item on Webmasterworld.com: 

http://www.webmasterworld.com/analytics/4420174.htm

Bottom line is, we thought we might have had a solution, but turned out we didn't, it on it goes.  More people noticing.  At some point, I would think Google would take an interest; as this spreads it's damaging their data and their product as well.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute AnalyticsPro.Aruna 3/8/12 7:41 AM
Hi All,

We're still investigating this issue and I'll keep you posted when there are further updates. We appreciate your patience.

Thanks,
Aruna
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute PPC_Guru 3/8/12 7:55 AM
@Aruna - Thanks for the update :)

Are the Adsense team also aware of this? (i.e Fake impressions from bots)
https://groups.google.com/a/googleproductforums.com/forum/#!forum/adsense
http://support.google.com/adsense/bin/answer.py?hl=en-GB&answer=1067521

Thanks

Phil.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute geronimo 3/8/12 8:06 AM
I've the same problem. But isn't a Google Analytics Issue... I think it's a big DDoS attack to corrupt GA data and/or Adsense CTR.
I hope that Google can investigate on it to help us to resolve this problem
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute netmeg3 3/8/12 8:16 AM
It's hitting sites that have no AdSense at all, so I don't think that's an intentional target, and it's not enough of a DDOS to actually get in the way of performance.  It just screws up stats (and AdSense, if you have it)

But it IS a Google Analytics issue, because it skews the data and lessens the value of the GA product.  I would think Google would be pretty anxious that that didn't happen.  As well as all the other stats programs out there - as this reads javascript, this traffic gets into *all* stats and analytics programs. If people can't trust their analytics, well that's a whole kettle of fish right there.

What this looks like to me is either some kind of Windows malware infection, or else some program similar to the Gomez Peer Zone (they swear it's not them, and say that Gomez shows up in their User Agents - and at this point I don't have a reason not to believe them) that tests "network performance" by hitting sites randomly picked as "benchmarks" - usually in the form of a screensaver that kicks in when the user leaves the computer on and it goes idle.

I can't know for sure of course, but that seems like it's closest to fitting the pattern I see.

Whatever it is, it is devastating to my site, and I hope Google does take an interest in getting to the bottom of it. They've got a lot more resources to bring to the table than I do.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute BeckyC1995 3/8/12 8:47 AM
Hi everyone, OP here, - just posting an update for what it's worth... For the last 6 days or so, the zombie traffic has decreased about 15%.

The fake traffic is automatically redirected to a page without GA tracking code, quantcast or comscore code -- also this page does not have advertising impressions shown.

Could this bot be looking for the GA tracking code or ads?
(unknown) 3/8/12 10:43 PM <This message has been deleted.>
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute Matt Grist 3/8/12 10:45 PM
@BB_CCIT

Your idea is very reasonable.  Thanks!  Also I'd mention that rather (or in addition to) blacklisting, I could imagine conditionally loading analytics JS based on these criteria.  Sever-side, even you could not load google analytics for IE traffic with no referrer, but then load it from the client side if human-lick behavior is detected.  

Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute Nabil Orfali 3/9/12 6:53 PM
I started to have the exact same issue today .. and getting a lot of Direct Traffic that is 100% bounce. But the interesting part is that according to the GA the traffic is coming from:
  1. Cities: Seattle and Ann Arbor, 
  2. Service Provider: "microsoft corp" 
  3. Browser: "Mozilla Compatible Agent"
  4. OS: Windows
hope that will help GA team investigate further.

Thanks,
Nabil
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute PPC_Guru 3/10/12 4:03 AM
@nazil

You can FIX that by excluding broadband ISP =microsoft corp

BUT thats a different issue (i.e BingBot loading JavaScript and dropong cookies).  "Mozilla Compatible Agent" is the catch-all for undefinded browsers for example -SiteConfidence, gomez and YahooNews bots are all recorded under this browser name.

Note: I am waiting for the GA team to fix a bug with the log parsing on 'Safari on iPhone apps such as GoogleMobileSearch and TweetDeck' being INCORRECTLY recorded as Mozila compatible agent - when the should be 'Apple WebKit' or 'Safari inApp Mode''.

But that is a different issue!

The above thread ONLY relates to Browser=INTERNET EXPLORER.

Thanks

Phil.

Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute Nabil Orfali 3/10/12 7:41 AM
I checked the server logs and found this "Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/534++(KHTML,+like+Gecko)+BingPreview/1.0b" What should I block? and if did will I affecting Bing bot from indexing my site so SEO will be affected? 
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute PPC_Guru 3/10/12 11:38 AM
@Nabil

Dont block the BingBot SERP image preview bot, (unless you want reduced organic CTR from bing.com) just add an EXCLUDE filter into GA for  broadband ISP location =
^(microsoft corp\.?|google inc\.|yahoo\! inc\.|iac search and media europe ltd|iac search media inc|inktomi corporation|site confidence test agent servers|site ?confidence|global crossing|apache ltd\.|nielsen netratings|meebo inc\.)$

Thanks

Phil.

Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute atech 3/13/12 10:17 PM
Any update? Patience is waning.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute netmeg3 3/16/12 11:17 AM
Anybody?  Bueller?  Bueller?

Going on a month (next week) for me.  It's let up some in intensity, but still going.  More people showing up on WMW with the problem; most of which began on February 21.  Google, someone is trashing several of your products here; I'd think you'd take an interest.  Like in maybe actually talking to someone who is experiencing it?

Maybe if I post it to Google+
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute PPC_Guru 3/16/12 2:23 PM
@Netmet and @AdTech

I suspect Google are looking at this, but I is likely to be difficult to Fix.

The only way to kill the Botnet is for Microsoft to rollout an update to WindowsDefender or WindowsUpdate, or for the ISP`s to cutoff the Broadband connections, or for the Botnet Command&Control server to be shut down. All of these factors are outside of Google`s control, and the Standard user-agents and diversity of IP`s, makes this traffic difficult to diferentiate vs human visitors. Thus I suspect, it is also difficult to track down the source on a network level. Additionally, as Chrome is not effected - only Microsoft will have access to IE status reports on browser settings and plugins.

Did anyone have any luck reaching out to any security professional or ISP`s?
http://www.microsoft.com/about/twc/en/us/twcnext/timeline.aspx#2001-01
http://blogs.technet.com/b/security/

Thanks

Phil.

* Security Experts...

https://forms.cert.org/VulReport/
http://isc.sans.edu/contact.html
http://www.sans.org/vendor/contact

* ISP list...

http://customer.comcast.com/help-and-support/account/ways-to-get-help/
http://help.rr.com/HMSFaqs/e_supportcommit.aspx
http://www.att.com/esupport/
http://www22.verizon.com/ResidentialHelp/FiOSInternet/Troubleshooting/Network/Network.htm
http://www.myaccount.charter.com/customers/support.aspx
http://static.optonline.net/Support
http://qwest.centurylink.com/internethelp/emailsupport/techemail.html
http://help.suddenlink.com/Pages/default.aspx
http://www.centurylinkservices.net/faq.php#abuse

HiJackThis diagnostic tool
http://www.trendmicro.com/ftp/products/hijackthis/HiJackThis.msi
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute atech 3/16/12 3:18 PM
Google has no security experts who can investigate? Other than completely skewing our analytics data, this isn't causing any other problems. It's a shame that I would need to hire a security expert to figure out why Google Analytics can't filter out completely irrelevant traffic.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute Matt Grist 3/16/12 5:53 PM
I bet that the reason Google is having a hard time doing much about this is that this traffic is very difficult for anyone to distinguish from real traffic -- them included.  The best and only option I've seen so far (see above I think), is to conditionally load analytics for the offending browsers in the case of direct traffic ... the load would only occur on a mouse movement or keystroke (to distinguish this traffic from zombie traffic.)

Google could implement something like this on its end, but with difficulty.

There are problems with this ... for example, as a percentage of those using adwords or analytics, how big a problem is this, and does it justify (from google's pov.) a somewhat major change in how its analytics are loaded or recorded for a great many browsers.  Also, would it still not count legitimate traffic that just happened to be of bad quality and not really do anything once it visits the page ...

In the end this really just can't be solved server side -- your web server, or google's analytics stuff simply will not know the difference between this bot and a legitimate visit unless some user behavior is factored in -- this is because these probably are (in a way) legitimate visits -- people's browsers are probably, without their permission, opening background windows or something ... that seems to be the nature of this traffic.

Personally, my hat's off to anyone who can figure this out without recourse to abuse complaints etc (which don't strike me as a particularly fruitful way to go either.) 

Anyway, good luck to us all -- I'm getting tired of dealing w/ this.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute OkayNetwork 3/16/12 8:22 PM
I think a possibility might be a worm that uses the infected machine's IE browser to access any website. Thus the traffic appears to be normal as the operation occurs in the background as IE is accessed and controlled directly. No window opens up for the user, so they could be using their own computer while this is occurring making it even harder for even Google who sees a lot more than just your website traffic of that user to tell it's a bot that's controlling the session. If it's not a clickbot then the question remains on why it's doing what it's doing if that is what is going on.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute DarrinWard 3/18/12 11:28 AM
I am wondering if anyone has any further developments on this? Surely Google would have noticed an aggregate jump in direct traffic across all sites.

Tried a lot of things and can't figure it out. A pre-rendering problem seems like a plausible issue... but is there any way to verify. Would a specific HTTP header be sent by the client it is was a pre-rendering request? Is this the same as prefetch?
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute PPC_Guru 3/18/12 12:17 PM
@Darin

IE does not support prerendering (only Chrome prerenders, and ga.js is set to ignore chrome prerendered visits). So this is NOT the cause.

I have come to the conclusion, that this is a botnet (not a native IE function loop, or prerender error).

Thanks

Phil.

Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute OkayNetwork 3/18/12 1:11 PM
It's very likely being that if it's happening from different ip addresses that these are infected machines.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute DarrinWard 3/18/12 8:35 PM
Yes it's all different IP's. It's a pretty constant 8k visitors per day now... peaked at about 14k.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute BDH 3/21/12 8:50 AM
Can everyone affected by this provided their hosting company. Danny Sullivan of Search Engine Watch hasn't heard of this. I suspect this is "attacking" webhosts.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute netmeg3 3/21/12 8:57 AM
Danny Sullivan is at SearchEngineLAND, not SearchEngineWatch, and there's a link to my post on my experience ON SearchEngineLand as of yesterday.

(you can read it here Zombie Robots Are Eating My Site)

It's not an attack on webhosts; my host (TigerTech) has a lot of other clients (including Danny Sullivan AND SearchEngineLand - hey what a coincidence) and they don't have anyone else having the problem.

Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute BDH 3/21/12 12:05 PM
Thanks for the response. Yeah, I meant SearchEngineLand :) . We left a response on your post. This thing looks like a sneaky Trojan horse. We got to thinking maybe somebody is prepping something for 12/21/12.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute OkayNetwork 3/21/12 3:12 PM
Has anybody traced the ip addresses to see if there is a common isp or a big enough chunk of them that maybe the isp can do something to help stop it? Like maybe tell their customers that their computers are infected?
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute PimaMedicalInstitute 3/22/12 12:02 PM

Hi Aruna:

I think I speak on behalf of all of us in appreciation of your attention on this issue, but at this point I’m in need of some immediate answers. In reading through this blog, I am unsure of the level of users being affected by false direct visits, but I am a new employee of a .Edu and the issue happening is not in the hundreds nor the thousands for us  – it’s in the ten’s of thousands. Our Direct visitation is 700% above baselines and the data has us crippled. We have looked at every possible offending channel – from IPs to host servers to time of day visitation and every single factor points to this visitation as being real – but it is obviously not. Our direct visitation is our highest converting channel and the incremental visits are proving not to turn into business. We have also determined that most of this visitation has zero time on site, which is a strong indicator of non-human activity.

 

It’s hard not to fall into a conspiracy theory mindset here, but I also find it unusual to see no response from Google on the issue for over 10 days - no word on this blog, nor our AdWords contact, Analytics contact and even our client services representative. My organization is by no means small and we do have media exposure. Our next step will be to reach out to our media partners to gain some sort of elevation on what is proving to be a major business issue.

 

Any update would be appreciated.

Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute OkayNetwork 3/22/12 2:46 PM
Ever think of contacting your web hosting company to see if they can do something about it? Or at least point you to a few of the isp's who's got infected machines on their network so that you can contact those isp's?
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute PimaMedicalInstitute 3/22/12 2:57 PM
Yep. That was last week's exercise. We've tried everything we know of at this point. I'd like to think it's a direct link in an email somewhere, but that doesn't substantiate the steady increase in volume each month - not to mention the sheer volume it's generating.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute Matt Grist 3/22/12 2:59 PM
@PimaMedicalInstitute 

Allow me to just +1 what you said.  We are a large media company, also affected by this in the 10,000+ visits/day range.  My prediction is that this will soon hit the mainstream technology media at the very least ... I'd love to hear from Google on this too, as soon as possible.

However, the reality probably still is that this is very very hard to figure our and/or mitigate.  But some sort of word would be nice.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute BeckyC1995 3/22/12 3:10 PM
OP Here :)
We're still getting it too, with the same profile as everyone else.

We too have done everything: Logged it, reviewed it, etc. etc.

We contacted our hosting company weeks ago, right at the beginning of this. I think even before I posted here. They were no help. Their tech support suggested that someone must have put a link to our site up on a message board somewhere. We get 100M page views a year. I don't think THAT was the solution - they should have known better. I gave up with them because they said to investigate further, they would have to charge us an hourly rate. Um, no.


I've given up trying to figure out what's happening and are just dealing with the redirect for now.

I can't say I'm "Glad" to see so many others with the problem, but at least it's not just the few of us anymore. Hopefully google will give us more attention soon. Google, you out there? Are you listening?
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute OkayNetwork 3/22/12 3:12 PM
If your web host cannot help you, then it's time to move to a web host that can.

I'm sure once you tell your current web host that you are no longer going to be paying them for services and moving your websites elsewhere they will be more than willing to help you solve your issue or at least trace the ip's for you. Unless you're on one of those $7.95 a month hosting plans and not spending hundreds of dollars a month on a dedicated server.


Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute BeckyC1995 3/22/12 3:18 PM
That's the point that everyone is having - the hosting company can't help because this is a very weird unusual situation. Also, trying to trace all the IP addresses is crazy. There are thousands of them.


PS - Oh please, I'm not moving hosting companies.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute OkayNetwork 3/22/12 3:56 PM
It's not a Google problem, so Google won't be of much help.
They'll simply tell you to block the offending ip's or install some sort of intelligent filter program or intelligent firewall.

So if you're not willing to pay your host to solve the issue, or even threaten them with moving to another host so they'll do it maybe this one time for free, then I think you're pretty much on your own. You're going to have to pay somebody to figure it out and all you need now is to figure out who you're going to pay and how much. Or of course you can simply just leave things be until the system crashes and you loose everything that you have not backed up, not to mention all the time it might take to configure the server again and restore from the backed up data once it does.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute DarrinWard 3/22/12 4:10 PM
I do agree that Google is not the cause of the problem, however they are in a unique position... They would be seeing this data in aggregate across thousands if not millions of sites and they have the resources. So in other words, if anyone can figure it out, it would be them.

They don't "have to", but given the traffic is skewing Analytics data, it would be a noble and valuable contribution.

Question to those that have analyzed this traffic - have you gone as far as to track HTTP headers? I wonder if there is some common header being sent by this botnet.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute OkayNetwork 3/22/12 4:31 PM
I simply don't see Google getting involved because of privacy issues.

And just because it's happening on one site does not mean it's happening on other sites, and even if it is, it doesn't necessarily mean it's from the same source.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute PimaMedicalInstitute 3/22/12 4:34 PM
Thanks for that Darrin - I don't think OkayNetwork is reading through this blog. So far, this one has everybody - EVERYBODY stumped. We even reached out to Danny Sullivan. The disturbing thing is that we can't even get Google's attention. This is either something that is happening in isolation to a select few (and therefore not a priority) or it also has Google stumped. I've had issues like this in the past and Google has always helped out. Could this be a precursor for something bigger? Don't know. Sure would like to find a solution.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute JeffChristiansen 3/22/12 4:59 PM
I hope to explain the issue to the folks that have recently joined this thread...

Since the zombie visitors (from all over the world) have an IE user agent, it's actually a Microsoft problem, however it's us that are dealing with it. We're hoping that Google could help solve the problem or at least provide information since they can review website logs via their analytics software that we all use.

The zombie visits never have mouse activity nor do they go beyond the landing page. The visits only have IE user agents. There arent any specific browser plugins that are reported in the user agent. They visit at any and everytime during the day. The IP addresses map to every country, even ones that don't generally have any visits to the site.

Thanks,
Jeff

Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute OkayNetwork 3/22/12 5:05 PM
I spend whatever little in between time I have between the many things I do over here to volunteer and help others, but when the task becomes so great in scope that I would have to devote much more time and take away a lot of time from my current job, then my boss expects me to charge for those services (or to look for another job if I don't). I'm no security expert and so if Danny Sullivan is and has looked over the information or is willing to for free, then I suggest you let him work his magic and if he gets stumped, well then I'm afraid if you want to get to the bottom of this then paying a security expert is probably the best advice I can give.

Keep in mind there are a few services out there that claim to be able to stop botnets in their tracks while allowing legitimate traffic through. Usually it's a monthly fee that's charged or some software you have to buy and install on your server.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute OkayNetwork 3/22/12 5:09 PM
How about just blocking IE users for a few days?
If the botnet is only using an IE exploit, then it might back off when it realizes it can't get a response any more.

Also how about also checking your logs for brute force password attempts at the administrator account.
This could be a cover up to make you focus on web traffic and not look at failed login attempts. Just a thought.

Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute netmeg3 3/22/12 5:13 PM
Yes we have analyzed it, and tracked the HTTP headers. No common header.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute netmeg3 3/22/12 5:17 PM
We've done all this, and more. Completely blocked IE direct users for a week. As soon as I unblocked it, the traffic was there.

Currently have my site enrolled in CloudFlare to see if they have anything that will help (so far it doesn't look like it)  If nothing else, if they have other customers experiencing this, perhaps they have a large enough honeytrap of IP numbers.  At this point, we're not talking thousands of IP numbers, we're talking tens of thousands; maybe more.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute OkayNetwork 3/22/12 5:18 PM
How about any common elements to which you can block at a server level, like all of the bad traffic using the same browser which you can detect and program your server to ignore.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute DarrinWard 3/22/12 5:25 PM
So I had a couple of ideas. First I thought that IE users could be served an interstitial page with a JS redirect... But JS is obviously being executed because GA is registering hits. So what about HTTP redirects - does anyone have a confirmed case of the botnet hitting a 301 or 302 and following it? If not, I thinking... serve IE users a 302/301

Also, it's been stated that the mouse cursor is mouse cursor is never moved... I have not dug deep enough to confirm this, however it might just be a piece of gold - there are a few things that could be done with it...

1) For IE users only, serve the page with everything loaded in a JS variable and do a document.write of it only when some mouse cursor movmement takes place (GA wouldn't execute until the doc.write).

2) Use the same principle, but only load the GA code when a mouse movement takes place.

Each has it's pros and cons.

Darrin Ward
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute netmeg3 3/22/12 5:26 PM
It'd probably be a good idea to read the entire item.  All the traffic is using IE. Different versions. Different Windows OS versions. There's nothing on which to block this traffic without blocking a significant number of real users. NOTHING.  We have analyzed the headers at length.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute OkayNetwork 3/22/12 5:27 PM
If this is getting past CloudFlare what do they have to say about it since you are a paying customer of their service which is supposed to prevent this.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute netmeg3 3/22/12 5:28 PM
We're looking into the mouse movement.  Regarding the 302/301 - this is the home page of my site; that would cause an ungodly mess my (perfectly fine) search results. I'll rebrand it on another domain before I do that - and it may come to that.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute netmeg3 3/22/12 5:32 PM
I only put it in two hours ago.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute Matt Grist 3/22/12 5:33 PM
Great!  Mouse movement or any DOM events are the only way I can see to separate this traffic from any other sort -- there's no server side way that will not eliminate good traffic too (people seem to ask over and over about this, or seem to think there must be  --- there' not, and therefore nothing any hosting company can do about this.)

netmeg3 please let us know if you find anything out about DOM events -- in particular does this bad traffic ever exhibit click or mouse movement events?
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute DarrinWard 3/22/12 5:33 PM
Trust me, I understand that - SEO is my core competency. Preserving SEO is always in my mind. To clarify, only IE would be served a 301/302... - perhaps to an insterstitial page that sets a required-for-IE cookie. Chome, Firefox, Googlebot, etc would see your site without any issues.

As for rebranding. Surely you don't need to go that far. I mean, sure... it messes up Analytics and adds a few dollars on the Bandwidth bill, but it's nothing too crazy - is it?
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute netmeg3 3/22/12 5:39 PM
No, it appears to load the DOM and disconnect immediately.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute DarrinWard 3/22/12 5:40 PM
Another possible thing to check would be the onFocus status/event on the <body>. Check if the window is in focus (the presently-selected browser window/tab), or if it comes into focus. Also, does anyone know... If I have a JS function to detect mouse movement in a non-focused window - will it detect mouse movement? I suspect not.

So combining these two things... There should definitely be a way to solve this problem. It's not server-level, but if coded the right way you can make it so there is negligible bandwidth as a result of these hits, you'll keep it out of Analytics data, and it won't affect SEO.

Darrin Ward
Founder SEOChat.com
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute netmeg3 3/22/12 5:43 PM
Re: SEO - mine too. That's why I won't do it.

Rebrand - if I have to.  Or shut it down entirely.  The site in question is seasonal and it gets insane traffic for a short period of time.  Really insane. Also, I run my sites as a business, and I can't keep one that A) won't pay for itself and B) I can't get accurate analytics for. I'm half of a two person operation with a lot on our plates (plus full time jobs), and we have already spent way more time on this than we can afford.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute OkayNetwork 3/22/12 6:55 PM
Well then give it a couple of days to analyze your traffic.
Keep us posted.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute Matt Grist 3/22/12 8:55 PM
Hi Darrin -- I agree with you ... I'm far from a crack javaScript developer, but one could try something like this:

if ( ( navigator.appName == 'Microsoft Internet Explorer' ) && ( document.referrer == '' ) ) {
document.onFocusOut = document.onFocusIn = document.onMouseMove = letgitTraffic();
}else{
legitTraffic();
}
function legitTraffic() {
//inject stuff like Google Analytics, adsense -- see for example https://gist.github.com/902140
}
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute zipprosytem 3/22/12 9:42 PM
Aka We solved this issue. Might be direct ISP traffic is from your third-party tracking srevices - on that automated crone is run via scripts by diffferent locations. Even they had dedicated servers within local area or country. Things should be clear that if you are tracking via some private analystics services then it was a primary factor.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute PPC_Guru 3/26/12 7:05 AM
Microsoft just shut down a big Zeus Botnet yesterday - Anyone seeing a reduction in Traffic today?
http://blogs.technet.com/b/microsoft_blog/archive/2012/03/25/microsoft-and-financial-services-industry-leaders-target-cybercriminal-operations-from-zeus-botnets.aspx

Thanks

Phil.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute netmeg3 3/26/12 7:09 AM
Not here, unfortunately.  If anything, it seems to be creeping back up.

Also not getting much assistance from Cloudflare either - they aren't able to identify as bot traffic.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute Cynosure 3/28/12 8:02 AM
Has anyone tested this script? Does it work?
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute OkayNetwork 3/28/12 9:22 AM
My only concern for not wanting to try it out is the GA script doesn't activate until the mouse is moved. This can cause a few second delay in load time sampling and really throw your figures off. I'm thinking a better solution would be to still track that first mouse movement, however have the script that you use to track the mouse movement execute the GA event tracker, make sure to set the non interaction field to true or every visit that triggers the tracker will cause it to register as a non-bounce. Anyway, if you do this, then you can create an advanced segment that you can apply to just about every report and compare all traffic with your advanced segment of just the event triggering traffic.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute Matt Grist 3/28/12 9:48 AM
Ah interesting ... yes this would work too ... I think

Just to frame these two possibilities directly:

Option 1:
- for IE, direct traffic only, inject GA scripts only when the mouse moves (or some other human event happens.)
- this will affect load time stats (those under the site speed tab and presumably time on site), but all other reports will be normal and lack any trace of the bad traffic

Option 2:
- for IE, direct traffic only, fire off a GA event only when there's a real mouse movement or other human DOM event.
- this will leave the bad traffic in stats, but allow you to generate segmented reports which exclude it?

In the case of option 2 ... how would you segment the reports to include all traffic except that which generated no human event?  I could see how you could limit it to only that traffic which generated the event, but then you'd have to generate the event on all traffic, for all browsers and traffic sources ... is that what you had in mind?

Matt


Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute OkayNetwork 3/28/12 10:00 AM
In all of your reports there is the advanced segment button which allows you to create and apply advanced segments to just about any report. You can even apply multiple segments to the same report and see how they all compare with each other. Really neat stuff.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute Matt Grist 3/28/12 10:13 AM
Yes I know :-)

The question is, how would you generate the following segment (required for option 2 above)

"Show me all traffic that is not direct IE traffic AND all direct IE traffic that is associated with GA event XXX"  ... seems like a difficult thing to segment, but I'm no expert.

What would be easy as pie to segment is:

"Show me all traffic that is associated with GA event XXX", but that would require you to fire the event on ALL traffic, which is the question I asked above ... :-) 
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute OkayNetwork 3/28/12 11:40 AM
Advanced segments are like filters applied to the current report, they do not interfere with data collection in the sense that you can apply advanced segments to past data as well as current data. You still have to create the event data from this point on or it won't apply to your advanced segment. Depending on what you pass as the event information is how you would set up your advanced segment to only show you that traffic which matches. There is the event category, action, label, and value, as well as the opt_noninteraction (which should be passed as true otherwise you end up with a skewed bounce rate).
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute CoffeeDrinker1234 3/30/12 1:57 PM
It seems like what ever this is, its gotten smarter. Screen resolution is now all over the place, where as before it was mostly 1024x768.  Does this help explain anything?  It certainly still fits the IE 8 & 9 profile.  However, for something like this to change/adapt, it would seem to indicate that someone has changed the profile that this thing triggers.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute OkayNetwork 3/30/12 2:21 PM
Let me explain how this works......

1) A program infects a bunch of windows running computers all around the world.

2) That program then launches IE from those computers and visits a single website or a set of websites, whatever it is told to do.

Not only that, but the infected machines usually can be used by whoever is at the actual terminal without them even being aware all this is going on as the instance of IE the botnet is using is run in the background since it doesn't need to display the pages, only fetch them. So this explains why you're seeing different versions of IE on the botnet, as not everybody is running the same version of windows on their infected machines.

Now the question is, if this botnet is not clicking on the ads on your site, and really only driving traffic to the site and not really doing any harm that you can tell (except screwing up your stats a bit), it makes you wonder if your site was just on a list of sites that it's using to create what appears to be legitimate traffic so that when it does click on certain website's ads it appears to be a legitimate click. Remember, click fraud rings are becoming more and more sophisticated in their methods as Google is becoming more and more smarter in discovering when and where they are operating.

See most botnets you're going to see using IE simply because of the lack of security that you can find in a lot of windows machines. Stupid stuff like not even running AV software or not upgrading immediately when patches to security issues are released, or even opening that attachment in the email the user thought was from somebody they knew (heck it could have been sent to them by a botnet that infected a machine of somebody they knew without that users knowledge).
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute Matt Grist 4/27/12 11:58 PM
Not really sure if this thread is still alive, but we did end up solving this problem on the client side for Google Analytics at least, using the fact that indeed this bad traffic does appear to lack any DOM events, mousemove/keydown in particular.  Here's all the details -- good luck:

Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute Bidderboy 10/25/12 5:49 AM
OMG ! there must be something wrong, I am also getting sudden huge traffic on my website, 
All visitors are  from SAN JOSE (USA) 
All visitors are DIRECT and accessing different pages for average of 5-6 minutes, 
All are using SAFARI browser . 

This is totally unexpected

I am monitoring this on Google Analytic's Real Time monitoring tool. this started on 25th Oct 2012, I am really shocked to see this. 

I suspect, there is something abnormal, may be any competitor of me has done something to increase my site's bounce rate and this will affect my SEO. Can any one help me PLEASE to find root cause and fix the issue ??
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute netmeg3 10/25/12 6:52 AM
That's just the way iPhone traffic shows up now.

Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute Bidderboy 10/25/12 7:29 AM
Thanks netmeg3, 
This could be Apple iOS 6 issue , but all users are from SAN JOSE location only.
During the day we observed that, suddenly 20-22 users visits site, stays for 6-7 minutes and goes back to-gather.
All of their landing pages were different, there are almost 100+ different product pages our Online Penny Auction Site
all of them landed on different pages.
So overall, this does not looks real human trafficked by iPhone users. 

Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute Dean Hearne 12/4/12 12:45 AM
Is anyone else still having this problem?? we are still seeing over 3000/4000 visits a day from direct traffic since July and before that we only averaged a couple hundred, i have searched around online, can't really find anyone that seems to have a solid solution or been able to pinpoint the problem?
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute oseymour 12/13/12 8:21 AM
I'm still seeing this 10 months later...
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute brassman2010 3/5/13 8:24 AM
For everyone who has posted here:

Browse to the pages that these fake users are hitting and make sure that the network requests that your browser makes are the ones you would expect. I recently saw a site that had clearly been hacked. The hackers inserted a script tag in some of the template code which inserted a number of hidden iframes on the site. Pay-to-promote sites and other ad-supported sites were loaded in the iframes. The fake traffic was hitting the site to generate revenue for the sites in the hidden iframes.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute StrongBham 9/24/13 3:02 PM
This is still happening to several sites, did you ever figure it out?
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute Dean Hearne 9/24/13 11:57 PM

We actually tracked down our issue to a particular script in a plugin we was using on wordpress. 


Basically, when the new EU cookie law came in, we installed a plugin to provide the pop up message/warning that all sites are now required to do so by law, this it seems Is what was throwing all our direct traffic and stats out, so as soon as we turned this off and uninstalled it, changing for a different version, it fixed everything!


There is a possibility this is what might be causing it on some other sites also!

Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute InfraPPP Blogs 9/25/13 3:27 AM
Hello I also installed an EU cookie plugin and I am having the same problem. 

I just deleted it to see what happens. 

I didn't retain the name of the plugin, though.

Álvaro

Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute Richards Guitars 3/31/14 2:04 AM
Wow this is REALLY interesting.

I am not very techy but I can confirm I also had about 1000 extra direct views logged on my site building up to Christmas and came down sharply around this same date.  I am fascinated by what you have said as this sounds the same as me.  I have been trying to get my head around how I could have so much extra traffic - maybe a mention on PRIME TIME TV!!!  Sales have been strong too during the same period so it really made me think but I am pretty sure its some kind of error now.  Or robots visiting the site?

Thanks for the information.
Re: Huge Spike in Traffic from Direct Internet Explorer visitors - nearly100% bounce rate, stays for only one minute Dean Hearne 3/31/14 2:08 AM
We traced our error to a plugin as we use wordpress, when the EU cookie ruling came in that you had to get users to agree for cookies to be used on their computer when visiting sites (you have probably seen this pop up on a lot of sites) this was causing a conflict with our google analytics and registering as the extra traffic. as soon as we turned this off, traffic went away!
More topics »