A new spam exploit leads marketers to believe they're getting referral traffic from untrustworthy sources - how to identify and remove it.

As a digital marketer, a lot of what I do revolves around consultancy, and filtering trends, techniques, and technologies into impacting my clients’ bottom lines. My clients rely on me to answer the hard questions, like, “Can you resend the dial in?,” “This dial in isn’t working,” and “Can we reschedule this call for next week?” In staying up to date with best practices so I can advise clients on how to better achieve their online marketing objectives, I’ve noticed firsthand an increasingly common spam tactic that digital marketers should be on the lookout for as they analyze their traffic profiles.

Effectively, some websites (call them source A) seeking to increase their traffic through less-than-white hat means are exploiting unique identifiers associated with other websites’ (call them source B) analytics profiles to make it appear as though traffic from source A is arriving at source B. In reality, it’s an attempt from source A to coerce the users in source B’s analytics account to visit source A.

Before I give you a real-world example of how this works, let me give you a crash course in traffic. (Personally, I’d like a crash course in puns, because I’m driving this one into the ground.)

Web traffic can come from a handful of broad sources, including direct, organic, referral and paid:

  • Direct traffic is when someone goes directly to a site by typing the URL into a browser’s address bar
  • Paid traffic usually corresponds to advertisement clicks
  • Organic traffic usually means visits from a search engine
  • Referral traffic usually means someone clicked a link to a site from another site

People continue to bend the rules with paid traffic and organic traffic, but I like this referral traffic exploit because of where it falls on the technological literacy spectrum. It is somewhat uniquely positioned to trick those who are savvy enough not to respond to emails from Nigerian princes, but may not know how to set software installation preferences to prevent the secondary installation of browser malware, for example.

This exploit is important first because it misrepresents the true traffic profile of your website – and clean data is crucial to good digital marketing; and second because the site executing the exploit might in and of itself not be trustworthy.

Let’s look at how it works

First, we need a website with not very much traffic. A website that probably lacks decent security and has lots of flaws. My website. Let’s take a look at my website traffic month over month:

Oh boy! 50 percent more sessions. I am now the king of the internet.  Let’s see where it came from.

A site called Darodar is directing a lot of referral traffic to my site. I bet those guys at Darodar came to visit me because I am king of the internet. They appreciate my royalty.  Let’s learn more about my new fans.

Neat!  I can learn more about my new fans.  By clicking the “open in new window” box, I can navigate directly to the traffic source. There’s no way this could be spam!

By clicking, I am directed to this page. Yes! I love sweaters. I’m also now a sucker for spam traffic, and probably not king of the internet. I don’t have any links on Aliexpress that could account for the referral traffic, so I should probably figure out how to remove that traffic from my dataset. Fortunately, doing so is even easier than buying sweaters in winter.

To be clear, that listing was the exploit. The point was, as someone navigating through an analytics UI, my curiosity would drive me to click through to the traffic source. In effect, Aliexpress would gain a new visitor, a new browser cookie to remarket to, and ideally a new revenue source.

Now let’s get rid of that spam referral traffic

Under the view settings of the admin panel in analytics, navigate down to the bottom and check the “exclude all hits from known bots and spiders” option. Every popular radio single from classic progressive rap metal boy band “Known Bots and Spiders” will immediately be removed from your Pandora playlist. Just kidding. It’s not a band – they had no hits.

That should hopefully eliminate a healthy chunk of whatever spam referral traffic you might experience, but spam traffic is craftier than an IPA at a Budweiser festival, so you might consider adding a filter in an analytics view that includes only your hostname and any other hostnames that you deem relevant. Alternatively, you could do the reverse, simply excluding unwanted hostnames. Keep in mind that if you do the latter, you may have to revisit the filter from time to time to update the list.
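To see the difference between the two hostname approaches above, here is an added example (not part of the original post) that builds an anchored include pattern from an allowlist and runs it over exported rows, then shows what an exclude-only list would miss. The hostnames, sources, row layout and function names are all constructed for illustration.

```python
import re

# Hostnames assumed to legitimately serve this site's tracking code (constructed).
VALID_HOSTNAMES = ["example.com", "www.example.com", "shop.example.com"]

# Constructed sample rows, shaped like a hostname/source export from an analytics report.
SAMPLE_ROWS = [
    {"hostname": "www.example.com", "source": "google", "sessions": 120},
    {"hostname": "example.com", "source": "(direct)", "sessions": 45},
    {"hostname": "spam-host.invalid", "source": "spam-referrer.invalid", "sessions": 80},
    {"hostname": "(not set)", "source": "spam-referrer.invalid", "sessions": 30},
    {"hostname": "www.example.com.spam.invalid", "source": "other-spam.invalid", "sessions": 12},
]

def build_include_pattern(hostnames):
    """Escape dots and anchor both ends so look-alike hostnames cannot match."""
    escaped = sorted(re.escape(h.lower()) for h in hostnames)
    return "^(" + "|".join(escaped) + ")$"

def split_hits(rows, include_pattern):
    """Partition rows into (kept, dropped) using the include-hostname pattern."""
    rx = re.compile(include_pattern, re.IGNORECASE)
    kept, dropped = [], []
    for row in rows:
        (kept if rx.search(row["hostname"] or "") else dropped).append(row)
    return kept, dropped

def denylist_misses(rows, include_pattern, excluded_hostnames):
    """Rows the allowlist drops but an exclude-only list would still let through."""
    _, dropped = split_hits(rows, include_pattern)
    blocked = {h.lower() for h in excluded_hostnames}
    return [r for r in dropped if (r["hostname"] or "").lower() not in blocked]

if __name__ == "__main__":
    pattern = build_include_pattern(VALID_HOSTNAMES)
    kept, dropped = split_hits(SAMPLE_ROWS, pattern)
    print("include pattern:", pattern)
    print("sessions kept:", sum(r["sessions"] for r in kept))
    print("dropped hostnames:", [r["hostname"] for r in dropped])
    print("missed by exclude-only list:",
          [r["hostname"] for r in denylist_misses(SAMPLE_ROWS, pattern, ["spam-host.invalid"])])
```

The look-alike row is the reason for the anchors: an unanchored `www.example.com` pattern would match `www.example.com.spam.invalid` as well.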

Having a better web presence

If you look at the digital landscape now against even five years ago, you’ll notice just how much more accessible the web has become.  From Web 2.0, to social media superstars, to marketing automation tools, to GoDaddy’s 11th Super Bowl commercial, there’s a general consensus that anybody can make an impact on the web.  That said, my Twitter account has 47 followers, most of them robots, so maybe the better message is that anybody can learn how to have a better web presence.  Or that robots are taking over.

David Behuniak is a Content Marketing Strategist who inexplicably ignores most of his social media profiles. He has a background in digital marketing and advertising, but is also a mediocre musician.