Welcome to WebmasterWorld Guest from 54.91.203.233

Forum Moderators: Robert Charlton & goodroi

Malicious Bounce Rate

     
2:44 pm on Sep 25, 2018 (gmt 0)

Junior Member

10+ Year Member

joined:Feb 4, 2003
posts:107
votes: 0


Need some advice.

I've got a client who's being attacked maliciously effectively running up the bounce rate of certain pages to nearly 100%. The topic is a highly competitive small niche only applicable to the US. All IP's are from foreign countries

DId a little bit of research here to see if someone had a similar experience here and I did see some veteran members saying bounce rate as a ranking measure is a myth, but we know that bounce rates are an important metric otherwise it wouldn't be listed as a main metric in GA. In fact bounce rate + time on page + pages visited are all tied together and important signals to the quality and usability of a web page are they not?

This attack appears to be working unfortunately; as a new page comes online quickly ranks because of the high quality content, then a barrage of ONLY foreign IP's (and some proxies) bounce the page until it disappears.

I've been blocking these foreign IPs at the B level but they just keep coming in, and even though this would make GA on my end appear better, the algorithm can obviously see someone returned to the search.

Any thoughts?
4:12 pm on Sept 25, 2018 (gmt 0)

Full Member

Top Contributors Of The Month

joined:Sept 13, 2018
posts:309
votes: 58


we know that bounce rates are an important metric otherwise it wouldn't be listed as a main metric in GA

This is not because GA is listing this metric, that it means it has a significant impact on your ranking at Google Search. Like any metric, this one is made to give "to you" a vision of what is going on at your site, and the behavior of visitors. Then "you" exploit these information the way you want.

Now, I don't think it's a myth that the bounce rate is factor in the ranking algorithm. I think it's one among many other factors. So it's not to be neglected.

That being said, for the issue you are experiencing, and since you said you target only US visitors, you can simply block foreign IP ranges. (or more, said the other way around, you an block all traffic, excepting US IP ranges).
4:14 pm on Sept 25, 2018 (gmt 0)

New User

joined:Mar 14, 2018
posts:5
votes: 4


No real experience in this, but I thought the only way google could detect a bounce rate on the search engine is if that visitor a) searches your site b) lands or doesn't land on a real page c) visits google again and searches something else. So whether or not you block them through ip addresses, does it really matter? Otherwise, google algo would have to peak inside google analytics to figure out if it was a real bounce, which they may or may not do?
5:00 pm on Sept 25, 2018 (gmt 0)

Administrator from US 

WebmasterWorld Administrator not2easy is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2006
posts:4055
votes: 249


Have you thought about using a CDN such as Cloudflare to deal with this level of unwanted traffic? If your access logs show that this unwanted traffic is actually coming from Google search in their counties have you made sure to set your country preference in the GSC account?
5:47 pm on Sept 25, 2018 (gmt 0)

Junior Member

10+ Year Member

joined:Feb 4, 2003
posts:107
votes: 0


@justpassing

"you can simply block foreign IP ranges. (or more, said the other way around, you an block all traffic, excepting US IP ranges). "

Is there a list of IP ranges by country someplace?

@Soupmaster

Yes, exactly, this is a problem.

@not2easy

I do have a CDN for files, but not hosting the website as a whole. The traffic seems to come from google.com directly. I have seen some .co.uk though.

Ideas:

Maybe disable back button but I loathe websites that do this. And long term I feel it will hurt the site somehow
Maybe redirect foreign IP's to a page where they have to do some kind of verification to access content
Maybe get microworkers to balance this by staying on the website, but again I feel this not a long term solution
7:17 pm on Sept 25, 2018 (gmt 0)

Administrator from US 

WebmasterWorld Administrator not2easy is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2006
posts:4055
votes: 249


Is there a list of IP ranges by country someplace?
That is overkill and not very productive. Isolating the sources and blocking those isn't a bad idea, some of us do that as a habit.

There is a list of various blocking criteria here: [webmasterworld.com...] but before beginning, you should be prepared to spend time getting it set up right. Step one is to examine your raw access logs. When you have learned to spot human vs. non-human activity, then you can begin looking up the IP ranges to block. Threads on that topic can save you a lot of time, the current list is here: [webmasterworld.com...]

Since it appears that you have made efforts to block the offenders without success, it might help to read through some of the threads where blocking is discussed to look for better ways to accomplish what you want to do. I rely on the site search here in the upper right corner. For example, when I find an unwanted IP, I do a lookup to determine the host and range. If I can't find everything I need, I use the search for either host name or IP as "a.b.0.0" or "a.b.255.255" to give me information on the IP ranges that I don't want accessing my sites. It consumes some time to start, but once in place maintaining it takes only a few minutes a month.
8:11 pm on Sept 25, 2018 (gmt 0)

Junior Member

10+ Year Member

joined:Feb 4, 2003
posts:107
votes: 0


Good info thanks
12:54 am on Sept 26, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator martinibuster is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 13, 2002
posts:14828
votes: 471


In fact bounce rate + time on page + pages visited are all tied together and important signals to the quality and usability of a web page are they not?


LEGIT bounce rate, LEGIT time on page, LEGIT pages visited are just signals for YOU to interpret to understand why visitors are coming to your site and IF you need to adjust anything. If at all.

Bounce rates and so on from rogue bots are noise and only noise to those metrics.

Because search engines no longer show keywords, those metrics are less useful than they used to be.
1:54 am on Sept 26, 2018 (gmt 0)

Junior Member

10+ Year Member

joined:Feb 4, 2003
posts:107
votes: 0


Do you think Google considers bounce rate in its search ranking algo?
2:05 am on Sept 26, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator martinibuster is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 13, 2002
posts:14828
votes: 471


Do you think Google considers bounce rate in its search ranking algo?


Good question. :)

Not on a granular "We're going to demote this ONE web page out of trillions of web pages because the bounce rate of this ONE page is a disgrace" level. No. It's not like that.

Bounce rate is used as an algorithm quality control and in helping train an algorithm. That's at the forest level, not at the tree level.

Make sense?
;)
2:29 am on Sept 26, 2018 (gmt 0)

Junior Member

10+ Year Member

joined:Feb 4, 2003
posts:107
votes: 0


Yes but I disagree, otherwise these jerks wouldn't waste their time, and I wouldn't be here asking you guys for help ;)
3:16 am on Sept 26, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Apr 1, 2016
posts:2233
votes: 589


otherwise these jerks wouldn't waste their time,

Just because people engage in shady practices doesn't make those practices effective. There are loads of people buying links to try gain positions, no one know for sure whether that is actually effective. We know that Google ignores some links. So some buy links and their site gains in the rankings, others do the same and nothing happens and yet another groups does it and gets penalized. The only group that knows whether buying links contributed to the end result was the group that was penalized and that is only because Google told them so.

Bottom line is no one can point to any one thing and say this will cause your site to gain or lose rankings. So the "jerks" are likely wasting their time but doing it with the sincere belief that this practice is effective.

@Soupmaster made a very good point, you can block these IPs but since they are coming through the Google SERP blocking them will only cause them to go back which is what your are trying to avoid in the first place. Moreover, blocking IP's will likely result in a number of false positives, thus blocking more users and forcing them back to Google essentially making the situation worse.

I suggest signing up for Cloudflare. Users from a variety of IP's that come through Google are likely real user browsing with compromised browsers. Cloudflare can detect this and then will force the user to go through a captcha. That should dampen the impact while allowing real users (false positives) the ability get through if they really are interested in the website. It can be set up in minutes, no messing with htaccess files and what not, no stress and you can go on focusing on more important stuff.
10:17 am on Sept 26, 2018 (gmt 0)

Full Member

Top Contributors Of The Month

joined:Sept 13, 2018
posts:309
votes: 58


Is there a list of IP ranges by country someplace?

If you use Apache, here is how you can block or allow countries : [briansnelson.com...]

And with nginx : [docs.nginx.com...]
4:50 pm on Sept 26, 2018 (gmt 0)

Junior Member

10+ Year Member

joined:Feb 4, 2003
posts:107
votes: 0


@NickMNS

Bottom line is no one can point to any one thing and say this will cause your site to gain or lose rankings


This is true. However it appears as though this is having an affect from my testing.

@Soupmaster made a very good point, you can block these IPs but since they are coming through the Google SERP blocking them will only cause them to go back which is what your are trying to avoid in the first place. Moreover, blocking IP's will likely result in a number of false positives, thus blocking more users and forcing them back to Google essentially making the situation worse


Thats why I said in my first post: "and even though this would make GA on my end appear better, the algorithm can obviously see someone returned to the search. "

Ok the bottom line is, this question. Does Google take analytics data into effect in ranking webpages. Why wouldn't it? So while they may hurt the bounce rate from the Google search perspective, I'm stopping them from hurting the GA, data perspective, and in my opinion the GA data is far more accurate than the search perspective. Think about it.

Cloudflare... I will look into hosting here thanks for the suggestion.

@justpassing

These are good! Thanks
5:13 pm on Sept 26, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Apr 1, 2016
posts:2233
votes: 589


Does Google take analytics data into effect in ranking webpages. Why wouldn't it?

They don't and there is very little evidence to suggest the contrary. There are many reason not to, the most compelling is that GA can very easily be gamed. The premise for referral spam is exactly that.

Setup an external browser to make calls directly to the GA endpoint such that when the webmaster reviews the data it will appears as if there is a spike in traffic coming from a specific referrer. Then the webmaster types the referring URL into his/her browser and immediately gets infected with some malware. That is roughly how referral spam is said to work. In the case of referral spam all the requests are made directly to Google's endpoint and none of those hits are ever made to the attacked website's server. This is a concrete and real example of how GA is being gamed. One could easily set up request to make it appear as though users are loving the website, clicking on links, spending time whatever you would like. At the end of the day it would all be meaningless.

If you are really concerned that GA is causing ranking problems for a website then turn it off, use Piwik or one of the many other non-Google solution available. Or don't use any, use a solution that analyzes your logs instead.

Cloudflare... I will look into hosting here thanks for the suggestion.

Just to be clear Cloudflare is not a host, it is reverse proxy server that sits between your server on your current host and the web. Web requests are routed through Cloudflare and filtered based on rules that you can set. It also acts as CDN and can cache your static resources, thus serving cached content instead content from your server and as such reduces the load on your server. There are various packages available including a free version. Amazon offers a similar service called CloudFront and I'm sure there are others as well.
6:41 pm on Sept 26, 2018 (gmt 0)

Junior Member

10+ Year Member

joined:Feb 4, 2003
posts:107
votes: 0




They don't and there is very little evidence to suggest the contrary. There are many reason not to, the most compelling is that GA can very easily be gamed. The premise for referral spam is exactly that.

Setup an external browser to make calls directly to the GA endpoint such that when the webmaster reviews the data it will appears as if there is a spike in traffic coming from a specific referrer. Then the webmaster types the referring URL into his/her browser and immediately gets infected with some malware. That is roughly how referral spam is said to work. In the case of referral spam all the requests are made directly to Google's endpoint and none of those hits are ever made to the attacked website's server. This is a concrete and real example of how GA is being gamed. One could easily set up request to make it appear as though users are loving the website, clicking on links, spending time whatever you would like. At the end of the day it would all be meaningless.

If you are really concerned that GA is causing ranking problems for a website then turn it off, use Piwik or one of the many other non-Google solution available. Or don't use any, use a solution that analyzes your logs instead.

Just to be clear Cloudflare is not a host, it is reverse proxy server that sits between your server on your current host and the web. Web requests are routed through Cloudflare and filtered based on rules that you can set. It also acts as CDN and can cache your static resources, thus serving cached content instead content from your server and as such reduces the load on your server. There are various packages available including a free version. Amazon offers a similar service called CloudFront and I'm sure there are others as well.


I don't disagree with you, but you're talking about referral spam vs. google sent traffic. So really what you have here is a complete line in the chain from: user inception > search query > SERP click > site interaction behavior > goals. Without GA, the chain stops at SERP click. Do websites get more favor if they complete the chain and have good metrics? If I were them, I'd consider this a huge signal in ranking. Can this be manipulated? absolutely. Would it be difficult? Depends but the real real question is this fair if true? Well, if it forces webmasters to create better interaction rates in the chain to serve the people's queries better but at the expense of giving over too much power. We can go real deep with this...but the point is I think we're all just a bit naive about what google can and actually does with the information they have.

Cloudflare, yes I meant as a CDN. A little hesitant only because I've seen the cloudflare screen of death several times. I'm sure the benefits outweigh those small outages. Will look into it...
6:48 pm on Sept 26, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Apr 1, 2016
posts:2233
votes: 589


There is nothing support your claim. The referral spam example was to demonstrate how easily GA stats can be manipulated.

If you feel so strongly that GA stats can impact your ranking then you should already be writing scripts to manipulate the stats in your favor.
7:05 pm on Sept 26, 2018 (gmt 0)

Junior Member

10+ Year Member

joined:Feb 4, 2003
posts:107
votes: 0


Can you manipulate google.com referrals in GA? If that can be done then you're right about ga stats being meaningless to the algo.

/edit (referrals manipulated by script not going to google.com searching etc)
7:26 pm on Sept 26, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Apr 1, 2016
posts:2233
votes: 589


Can you manipulate google.com referrals in GA?

Yes that is what referral spam is.
8:37 pm on Sept 26, 2018 (gmt 0)

Junior Member

10+ Year Member

joined:Feb 4, 2003
posts:107
votes: 0


The referral spam you described earlier is not what I'm talking about. If you can write a script that pretends to be google the search engine sending clicks to a website and the ga data 'organic search results' shows an increase then Google has big problems. I doubt this is possible.
9:28 pm on Sept 26, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15256
votes: 691


Can you manipulate google.com referrals in GA?
You can manipulate absolutely anything in GA--and similarly any analytics program, though the problems are increased when it doesn't live on your own server. Analytics doesn't track requests for your content. It tracks requests for the analytics file, with an enormously long query string that might show information about a bona fide human visit--or might be 100% fabricated.
4:39 am on Sept 27, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator martinibuster is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 13, 2002
posts:14828
votes: 471


otherwise these jerks wouldn't waste their time


IF it's negative SEO, then they're trying to tax your server load to keep Google from crawling your site effectively. It's like a DDOS that's executed at the same time that Google is crawling. IF there is a crawling error due to that then it'll manifest in GSC crawl errors report.

But in reality it's probably not negative SEO. It's just the natural state of the Internet. Every site that has links or ranks gets attacked by scrapers and so on. Scrapers hit sites at night for the same reason search engines do: Because there's supposed to be less traffic during the late night early morning hours.

If your client's site has ranking problems, the crawler/bounce rate theory is just an uninformed guess. The real reason lies elsewhere.

No offense meant but the reason I say it's an uninformed guess is that a lack of understanding of how search engines use bounce data (and don't use it) leads to these kinds of conclusions.

I've read the patents and algorithm research papers. That's where my opinions about how search engines work comes from.

Not from reading someone's blog. ;)

Good luck,
;)
5:16 am on Sept 27, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:8726
votes: 699


I just keep it simple. If they are not providing value I nuke 'em (by range, or country). Easy Peasy and MY LIFE goes on normally.

If one thinks this is a problem, eliminate it. At whatever level is appropriate.

With 7 billion folks on the planet, denying 2 billion or so is not going to hurt you.

PERSPECTIVE.
4:33 pm on Sept 27, 2018 (gmt 0)

Junior Member

10+ Year Member

joined:Feb 4, 2003
posts:107
votes: 0


@martinibuster

This isn't my first rodeo you know...not coming up with these things from reading someones blog.

@tangor

Yes indeed.
12:05 am on Sept 28, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:July 29, 2007
posts:1820
votes: 106


Lots of overthinking going on here.

No real experience in this, but I thought the only way google could detect a bounce rate on the search engine is if that visitor

Not so, Google Chrome is used to provide Google with a full map of all user actions. I'm sure their beacons and things like analytics give them even more data but Chrome is their workhorse.

They send some immediate traffic to many new pages, a sampling, and shut it off again quickly. They come up with a first impression extremely quickly these days.
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

Featured Threads

Free SEO Tools

Hire Expert Members