Welcome to WebmasterWorld Guest from

Forum Moderators: phranque

Message Too Old, No Replies

Unexplained Direct Traffic Increase

Seeing a spike in direct traffic that feels like spam & want to how to stop



3:28 pm on Jul 23, 2014 (gmt 0)

My site has seen a spike in direct traffic over the past two weeks that I believe is spam - the bounce rate has taken a hit, average page/sessions has dropped and average time on site is nearly half of what other mediums of traffic are.

Using Analytics, I've been able to pin down culprit to for the strange traffic to Internet Explorer Browser Version 7. During this time period, the bounce rate for this browser is in the high 90s, the pages per session is just above 1 ("visit" the home page and then leave), and the time on site is a few seconds. In terms of location, the traffic seems to becoming from all over the US, so I can't tie it back to any one location.

My question is this, have you experienced this before? And what did you do to stop it?


8:13 pm on Jul 23, 2014 (gmt 0)

Hi there.

I have been experiencing the exact same problem since 06 July 2014. It stopped over the last weekend, but since Monday direct traffic has been surging again. Our hosting provider could not help us unfortunately.

I have been looking for answers to stop it, but no luck so far.


10:01 pm on Jul 23, 2014 (gmt 0)

WebmasterWorld Administrator 5+ Year Member Top Contributors Of The Month

I would try taking a look at the access logs to see what the traffic has in common. Is it all requesting one page or one image or one file? Are all visits from related IP addresses?


2:47 am on Jul 24, 2014 (gmt 0)

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

welcome to WebmasterWorld, AndM488!

i would also start looking in the web server access file for clues.
you might consider tracking HTTP Request headers to find patterns in this traffic.


2:53 am on Jul 24, 2014 (gmt 0)

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

welcome to WebmasterWorld, Zeni!


2:29 pm on Jul 24, 2014 (gmt 0)

Thanks for the welcome and the help! :)

It's direct traffic hitting our homepage, 3 seconds and gone again. It's from across the US, various Ip addresses, providers and times. It seems to be going up even more (normal traffic is about 100 sessions per day which is now up to 1500 p.d.).
I'll try to get some info if the Ips are somehow related. Could it be malware in Internet Explorer?


3:13 pm on Jul 24, 2014 (gmt 0)

We're seeing the same spike - Mostly Windows, IE7 users, spread evenly across US cities, insane bounce rate. All of it dropped over the weekend (Friday-Sunday 18-20). It all started July 8th - all of it hitting the homepage. I could ignore it, but want to make sure this isn't an attempted hack or DDoS?


4:02 pm on Jul 24, 2014 (gmt 0)

WebmasterWorld Administrator 5+ Year Member Top Contributors Of The Month

Note - this is an oversimplified explanation that may or may not be the precise cause of what you are seeing, just a general observation..
Often this pattern of traffic comes from bot-nets: compromised computers that are remotely tasked for different things like forum spam. The computer owner is not aware their machine is being instructed to do these things. Sometimes sent on 'dry runs' for testing and setup work by the controller. Blame people's lack of awareness and downloading everything FREE they can find.

Direct traffic also comes innocently from browser history and links shared via email. In other words, keep an eye on it and if you are seeing malicious behavior, think about blocking a few individual IPs (for a time, anyway). It all depends what their behavior is whether it is worth the effort when it is hit and run from residential IP addresses. If it is all images in the file requests, think about adding hotlink protection to your domain setup.


4:55 pm on Jul 24, 2014 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

AndM488 --
not2easy is right. Those aren't real human visitors. So you shouldn't talk about things like direct traffic, bounce rate, and time on site, because all of those are meaningless in this case. The "activities" you're seeing are created artificially by computer programs


5:39 pm on Jul 24, 2014 (gmt 0)

Thank you for the welcome phranque! And thank you everyone for the help! Before posting, I did quite a bit of reading online and found a couple of pages with questions similar to mine, but there wasn't a lot of information on what the goal of the traffic was, what the effects could be, or how to stop the artificial traffic. It seems that most just let the traffic run its course or just didn't follow up the posts with how they resolved the issue, so I really appreciate the response!

Unfortunately, I am having difficulty getting a hold of the full server logs, so I don't have the same level of information Zeni has. However, based on what I am seeing in Analytics, out situations sound very similar.


6:42 pm on Jul 27, 2014 (gmt 0)

AndM488, does your analytics system report a pattern in the IPs, browser usage and/or bot name? Any pattern can be useful to blacklist these attacks (because they look like bot attacks to me).


9:08 am on Jul 29, 2014 (gmt 0)

Just to second AndM488 + Zeni I have been having the EXACT same problem as well on multiple domains since July 8th + including the lull in direct traffic on the weekend between the 18th - 20th, followed by an even bigger resurgence of the spam traffic. Trying to look through server logs to see if there are any more clues on this.

Interesting that all the traffic comes from various american IP's even on sites that aren't in English.


2:44 pm on Jul 29, 2014 (gmt 0)

It seems that these spam visits were widespread enough that it got picked up by some of the SEO news sites. Based off of user comments, the common thread among the affected sites seems to be that each of the sites use AdRoll for remarketing. In case anyone would like to read through the comments, here is a link to the SEO Round Table article: [seroundtable.com...]


6:14 am on Jul 30, 2014 (gmt 0)

Yes I bumped into the thread a a few moments after my reply.

Note the comment from Adroll accepting responsibility for the attack. Did you have adroll platform pixel on the site that was affected?


9:14 am on Jul 30, 2014 (gmt 0)

10+ Year Member Top Contributors Of The Month

Do you use a CMS on your site like WordPress? I have seen forum spam software using proxys to use an array of different IP addresses, so that may be a clue?

Featured Threads

Hot Threads This Week

Hot Threads This Month