Welcome to WebmasterWorld Guest from 23.22.140.143

Forum Moderators: phranque

Message Too Old, No Replies

Unexplained Direct Traffic Increase

Seeing a spike in direct traffic that feels like spam & want to how to stop

     
3:28 pm on Jul 23, 2014 (gmt 0)

New User

joined:July 23, 2014
posts: 4
votes: 0


My site has seen a spike in direct traffic over the past two weeks that I believe is spam - the bounce rate has taken a hit, average page/sessions has dropped and average time on site is nearly half of what other mediums of traffic are.

Using Analytics, I've been able to pin down culprit to for the strange traffic to Internet Explorer Browser Version 7. During this time period, the bounce rate for this browser is in the high 90s, the pages per session is just above 1 ("visit" the home page and then leave), and the time on site is a few seconds. In terms of location, the traffic seems to becoming from all over the US, so I can't tie it back to any one location.

My question is this, have you experienced this before? And what did you do to stop it?
8:13 pm on July 23, 2014 (gmt 0)

New User

joined:July 23, 2014
posts:2
votes: 0


Hi there.

I have been experiencing the exact same problem since 06 July 2014. It stopped over the last weekend, but since Monday direct traffic has been surging again. Our hosting provider could not help us unfortunately.

I have been looking for answers to stop it, but no luck so far.
10:01 pm on July 23, 2014 (gmt 0)

Moderator from US 

WebmasterWorld Administrator 5+ Year Member Top Contributors Of The Month

joined:Dec 27, 2006
posts:2563
votes: 48


I would try taking a look at the access logs to see what the traffic has in common. Is it all requesting one page or one image or one file? Are all visits from related IP addresses?
2:47 am on July 24, 2014 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:10542
votes: 8


welcome to WebmasterWorld, AndM488!


i would also start looking in the web server access file for clues.
you might consider tracking HTTP Request headers to find patterns in this traffic.
2:53 am on July 24, 2014 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:10542
votes: 8


welcome to WebmasterWorld, Zeni!
2:29 pm on July 24, 2014 (gmt 0)

New User

joined:July 23, 2014
posts:2
votes: 0


Thanks for the welcome and the help! :)

It's direct traffic hitting our homepage, 3 seconds and gone again. It's from across the US, various Ip addresses, providers and times. It seems to be going up even more (normal traffic is about 100 sessions per day which is now up to 1500 p.d.).
I'll try to get some info if the Ips are somehow related. Could it be malware in Internet Explorer?
3:13 pm on July 24, 2014 (gmt 0)

New User

joined:July 24, 2014
posts: 1
votes: 0


We're seeing the same spike - Mostly Windows, IE7 users, spread evenly across US cities, insane bounce rate. All of it dropped over the weekend (Friday-Sunday 18-20). It all started July 8th - all of it hitting the homepage. I could ignore it, but want to make sure this isn't an attempted hack or DDoS?
4:02 pm on July 24, 2014 (gmt 0)

Moderator from US 

WebmasterWorld Administrator 5+ Year Member Top Contributors Of The Month

joined:Dec 27, 2006
posts:2563
votes: 48


Note - this is an oversimplified explanation that may or may not be the precise cause of what you are seeing, just a general observation..
Often this pattern of traffic comes from bot-nets: compromised computers that are remotely tasked for different things like forum spam. The computer owner is not aware their machine is being instructed to do these things. Sometimes sent on 'dry runs' for testing and setup work by the controller. Blame people's lack of awareness and downloading everything FREE they can find.

Direct traffic also comes innocently from browser history and links shared via email. In other words, keep an eye on it and if you are seeing malicious behavior, think about blocking a few individual IPs (for a time, anyway). It all depends what their behavior is whether it is worth the effort when it is hit and run from residential IP addresses. If it is all images in the file requests, think about adding hotlink protection to your domain setup.
4:55 pm on July 24, 2014 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:2684
votes: 95


AndM488 --
not2easy is right. Those aren't real human visitors. So you shouldn't talk about things like direct traffic, bounce rate, and time on site, because all of those are meaningless in this case. The "activities" you're seeing are created artificially by computer programs
5:39 pm on July 24, 2014 (gmt 0)

New User

joined:July 23, 2014
posts: 4
votes: 0


Thank you for the welcome phranque! And thank you everyone for the help! Before posting, I did quite a bit of reading online and found a couple of pages with questions similar to mine, but there wasn't a lot of information on what the goal of the traffic was, what the effects could be, or how to stop the artificial traffic. It seems that most just let the traffic run its course or just didn't follow up the posts with how they resolved the issue, so I really appreciate the response!

Unfortunately, I am having difficulty getting a hold of the full server logs, so I don't have the same level of information Zeni has. However, based on what I am seeing in Analytics, out situations sound very similar.
6:42 pm on July 27, 2014 (gmt 0)

Junior Member from IT 

joined:Oct 29, 2013
posts: 143
votes: 0


AndM488, does your analytics system report a pattern in the IPs, browser usage and/or bot name? Any pattern can be useful to blacklist these attacks (because they look like bot attacks to me).
9:08 am on July 29, 2014 (gmt 0)

New User

joined:Aug 10, 2013
posts: 11
votes: 0


Just to second AndM488 + Zeni I have been having the EXACT same problem as well on multiple domains since July 8th + including the lull in direct traffic on the weekend between the 18th - 20th, followed by an even bigger resurgence of the spam traffic. Trying to look through server logs to see if there are any more clues on this.

Interesting that all the traffic comes from various american IP's even on sites that aren't in English.
2:44 pm on July 29, 2014 (gmt 0)

New User

joined:July 23, 2014
posts: 4
votes: 0


It seems that these spam visits were widespread enough that it got picked up by some of the SEO news sites. Based off of user comments, the common thread among the affected sites seems to be that each of the sites use AdRoll for remarketing. In case anyone would like to read through the comments, here is a link to the SEO Round Table article: [seroundtable.com...]
6:14 am on July 30, 2014 (gmt 0)

New User

joined:Aug 10, 2013
posts: 11
votes: 0


Yes I bumped into the thread a a few moments after my reply.

Note the comment from Adroll accepting responsibility for the attack. Did you have adroll platform pixel on the site that was affected?
9:14 am on July 30, 2014 (gmt 0)

Preferred Member

10+ Year Member Top Contributors Of The Month

joined:May 27, 2005
posts:428
votes: 3


Do you use a CMS on your site like WordPress? I have seen forum spam software using proxys to use an array of different IP addresses, so that may be a clue?
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

Featured Threads

Free SEO Tools

Hire Expert Members