GoFuckYourself.com - Adult Webmaster Forum


catharsis 01-26-2005 11:55 AM

"fake" traffic ? what is this ?
 
Hey guys, got a quick question here. I seem to be getting a lot of "fake" traffic and I am wondering if this is a standard browser behaviour, bug or a bot posing as a visitor. I get in my logs, people that repeatedly ask for the "/" document but then don't download anything: no images, no css, nothing else. Example logs are shown below:


209.28.22.13 - - [26/Jan/2005:13:43:44 -0500] "GET / HTTP/1.1" 200 9883 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0"
209.28.22.13 - - [26/Jan/2005:13:43:50 -0500] "GET / HTTP/1.1" 200 9883 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0"
209.28.22.13 - - [26/Jan/2005:13:43:56 -0500] "GET / HTTP/1.1" 200 9883 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0"
209.28.22.13 - - [26/Jan/2005:13:44:06 -0500] "GET / HTTP/1.1" 200 9883 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0"
209.28.22.13 - - [26/Jan/2005:13:44:34 -0500] "GET / HTTP/1.1" 200 9883 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0"
209.28.22.13 - - [26/Jan/2005:13:44:39 -0500] "GET / HTTP/1.1" 200 9883 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0"


Notice the seconds apart in requesting the / document but nothing else! I am asking because I have been arguing with business.com for over 1 month about this. My CPC with them is around 2.5$ and they charge me for hundreds of clicks that I don't even consider real clicks, just like above!! I tried reasoning with them but they claim those are still real visitors. Anyone knows what causes the pattern above to happen ?

Thanks!

cadillac sparks 01-26-2005 12:00 PM

It's the Firefox browser alright, looks like a surfer, not a bot. Click fraud? Perhaps, what you're describing sounds a lot like it.

SmokeyTheBear 01-26-2005 12:00 PM

I doubt it's a bot as it has the browser string as Firefox. Maybe it's some sort of frames. Do you run a referrer script or open stats program?

Evil1 01-26-2005 12:02 PM

Quote:

Originally Posted by catharsis
Anyone knows what causes the pattern above to happen ?

The guy that wants to burn up your money so you bail on the keyword and he can get it much cheaper is what causes that problem.

catharsis 01-26-2005 12:03 PM

nope
 
to the website from which I have those logs I have no referral whatsoever except for google..but as you can see in those logs ( it's the combined format in Apache and it contains the referrer as well ), there is no referrer!

That IP just requested my / a few times and for real - see how it downloaded the full size of index.php which is 9883 bytes!

I get tons of traffic like this on all of my websites but I only mind this on those for which I pay for the referral!

I really need to find out what's causing this

catharsis 01-26-2005 12:23 PM

anyone ?
 
anyone seen or sees this behaviour in their logs ?

sicone 01-26-2005 12:36 PM

Every time I have seen it, it was from a hitbot.

brand0n 01-26-2005 12:50 PM

smokeys sig rocks out lol

dcortez 01-26-2005 12:53 PM

Quote:

Originally Posted by brand0n
smokeys sig rocks out lol

NOT.

-Dino

catharsis 01-26-2005 12:59 PM

hmm
 
sicone, so you are saying that a hitbot is faking the useragent and just goes around clicking on my links ?

Now I knew this was happening but I'm not sure why the retards at business.com aren't being more helpful in this matter. I've shown them logs under which one of these 'visitors' asked for /robots.txt but they still claimed it was valid!

Not sure why they don't get that instead of trying to rip me for a few hundred dollars and pissing me off, they can work with me, not charge me for this obvious crap, and thus allow me to get a higher position or more listings with them! Right now I spend 1k for position #3 with something like 120 fake clicks when I could be getting position #1 for this money with only the real clicks!

I guess I'm just trying to find undeniable proof of all this botting

Serge Litehead 01-26-2005 01:03 PM

I'm not an expert but it looks like hitbot with long time sequence so it can pass through some simple ddos/hitbot protection

See Cig 01-26-2005 01:13 PM

looks legit 2 me

Serge Litehead 01-26-2005 01:49 PM

Quote:

Originally Posted by See Cig
looks legit 2 me

single user trying to hit a page 6 times in a minute from the same referral, business.com, with the same IP - doesn't look legit especially if you pay per clicks, wouldn't you agree?

the thing that makes me wonder is if they can fake useragent, they could easily fake IP too, then it would look completely legit.

so with business.com if I click a link 100 times, will they charge for 100 clicks even though it came from single unique user?

Screaming 01-26-2005 02:04 PM

I don't see what the problem is?

RefaStud 01-26-2005 02:08 PM

You are correct, no modern browser would send in a request string and not try and retrieve the images. Most people are not using any of the features to turn off images.

The other proof, It's not requesting the Favicon.ico which Firefox and Mozilla ALWAYS ask for.

here is a sample from a valid click on a page with no images:
IPCONCEALED - - [DATE] "GET: / HTTP/1.1" 200 5836 "FULL URL" "Mozilla/5.0 (X11; U; Linux; rv:1.73 ) Gecko/20041020 Firefox/0.10.1
IPCONCEALED - - [DATE] "GET: /favicon.ico HTTP/1.1" 404 20731 "-" "Mozilla/5.0 (X11; U; Linux; rv:1.73) Gecko/20041020 Firefox/0.10.1"

Give me 10 minutes with perl, and LWP and I can fake the Referer and The Request all in simple script. It's not that hard.

woj 01-26-2005 02:33 PM

Looks like he is img srcing you, or is using a poor quality bot...

catharsis 01-26-2005 02:46 PM

yeah
 
faking UserAgent is no big deal..it can be done in Perl using LWP in a few minutes.

the big problem is proving this as I have no working partner in business.com.

They are happy to charge me more and don't realize that they will instead lose my business and everyone else's business if they don't fight on the customer's side

about the images as I said, I will post below a 'valid' click:

144.132.24.154 - - [12/Jan/2005:00:50:20 -0500] "GET / HTTP/1.1" 200 9309
144.132.24.154 - - [12/Jan/2005:00:50:20 -0500] "GET /gstyle.css HTTP/1.1" 200 2308
144.132.24.154 - - [12/Jan/2005:00:50:20 -0500] "GET /images/gtech_02.jpg HTTP/1.1" 200 32090
144.132.24.154 - - [12/Jan/2005:00:50:20 -0500] "GET /images/gtech_03.jpg HTTP/1.1" 200 4522

and so on...

User fires up browser, comes to my website, gets index.html which in turn tells the browser to get all my images/css, etc. That's what you see above.

In the clicks I complain about, like in the first post, the '/' is retrieved several times and each time it is retrieved completely - all the bytes. Usually, when a browser got a page once and the page is unchanged, it will not download it again and you will see a log without a transferred size which might look like this:

209.28.22.13 - - [26/Jan/2005:13:43:44 -0500] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0"

instead of:

209.28.22.13 - - [26/Jan/2005:13:43:44 -0500] "GET / HTTP/1.1" 200 9883 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0"


in other instances, as I said in a previous post, these 'visitors' ask for /robot.txt too! And as funny as it may sound, business.com reps told me that, that click too, was valid and billable.

Yeah, I should probably switch providers but so far nobody else can provide specialized traffic the way they do. I am just pissed that instead of getting 600 real clicks at 3.5$ and being #1, I get 900 'shady' clicks at 2.5$ and am #3.
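The check discussed in the posts above (repeated page requests with no follow-up requests for CSS, images or favicon), written as an added example that is not part of the original thread. The function names, the two-minute window and the three-hit threshold are assumptions chosen for illustration; the sample input is assembled from log lines quoted in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common/combined log prefix; referrer and user agent are not needed here.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"[A-Z]+ (?P<path>\S+) [^"]*" \d{3} (?:\d+|-)')
# Sub-resources a rendering browser fetches after the page itself.
ASSET = re.compile(r'\.(css|js|gif|jpe?g|png|ico)(\?.*)?$', re.I)

# Sample input assembled from log lines quoted in the thread.
UA = '"-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0"'
SAMPLE = [
    f'209.28.22.13 - - [26/Jan/2005:13:43:{sec} -0500] "GET / HTTP/1.1" 200 9883 {UA}'
    for sec in ("44", "50", "56")
] + [
    '144.132.24.154 - - [12/Jan/2005:00:50:20 -0500] "GET / HTTP/1.1" 200 9309',
    '144.132.24.154 - - [12/Jan/2005:00:50:20 -0500] "GET /gstyle.css HTTP/1.1" 200 2308',
    '144.132.24.154 - - [12/Jan/2005:00:50:20 -0500] "GET /images/gtech_02.jpg HTTP/1.1" 200 32090',
]

def parse(lines):
    """Yield (ip, timestamp, path) for every line that matches the log format."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield m['ip'], datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'), m['path']

def suspicious_clients(lines, window=timedelta(minutes=2), min_hits=3):
    """Map each IP that made >= min_hits page requests inside one window,
    and never requested a sub-resource, to its largest burst size."""
    pages, assets = defaultdict(list), defaultdict(int)
    for ip, ts, path in parse(lines):
        if ASSET.search(path):
            assets[ip] += 1
        else:
            pages[ip].append(ts)
    flagged = {}
    for ip, stamps in pages.items():
        if assets[ip]:
            continue  # fetched css/images/favicon: behaves like a rendering browser
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_hits:
            flagged[ip] = best
    return flagged
```

A client with a warm cache or images disabled also skips sub-resources, so the output is an indicator to line up against the ad network's billed click times, not a blocklist.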

Rorschach 01-26-2005 03:57 PM

sounds like a bot to me and it sucks... click fraud was the reason I stopped using adwords.

RefaStud 01-26-2005 04:10 PM

Are they ALWAYS coming from the 209.28.22.13 IP? or are they coming from multiple IP ranges?

catharsis 01-26-2005 04:30 PM

.
 
that was just one example.

clicks can come from any IP address so I can not do any sort of IP blocking. And even if I did...I would still get charged. They can claim it's not their fault that I don't respond to certain IP addresses.

well, anyhoo, sucky situation

just beware if you plan on purchasing traffic from business.com. They act all nice on the phone in order to get your $$$ but do nothing to help you out!

RefaStud 01-26-2005 05:52 PM

wow, Really sorry to hear that, good luck, and well noted.

nmcog 01-26-2005 06:04 PM

fake useragent I'd say.

Stephen 01-26-2005 07:36 PM

Quote:

Originally Posted by Evil1
The guy that wants to burn up your money so you bail on the keyword and he can get it much cheaper is what causes that problem.

It would be interesting to know if your competitors for the keywords in question are seeing the same problem.

jimmyf 01-26-2005 07:40 PM

Quote:

Originally Posted by brand0n
smokeys sig rocks out lol

i don't think so


All times are GMT -7.