
Unidentified Spam from Chrome v 43.0.2357.130

Visitor ✭ ✭ ✭
# 1

Hi There,

Since 1/25/16 I've been getting a lot of direct traffic from Chrome version 43.0.2357.130. From looking at our logs and Analytics, this seems to be some kind of toolbar or application that runs on Windows and visits our homepage once a day in its own web browser. Does anyone know what this is?

Here's what I know so far:

  • This traffic only visits my homepage and bounces immediately, almost entirely "new" visitors.
  • These are real sessions visiting on our hostname and appearing in Apache server logs.
  • The traffic is coming from different residential IP addresses, locations and OS versions (all Windows) and looks very similar to our regular traffic (geographically, technology, etc). The traffic has demographics and interests data, different flash versions and otherwise seems to resemble normal desktop computers.
  • Our server logs show these IPs visiting once per day. They also show hits for AJAX content, so whatever is generating this traffic is on a real browser that can parse JavaScript.
  • Chrome version 43.0.2357.130 was released in June 2015 and replaced just a few weeks later. So, it's unlikely that any real users are using such an old version of Chrome as their actual web browser in March 2016.

 


Re: Unidentified Spam from Chrome v 43.0.2357.130

Rising Star
# 2
Are these requests all to your full hostname? Are there any traffic differences between your unfiltered raw profile and this profile?
_________________________________________________________________________
Director of Marketing | Nehmedia | Partner Profile

Re: Unidentified Spam from Chrome v 43.0.2357.130

Visitor ✭ ✭ ✭
# 3

@Phillip B, yeah, all requests are to my full hostname both in Analytics and in my server logs. The only traffic differences I can see are (1) 100% bounce in under 1 second; (2) Windows desktop only; (3) only visits my homepage; (4) 100% new visitors, direct traffic; (5) Chrome version 43.0.2357.130. Otherwise this traffic resembles the rest of my site's traffic very very closely. This traffic has similar demographics, interest groups and geographic distribution to normal traffic, so it seems possible this could be something happening on the computers of our regular visitors.

Re: Unidentified Spam from Chrome v 43.0.2357.130

Rising Star
# 4
This could also easily be external scans or a scraper using a headless browser like PhantomJS going through a proxy network. It's not typical referral spam. I've seen a similar problem with an uptime monitoring script one of my clients implemented. Since you are seeing these in your server logs at this point it isn't a GA issue but may need to be dealt with at the server end - perhaps redirecting traffic from this UA to a static HTML page -- put contact instructions if these are actually people, and return a 403 for the bots.

Do you use GTM? It would be interesting to see if this traffic would hit GA if it is delivered via GTM. If it continues at that point, while you deal with the security issues - you can keep it out entirely if it does by simply not firing GA if you see Chrome v 43.0.2357.130 in the UA.
_________________________________________________________________________
Director of Marketing | Nehmedia | Partner Profile
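The traits reported in this thread (Chrome 43.0.2357.130 on Windows, homepage only, no referrer, one visit per IP per day) can be measured in the Apache access log before deciding on any server-side handling. The following is an added example, not code posted by any participant; it assumes the Apache combined log format, and the sample lines, IP addresses and example.com hostname are constructed.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
SUSPECT_BUILD = "Chrome/43.0.2357.130"  # browser version reported in the thread

def matches_fingerprint(hit):
    """Traits from the thread: this Chrome build, Windows, homepage, no referrer."""
    return (SUSPECT_BUILD in hit["ua"] and "Windows NT" in hit["ua"]
            and hit["path"] == "/" and hit["referer"] in ("", "-"))

def summarize(lines):
    """Return {(ip, day): homepage_hits} for requests matching the fingerprint."""
    counts = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if m and matches_fingerprint(m.groupdict()):
            counts[(m["ip"], m["day"])] += 1
    return dict(counts)

def once_a_day_clients(lines):
    """IPs whose matching homepage hits never exceed one per day."""
    per_ip = defaultdict(list)
    for (ip, _day), n in summarize(lines).items():
        per_ip[ip].append(n)
    return sorted(ip for ip, ns in per_ip.items() if max(ns) == 1)

# Constructed sample input (documentation-range IPs, hypothetical hostname).
UA43 = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
        "Chrome/43.0.2357.130 Safari/537.36")
UA49 = UA43.replace("43.0.2357.130", "49.0.2623.87")
SAMPLE = [
    f'203.0.113.10 - - [19/Mar/2016:08:00:01 -0400] "GET / HTTP/1.1" 200 5120 "-" "{UA43}"',
    # AJAX follow-up from the same page load: carries a referrer, so it is not counted
    f'203.0.113.10 - - [19/Mar/2016:08:00:02 -0400] "GET /ajax/widget HTTP/1.1" 200 310 "http://www.example.com/" "{UA43}"',
    f'203.0.113.10 - - [20/Mar/2016:08:03:11 -0400] "GET / HTTP/1.1" 200 5120 "-" "{UA43}"',
    f'198.51.100.7 - - [20/Mar/2016:10:15:00 -0400] "GET / HTTP/1.1" 200 5120 "-" "{UA43}"',
    f'192.0.2.44 - - [20/Mar/2016:11:00:00 -0400] "GET / HTTP/1.1" 200 5120 "https://www.google.com/" "{UA49}"',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
    print(once_a_day_clients(SAMPLE))
```
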

Re: Unidentified Spam from Chrome v 43.0.2357.130

Visitor ✭ ✭ ✭
# 5

@Phillip B What do you mean by "proxy network"? Is that some kind of malware that installs a proxy server on infected client machines? Similar to a DDoS BotNet?

Doesn't look like a traditional scraper because it's only visiting our homepage. Also doesn't seem like an uptime monitoring script because I couldn't imagine an uptime monitoring service going through the trouble of changing their user-agent string to several different device types on the same browser version and proxying through hundreds of client machines worldwide in all the cities where we get the majority of our traffic from. Plus if this was PhantomJS we wouldn't be seeing Demographics and Interests data in GA, I don't think, because PhantomJS launches each session stateless without the adsense data (cookies) to populate Demographics and Interests.

It's also really strange how this showed up out of nowhere in a single day. Not sure how to explain that...

Re: Unidentified Spam from Chrome v 43.0.2357.130

Rising Star
# 6
No, proxy network is just a collection of proxy servers that rotate through IP addresses. And was using PhantomJS as an example... I looked back over records this morning and actually found a two-week period of time where we got similar traffic from a Bing test (confirmed by Microsoft even).

Suggest the earlier steps to block/redirect the traffic itself as the next step, which might reveal some unanticipated causes.
_________________________________________________________________________
Director of Marketing | Nehmedia | Partner Profile

Re: Unidentified Spam from Chrome v 43.0.2357.130

Visitor ✭ ✭ ✭
# 7
I am experiencing the same exact problem but it has been going on for about 2 years and ruined our analytics data. I am not an expert and can't seem to get it fixed or blocked. IP 43.0.2357.130

Re: Unidentified Spam from Chrome v 43.0.2357.130

Visitor ✭ ✭ ✭
# 8
We have the same problem with traffic from this browser (43.0.2357.130). It started on 25th January and seems to be from all over the US. We had a similar problem last year (different browsers) and for a period during March 2015 the traffic reduced significantly and instead we got a lot of traffic from two affiliates on the CJ.com network. The affiliates were Extrabux and Mr.Rebates. Then their traffic stopped and the same day the spam traffic restarted. Can anyone else with the same problem confirm whether they use the CJ.com affiliate network? Here is the old thread but unfortunately it seems to redirect to the new Google Advertiser Communities homepage before you can read it. https://productforums.google.com/d/topic/analytics/sTinRFgimIU

Re: Unidentified Spam from Chrome v 43.0.2357.130

Visitor ✭ ✭ ✭
# 9
Hmm, that's really interesting. Yes, we use CJ. Might want to escalate this issue to CJ's network quality team.

How do you know it was those particular affiliates? When I look at my logs for this traffic I don't have any referrer and there are no url parameters on the GET requests. But whenever we get affiliate traffic, CJ appends utm tracking parameters before redirecting to our site.

Re: Unidentified Spam from Chrome v 43.0.2357.130

Visitor ✭ ✭ ✭
# 10

The only way I can tell is that we had a similar issue with direct bounce traffic last year (still have it but the browser changes) and for a period in March 2015 it dropped off significantly one day and traffic from those affiliates picked up significantly, then the two switched back. See screengrab from GA [EDIT: I tried to attach a screengrab to this forum but it doesn't want to work for me]. It was as if the utm parameter is being suppressed (we also add it with a click append) and it was suddenly there in March and disappeared again. CJ couldn't help when I requested last year.

The affiliates in question say they themselves had problems with spam traffic last year but something doesn't seem to add up. There was a thread on the old Google Analytics forum about it, but it has gone, that also mentioned other retailers that use these affiliates with spam traffic. I wonder whether it's a browser add-on or something that's trying to land the affiliate cookie.

Even weirder, we actually get some orders from this traffic so it doesn't seem to be entirely spam, just extremely low converting and high bouncing. I tried to reach out to you via LinkedIn. I would be interested in sharing our findings to try to get to the bottom of this. It's skewing our conversion %.

I'm making a big assumption that the problem last year is the same as this year, but as you can see from the traffic graph, it doesn't seem to have ever gone away.