How to fight bot-traffic.icu Google Analytics Bot Spam
Welcome to the club. You have been most likely spammed by bot-traffic.icu and even if you are lucky enough to read this without being a victim, consider reading anyways because you might want to take some actions to prevent such an attack on your site in the first place.
What happened and why do you see bot-traffic.icu in Google Analytics?
Someone hijacked your Google Analytics Tracking ID and sent much traffic via this ID. But of course it's not real traffic, it's just a bunch of events the spammer sends via the Measurement Protocol to GA. Means, your webserver / cloud server never got any real requests, which at least didn't generated more problems on the hosting side of things. The real pain is that your statistics and graphs in GA look really bad, especially for smaller sites which only get a very small fraction of request on a normal day, making the line graph very flat for all other days.
It looks like there is no traffic except for one day. But of course there is traffic but you simply can't see it easily. Bad if your boss looks at that one and thinks: "what happened with our traffic".
How to remove this data in Google Analytics
Removing is pretty simple. Google Analytics provides a feature called Segments. With them you can filter out specific data on your historical dataset. So let's create a segment which excludes this /bot-traffic.icu URL which. Luckily the bot just used this non-existent page as its page event target. This is how the Segment looks like:
We only define a custom definitions which says: "Please exclude all data which has the value /bot-traffic.icu in the page identifier".
We give the segment a name like "No ICU Bot" and just save it. Remember, the segment is not active without doing one more step in one of the reports sections. So we go to the "audience report" which normally looks like this for "All Users" (upper left corner).
When we change the segment to our created segment "No ICU Bot", the same report looks like this:
No you can see that you have your data cleaned so that only the real visitors are counted again. Quite a difference these line diagrams right?
How to prevent recording spam data it in the future?
There are ways to prevent it and it depends on how you integrated Google Analytics on your site. The two most common ways are:
Use Google Tag Manager to prevent spam
First we need to define a "constant variable" in GTM. The value is some secret passphrase you can define. Let's imagine the blurred out passphrase is ABC123 We name the variable Spam Filter Var. You will need it later on.
Next you modify your GA Settings variable in order to apply a custom dimension. If you don't use a GA Settings variable and instead use a hardcoded GA Tracking ID in your GTM GA Tag, just use the variable instead, it's cleaner anyway. Just put the GA Tracking ID in that variable instead right into the GTM Tag.
You see we create a custom dimension with index 1 and apply the just created Spam Filter Var to it. For those who have never used the GA Settings Variable, check out the GA Tag and how it looks like if you use the GA Settings Variable.
As you can see, we just mapped the Settings Variable to the tag and removed the hardcoded Tracking-ID value. Now it inherits the Tracking ID value from the Settings variable. The next steps are outlined in the Add Dimension to Google Analytics Section.
Use Google Analytics Tag to prevent spam
Lets say your GA Javascript snippet looks like this:
<script>
window.dataLayer = window.dataLayer || [];
function gtag() {
dataLayer.push(arguments);
}
gtag('js', new Date());
gtag('config', 'GA_TRACKING_ID', { 'anonymize_ip': true });
</script>
All you need to do is to add the following line right after the config line.
gtag('set', 'Spam Filter Var', 'ABC123');
Add Dimension to Google Analytics
Now we create a custom dimension named "GTM Hit" (you can name it whatever you like) which looks like this.
The last part is creating a filter. But first the golden Rule in GA.
Never apply filters to your default View in GA
Otherwise you will never know which original data went into GA, which makes debugging quite unachievable. So instead create a new View in GA and apply filters there. I wont go into details how to create a view or what a view is. You can read that in the Google Analytics Views Documentation.
On this new View you can create a filter.
Just use any name you like for the filter and just define that you want to have a custom filter where the Filter Field "GTM Hit" needs to have the passphrase ABC123. Spammers wont have this passphrase because they just stole your GA Tracking ID, not the passphrase. Using GTM makes it even more secure because the passphrase is not baked into the homepage via JS.
The motivation behind this GA Spam
Believe it or not. There are shady businesses who try to attract customers by spamming them. In this case it's a company called gammatraffic.com. They provide exactly what we have seen. They create fake visitors. It is the same business as those selling fake facebook friends. So if you are a SEO guy, just buy a book and improve your site and don't try to present your boss fake charts. If he is not totally out of this world, he won't buy that spike anyway.