First steps to prevent Click Fraud
How to read and use the Click Detail Report
The Click Detail Report is the advertiser's best tool for analyzing campaign
traffic from search engines, and other PPC
and advertising programs. In order to
effectively use the report, the market must learn the meaning of the report
fields and the various flag codes generated by the ClickHawk analysis engine.
It is important to realize that proper analysis of click traffic
includes considering all
of the factors associated with a given click, and not
just a single flag or problem. Often, there are legitimate explanations for a
single problem, so it is important to take into consideration the big picture,
and look for certain tell-tale combinations of flags that together indicate
possible click fraud, robot traffic, or other problems.
Flag Key Codes and detailed definitions.
- Multiple Clicks from the same IP address
This IP has clicked multiple time in this report period. Orange
indicates 2 to 5 clicks, Red
indicates over 5 clicks. Note that multiple clicks from the same IP do not
always indicate a problem. ISPs and businesses often use the same IP address for
more than one user.
ISPs, especially dial-up providers, dynamically assign IP addresses from a pool
to each user as they log in, so in a given day, several different users may be
online at different times using the same IP. However, a user's IP address
remains the same throughout their session, so multiple clicks from this IP
during that are close together in time are most likely to be the same person.
Businesses often use a common gateway to the internet for all of their
employees, such as a proxy sever or router. In this case, each user has a their
own IP address behind the gateway, but all users will be seen as the same IP
address to all external servers. So, while it is possible that two clicks from
the same IP address on the same day are from different individuals within the
same company, it is relatively unlikely, and much more likely to be the same
If the Unique ID
field is present,
you can use that to distinguish unique users sharing the same IP address.
Mu - Multiple Clicks from the same User ID
This unique user has clicked multiple time in this report period. Orange
indicates 2 clicks, Red
indicates over 2 clicks. The Unique User ID is useful in distinguishing multiple
users sharing the same IP address, and also likely fraud cases in which the same
user is clicking multiple times from different IP addresses. The first time a
user clicks one of your links, he/she is assigned a unique user ID by the
ClickHawk system and a browser cookie is used to store this ID. Of course, if a
user's browser is set not to accept cookies the user ID would not be saved and
although this is very rare, it is a good reason to use the Unique ID in
combination with all other report fields and flags when making your assessment
of a possible problem.
- No Referring URL
No Referrer. Referring URL not found in header. When a visitor to a web site
clicks a link on that site, certain information is sent to the destination
server that is not visible to the user. This is the "header" and it is part of
every single HTTP request an internet user makes. One field in the header is
known as the "Referrer" and contains the URL of the exact page on which the user
clicked the link to your site. If the Referrer field is missing, this may
indicate that the click link was either entered directly into the browser
command line or generated by a robot or some other automated program, rather
than a person actually clicking on your ad link.
More notes on Referring URL
: Some browsers can be configured not to send the referring URL, but
this is very uncommon. Clicks on an ad link sent in an email will also result in
no referring URL. Ads served through a third party ad serving system often
obscure the referring URL, depending on how they are served. In this case, the
true referrer can only be obtained at the impression level. As always, the lack of a referring URL should not be used
alone to make a problem assessment, but in conjunction with the presence, or
lack thereof, of other flags and alerts.
P - Proxy Server
User appears to be connecting via a proxy server. Proxy servers are computers
that sit between the end user's and the internet. Instead of connection directly
to the internet, each and every request to and from the end user's machine and
the web server goes through the proxy server. Proxy users add a degree of
anonymity for web users as they hide the user's tru IP address and location.
Some corporations, universities, and other organizations, use proxy
servers to connect their internal intranets to the internet. However, many proxy
servers are "open", meaning that anyone can connected to other web sites through
the proxy server, and the web sites will see the IP address of the proxy server,
not the end user.
The proxy server flag alone does indicate a problem, but combined with other
flags or suspicious data, can increase the evidence that a problem exists.
Crawler, Spider, or Robot
User agent is an automated program. Not a human visitor. Advertisers should not
be billed for traffic from a web crawler or search engine spider. These programs
are used by search engines, ISPs, corporations, and now even individual users,
to index and store (cache) web pages. They work by loading known URLs and then
following all links on every page they arrive on. When the "follow" an
advertiser's paid link, a click is recorded, but these clicks should not be
billed to the advertiser.
Browser Cookies Disabled
disabled. For example, in Internet Explorer, this would be the highest setting ("Block All Cookies").
With cookies disabled, it is impossible to set the Unique ID field for this user. For this reason, it is important to watch for multiple clicks from the same IP address that are also flagged for No Cookies. In these cases, examination of other fields, such as Browser and Operatiing System, can help distinguish a unique or repeat clicker even without the unique ID present.
W, W - Browser Window Size Alert
A common click fraud technique involves automatically opening your web site in
an invisible browser window or frame. Scripts on the abusers web page, or other methods, may
simulate clicks on your paid link for every visitor to their web site (or every n
visitor), even if the visitor does not click the link. In the case of an
invisible window, the user will never even be aware that their browser connected
with your site (through the paid link). In the case of a small window, the user
may see the window appear briefly and then disappear; again, recording a paid
click on your link. This scheme is difficult to detect with other methods
because the users are all real, the browsers are real browsers, and the IP
addresses and Unique IDs are different, as they would be for legitimate traffic.
CP - Captcha Validation Fail
Another great feature of ClickHawk is the ability to set a "trap" for robots,
crawlers, and other non-human visitors. CAPTACH is actually an acronym for
"Completely Automated Public Turing test to Tell Computers and Humans Apart".
You have undoubtedly run into Captcha validations many times. They present code
(made of of letters and numbers) in the form of an image, not text. The
characters are skews, deformed, or misaligned and designed to be unreadable to
the automated programs crawl the web clicking on all links and submitting all
forms they encounter.
ClickHawk users can optional set a Captcha screen on suspect IP address or User
ID. Once activated, clicks from that IP or ID will go to an intermediary
validation page first before being redirected to the advertiser's landing page.
It is important to note that whether or not the correct code is entered, the
visitor is always redirected to your landing page after the Captcha test. The
pass or fail is recorded for the advertiser's use but is transparent to the end
user. Click here to see an example of the ClickHawk Captcha validation page.