SPAM (in Web Analytics)


SPAM in web analytics has a long history and is best known from the various SPAM waves in Google Analytics. Because there have not yet been any 100% effective security measures for Google Analytics tracking, in principle any spammer could send any hit to any Google Analytics property as long as they knew the corresponding Property ID (which is publicly visible in the source code of a website). Only Google Analytics 4 brings a better security concept for avoiding SPAM, at least for the Measurement Protocol, which is used in most Analytics SPAM attacks.

The aim of Web Analytics SPAM is the same as with any other type of (Internet) SPAM: to draw attention to a specific website. In Web Analytics tools, different SPAM content (mostly domains) appears in the various analysis reports. A classic example is Referral SPAM:

Referral SPAM in the Google Analytics sources report (screenshot from 2015)

Or the Event SPAM:

Event SPAM in the Google Analytics event report (screenshot from 2015)

But SPAM could also be found in some other Google Analytics reports; at times even languages were used to send SPAM to Analytics.

As a traffic method, "normal" tracking pixels are partly used, in the same way as they are implemented on the original websites, except that they are fired on SPAM servers with headless (fake) browsers and, in rare cases, by means of malware on private or company computers. In the case of Google Analytics, however, most attacks use the so-called Google Analytics Measurement Protocol, an API for tracking Google Analytics hits. The Hit Builder from Google gives an idea of how this works technically.

With Universal Analytics, Google then introduced at least a filter for bot traffic (for details see SPAM Filter in Google Analytics 3). Some time later it became very reliable, and SPAM in the analytics properties decreased significantly. In Google Analytics 4, Google has now introduced API secrets for the Measurement Protocol, a (finally) really effective measure against Analytics SPAM, at least for SPAM attacks via the Measurement Protocol. Details can be found in our Knowledge Base: SPAM filter in Google Analytics 4.
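The difference between the two acceptance models can be shown with a small simulation. This is an added example, not code from Google or from the original article: it models a collection endpoint that checks only the public Property ID and one that also requires an API secret. All IDs, the secret and the sample hits are constructed placeholders, and the two check functions are hypothetical simplifications of what a collection endpoint decides.

```python
import hmac
from urllib.parse import urlsplit, parse_qs

# All identifiers below are constructed placeholders, not real properties.
PUBLIC_PROPERTY_ID = "UA-000000-1"     # visible in the site's HTML source
PUBLIC_MEASUREMENT_ID = "G-EXAMPLE00"  # also visible in the HTML source
API_SECRET = "constructed-secret"      # kept on the sender's server only


def _param(url, name):
    """Return the first value of a query parameter, or '' if absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def accept_id_only(url):
    """Legacy model: the public property ID is the only thing checked."""
    return _param(url, "tid") == PUBLIC_PROPERTY_ID


def accept_with_secret(url):
    """GA4-style model: the public ID plus a secret the page never exposes."""
    id_ok = _param(url, "measurement_id") == PUBLIC_MEASUREMENT_ID
    supplied = _param(url, "api_secret").encode()
    # Constant-time comparison so the check does not leak the secret by timing.
    return id_ok and hmac.compare_digest(supplied, API_SECRET.encode())


# Constructed sample hits: (who sent it, request URL).
LEGACY_HITS = [
    ("site", "/collect?v=1&tid=UA-000000-1&t=pageview&dr=https%3A%2F%2Fpartner.example"),
    ("spammer", "/collect?v=1&tid=UA-000000-1&t=pageview&dr=https%3A%2F%2Fspam.example"),
]
SECRET_HITS = [
    ("site", "/mp/collect?measurement_id=G-EXAMPLE00&api_secret=constructed-secret"),
    ("spammer", "/mp/collect?measurement_id=G-EXAMPLE00"),
    ("spammer", "/mp/collect?measurement_id=G-EXAMPLE00&api_secret=guess"),
]


def accepted_senders(hits, check):
    """List the senders whose hits pass the given acceptance check."""
    return [sender for sender, url in hits if check(url)]


if __name__ == "__main__":
    print(accepted_senders(LEGACY_HITS, accept_id_only))      # ['site', 'spammer']
    print(accepted_senders(SECRET_HITS, accept_with_secret))  # ['site']
```

The model covers only the Measurement Protocol path; hits produced by headless browsers loading a tracking code are a separate path and are not affected by the secret.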

Types of SPAM

Technically, there are the following ways to spam in Google Analytics:

  • Ghost Traffic SPAM via the Measurement Protocol
    SPAM via the Google Analytics Measurement Protocol (also known as Ghost Traffic)
  • Ghost Traffic SPAM via Headless Browser
    SPAM via so-called headless browsers, which (automatically) visit a prepared page with a Google Analytics tracking code (another form of Ghost Traffic)
  • Bot Traffic SPAM
    Bot SPAM in which headless browsers visit the real website

What can be done to prevent Analytics SPAM?

There are many blog articles and help pages on the internet that describe how to fight Google Analytics SPAM. Most of them, however, are only aimed at one of the types of SPAM. As the current SPAM wave shows, this is of little use.

Since most spam attacks use the previously mentioned Measurement Protocol, there is, at least in Google Analytics 4, an effective method against spam. Details on this and also on a SPAM filter for GA4 can be found in our Knowledge Base: SPAM Filter in Google Analytics 4

This method is not available for Universal Analytics, but there is an old trick that should also work against SPAM. Details are also available in our Knowledge Base: SPAM Filter in Universal Analytics

Known SPAM Attacks

In January and February 2021 there was a major wave of Web Analytics SPAM that affected around 10% of Google Analytics traffic worldwide. Details can be found in our blog article from February 4, 2021: New Google Analytics Spam