Filtering spam in GA4 using server-side GTM and Stape’s Bot Detection

Recently, site owners have been increasingly faced with strange and unwanted traffic in Google Analytics 4 reports. The most common problem is referral spam with suspicious sources and geolocation "Poland". The source sites of such traffic are usually the same: news.grets.store, statis.seders.website, trast.mantero.online, ofer.bartikus.site. If you have already encountered them, you are not alone.

Google Analytics recommends adding these sites to the List of unwanted referrals. But in fact, this does not solve the problem; it only changes the traffic category to "Direct," leaving spam in your analytics. Another issue is that GA4 cannot filter traffic by referrals, only by IP addresses.

In this article, we will examine spam through the Measurement Protocol, the types of spam that occur most often — particularly referral and event spam — and, most importantly, how to effectively protect your data in the GA4. 

Google Analytics is the most popular web analytics tool millions of users use. Referral spammers hope that when you go to Google Analytics and see traffic from unknown websites, you will be curious to see what they are. It is one of the grey ways of getting traffic. There are multiple ways of monetization: redirecting to any affiliate offers or directing to a landing page offering to buy something, download software, promote a marketing agency, or any other service. 

Spammers need to know your Google Analytics ID to send fake hits to your GA account. But sometimes, they don't even bother themselves with finding real Google Analytics IDs. Spammers may generate fake IDs in large quantities and hope that some of them are real GA identifiers. An automated script sends false data to GA accounts using measurement protocol. 

Because of ghost spam, you cannot see the real data about your website visitors since fake traffic is mixed with organic. Ghost spam affects all GA metrics: number of visits, bounce rate, average session duration, etc. 

It can also lower your organic ranking since search engines can interpret spam traffic as attempts to increase your SEO positions by using grey technologies. 

There are two ways to block referral spam using the GTM server container. GTM server tagging can be used not only to block spam through the Measurement Protocol but also to reduce the site's loading time, better protect user data, and access complete data in analytical software.

Another protection option is to hide your real Google Analytics id. Some spammers first scan sites (similar to Google bots) to get Google Analytics identifiers. They then use the Measurement Protocol to send fake hits to your Google Analytics account. If you set up a GTM server container and add your own URL for tagging, you can replace the real Google Analytics ID with a fake one. Spam bots will see a fake ID and will not be able to send spam through the Measurement Protocol to your real account. GA settings will look like in the screenshot. You can add any Tracking ID, but be sure to specify and configure the transport URL. I recommend testing the changes before publishing - just go to GA and check the data in real-time.

To solve this problem, you can use Stape's Bot detection power-up. Just enable it in the power-up interface of your container on Stape.

Once activated, with all requests to the server, you will receive two additional parameters, X-Device-Bot (true or false) and X-Device-Bot-Score (a score between 1 and 100 probability of a request from a bot) in the request headers with each request:

Then you can simply add this as an additional check to the triggers on the server container:

Now, if the request is determined to be from a bot - your tag will not trigger, and the data will not be sent.

If you use Cloudflare and, like everyone else, have a specific country from which spam traffic comes (most of it is from Poland), you can activate Bot Check for IP addresses from Poland. 

This is a good solution, but only if you have no real visitors from the location of the spam traffic. Otherwise, you will definitely affect the number of real visits from there.

You can make the Cloudflare route a bit more dynamic by combining it with threat score. So rather than challenging the whole of Poland, only challenge if from Poland, and the threat score is significant enough:

If the referral contains your spam domains, you can add an exception trigger for your GA4 tags. It is quite easy to do this:

For example: news.grets.store|static.seders.website|another.domain

Thus, the exception trigger will prevent the tags from working if the referral contains one of your spam domains, and this data will not be included in GA4.

Some users suspect that bots automatically find their measurement id on pages and use it to send spam events from other resources.

In this case, you can use a random, not real, GA4 measurement ID on your web container in Google Tag and Events and overwrite it on the server with a real one.

It's very easy to do:

So, from the browser side, it will not be possible to determine your real GA4 ID, but at the same time, on the server, it will be replaced with your real ID, and the data will be sent to the correct GA property.

Note that this will not help you if spam traffic is generated by bots visiting your site, in which case you should also try to implement the previous options.

Referral and event spam in Google Analytics 4 is a serious problem that distorts statistics and can damage your SEO strategy and data-based solution. Unfortunately, the built-in GA4 mechanisms currently do not allow the filtering of such traffic by referral sources effectively.

And although the GA4 does not yet have simple tools for filtering such traffic, the solution is. In this article, we talked about how exactly you can protect your data using server tagging through Google Tag Manager and the powerful Stape Bot Detection tool. From hiding the Measurement ID and adding a secret key - to exceptions in triggers and bot filters.

The most important thing is not to ignore the problem. The sooner you implement basic protection, the more accurate and useful your reports will be. And if you also switch to server GTM, you will get not only protection, but also additional advantages: cleaner data, better site speed and more control over analytics.

If you do not know where to start - try to test at least one of the solutions described in this article. You will see how your analytics will change in a few days.