Filtering spam in GA4 with Stape's Bot detection power-up

Recently there have been a lot of cases when users receive spam traffic in Google Analytics 4. Most often it is referral spam traffic, usually with the location Poland and the same referral sites, these are the most common: news.grets.store, static.seders.website, trast.mantero.online, ofer.bartikus.site.

On the Internet you can find a recommendation to simply add these sites in the GA4 Datastream settings to the List unwanted referrals. But do not do this - it will not solve the problem in any way, but will simply move the source of this traffic to the Direct category.

Unfortunately GA4 also has no way to filter traffic by referral, only by IP address (at least for now). 

Stape received a few requests from our clients to add a bot detection feature. That is why we created an easy-to-use power-up that helps to identify whether the hit was sent from a bot and the likelihood that it was a bot. 

In this blog post, we will show how to use Stape's bot detection power-up as well as other options for filtering bit traffic in GA4. 

1. Stape’s Bot detection power-upCopy link to this section

To solve this problem, you can use Stape's ‘Bot detection’ power-up. Just enable it in the power-ups interface of your container on Stape.

Once activated, with all requests to the server, you will receive two additional parameters X-Device-Bot (true or false) and X-Device-Bot-Score (a score between 1 and 100 probability of a request from a bot) in the request headers with each request:

Then you can simply add this as an additional check to the triggers on the server container:

1. On the server container, create a variable with the type 'Request Header' and specify ‘X-Device-Bot’ in it to receive the value of this header.
2. Use this variable as an additional check in your GA4 trigger on the server and also in any other triggers where you want to limit the impact of bot traffic:

Now, if the request is determined to be from a bot - your tag will not trigger and the data will not be sent.

2. Cloudflare bot detectionCopy link to this section

If you use Cloudflare and, like everyone else, have a specific country where spam traffic comes from (most of them are from Poland) - you can activate Bot Check for IP addresses from Poland. 

This is a good solution, but only if you have no real visitors from the location of the spam traffic otherwise you will definitely affect the number of real visits from there.

You can make the Cloudflare route a bit more dynamic by combining it with threat score. So rather than challenging the whole of Poland, only challenge if from Poland and the threat score is significant enough:

3. Block spam referrals on trigger levelCopy link to this section

You can add an exception trigger for your GA4 tags if the referral contains your spam domains. It is quite easy to do this:

• Make sure you have the referrer variable enabled in your built-in variables.

• Create a new Custom Event trigger that will work for any event (.* via regex will be responsible for this) and specify an additional condition for the trigger that the referrer matches regex your spam domains. In regex you can specify 'or' with | without spaces.

For example: news.grets.store|static.seders.website|another.domain

• Add this trigger as an exception to your GA4 tags and publish the changes on your container.

Thus, the exception trigger will prevent the tags from working if the referral contains one of your spam domains and this data will not be included in GA4.

ConclusionCopy link to this section

There is nothing stopping you from using not only one of the above options for limiting spam queries in GA4, but also their combinations or all of them at the same time.

If you use any other solutions for this - let us know in the comments and we'd be happy to add your option to this list.