Archives: Glossary Terms

How Active users Works

Ad Click → [Data Collection Point] → +--------------------------+
                                     │ Active User Analysis Engine│
                                     +--------------------------+
                                                 │
                                                 ↓
                                     ┌──────────────────────────┐
                                     │   Behavioral & Technical │
                                     │       Rule Matching      │
                                     └──────────────────────────┘
                                                 │
                                (Is behavior human-like? Is data valid?)
                                                 │
                                                 ↓
                                 ┌───────────────┴───────────────┐
                                 │                               │
                           [VALID TRAFFIC]                  [INVALID TRAFFIC]
                                 │                               │
                                 ↓                               ↓
                          Allow to Landing Page              Block & Log

🧠 Core Detection Logic

Example 1: Inconsistent User-Agent Filtering

This logic checks for discrepancies between a user’s declared device (via the user-agent string) and their browser’s actual capabilities, a common sign of a spoofing bot. It’s used at the entry point of traffic analysis to quickly filter out unsophisticated bots that fail to mimic a real device environment convincingly.

FUNCTION checkUserAgent(request):
  userAgent = request.headers['User-Agent']
  platform = request.headers['Sec-CH-UA-Platform'] // Client Hint

  // Rule: A user agent claiming to be macOS should not have a Windows platform hint.
  IF "Macintosh" IN userAgent AND "Windows" IN platform:
    RETURN "FRAUDULENT: User-Agent and Platform Mismatch"
  
  // Rule: A mobile user agent should not have a desktop screen resolution.
  resolution = request.screenResolution
  IF "Android" IN userAgent AND resolution.width > 1200:
    RETURN "FRAUDULENT: Mobile User-Agent with Desktop Resolution"

  RETURN "VALID"

Example 2: Rapid-Click IP Throttling

This logic identifies and blocks IP addresses that generate an unnaturally high frequency of clicks in a short period. It serves as a frontline defense against automated click bots and simple click farm arrangements that repeatedly hit ads from a single source to deplete budgets.

FUNCTION checkClickFrequency(ipAddress, timestamp):
  // Define time window and click threshold
  TIME_WINDOW_SECONDS = 60
  MAX_CLICKS_PER_WINDOW = 5

  // Get historical click timestamps for the IP
  recentClicks = getClicksForIP(ipAddress, within_seconds=TIME_WINDOW_SECONDS)
  
  // Add current click to the list for this check
  addClick(ipAddress, timestamp)

  // Rule: If clicks from this IP exceed the threshold in the time window, flag it.
  IF count(recentClicks) + 1 > MAX_CLICKS_PER_WINDOW:
    RETURN "FRAUDULENT: Exceeded Click Frequency Threshold"
  
  RETURN "VALID"

Example 3: Data Center IP Blocking

This logic checks if a click originates from an IP address registered to a known data center or hosting provider rather than a residential or mobile network. Since legitimate users typically don’t browse the web from servers, this is a strong indicator of non-human, bot-driven traffic.

FUNCTION checkIPOrigin(ipAddress):
  // Query an external or internal database of data center IP ranges
  isDataCenterIP = queryDataCenterDB(ipAddress)

  // Rule: Block any traffic originating from a known data center IP.
  IF isDataCenterIP == TRUE:
    RETURN "FRAUDULENT: Traffic from Data Center"
  
  RETURN "VALID"

📈 Practical Use Cases for Businesses

• Campaign Shielding – Automatically blocks clicks from known bots, data centers, and suspicious proxies in real time, ensuring that ad spend is directed exclusively toward reaching genuine potential customers and not wasted on fraudulent interactions.
• Analytics Purification – Filters out non-human and invalid traffic before it pollutes marketing analytics platforms. This ensures that metrics like Click-Through Rate (CTR), conversion rates, and user engagement data reflect true human behavior, enabling more accurate decision-making.
• Lead Generation Integrity – Prevents fake form submissions and sign-ups generated by bots. By ensuring that only genuinely interested users can submit information, businesses improve the quality of their lead funnels and save sales teams from wasting time on fabricated leads.
• Retargeting Audience Refinement – Excludes fraudulent users from being added to retargeting audiences. This prevents businesses from spending money to re-engage bots that have interacted with their site, leading to more efficient and effective retargeting campaigns with a higher ROI.

Example 1: Geolocation Mismatch Rule

// This logic prevents fraud from users whose IP location doesn't match their device's stated timezone.
// It's useful for blocking clicks from users trying to mask their location via proxies or VPNs.

FUNCTION checkGeoMismatch(ip_location, device_timezone):
  expected_timezone = getTimezoneForLocation(ip_location)

  IF device_timezone != expected_timezone:
    // Action: Add the IP to a temporary blocklist and flag the click as invalid.
    BLOCK_IP(ip_location.ip_address)
    LOG_FRAUD('Geo Mismatch', ip_location.ip_address)
    RETURN FALSE // Invalid Click
  
  RETURN TRUE // Valid Click

Example 2: Session Behavior Scoring

// This logic scores a user's session based on human-like behavior.
// It helps differentiate between an engaged human and a bot that only clicks an ad.

FUNCTION scoreSession(session_data):
  score = 0
  
  // Award points for human-like interactions
  IF session_data.mouse_moved_before_click:
    score += 40
  
  IF session_data.scrolled_down_page:
    score += 30

  // Penalize for bot-like interactions
  IF session_data.time_on_page < 2_SECONDS:
    score -= 50

  // A score below a certain threshold indicates likely fraud
  IF score < 20:
    FLAG_FOR_REVIEW(session_data.user_id)
    RETURN "SUSPICIOUS"
  
  RETURN "VALID"

🐍 Python Code Examples

Example 1: Detect Abnormal Click Frequency

This script analyzes a list of click events to identify IP addresses that exceed a defined click threshold within a short time frame. This is a common technique for catching basic bots or manual fraud attempts that generate numerous clicks from the same source.

from collections import defaultdict

clicks = [
    {'ip': '81.2.69.142', 'timestamp': 1672531201},
    {'ip': '81.2.69.142', 'timestamp': 1672531202},
    {'ip': '192.168.1.10', 'timestamp': 1672531203},
    {'ip': '81.2.69.142', 'timestamp': 1672531204},
    {'ip': '81.2.69.142', 'timestamp': 1672531205},
]

def find_rapid_click_fraud(click_data, max_clicks=3, time_window_sec=10):
    ip_clicks = defaultdict(list)
    fraudulent_ips = set()

    for click in click_data:
        ip = click['ip']
        timestamp = click['timestamp']
        
        # Remove clicks outside the time window
        ip_clicks[ip] = [t for t in ip_clicks[ip] if timestamp - t < time_window_sec]
        
        # Add the new click
        ip_clicks[ip].append(timestamp)
        
        # Check if the number of clicks exceeds the max limit
        if len(ip_clicks[ip]) > max_clicks:
            fraudulent_ips.add(ip)
            
    return list(fraudulent_ips)

fraud_ips = find_rapid_click_fraud(clicks)
print(f"Fraudulent IPs detected: {fraud_ips}")

Example 2: Filter Suspicious User Agents

This code checks a user agent string against a list of known non-browser or bot-like signatures. It's a simple but effective way to filter out traffic from common web scrapers and automated scripts that don't attempt to hide their identity.

def filter_suspicious_user_agent(user_agent):
    suspicious_signatures = [
        "bot", "crawler", "spider", "headless", "scraping"
    ]
    
    # Convert to lowercase for case-insensitive matching
    ua_lower = user_agent.lower()
    
    for signature in suspicious_signatures:
        if signature in ua_lower:
            return True # Flag as suspicious
            
    return False # Likely a legitimate browser

user_agent_1 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
user_agent_2 = "Python-urllib/3.9 (a simple scraping bot)"

is_suspicious_1 = filter_suspicious_user_agent(user_agent_1)
is_suspicious_2 = filter_suspicious_user_agent(user_agent_2)

print(f"User Agent 1 is suspicious: {is_suspicious_1}")
print(f"User Agent 2 is suspicious: {is_suspicious_2}")

Types of Active users

• Heuristic Rule-Based Analysis: This method uses predefined rules and thresholds to identify suspicious behavior. It flags traffic based on static indicators like clicks from a known data center IP, a user-agent string associated with bots, or an unrealistic number of clicks from one user in a short time.
• Behavioral Analysis: This type focuses on assessing whether the user's actions are human-like. It analyzes dynamic data such as mouse movements, scroll velocity, and keyboard input patterns to distinguish between natural human interaction and the rigid, automated actions of a script or bot.
• Statistical Anomaly Detection: This approach uses statistical models to establish a baseline of "normal" traffic patterns. It then flags deviations from this baseline as potentially fraudulent, such as a sudden, unexpected spike in traffic from a specific country or an unusually high click-through rate from a single publisher.
• Device & Browser Fingerprinting: This technique collects a combination of attributes from a user's device and browser (e.g., operating system, browser version, screen resolution, installed plugins). It creates a unique ID to track users, identifying bots that use inconsistent configurations or try to spoof multiple devices from one machine.
• IP Reputation & Geolocation Analysis: This method checks the click's IP address against databases of known malicious actors, proxies, and VPNs. It also analyzes the geographic location of the IP, flagging traffic that originates from regions outside the campaign's target area or locations known for high levels of fraudulent activity.

How Ad exchange Works

USER VISIT → Ad Request Sent to Ad Exchange
              │
              │
     +────────v─────────+
     │   Ad Exchange   │
     │     (Auction)     │
     +────────┬─────────+
              │
              ├─> Bid Request to DSPs (Advertisers)
              │
     +────────v─────────+
     │ Fraud Detection │ ◀... IP Blacklists, Behavior Analysis, Device Fingerprinting
     +────────┬─────────+
              │
      ┌───────┴───────┐
      │ Legitimate?   │
      └───────┬───────┘
              │
       YES ───┤
              │
     +────────v─────────+
     │   Highest Bid   │───> Ad Displayed to User
     +-----------------+

       NO ────┤
              │
     +────────v─────────+
     │  Block/Flag Bid  │
     +-----------------+

🧠 Core Detection Logic

Example 1: Repetitive Action Analysis

This logic identifies non-human behavior by tracking the frequency of events like clicks or impressions from a single source within a short time frame. It’s a fundamental check against simple bots and click farms, often implemented at the exchange or DSP level to filter out low-quality traffic before bidding.

FUNCTION repetitive_action_check(request):
  ip = request.get_ip()
  ad_id = request.get_ad_id()
  timestamp = now()

  // Get historical clicks for this IP on this ad
  recent_clicks = get_clicks_from_db(ip, ad_id, last_60_seconds)

  IF count(recent_clicks) > 5:
    // More than 5 clicks in 60 seconds is suspicious
    RETURN {is_fraud: TRUE, reason: "High click frequency"}
  ELSE:
    // Log this click and proceed
    log_click(ip, ad_id, timestamp)
    RETURN {is_fraud: FALSE}
  ENDIF

Example 2: Data Center & Proxy Detection

This logic checks the user’s IP address against known lists of data center and public proxy IPs. Since real users typically browse from residential or mobile connections, traffic originating from servers is highly indicative of bot activity. This check is a crucial pre-bid filtering step to eliminate non-human traffic sources.

FUNCTION is_datacenter_ip(ip_address):
  // Load lists of known datacenter/proxy IP ranges
  datacenter_ranges = load_ip_list('datacenter_ips.txt')
  proxy_ranges = load_ip_list('proxy_ips.txt')

  FOR each range in datacenter_ranges:
    IF ip_address in range:
      RETURN {is_fraud: TRUE, reason: "Datacenter IP"}
    ENDIF
  ENDFOR

  FOR each range in proxy_ranges:
    IF ip_address in range:
      RETURN {is_fraud: TRUE, reason: "Public Proxy IP"}
    ENDIF
  ENDFOR

  RETURN {is_fraud: FALSE}
END FUNCTION

Example 3: Impression-to-Click Time Anomaly

This logic measures the time between when an ad is served (impression) and when it is clicked. A time-to-click that is too short (e.g., less than one second) is physically impossible for a human and indicates automated clicking. This is a powerful post-click validation technique used to invalidate fraudulent conversions.

FUNCTION check_time_to_click(click_event):
  impression_id = click_event.get_impression_id()
  click_timestamp = click_event.get_timestamp()

  // Fetch the corresponding impression event
  impression = get_impression_from_db(impression_id)

  IF impression IS NOT FOUND:
    RETURN {is_fraud: TRUE, reason: "Click without matching impression"}
  ENDIF

  impression_timestamp = impression.get_timestamp()
  time_delta = click_timestamp - impression_timestamp

  IF time_delta < 1.0: // Less than 1 second
    RETURN {is_fraud: TRUE, reason: "Impossible time-to-click"}
  ELSE:
    RETURN {is_fraud: FALSE}
  ENDIF

📈 Practical Use Cases for Businesses

Businesses leverage ad exchanges not just for media buying but as a strategic control point for ensuring traffic quality and protecting marketing investments. By participating in exchanges that prioritize fraud detection, companies can significantly improve the efficiency and reliability of their digital advertising operations.

• Budget Protection – Actively block bids on fraudulent inventory, ensuring that ad spend is directed toward real users and preventing immediate financial loss to bot-driven schemes.
• Performance Data Integrity – By filtering out invalid clicks and impressions, businesses maintain clean datasets. This leads to more accurate performance metrics (like CTR and CPA), enabling better strategic decisions and campaign optimization.
• Improved Return on Ad Spend (ROAS) – Ensure that ads are served to genuine potential customers, not bots. This increases the likelihood of legitimate engagement and conversions, directly boosting the overall return on investment for advertising campaigns.
• Brand Safety Enforcement – Exchanges help prevent ads from appearing on fraudulent or low-quality sites, which could harm brand reputation. Vetting publishers and inventory sources is a key function that protects brand image.

Example 1: Pre-Bid Domain Reputation Filtering

This logic allows an advertiser (via their DSP) to avoid bidding on impressions from publishers with a poor reputation or those on a blacklist. It's a proactive defense mechanism used within the ad exchange environment to ensure brand safety and avoid wasting bids on known fraudulent sources.

// Logic running on a Demand-Side Platform (DSP) before bidding
FUNCTION should_bid(bid_request):
  domain = bid_request.get_publisher_domain()
  
  // Load internal blacklist of low-quality domains
  domain_blacklist = load_list('domain_blacklist.txt')

  IF domain in domain_blacklist:
    // Do not bid
    RETURN FALSE
  ENDIF

  // Check against a third-party reputation score
  reputation_score = get_domain_reputation(domain)
  
  IF reputation_score < 40: // Score out of 100
    // Do not bid on low-reputation domains
    RETURN FALSE
  ENDIF

  // Proceed with bidding logic
  RETURN TRUE

Example 2: Geographic Consistency Check

This logic cross-references different location signals within a bid request to spot inconsistencies that suggest spoofing or proxy use. For example, a mismatch between the IP address's country and the device's language or timezone settings is a strong indicator of fraud. This helps ensure ad budgets are spent in the correct target regions.

FUNCTION check_geo_consistency(bid_request):
  ip_geo = get_geo_from_ip(bid_request.ip) // e.g., {country: "US"}
  device_timezone = bid_request.device.timezone // e.g., "America/New_York"
  device_language = bid_request.device.language // e.g., "en-US"

  // Rule 1: Check if timezone is consistent with IP country
  IF NOT is_timezone_valid_for_country(device_timezone, ip_geo.country):
    RETURN {is_fraud: TRUE, reason: "Geo mismatch: IP vs Timezone"}
  ENDIF

  // Rule 2: A less strict check for language
  IF ip_geo.country == "US" AND device_language NOT IN ["en-US", "es-US"]:
     // Flag for review, might be legitimate (traveler, expat)
     log_suspicious_activity("Potential Geo mismatch: IP vs Language")
  ENDIF

  RETURN {is_fraud: FALSE}

🐍 Python Code Examples

This Python function simulates checking for an abnormal click-through rate (CTR), a common indicator of certain types of ad fraud. A very high CTR can suggest that clicks are automated rather than resulting from genuine user interest.

def check_suspicious_ctr(impressions, clicks, threshold=0.05):
    """Checks if the click-through rate exceeds a suspicious threshold."""
    if impressions == 0:
        return False  # Avoid division by zero
    
    ctr = clicks / impressions
    
    if ctr > threshold:
        print(f"Warning: Suspiciously high CTR of {ctr:.2%} detected.")
        return True
    return False

# Example Usage:
campaign_A_impressions = 1000
campaign_A_clicks = 150 # Results in 15% CTR
check_suspicious_ctr(campaign_A_impressions, campaign_A_clicks)

This code filters incoming ad traffic by checking the request's IP address and user agent against predefined blacklists. This is a fundamental step in many fraud detection systems to block known bad actors before they can interact with ads.

def is_traffic_valid(request_ip, user_agent):
    """Filters traffic based on IP and User Agent blacklists."""
    IP_BLACKLIST = {"1.2.3.4", "5.6.7.8"} # Example blacklisted IPs
    UA_BLACKLIST = {"KnownBot/1.0", "BadCrawler/2.1"} # Example blacklisted user agents

    if request_ip in IP_BLACKLIST:
        print(f"Blocking blacklisted IP: {request_ip}")
        return False
    
    if user_agent in UA_BLACKLIST:
        print(f"Blocking blacklisted User Agent: {user_agent}")
        return False
        
    return True

# Example Usage:
is_traffic_valid("5.6.7.8", "Mozilla/5.0")
is_traffic_valid("123.123.123.123", "KnownBot/1.0")
is_traffic_valid("99.99.99.99", "Mozilla/5.0") # This one would be considered valid

Types of Ad exchange

• Open Ad Exchange – This is a public marketplace where any publisher or advertiser can participate. It offers the widest reach and largest volume of inventory, but can also carry a higher risk of ad fraud due to its open nature, requiring robust fraud detection measures.
• Private Marketplace (PMP) – An invitation-only auction where a publisher makes specific, premium inventory available to a select group of advertisers. PMPs offer greater transparency and brand safety, significantly reducing the risk of fraud by creating a more controlled environment.
• Preferred Deals – A non-auction model where a publisher offers ad inventory to a specific advertiser at a fixed, pre-negotiated price before it becomes available on the open exchange. This direct relationship helps ensure traffic quality and minimizes exposure to fraudulent sources.
• Programmatic Guaranteed – The most direct approach, where an advertiser agrees to purchase a fixed number of impressions from a publisher for a set price. While automated, it bypasses the auction process entirely, providing the highest level of control and virtually eliminating fraud risk from unknown third parties.

How Ad Fraud Prevention Works

Incoming Traffic → [+ Filter 1: Signature/IP] → [+ Filter 2: Behavioral Analysis] → [Scoring Engine] → डिसीजन │ └─┬─→ [Allow] → Legitimate User │ └─→ [Block] → Fraudulent Traffic → [Reporting]

🧠 Core Detection Logic

Example 1: IP Filtering

This logic blocks traffic originating from IP addresses known to be associated with fraudulent activity. It often targets IPs from data centers, proxies, or those on shared blacklists. This is a foundational layer of traffic protection that filters out common, non-sophisticated bot traffic before it can interact with ads.

FUNCTION check_ip(ip_address):
  IF ip_address IN known_datacenter_ips OR ip_address IN global_blacklist:
    RETURN "block"
  ELSE:
    RETURN "allow"

Example 2: Session Heuristics

This logic analyzes the behavior of a user within a single session to identify non-human patterns. It tracks metrics like the number of clicks, time between clicks, and pages visited. An abnormally high click rate or excessively short time on page can indicate automated browsing and lead to the session being flagged as fraudulent.

FUNCTION analyze_session(session_data):
  click_count = session_data.clicks
  time_elapsed_seconds = session_data.duration
  
  IF time_elapsed_seconds > 0 AND (click_count / time_elapsed_seconds) > 5:
    RETURN "flag_as_fraud"
  ELSE:
    RETURN "valid_session"

Example 3: Geo Mismatch

This technique flags users whose location data is inconsistent. It compares the geographical location derived from the IP address with the user’s browser language, timezone, or other device settings. A significant mismatch, such as an IP from Vietnam with a browser set to US English and Eastern Standard Time, is a strong indicator of a proxy or VPN used to disguise the user’s true origin.

FUNCTION check_geo_mismatch(ip_location, browser_timezone):
  expected_timezone = lookup_timezone(ip_location.country)
  
  IF browser_timezone != expected_timezone:
    RETURN "high_risk"
  ELSE:
    RETURN "low_risk"

📈 Practical Use Cases for Businesses

Practical Use Cases for Businesses Using Ad Fraud Prevention

• Campaign Shielding – Protects active marketing campaigns by blocking fraudulent clicks and impressions in real-time. This ensures that ad spend is directed toward genuine users, maximizing the potential for legitimate engagement and conversions.
• Budget Protection – Prevents the rapid depletion of advertising budgets by automated bots and click farms. By filtering out invalid traffic, businesses ensure their funds are not wasted on interactions that have no chance of resulting in a sale.
• Data Integrity – Ensures that analytics and performance metrics are accurate and reliable. By removing fraudulent data, businesses can make better-informed decisions based on real user engagement, leading to more effective marketing strategies and improved campaign optimization.
• ROAS Improvement – Increases Return on Ad Spend (ROAS) by eliminating wasteful spending on fraudulent clicks. When ads are served only to legitimate potential customers, the conversion rate improves, and the overall profitability of advertising efforts is enhanced.

Example 1: Geofencing Rule

A business running a campaign targeted at users in the United States can use a geofencing rule to automatically block any traffic from outside the target region. This is a simple but effective way to eliminate irrelevant international traffic and basic fraud attempts.

// Rule: Block traffic from outside the target country
FUNCTION handle_request(user_request):
  target_country = "US"
  user_country = get_country_from_ip(user_request.ip)

  IF user_country != target_country:
    BLOCK_ACTION(user_request)
  ELSE:
    ALLOW_ACTION(user_request)

Example 2: Session Scoring Logic

A more advanced use case involves scoring a session based on multiple risk factors. For example, traffic from a data center is given a high-risk score, while the presence of a headless browser signature adds more points. If the total score exceeds a certain threshold, the user is blocked.

// Logic: Calculate a risk score based on multiple factors
FUNCTION calculate_risk_score(user_data):
  score = 0
  IF is_datacenter_ip(user_data.ip):
    score += 50
  IF has_headless_browser_signature(user_data.agent):
    score += 40
  IF has_inconsistent_geo_data(user_data):
    score += 25

  RETURN score

// Enforcement
user_score = calculate_risk_score(current_user)
IF user_score > 80:
  BLOCK_USER()

🐍 Python Code Examples

This Python function simulates checking for abnormally high click frequency from a single IP address. If an IP address generates more than a set number of clicks in a short time window, it gets flagged, helping to identify potential bot activity or click farm behavior.

CLICK_LOG = {}
TIME_WINDOW = 60  # seconds
CLICK_THRESHOLD = 10

def is_suspicious_click_frequency(ip_address):
    import time
    current_time = time.time()
    
    # Remove old entries
    if ip_address in CLICK_LOG:
        CLICK_LOG[ip_address] = [t for t in CLICK_LOG[ip_address] if current_time - t < TIME_WINDOW]
    
    # Add current click and check
    clicks = CLICK_LOG.setdefault(ip_address, [])
    clicks.append(current_time)
    
    if len(clicks) > CLICK_THRESHOLD:
        return True
    return False

# Example Usage
# print(is_suspicious_click_frequency("192.168.1.100"))

This code filters traffic based on the user agent string sent by the browser. It checks against a predefined list of suspicious user agents commonly associated with bots or automated scripts, providing a straightforward way to block known bad actors.

SUSPICIOUS_USER_AGENTS = [
    "phantomjs",
    "headlesschrome",
    "selenium",
    "python-requests"
]

def is_suspicious_user_agent(user_agent_string):
    user_agent_lower = user_agent_string.lower()
    for agent in SUSPICIOUS_USER_AGENTS:
        if agent in user_agent_lower:
            return True
    return False

# Example Usage
# ua = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/108.0.5359.71 Safari/537.36"
# print(is_suspicious_user_agent(ua))

Types of Ad Fraud Prevention

• Rule-Based Filtering: This method uses predefined rules to block traffic. For example, it can block users from specific IP addresses, countries, or those using outdated browsers. While effective against known threats, it is less adaptable to new or sophisticated fraud techniques.
• Behavioral Analysis: This approach uses machine learning to analyze user behavior, such as mouse movements, scrolling speed, and click patterns. It establishes a baseline for normal human interaction and flags deviations that suggest bot activity, making it effective against more advanced fraud.
• Signature-Based Detection: This technique identifies known fraudulent signatures, such as specific bot user agents or device fingerprints. It works like an antivirus program, comparing incoming traffic against a database of known threats to block recognized fraudsters and scripts.
• Honeypot Traps: This method involves placing invisible ad elements or links on a webpage that are undetectable to human users but are accessed by bots. When a bot interacts with the honeypot, its IP address and other identifiers are captured and blocked.
• Collaborative Threat Intelligence: This approach involves sharing fraud data across a network of publishers, advertisers, and security vendors. By pooling information on new threats, the entire ecosystem can adapt more quickly and effectively block emerging ad fraud schemes.

How Ad Impression Works

  +-----------------+      +-----------------+      +--------------------+      +-----------------------+      +-----------------+
  |   User Visits   | →    |    Ad Server    | →    |  Impression Pixel  | →    |  Data Collection &  | →    |   Fraud Score   |
  |   Website/App   |      |    Delivers Ad  |      |       Fires        |      |      Enrichment     |      | (Valid/Invalid) |
  +-----------------+      +-----------------+      +--------------------+      +-----------------------+      +-----------------+
                                     │                                                 │
                                     └───────────────────┐                             │
                                                         ↓                             ↓
                                             +-------------------------+      +---------------------+
                                             |     Ad is Rendered      |      |   Analysis Engine   |
                                             +-------------------------+      +---------------------+

🧠 Core Detection Logic

Example 1: Impression Velocity and Frequency Capping

This logic prevents a single user or bot from generating an excessive number of impressions in a short period. It is a fundamental defense against simple automated scripts designed to repeatedly reload pages or cycle through ads to inflate impression counts. This rule is typically applied in real-time or near-real-time at the session level.

// Rule: Impression Frequency Analysis
FUNCTION checkImpressionVelocity(impressionEvent):
  // Extract user identifier (IP address or device ID) and timestamp
  userID = impressionEvent.ip_address
  timestamp = impressionEvent.timestamp

  // Retrieve past impression timestamps for this user
  userHistory = getImpressionHistory(userID)

  // Define thresholds
  TIME_WINDOW_SECONDS = 60
  MAX_IMPRESSIONS_IN_WINDOW = 15

  // Filter history to the defined time window
  recentImpressions = filterHistoryByTime(userHistory, timestamp, TIME_WINDOW_SECONDS)

  // Check if the number of recent impressions exceeds the cap
  IF count(recentImpressions) > MAX_IMPRESSIONS_IN_WINDOW:
    RETURN { status: 'INVALID', reason: 'High Impression Frequency' }
  ELSE:
    // Record the current impression and return valid
    recordImpression(userID, timestamp)
    RETURN { status: 'VALID' }
  END IF
END FUNCTION

Example 2: Data Center and Proxy Detection

This logic filters out impressions originating from non-residential IP addresses, such as those from data centers, servers, VPNs, or known proxies. Since legitimate human users typically browse from residential or mobile networks, traffic from data centers is highly indicative of bot activity used to scale impression fraud.

// Rule: Data Center IP Filtering
FUNCTION validateImpressionSource(impressionEvent):
  // Extract the IP address from the impression data
  ipAddress = impressionEvent.ip_address

  // Load known data center IP range blacklists
  dataCenterBlacklist = loadDataCenterIPs()
  proxyBlacklist = loadProxyIPs()

  // Check if the impression's IP matches any blacklisted range
  isDataCenterIP = isIPInList(ipAddress, dataCenterBlacklist)
  isProxyIP = isIPInList(ipAddress, proxyBlacklist)

  IF isDataCenterIP OR isProxyIP:
    RETURN { status: 'INVALID', reason: 'Source is a known Data Center or Proxy' }
  ELSE:
    RETURN { status: 'VALID' }
  END IF
END FUNCTION

Example 3: User-Agent and Header Anomaly Detection

This logic inspects the technical details of the request headers, particularly the User-Agent (UA) string, to identify non-standard or known fraudulent clients. Bots often use outdated, inconsistent, or headless browser UAs (like PhantomJS) that differ from those of legitimate, updated web browsers used by humans.

// Rule: User-Agent Signature Matching
FUNCTION analyzeClientHeaders(impressionEvent):
  // Extract User-Agent string from headers
  userAgent = impressionEvent.headers.user_agent

  // Load list of known bot and suspicious User-Agent signatures
  botSignatures = ["PhantomJS", "Selenium", "headless", "bot", "crawler"]

  // Check for presence of any bot signature in the User-Agent string
  FOR signature IN botSignatures:
    IF contains(userAgent, signature):
      RETURN { status: 'INVALID', reason: 'Known Bot User-Agent Signature' }
    END IF
  END FOR

  // Add checks for other header anomalies (e.g., missing standard headers)
  IF NOT hasStandardHeaders(impressionEvent.headers):
     RETURN { status: 'INVALID', reason: 'Header Anomaly Detected' }
  END IF

  RETURN { status: 'VALID' }
END FUNCTION

📈 Practical Use Cases for Businesses

• Campaign Shielding – Real-time analysis of impressions allows businesses to block traffic from known fraudulent sources (like data centers or botnets) before an ad is even served, directly protecting the advertising budget from being wasted on invalid activity.
• Analytics and Reporting Integrity – By filtering out fraudulent impressions, companies ensure their campaign performance metrics (like CPM, reach, and frequency) are accurate. This leads to better strategic decisions based on real human engagement rather than skewed bot data.
• Improving Return on Ad Spend (ROAS) – Ensuring ads are shown to genuine users increases the likelihood of meaningful engagement and conversions. Analyzing impression quality helps optimize ad placements and targeting toward channels that deliver clean, high-performing traffic, thus maximizing ROAS.
• Lead Generation Quality Control – For businesses focused on acquiring leads, validating impressions ensures that the top of the funnel is not contaminated by bot-submitted forms. This prevents sales teams from wasting time on fake leads generated by non-human traffic.

Example 1: Geofencing and Location Mismatch Rule

This pseudocode checks if an impression originates from a geographic location that is part of the campaign’s target market. It also flags mismatches between the IP-based location and other signals (like language or timezone), which often indicate VPN or proxy usage by fraudulent actors.

// Use Case: Ensure ad impressions are from the target country and not masked by proxies.
FUNCTION validateGeoLocation(impression, campaignRules):
  ip_location = getLocationFromIP(impression.ip_address)
  device_timezone = impression.device.timezone

  // 1. Check if impression is within the campaign's allowed countries
  IF ip_location.country NOT IN campaignRules.target_countries:
    RETURN { valid: FALSE, reason: "Geofence Mismatch" }
  END IF

  // 2. Check for timezone and location inconsistencies
  expected_timezones = getTimezonesForCountry(ip_location.country)
  IF device_timezone NOT IN expected_timezones:
    RETURN { valid: FALSE, reason: "IP-Timezone Mismatch" }
  END IF

  RETURN { valid: TRUE }
END FUNCTION

Example 2: Viewability and Interaction Scoring

This logic scores an impression based on whether it was actually viewable and if there was any human-like interaction. An impression that is served but never comes into the user’s viewport or receives no mouse movement is considered low-quality or potentially fraudulent (e.g., ad stacking).

// Use Case: Score impressions to pay only for those seen by humans.
FUNCTION scoreImpressionAuthenticity(impression, interaction_data):
  score = 100
  reasons = []

  // 1. Penalize non-viewable impressions
  IF impression.viewability_percentage < 50 OR impression.viewable_duration_ms < 1000:
    score = score - 50
    reasons.append("Low Viewability")
  END IF

  // 2. Penalize impressions with no human-like interaction
  IF interaction_data.mouse_events_count == 0 AND interaction_data.scroll_events_count == 0:
    score = score - 40
    reasons.append("No User Interaction")
  END IF
  
  // 3. Penalize impressions from suspicious device types (e.g., emulators)
  IF isEmulator(impression.device_id):
      score = 0
      reasons.append("Detected Emulator")
  END IF

  RETURN { authenticity_score: score, issues: reasons }
END FUNCTION

🐍 Python Code Examples

This function simulates checking a stream of impression events to identify IPs that generate impressions too quickly. It maintains a simple in-memory log to track impression times for each IP and flags those that violate a frequency threshold, a common sign of bot activity.

from collections import deque
import time

IP_LOGS = {}
TIME_WINDOW = 60  # seconds
MAX_IMPRESSIONS = 20

def is_impression_fraudulent(ip_address):
    """Checks if an IP is generating impressions too frequently."""
    current_time = time.time()
    
    if ip_address not in IP_LOGS:
        IP_LOGS[ip_address] = deque()
    
    # Remove old timestamps from the log
    while (IP_LOGS[ip_address] and 
           current_time - IP_LOGS[ip_address] > TIME_WINDOW):
        IP_LOGS[ip_address].popleft()
        
    # Add the current impression timestamp
    IP_LOGS[ip_address].append(current_time)
    
    # Check if the count exceeds the max allowed impressions in the window
    if len(IP_LOGS[ip_address]) > MAX_IMPRESSIONS:
        print(f"FLAGGED: IP {ip_address} has {len(IP_LOGS[ip_address])} impressions in {TIME_WINDOW}s.")
        return True
        
    return False

# --- Simulation ---
impressions_stream = ["1.2.3.4", "1.2.3.4", "5.6.7.8"] + ["1.2.3.4"] * 20
for ip in impressions_stream:
    is_impression_fraudulent(ip)
    time.sleep(0.1)

This example demonstrates how to filter impressions based on their User-Agent string. It checks each impression's User-Agent against a blocklist of known bot and crawler signatures to weed out obvious non-human traffic before it contaminates analytics.

BOT_SIGNATURES = [
    "bot", "crawler", "spider", "headlesschrome", "phantomjs", "selenium"
]

def filter_by_user_agent(impression_event):
    """Filters out impressions with suspicious User-Agent strings."""
    user_agent = impression_event.get("user_agent", "").lower()
    
    if not user_agent:
        return {"is_valid": False, "reason": "Missing User-Agent"}
        
    for signature in BOT_SIGNATURES:
        if signature in user_agent:
            return {"is_valid": False, "reason": f"UA contains bot signature: {signature}"}
            
    return {"is_valid": True, "reason": "Clean User-Agent"}

# --- Simulation ---
impression1 = {"ip": "1.2.3.4", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"}
impression2 = {"ip": "2.3.4.5", "user_agent": "My-Awesome-Bot/1.0 (+http://example.com/bot)"}

print(f"Impression 1: {filter_by_user_agent(impression1)}")
print(f"Impression 2: {filter_by_user_agent(impression2)}")

Types of Ad Impression

• Served Impression - This is the most basic type, counted when an ad server sends an ad to a publisher's website. In fraud detection, relying solely on this type is risky, as it doesn't confirm the ad was actually seen, making it a primary target for bots that generate views without visibility.
• Viewable Impression - This type is counted only when a certain percentage of the ad's pixels (e.g., 50%) is visible on the user's screen for a minimum duration (e.g., one second). It is a crucial metric for combating impression fraud like ad stacking or pixel stuffing, where ads are loaded but never seen by a human.
• Tracked Impression - This refers to an impression that includes an advanced tracking script or pixel. The script collects additional data points beyond a simple view, such as mouse movements, scroll depth, and browser properties. This enriched data is vital for behavioral analysis to distinguish sophisticated bots from genuine users.
• Pre-Bid Verified Impression - In programmatic advertising, this is an impression opportunity that has been analyzed for fraud signals *before* an advertiser bids on it. Fraud detection services scan the request for red flags like a data center IP or bot signature, helping advertisers avoid wasting money on fraudulent inventory from the start.
• Sophisticated Invalid Traffic (SIVT) Impression - This is not a desired type but a classification of fraudulent impressions generated by advanced bots, malware, or hijacked devices designed to mimic human behavior. Detecting SIVT impressions requires complex techniques like behavioral analysis and device fingerprinting because they evade simple filters.

How Ad inventory Works

Incoming Ad Request
       │
       ▼
+---------------------+
│ 1. Inventory Source │
│   (Publisher URL)   │
+---------------------+
       │
       ▼
+---------------------+
│ 2. Verification     │
│  (e.g., ads.txt)    │
+---------------------+
       ├─ Legitimate ─────► Deliver Ad
       │
       └─ Fraudulent
            │
            ▼
+---------------------+
│ 3. Fraud Detection  │
│  (Pattern Analysis) │
+---------------------+
       │
       ▼
+---------------------+
│ 4. Block & Report   │
+---------------------+
  

🧠 Core Detection Logic

Example 1: Domain Spoofing Detection via ads.txt

This logic verifies if the seller of the ad space is authorized by the publisher. It prevents a common fraud type where a low-quality site pretends to be a premium publisher to command higher ad prices. It’s a foundational check in programmatic advertising.

FUNCTION check_seller_authorization(bid_request):
  publisher_domain = bid_request.get_domain()
  seller_id = bid_request.get_seller_id()

  // Fetch the publisher's authorized seller list
  authorized_sellers = fetch_ads_txt(publisher_domain)

  IF seller_id IS IN authorized_sellers:
    RETURN "Authorized"
  ELSE:
    RETURN "Unauthorized - Potential Spoofing"
END FUNCTION

Example 2: Click Farm Identification via IP Analysis

This logic identifies multiple clicks originating from a single source within a short time frame, a hallmark of click farms or bot activity. It helps block traffic that is not genuinely interested in the ad content, thereby protecting the advertiser’s budget from being wasted.

// Session data store (key: IP address, value: list of click timestamps)
IP_CLICK_LOGS = {}

FUNCTION is_click_farm_activity(click_event):
  ip = click_event.get_ip_address()
  timestamp = click_event.get_timestamp()
  
  // Initialize log for new IP
  IF ip NOT IN IP_CLICK_LOGS:
    IP_CLICK_LOGS[ip] = []

  // Add current click timestamp
  IP_CLICK_LOGS[ip].append(timestamp)

  // Check for excessive clicks in the last minute
  clicks_in_last_minute = count_clicks_since(IP_CLICK_LOGS[ip], now() - 60 seconds)

  IF clicks_in_last_minute > 20:
    RETURN TRUE // Flag as fraudulent
  ELSE:
    RETURN FALSE
END FUNCTION

Example 3: Session Heuristics for Bot Detection

This logic analyzes user behavior within a session to differentiate humans from bots. Bots often exhibit non-human patterns like instantaneous clicks after a page load or no mouse movement. This check helps invalidate traffic that lacks genuine user engagement.

FUNCTION analyze_session_behavior(session_data):
  time_on_page = session_data.get_time_on_page()
  has_mouse_movement = session_data.has_mouse_events()
  time_to_click = session_data.get_time_to_first_click()

  // Rule 1: A real user spends some time on the page before clicking
  IF time_to_click < 1 second:
    RETURN "Fraudulent: Click too fast"
  
  // Rule 2: A real user typically moves the mouse
  IF time_on_page > 3 seconds AND NOT has_mouse_movement:
    RETURN "Fraudulent: No mouse activity"
  
  RETURN "Legitimate"
END FUNCTION

📈 Practical Use Cases for Businesses

Example 1: Geolocation Mismatch Rule

This logic prevents fraud where traffic is masked to appear from a high-value country. A business running a US-only campaign would use this to reject clicks from inventory where the user’s IP address doesn’t match the expected geographical location.

// Rule to check if the click's IP location matches the campaign's target country

FUNCTION validate_geolocation(click_ip, campaign_target_country):
  user_country = get_country_from_ip(click_ip)
  
  IF user_country != campaign_target_country:
    // Mismatch detected, flag as invalid
    REJECT_CLICK(reason="Geolocation mismatch")
    log_event("Fraud Warning: IP country does not match campaign target.")
    RETURN FALSE
  ELSE:
    // Geolocation is valid
    ACCEPT_CLICK()
    RETURN TRUE
END FUNCTION

Example 2: Ad Stacking Detection

This logic detects if an ad impression is fraudulent because the ad is hidden or “stacked” beneath other ads, making it invisible to the user. Businesses use this to ensure they only pay for viewable impressions, protecting their budget from being wasted on unseen ads.

// Logic to check the visibility of an ad element on a page

FUNCTION check_ad_visibility(ad_element_id):
  ad = get_element_by_id(ad_element_id)
  
  // Check if the ad is hidden via CSS
  IF ad.style.visibility == "hidden" OR ad.style.display == "none":
    RETURN "Fraudulent: Ad is hidden"
  
  // Check if the ad's dimensions are impossibly small (pixel stuffing)
  IF ad.width < 2 AND ad.height < 2:
    RETURN "Fraudulent: Pixel stuffing detected"

  // Check if the ad is obscured by another element on top
  element_at_ad_center = get_element_at_coordinates(ad.center_x, ad.center_y)
  IF element_at_ad_center != ad:
    RETURN "Fraudulent: Ad is stacked or obscured"
    
  RETURN "Legitimate"
END FUNCTION

🐍 Python Code Examples

This code filters incoming ad clicks based on a predefined list of high-risk IP addresses known for fraudulent activity. It is a direct and effective method to block obvious bot traffic and protect advertising campaigns from repeated offenders.

# A predefined set of known fraudulent IP addresses
FRAUDULENT_IPS = {"198.51.100.1", "203.0.113.10", "192.0.2.55"}

def filter_by_ip_blocklist(click_ip):
    """
    Checks if a click's IP is in a known fraudulent IP blocklist.
    """
    if click_ip in FRAUDULENT_IPS:
        print(f"Blocking fraudulent click from IP: {click_ip}")
        return False  # Invalid click
    print(f"Accepting legitimate click from IP: {click_ip}")
    return True  # Valid click

# --- Simulation ---
filter_by_ip_blocklist("198.51.100.1")  # Returns False
filter_by_ip_blocklist("8.8.8.8")        # Returns True

This example demonstrates how to detect abnormally high click frequency from a single user agent, which can indicate automated bot activity. By tracking the number of clicks over a short time window, this function can flag non-human behavior designed to exhaust ad budgets.

from collections import defaultdict
import time

# In a real system, this would be a more persistent store like Redis
CLICK_TIMESTAMPS = defaultdict(list)
TIME_WINDOW_SECONDS = 60
CLICK_LIMIT = 15

def is_abnormal_frequency(user_agent):
    """
    Detects if a user agent has an unusually high click frequency.
    """
    current_time = time.time()
    
    # Get timestamps for this user agent
    timestamps = CLICK_TIMESTAMPS[user_agent]
    
    # Filter out old timestamps that are outside the time window
    recent_timestamps = [t for t in timestamps if current_time - t < TIME_WINDOW_SECONDS]
    
    # Add the current click's timestamp
    recent_timestamps.append(current_time)
    CLICK_TIMESTAMPS[user_agent] = recent_timestamps
    
    # Check if the click count exceeds the limit
    if len(recent_timestamps) > CLICK_LIMIT:
        print(f"Fraud Warning: High click frequency from User-Agent: {user_agent}")
        return True # Abnormal frequency detected
    return False # Normal frequency

# --- Simulation ---
ua_bot = "Mozilla/5.0 (compatible; MyBot/1.0)"
for _ in range(20):
    is_abnormal_frequency(ua_bot)

Types of Ad inventory

How Ad mediation Works

USER SESSION
      │
      ▼
+---------------------+
│ App Requests Ad     │
│ (via Mediation SDK) │
+---------------------+
      │
      ▼
+-------------------------+      +------------------+
│   Mediation Platform    │◄-─-─┤ Fraud Detection  │
│  analisa & optimises   │      │ (Pre-Bid Analysis) │
+-------------------------+      +------------------+
      │                                ▲
      ├─[WATERFALL]--------------------│
      │ 1. Network A (Highest eCPM)    │
      │ 2. Network B                   │
      │ 3. Network C                   │
      │                                │
      └─[IN-APP BIDDING]---------------┘
        (Simultaneous Auction)

      │
      ▼
+---------------------+
│ Winning Ad Network  │
+---------------------+
      │
      ▼
+---------------------+
│ Ad Displayed in App │
+---------------------+

🧠 Core Detection Logic

Example 1: IP Reputation and Blacklisting

This logic prevents participation from IP addresses known for fraudulent activity. It operates at the earliest stage of the ad request, acting as a gatekeeper. By checking against a dynamic blacklist of data center IPs, known proxies, and addresses with a history of bot traffic, it filters out a significant portion of non-human traffic before it can consume resources.

FUNCTION handle_ad_request(request):
  ip_address = request.get_ip()
  
  // Check against known bad IP lists (data centers, proxies, bots)
  IF is_blacklisted(ip_address):
    REJECT request_with_reason("Blocked IP")
    RETURN NULL
  
  // Check for abnormal frequency from the same IP
  click_count = get_clicks_from_ip(ip_address, last_hour)
  IF click_count > 50:
    REJECT request_with_reason("High Frequency IP")
    ADD_to_blacklist(ip_address)
    RETURN NULL
    
  // If clean, proceed to mediation auction
  PROCEED_to_mediation(request)

Example 2: Session Heuristics and Behavioral Analysis

This logic analyzes user behavior within a single session to determine legitimacy. It looks for patterns that are uncharacteristic of genuine human interaction. For example, a click that happens fractions of a second after an ad loads is likely automated. This check happens post-impression, helping to invalidate fraudulent clicks and refine future filtering rules.

FUNCTION analyze_ad_click(click_event):
  session_data = get_session_info(click_event.session_id)
  
  // Time between ad load and click
  time_to_click = click_event.timestamp - session_data.ad_load_time
  IF time_to_click < 1.0: // Less than 1 second
    FLAG_AS_FRAUD(click_event, "Click Too Fast")
    RETURN
    
  // Check for missing or minimal user interactions
  IF session_data.mouse_movements < 5 AND session_data.scroll_events == 0:
    FLAG_AS_FRAUD(click_event, "No Human-like Interaction")
    RETURN
    
  // All checks passed
  VALIDATE_CLICK(click_event)

Example 3: Geo Mismatch Detection

This logic validates that the geographical data associated with a request is consistent. Fraudsters often use proxies or VPNs to mask their true location, leading to discrepancies between the IP address's location and the device's stated language or timezone. This check is crucial for identifying sophisticated attempts to bypass simpler IP-based blocking.

FUNCTION validate_geo_data(request):
  ip_geo = get_geo_from_ip(request.ip) // e.g., "Germany"
  device_lang = request.device.language // e.g., "en-US"
  device_tz = request.device.timezone // e.g., "America/New_York"

  // Simple mismatch check
  IF ip_geo == "Vietnam" AND device_lang == "en-US":
    FLAG_AS_SUSPICIOUS(request, "Geo Mismatch: IP vs Language")
    
  // Timezone vs IP country check
  tz_country = get_country_from_tz(device_tz) // e.g., "USA"
  IF ip_geo != tz_country:
    FLAG_AS_SUSPICIOUS(request, "Geo Mismatch: IP vs Timezone")
    
  // If suspicious, may require further checks or be blocked
  IF is_suspicious(request):
     INCREASE_FRAUD_SCORE(request)

📈 Practical Use Cases for Businesses

• Campaign Budget Protection – By filtering out bot clicks and other forms of invalid traffic, ad mediation ensures that advertising budgets are spent on reaching real, potential customers, directly improving return on ad spend (ROAS).
• Data Integrity for Analytics – It cleans the traffic data that feeds into analytics platforms. This provides businesses with accurate metrics on user engagement and campaign performance, leading to better strategic decisions.
• Enhanced User Acquisition Quality – By weeding out fraudulent installs and fake user events, mediation helps businesses acquire genuine users, leading to higher lifetime value (LTV) and more accurate performance marketing analysis.
• Reduced Ad Spend Waste – It prevents advertisers from paying for clicks and impressions that have no chance of converting, such as those from data centers or automated scripts, directly preserving marketing funds for legitimate opportunities.
• Improved Publisher Reputation – For publishers, serving clean, fraud-free traffic to advertisers builds trust and encourages more ad networks to bid on their inventory, leading to higher and more stable ad revenue over time.

Example 1: Geofencing Rule for a Local Business

A local retail business wants to ensure its ads are only shown to users within a 50-mile radius of its stores. This logic uses the device's GPS data (if available) or IP-based geolocation to filter out traffic from outside the target area, preventing budget waste on irrelevant impressions.

FUNCTION handle_ad_request(request):
  user_location = get_location(request.device_id, request.ip)
  business_locations = ["lat/long_1", "lat/long_2"]
  
  is_within_radius = FALSE
  FOR store_loc in business_locations:
    IF calculate_distance(user_location, store_loc) <= 50:
      is_within_radius = TRUE
      BREAK

  IF is_within_radius == FALSE:
    REJECT request_with_reason("Outside Geofence")
  ELSE:
    PROCEED_to_mediation(request)

Example 2: Session Scoring for Conversion Fraud

An e-commerce app notices a pattern of fraudulent conversions. This logic scores each user session based on a series of actions. A session with a high score is deemed legitimate, while a low score (e.g., install-to-purchase time of 2 seconds) indicates fraud and the conversion is flagged for investigation.

FUNCTION score_session_authenticity(session):
  score = 100
  
  // Penalty for impossibly fast conversion
  IF (session.purchase_time - session.install_time) < 10: // 10 seconds
    score = score - 80
    
  // Penalty for no pre-conversion activity
  IF session.product_views < 1 AND session.add_to_cart_events == 0:
    score = score - 50
    
  // Bonus for human-like behavior
  IF session.scroll_depth > 75:
    score = score + 10
    
  IF score < 50:
    FLAG_AS_FRAUDULENT(session)
  
  RETURN score

🐍 Python Code Examples

This Python function simulates checking an incoming ad click against a known list of fraudulent IP addresses. It's a fundamental step in pre-bid fraud filtering to immediately reject traffic from sources that have already been identified as malicious or non-human.

# A simple set of blacklisted IP addresses (e.g., known data centers, proxies)
FRAUDULENT_IPS = {"198.51.100.1", "203.0.113.25", "192.0.2.14"}

def block_known_fraudulent_ips(click_request):
    """
    Checks if the click's IP address is in a blacklist.
    Returns True if the click should be blocked, False otherwise.
    """
    ip_address = click_request.get("ip")
    if ip_address in FRAUDULENT_IPS:
        print(f"Blocking fraudulent click from IP: {ip_address}")
        return True
    print(f"Allowing legitimate click from IP: {ip_address}")
    return False

# Example usage:
click_1 = {"click_id": "abc-123", "ip": "8.8.8.8"}
click_2 = {"click_id": "def-456", "ip": "198.51.100.1"}

block_known_fraudulent_ips(click_1) # Returns False
block_known_fraudulent_ips(click_2) # Returns True

This code analyzes the time difference between an ad impression and a click (Click-to-Time, CTT). An impossibly short duration is a strong indicator of an automated bot, as a real human requires time to process information and react.

import datetime

def detect_abnormal_click_timing(impression_time, click_time):
    """
    Analyzes the time between an impression and a click.
    Flags clicks that happen too quickly as suspicious.
    """
    time_delta = click_time - impression_time
    # A real user is unlikely to click in under 0.5 seconds
    if time_delta.total_seconds() < 0.5:
        print(f"Suspiciously fast click detected: {time_delta.total_seconds()}s")
        return "SUSPICIOUS"
    return "VALID"

# Example usage:
impression_event_time = datetime.datetime.now()
# Simulate a bot click 100ms later
bot_click_time = impression_event_time + datetime.timedelta(milliseconds=100)
# Simulate a human click 2 seconds later
human_click_time = impression_event_time + datetime.timedelta(seconds=2)

detect_abnormal_click_timing(impression_event_time, bot_click_time) # Returns "SUSPICIOUS"
detect_abnormal_click_timing(impression_event_time, human_click_time) # Returns "VALID"

Types of Ad mediation

• Waterfall Mediation - The traditional method where ad networks are arranged in a sequence and called one by one based on historical eCPM. If the first network cannot fill the ad request, it passes to the second, and so on. This method risks lower revenue if a lower-ranked network would have paid more.
• In-App Bidding - Often called header bidding, this modern approach allows all ad networks to bid on an impression simultaneously in a real-time auction. This ensures the publisher receives the highest possible price for each ad spot and is more efficient at preventing revenue loss compared to the waterfall method.
• Hybrid Mediation - This model combines waterfall and in-app bidding. An auction is run first with bidding-enabled networks. The winning bid then competes against the sequentially called networks in the waterfall. This approach leverages the benefits of both systems to maximize fill rates and revenue.
• Custom Mediation - A publisher-controlled system where specific rules and priorities are manually configured. This might involve creating custom events to call ad networks not officially supported by the mediation platform or setting up complex waterfall arrangements based on proprietary business logic and fraud analysis.

How Ad network Works

+---------------------+      +---------------------+      +---------------------+
|   Advertiser        |      |     Ad Network      |      |      Publisher's    |
|   (Campaign Setup)  |----->| (Broker/Aggregator) |<-----|      Website/App    |
+---------------------+      +----------+----------+      +---------------------+
                                        |
                                        | Data Flow
                                        v
+---------------------------------------+---------------------------------------+
|                      Traffic Adjudication & Fraud Detection                     |
|                                       |                                       |
|  +-----------------+     +----------------------+     +---------------------+  |
|  |  Data Collector | --> | Rule Engine/ML Model | --> |   Action Engine     |  |
|  | (IP, UA, Click) |     |  (Analyze Patterns)  |     | (Block/Allow/Flag)  |  |
|  +-----------------+     +----------------------+     +----------+----------+  |
|                                                                  |             |
+------------------------------------------------------------------+-------------+
                                                                   |
                                        ┌--------------------------┘
                                        v
                          +--------------------------+
                          | Legitimate User Sees Ad  |
                          +--------------------------+

🧠 Core Detection Logic

Example 1: IP and User Agent Mismatch

This logic identifies a common sign of bot activity where the device information presented does not match what is expected. For example, a request might claim to be from an iOS device but have a user agent string associated with a Windows desktop browser. This fits into traffic protection by flagging inconsistencies that are highly unlikely in legitimate users.

FUNCTION detectMismatch(request):
  user_agent = request.getHeader("User-Agent")
  device_os = request.getDeviceOS()

  is_ios_device = "iPhone" in user_agent or "iPad" in user_agent
  is_windows_os = device_os == "Windows"

  // Rule: An iOS user agent should not originate from a Windows OS
  IF is_ios_device AND is_windows_os THEN
    RETURN "Fraudulent: OS and User-Agent mismatch."
  END IF

  RETURN "Legitimate"
END FUNCTION

Example 2: Click Frequency Throttling

This logic prevents a single user (identified by IP address or device ID) from clicking on the same ad campaign repeatedly in a short time frame. It’s a fundamental defense against simple bots or manual click farms. This is applied post-click to invalidate rapid, successive clicks that drain budgets without genuine interest.

FUNCTION checkClickFrequency(click):
  user_ip = click.getIP()
  campaign_id = click.getCampaignID()
  timestamp = click.getTimestamp()

  // Get the last 5 clicks from this IP for this campaign
  recent_clicks = getRecentClicks(user_ip, campaign_id, limit=5)
  
  // Check if the last click was within the last 10 seconds
  IF recent_clicks.count() > 0 AND (timestamp - recent_clicks.last().timestamp) < 10 seconds THEN
    RETURN "Invalid: Click frequency too high."
  END IF
  
  recordClick(click)
  RETURN "Valid"
END FUNCTION

Example 3: Data Center Traffic Blocking

This logic checks if the incoming traffic originates from a known data center or hosting provider rather than a residential or mobile network. Since legitimate users typically do not browse from servers, this is a strong indicator of non-human traffic. This check is performed pre-bid or pre-request to filter out a significant portion of bot activity.

FUNCTION blockDataCenterTraffic(request):
  ip_address = request.getIP()

  // isDataCenterIP() checks the IP against a known list of data center IP ranges
  IF isDataCenterIP(ip_address) THEN
    RETURN "Blocked: Traffic from data center."
  ELSE
    RETURN "Allowed: Traffic from residential/mobile network."
  END IF
END FUNCTION

📈 Practical Use Cases for Businesses

• Campaign Shielding – Automatically block traffic from known malicious sources, such as data centers and competitor botnets, to prevent budget waste before clicks occur and protect campaign performance.
• Lead Quality Filtering – Ensure that form submissions and leads generated from ad campaigns come from real, interested users by filtering out automated scripts that fill out forms with fake or stolen information.
• Analytics Integrity – Keep marketing analytics clean and reliable by preventing fraudulent clicks and impressions from skewing key performance metrics like click-through rate (CTR) and conversion rate.
• Return on Ad Spend (ROAS) Improvement – Maximize the return on ad spend by ensuring that budget is allocated toward reaching genuine potential customers, not wasted on invalid interactions that provide no value.

Example 1: Geolocation Mismatch Rule

This pseudocode blocks clicks where the IP address's geographic location does not align with the timezone reported by the user's browser or device. This is a common tactic used by fraudsters trying to spoof their location to match a campaign's target audience.

FUNCTION validateGeoMismatch(click):
  ip_geo = getGeoFromIP(click.ip) // e.g., "USA"
  device_timezone = getDeviceTimezone(click.headers) // e.g., "Asia/Tokyo"

  // If the IP is in the US but the device timezone is in Asia, flag it.
  IF ip_geo.country == "USA" AND "Asia/" in device_timezone THEN
    RETURN "BLOCK"
  END IF

  RETURN "ALLOW"
END FUNCTION

Example 2: Session Behavior Scoring

This logic scores a user session based on behavior. A session with unnaturally fast clicks, no mouse movement, or instant bounces is scored as high-risk. This helps identify non-human behavior that simple IP or user-agent checks might miss.

FUNCTION scoreSession(session):
  score = 0
  
  IF session.timeOnPage < 2 seconds THEN
    score += 40
  END IF

  IF session.mouseMovements == 0 THEN
    score += 30
  END IF
  
  IF session.clicks > 5 AND session.timeOnPage < 10 seconds THEN
    score += 30
  END IF

  // A score over 50 is considered suspicious
  IF score > 50 THEN
    RETURN "HIGH_RISK"
  ELSE
    RETURN "LOW_RISK"
  END IF
END FUNCTION

🐍 Python Code Examples

This Python function simulates checking for abnormally frequent clicks from a single IP address within a short time window. It helps block basic bots or manual fraud by defining a reasonable threshold for user interaction, preventing rapid-fire clicks that waste ad spend.

CLICK_LOG = {}
TIME_WINDOW_SECONDS = 10
CLICK_THRESHOLD = 5

def is_click_fraud(ip_address):
    """Checks if an IP has exceeded the click threshold in the time window."""
    import time
    current_time = time.time()
    
    # Filter out old clicks
    if ip_address in CLICK_LOG:
        CLICK_LOG[ip_address] = [t for t in CLICK_LOG[ip_address] if current_time - t < TIME_WINDOW_SECONDS]
    
    # Add current click
    clicks = CLICK_LOG.setdefault(ip_address, [])
    clicks.append(current_time)
    
    # Check if threshold is exceeded
    if len(clicks) > CLICK_THRESHOLD:
        return True
    return False

# --- Simulation ---
# print(is_click_fraud("192.168.1.100")) # Returns False on first few clicks
# for _ in range(6): print(is_click_fraud("192.168.1.101")) # The 6th call will return True

This code filters incoming traffic by examining the `User-Agent` string. It blocks requests from known bot signatures or from headless browsers, which are commonly used for automated ad fraud, ensuring ads are served to genuine users instead of scripts.

import re

SUSPICIOUS_USER_AGENTS = [
    "bot",
    "spider",
    "headlesschrome",
    "phantomjs"
]

def filter_by_user_agent(user_agent_string):
    """Blocks traffic from suspicious user agents."""
    ua_lower = user_agent_string.lower()
    for pattern in SUSPICIOUS_USER_AGENTS:
        if re.search(pattern, ua_lower):
            print(f"Blocking suspicious User-Agent: {user_agent_string}")
            return False
    print(f"Allowing User-Agent: {user_agent_string}")
    return True

# --- Simulation ---
# filter_by_user_agent("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36")
# filter_by_user_agent("MyAwesomeBot/1.0 (+http://example.com/bot)")

Types of Ad network

• Premium Ad Networks – These networks represent high-quality publishers with significant, engaged audiences. For fraud prevention, they typically have stricter traffic quality standards and more robust, built-in filtering, reducing the likelihood of bot traffic and improving advertiser safety.
• Vertical Ad Networks – Focusing on specific industries or niches (e.g., automotive, travel), these networks offer advertisers access to a highly targeted audience. This focus can aid fraud detection by making it easier to spot anomalous behavior that doesn't align with the expected user profile of that vertical.
• Performance-Based Ad Networks – These networks, including affiliate networks, focus on paying for specific actions like conversions or sign-ups (CPA). While this can reduce risk, they are also targets for sophisticated fraud where bots or human farms mimic actions, requiring deeper behavioral analysis to detect.
• Mobile Ad Networks – Specializing in ad inventory within mobile applications, these networks face unique fraud challenges like SDK spoofing and fake app installs. Their detection methods must analyze mobile-specific data points like device IDs and app store information to verify traffic authenticity.
• Video Ad Networks – These networks focus on delivering video ads on platforms like YouTube or within publisher content. Fraud detection here targets inflated view counts from bots designed to watch videos, requiring analysis of viewing patterns and engagement metrics to ensure views are from real users.

How Ad podding Works

User Starts Video → Ad Break Triggered (e.g., Mid-Roll)
                     │
                     ▼
Ad Pod Request │ Sent to Ad Server
     │           ├─ Pod Definition (e.g., 60s total, max 3 ads)
     │           └─ User/Device Data
     │
     ▼
Ad Server Logic │ 1. Selects multiple ads based on bids, targeting & rules
     │            2. Applies Competitive Exclusion & Deduplication
     │            3. Assembles the Ad Pod
     │
     ▼
Ad Pod Response │ Sequenced VAST/VMAP tags sent to Player
                     │
                     ▼
Video Player    │ Plays Ad 1 → Ad 2 → Ad 3 (sequentially)
                     │
                     └─ Content Resumes

🧠 Core Detection Logic

Example 1: Sequential Ad Anomaly Detection

This logic detects non-human patterns in how users interact with ads within a pod. Bots often exhibit predictable, uniform behavior, such as skipping every ad at the exact same millisecond or completing every ad without variation. This system flags users whose interaction patterns across multiple pods are too consistent to be human.

FUNCTION onAdPodComplete(session, pod):
  // Check for unnaturally consistent ad interaction timings
  LET skip_timestamps = session.getInteractionTimestamps("skip")
  IF count(skip_timestamps) > 2:
    LET time_differences = calculateDifferences(skip_timestamps)
    LET variance = calculateVariance(time_differences)
    // Low variance indicates robotic, consistent skip timing
    IF variance < THRESHOLD_LOW_VARIANCE:
      session.flag("Robotic Skip Pattern")
      return

  // Check for impossibly high completion rates across many pods
  LET completion_rate = session.getMetric("ad_completion_rate")
  LET pod_count = session.getMetric("total_pods_viewed")
  IF pod_count > 10 AND completion_rate == 100%:
    session.flag("Unnatural Ad Completion Rate")

Example 2: Competitive Exclusion Violation

This logic is used to identify ad servers or publishers that fail to properly implement competitive separation rules within an ad pod. If a user is served ads from direct competitors (e.g., Coke and Pepsi) within the same pod, it may indicate a misconfigured ad system or even a deliberate attempt to manipulate ad placements. Monitoring this helps ensure brand safety.

FUNCTION onAdPodReceived(pod):
  // IAB category codes are used to identify competitor ads
  LET ad_categories = pod.getAdCategories() // e.g., ["Automotive", "Fast Food", "Automotive"]
  LET unique_categories = unique(ad_categories)

  IF count(ad_categories) != count(unique_categories):
    // This simple check finds duplicate categories, but more advanced logic is needed
    FOR category in unique_categories:
      IF count(ad_categories, category) > 1:
        // More specific check for known competitor categories
        IF isCompetitivePair(pod.getAdsByCategory(category)):
           log_alert("Competitive Exclusion Violation", pod.source)

Example 3: Pod Stacking and Frequency Abuse

This technique detects when a single user session is subjected to an unusually high frequency of ad pods in a short time, a practice known as “ad stacking” or “pod stacking.” This can be a sign of fraudulent activity where a publisher tries to generate more impressions than legitimate viewing patterns would allow. The logic tracks the time between mid-roll pods to identify unnaturally short intervals.

FUNCTION onMidRollPodStart(session, pod):
  LET current_time = now()
  LET last_pod_time = session.getProperty("last_mid_roll_timestamp")

  IF last_pod_time IS NOT NULL:
    LET time_since_last_pod = current_time - last_pod_time
    // Set a minimum acceptable time between mid-roll ad pods
    IF time_since_last_pod < MIN_INTERVAL_SECONDS:
      session.flag("Pod Stacking Anomaly")
      log_fraud_event(session.user_id, "High Frequency Pods")

  session.setProperty("last_mid_roll_timestamp", current_time)

📈 Practical Use Cases for Businesses

Example 1: Competitive Exclusion Rule

// This pseudocode prevents ads from rival brands appearing in the same ad pod.
FUNCTION buildAdPod(request):
  LET pod = createEmptyPod(duration=120)
  LET available_ads = getEligibleAds(request.targeting)
  LET pod_categories = []

  FOR ad in available_ads:
    IF ad.category NOT IN pod_categories AND NOT isCompetitor(ad.category, pod_categories):
      addAdToPod(pod, ad)
      pod_categories.add(ad.category)
      IF pod.isFull():
        break

  RETURN pod

Example 2: Frequency Capping Across a Pod

// This logic limits how many times a single user sees the same ad creative within a viewing session.
FUNCTION onAdRequest(user_profile, request):
  LET creative_view_counts = user_profile.getCreativeViewCounts()
  LET pod_ads = selectAdsForPod(request)
  LET filtered_ads = []

  FOR ad in pod_ads:
    // Check if the creative has reached its frequency cap for this user.
    IF creative_view_counts.get(ad.creative_id, 0) < MAX_VIEWS_PER_USER:
      filtered_ads.add(ad)
      user_profile.incrementCreativeViewCount(ad.creative_id)

  RETURN filtered_ads

🐍 Python Code Examples

This code simulates checking an incoming ad pod for duplicate creatives. Fraudulent or poorly configured systems might serve the same ad multiple times in a single break, and this function helps detect such cases by checking the creative IDs within a list of ads.

def check_for_duplicate_creatives(ad_pod):
    """
    Analyzes an ad pod to detect duplicate creative IDs.
    Args:
        ad_pod (list): A list of dictionaries, where each dict represents an ad.
    Returns:
        bool: True if duplicates are found, False otherwise.
    """
    creative_ids = [ad.get('creative_id') for ad in ad_pod]
    return len(creative_ids) != len(set(creative_ids))

# Example Usage
pod_with_duplicates = [
    {'ad_id': '123', 'creative_id': 'A'},
    {'ad_id': '456', 'creative_id': 'B'},
    {'ad_id': '789', 'creative_id': 'A'} # Duplicate creative
]
print(f"Pod has duplicates: {check_for_duplicate_creatives(pod_with_duplicates)}")

This script demonstrates a basic implementation of a competitive exclusion rule. It prevents ads from specified competitor categories (e.g., two different car companies) from being included in the same ad pod, which is a crucial feature for maintaining brand safety and advertiser satisfaction.

def apply_competitive_exclusion(ad_pod, new_ad, competitor_map):
    """
    Checks if a new ad belongs to a category that competes with ads already in the pod.
    Args:
        ad_pod (list): The list of ads currently in the pod.
        new_ad (dict): The new ad to be potentially added.
        competitor_map (dict): A map defining competitive categories.
    Returns:
        bool: True if the ad can be added, False otherwise.
    """
    new_ad_category = new_ad.get('category')
    for existing_ad in ad_pod:
        existing_ad_category = existing_ad.get('category')
        if new_ad_category in competitor_map.get(existing_ad_category, []):
            return False
    return True

# Example Usage
competitors = {'automotive': ['automotive_luxury'], 'soda': ['juice']}
pod = [{'ad_id': '111', 'category': 'automotive'}]
new_ad_ok = {'ad_id': '222', 'category': 'soda'}
new_ad_bad = {'ad_id': '333', 'category': 'automotive_luxury'}

print(f"Can add second ad: {apply_competitive_exclusion(pod, new_ad_ok, competitors)}")
print(f"Can add third ad: {apply_competitive_exclusion(pod, new_ad_bad, competitors)}")

Types of Ad podding

How Ad publisher Works

USER VISIT --> [Publisher Website] --> Ad Request ---+
                                                    |
                                          +---------v---------+
                                          | Ad Security       |
                                          | System            |
                                          +----+--------------+
                                               |
                                     +---------v---------+
                                     | Analysis Engine   |
                                     | (Rules & Models)  |
                                     +---------+---------+
                                               |
                                     Is Request Valid?
                                    /                 
                                  YES                  NO
                                 /                      
                      +----------v+                  +----v-----+
                      | Serve Ad  |                  | Block &  |
                      | to User   |                  | Log      |
                      +-----------+                  +----------+

🧠 Core Detection Logic

Example 1: Repetitive Action Analysis

This logic identifies non-human behavior by tracking the frequency of clicks from a single source within a short time frame. It’s a fundamental technique to catch basic bots or click farms programmed to perform repetitive actions. This check typically happens at the ad server or a dedicated anti-fraud layer before the click is billed.

FUNCTION repetitiveClickFilter(clickEvent):
  // Define time window and click threshold
  TIME_WINDOW = 60 // seconds
  MAX_CLICKS = 5

  // Get user identifier (IP address or device ID)
  user_id = clickEvent.ip_address

  // Retrieve user's click history from cache
  click_history = cache.get(user_id)

  // Filter history for recent clicks
  recent_clicks = filter(click_history, c -> c.timestamp > NOW - TIME_WINDOW)

  // Check if click count exceeds the limit
  IF count(recent_clicks) >= MAX_CLICKS:
    // Flag as fraudulent and block
    RETURN {is_fraud: TRUE, reason: "Repetitive clicks from same IP"}
  ELSE:
    // Add current click to history and allow
    cache.append(user_id, clickEvent)
    RETURN {is_fraud: FALSE}

Example 2: User-Agent and Header Validation

This method inspects the technical information sent by the user’s browser or device. Bots often use outdated, generic, or inconsistent user-agent strings that don’t match known legitimate browser signatures. This server-side check is effective for filtering out low-sophistication automated traffic.

FUNCTION headerValidation(request):
  user_agent = request.headers['User-Agent']
  
  // List of known fraudulent or suspicious user-agent strings
  BLACKLIST = ["DataCenterBrowser/1.0", "HeadlessChrome", "BotAgent/2.1"]

  // Check against blacklist
  FOR signature in BLACKLIST:
    IF signature IN user_agent:
      RETURN {is_fraud: TRUE, reason: "Blacklisted user-agent"}

  // Check for inconsistencies (e.g., a mobile UA on a desktop OS)
  is_mobile_ua = "Mobi" in user_agent
  os_header = request.headers['Sec-CH-UA-Platform']
  
  IF is_mobile_ua AND os_header == ""Windows"":
      RETURN {is_fraud: TRUE, reason: "User-agent and platform mismatch"}

  RETURN {is_fraud: FALSE}

Example 3: Behavioral Heuristics (Time-to-Click)

This logic analyzes the time elapsed between an ad being displayed (impression) and the user clicking on it. Clicks that occur almost instantaneously are physically impossible for a human to perform and are a strong indicator of an automated script. This helps distinguish real user engagement from bot activity.

FUNCTION timeToClickAnalysis(impressionEvent, clickEvent):
  MIN_TIME_THRESHOLD = 0.5 // seconds, plausible minimum for human interaction

  // Calculate time difference
  time_diff = clickEvent.timestamp - impressionEvent.timestamp

  // Check if the time difference is impossibly short
  IF time_diff < MIN_TIME_THRESHOLD:
    RETURN {is_fraud: TRUE, reason: "Click occurred too fast after impression"}
  ELSE:
    RETURN {is_fraud: FALSE}

📈 Practical Use Cases for Businesses

• Budget Protection – By scrutinizing publisher traffic, businesses can block payments for fake clicks and impressions, directly preventing the waste of advertising funds on traffic that has no potential to convert.
• Data Integrity – Filtering fraudulent activity from publishers ensures that campaign analytics (like CTR and conversion rates) are accurate, allowing marketers to make better decisions based on real user engagement.
• Return on Ad Spend (ROAS) Improvement – Ensuring ads are shown to real humans on legitimate publisher sites means that the budget is spent on potential customers, leading to more efficient campaigns and a higher ROAS.
• Publisher Quality Control – Ad networks and exchanges use traffic analysis to continuously vet publishers, removing those who consistently provide low-quality or fraudulent traffic, thereby cleaning up the entire ad ecosystem.

Example 1: Publisher Geofencing Rule

This pseudocode demonstrates a common rule applied by advertisers to reject traffic from publishers located in regions outside the campaign's target market. This is a simple yet effective way to prevent paying for clicks that have zero geographic relevance.

// Rule: Block clicks from publishers in non-targeted countries

FUNCTION checkPublisherGeo(publisher, campaign):
  
  // Get the list of countries the campaign is targeting
  allowed_countries = campaign.geo_targets // e.g., ["US", "CA", "GB"]
  
  // Get the publisher's registered country
  publisher_country = publisher.country // e.g., "RU"
  
  // Check if the publisher's country is in the allowed list
  IF publisher_country NOT IN allowed_countries:
    // Reject the click and log the reason
    log("Blocked click from non-targeted publisher country: " + publisher_country)
    RETURN FALSE
  ELSE:
    // Allow the click
    RETURN TRUE

Example 2: Session Scoring Logic

This logic scores traffic from a publisher based on multiple risk factors. Instead of a simple block/allow decision, it assigns a fraud score. Publishers consistently sending high-scoring (high-risk) traffic can be automatically deprioritized or flagged for manual review.

// Rule: Score publisher traffic based on risk signals

FUNCTION scorePublisherSession(session):
  
  score = 0
  
  // Signal 1: Is the IP from a data center?
  IF isDataCenterIP(session.ip_address):
    score += 40
    
  // Signal 2: Is the user agent a known bot?
  IF isKnownBot(session.user_agent):
    score += 50
    
  // Signal 3: Is there no mouse movement?
  IF session.mouse_events_count == 0:
    score += 10
    
  // If score exceeds a threshold, flag the publisher
  IF score > 75:
    flagPublisherForReview(session.publisher_id, "High fraud score: " + str(score))
    
  RETURN score

🐍 Python Code Examples

This Python function simulates detecting abnormally frequent clicks from a single IP address. By tracking click timestamps, it can flag IPs that exceed a reasonable click threshold within a defined time window, a common sign of bot activity from a compromised publisher.

from collections import defaultdict
import time

# Store click timestamps for each IP
ip_clicks = defaultdict(list)
CLICK_LIMIT = 10
TIME_PERIOD = 60  # seconds

def is_click_fraud(ip_address):
    """Checks if an IP has an abnormal click frequency."""
    current_time = time.time()
    
    # Remove old timestamps that are outside the time period
    ip_clicks[ip_address] = [t for t in ip_clicks[ip_address] if current_time - t < TIME_PERIOD]
    
    # Add the new click
    ip_clicks[ip_address].append(current_time)
    
    # Check if the click count exceeds the limit
    if len(ip_clicks[ip_address]) > CLICK_LIMIT:
        print(f"Fraud detected for IP: {ip_address}. Too many clicks.")
        return True
        
    return False

# --- Simulation ---
# Legitimate clicks
for _ in range(5):
    is_click_fraud("192.168.1.1")
    time.sleep(1)

# Fraudulent burst of clicks
for _ in range(15):
    is_click_fraud("10.0.0.5")

This script filters traffic based on suspicious User-Agent strings. Publishers sending traffic from data centers or using non-standard browser identifiers can be identified and blocked, helping to eliminate non-human traffic sources from ad campaigns.

def filter_suspicious_user_agents(request_data):
    """Identifies requests from suspicious user agents."""
    user_agent = request_data.get('user_agent', '').lower()
    
    # Common signatures of bots or non-human traffic
    suspicious_signatures = ['bot', 'headless', 'spider', 'crawler', 'python-requests']
    
    for signature in suspicious_signatures:
        if signature in user_agent:
            print(f"Suspicious User-Agent blocked: {request_data.get('user_agent')}")
            return False # Block request
            
    return True # Allow request

# --- Simulation ---
legit_request = {'ip': '8.8.8.8', 'user_agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36'}
bot_request = {'ip': '1.2.3.4', 'user_agent': 'My-Cool-Bot/1.0'}

filter_suspicious_user_agents(legit_request)
filter_suspicious_user_agents(bot_request)

Types of Ad publisher

• Click Farms - These are low-wage workers hired to manually click on ads. This type of fraud is harder to detect than bots because it involves real human interaction, but traffic often originates from specific geographic locations and exhibits unnatural engagement patterns.
• Botnets - Networks of compromised computers or servers are programmed to generate fraudulent clicks or impressions automatically. This allows for large-scale fraud that can mimic human behavior by rotating IPs and user agents, though patterns can be detected with advanced analysis.
• Ad Stacking - A fraudulent publisher loads multiple ads on top of each other in a single ad slot. While only the top ad is visible to the user, impressions are counted for all of them. This technique inflates impression counts to generate more revenue from advertisers.
• Domain Spoofing - This occurs when a low-quality or fraudulent publisher impersonates a legitimate, premium website to trick advertisers into buying their ad space at a higher price. This misleads advertisers about where their ads are actually being shown.
• Pixel Stuffing - A publisher places one or more ads inside a 1x1 pixel, making them invisible to the human eye but still registering an impression. This is a common way to generate a high volume of fraudulent impressions without impacting the user experience.

How Ad revenue Works

[Incoming Traffic] → +-----------------------+ → +-----------------------+ → +-----------------+ → [Action]
                     │   Initial Analysis    │   │  Behavioral Scoring   │   │  Threat Database  │   └─ Block
                     │  (IP, User-Agent)     │   │ (Heuristics, Patterns)│   │   (Known Frauds)  │   └─ Allow
                     +-----------------------+   +-----------------------+   +-----------------+

🧠 Core Detection Logic

Example 1: Session Velocity Analysis

This logic tracks the frequency and speed of actions within a single user session to detect non-human behavior. It is applied post-click to analyze patterns and identify bots that generate an impossibly high volume of clicks faster than a human could, helping to invalidate fraudulent traffic before it is billed.

function checkSessionVelocity(session) {
  const CLICK_THRESHOLD = 5; // Max clicks
  const TIME_WINDOW_MS = 10000; // In 10 seconds

  let recentClicks = session.clicks.filter(c => 
    (Date.now() - c.timestamp) < TIME_WINDOW_MS
  );

  if (recentClicks.length > CLICK_THRESHOLD) {
    return "FRAUDULENT";
  }
  return "VALID";
}

Example 2: Geographic Mismatch Detection

This logic compares the geographic location of a user’s IP address with the location reported by their browser or device. Significant discrepancies often indicate the use of a proxy or VPN to mask the true origin, a common tactic in click fraud. This check is performed in real-time before an ad is served.

function checkGeoMismatch(ipInfo, browserInfo) {
  const ipCountry = ipInfo.country;
  const browserCountry = browserInfo.locale.country;
  
  if (ipCountry !== browserCountry) {
    // Add tolerance for known CDNs or corporate networks
    if (!isToleratedMismatch(ipInfo)) {
      return "SUSPICIOUS";
    }
  }
  return "OK";
}

Example 3: Bot-Trap Interaction

This method involves placing invisible “honeypot” elements on a webpage that are hidden from human users but detectable by automated scripts. If a “user” interacts with this invisible trap (e.g., clicks a 1×1 pixel link), they are immediately identified as a bot. This is a proactive, real-time detection technique.

// HTML element (invisible to users)
// <a id="bot-trap" href="#" style="position:absolute;left:-9999px;"></a>

// Detection Logic
let isBot = false;
document.getElementById("bot-trap").addEventListener("click", function() {
  isBot = true;
  // Flag this session ID as a bot for blocking
  blockSession("current_session_id");
});

📈 Practical Use Cases for Businesses

Example 1: Geofencing Rule

This pseudocode demonstrates a rule that blocks traffic from locations outside the campaign’s target geography, a common method to filter out clicks from irrelevant regions or known click farms.

// Define target regions for the campaign
TARGET_COUNTRIES = ["US", "CA", "GB"];

function filterByGeo(request) {
  user_country = getCountryFromIP(request.ip);

  if (TARGET_COUNTRIES.includes(user_country)) {
    return "ALLOW_TRAFFIC";
  } else {
    // Block traffic from non-target countries
    return "BLOCK_TRAFFIC";
  }
}

Example 2: Traffic Source Scoring

This logic scores incoming traffic based on the referring domain. Traffic from known, reputable sources gets a positive score, while traffic from suspicious or unlisted referrers gets a negative score, helping to block low-quality sources.

// Predefined scores for different traffic sources
SOURCE_SCORES = {
  "google.com": 10,
  "facebook.com": 10,
  "suspicious-domain.xyz": -20,
  "anonymous-proxy.net": -50
};

function scoreTrafficSource(request) {
  let referrer = getReferrer(request.headers);
  let score = SOURCE_SCORES[referrer] || 0; // Default score is 0

  if (score < -10) {
    return "BLOCK_TRAFFIC";
  }
  return "ALLOW_TRAFFIC";
}

🐍 Python Code Examples

This code simulates checking for abnormally high click frequency from a single IP address. If an IP exceeds a certain number of clicks within a short time frame, it is flagged as suspicious, which helps identify automated bot activity.

from collections import defaultdict
import time

CLICK_LOG = defaultdict(list)
TIME_WINDOW = 60  # seconds
CLICK_THRESHOLD = 15 # max clicks in window

def is_click_fraud(ip_address):
    """Checks if an IP has excessive click frequency."""
    current_time = time.time()
    
    # Filter out old timestamps
    CLICK_LOG[ip_address] = [t for t in CLICK_LOG[ip_address] if current_time - t < TIME_WINDOW]
    
    # Add new click timestamp
    CLICK_LOG[ip_address].append(current_time)
    
    # Check if threshold is exceeded
    if len(CLICK_LOG[ip_address]) > CLICK_THRESHOLD:
        print(f"Fraud Detected: IP {ip_address} exceeded {CLICK_THRESHOLD} clicks in {TIME_WINDOW}s.")
        return True
    return False

# Simulation
is_click_fraud("192.168.1.100") # Returns False
# Simulate rapid clicks
for _ in range(20):
    is_click_fraud("203.0.113.55")

This example demonstrates how to filter incoming web traffic based on a blocklist of known bot user-agents. Requests from user-agents matching the list are immediately discarded, preventing them from consuming ad resources.

BOT_USER_AGENTS = {
    "Googlebot", # Example of a good bot to allow
    "AhrefsBot",
    "SemrushBot",
    "BadBot/1.0",
    "FraudulentScanner/2.1"
}

ALLOWED_BOTS = {"Googlebot"}

def filter_by_user_agent(request_headers):
    """Filters traffic based on user agent blocklist."""
    user_agent = request_headers.get("User-Agent", "Unknown")
    
    # Check if the user agent belongs to a known bot
    for bot_ua in BOT_USER_AGENTS:
        if bot_ua in user_agent and bot_ua not in ALLOWED_BOTS:
            print(f"Blocking known bot: {user_agent}")
            return False # Block request
            
    return True # Allow request

# Simulation
headers_bot = {"User-Agent": "Mozilla/5.0 (compatible; BadBot/1.0;)"}
headers_human = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ..."}

filter_by_user_agent(headers_bot) # Returns False
filter_by_user_agent(headers_human) # Returns True

Types of Ad revenue

• Real-Time Filtering – This method analyzes traffic signals the moment a visitor lands on a page, before an ad is served. It uses data like IP reputation, device fingerprint, and user-agent to make an instant decision to block or allow the ad request, preventing fraud before it happens.
• Post-Click Analysis – This type of protection evaluates clicks after they have already occurred. By analyzing patterns, conversion rates, and session behavior associated with clicks from a specific source, it identifies anomalous activity and allows advertisers to request refunds for traffic deemed fraudulent after the fact.
• Behavioral Heuristics – This approach focuses on how a user interacts with a site. It detects non-human patterns like impossibly fast clicking, lack of mouse movement, or perfect linear scrolling. This is effective against sophisticated bots that can mimic basic human characteristics but fail to replicate nuanced behavior.
• IP-Based Blocking – One of the most fundamental methods, this involves maintaining and using blacklists of IP addresses known to be sources of fraud. This includes data center IPs, proxies, and IPs previously flagged for suspicious activity. It's a straightforward way to block known bad actors from seeing ads.
• Signature-Based Detection – This technique identifies bots by looking for unique identifiers or "signatures" in their code or behavior. Much like antivirus software, it scans incoming traffic for patterns matching a database of known fraudulent scripts, making it highly effective against recognized threats but less so against new ones.