Monthly active users

What Are Monthly Active Users?

Monthly active users (MAU) is a metric counting unique users who engage with a property within a 30-day period. In fraud prevention, it establishes a baseline of normal, legitimate user activity. By analyzing deviations from this baseline, it helps identify suspicious traffic patterns indicative of click fraud.

How Monthly Active User Analysis Works

Incoming Traffic (Clicks/Impressions)
           β”‚
           β–Ό
+---------------------+
β”‚   Data Collection   β”‚
β”‚ (IP, User Agent,    β”‚
β”‚ Timestamp, Action)  β”‚
+---------------------+
           β”‚
           β–Ό
+--------------------------------+
β”‚      User Identification       β”‚
β”‚  (Device ID, User Cookie,      β”‚
β”‚     or Fingerprinting)         β”‚
+--------------------------------+
           β”‚
           β–Ό
+--------------------------------+
β”‚     Monthly Active User        β”‚
β”‚          (MAU) Database        β”‚
β”‚      (List of Unique Users     β”‚
β”‚       in the last 30 days)     β”‚
+--------------------------------+
           β”‚
           β”œβ”€ Legitimate User ─────> Counted in MAU, Traffic Allowed
           β”‚
           └─ New/Unseen User
                       β”‚
                       β–Ό
             +-------------------------+
             β”‚   Behavioral Analysis   β”‚
             β”‚  (Frequency, Patterns,  β”‚
             β”‚       Heuristics)       β”‚
             +-------------------------+
                       β”‚
                       β”œβ”€ Anomaly Detected (Bot/Fraud) ──> Block & Report
                       β”‚
                       └─ Human-like Behavior ──────────> Add to MAU, Traffic Allowed

Analyzing Monthly Active Users (MAU) to protect against ad fraud is a process of separating legitimate human users from bots or fraudulent actors by tracking unique, recurring engagement over a 30-day period. This method establishes a baseline of expected user behavior, making it easier to spot anomalies that signal automated or malicious activity.

Data Collection and User Identification

The process begins the moment a user interacts with an ad or website. The system collects critical data points for each interaction, including the user’s IP address, device type, operating system, browser (user agent), and the specific action taken (e.g., click, impression, conversion). To track users accurately over time, the system assigns a unique identifier. This can be a cookie stored in the browser, a device ID from a mobile app, or a more sophisticated device fingerprint created by combining various hardware and software attributes. This ensures that a returning user is recognized, even if their IP address changes.
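
The identification step can be sketched in a few lines of Python. The attribute set and hashing scheme below are illustrative assumptions, not any vendor's actual method; the point is that volatile fields like the IP address are logged with the event but excluded from the fingerprint, so the identifier survives IP changes.

```python
import hashlib

def make_fingerprint(user_agent, os_name, screen_res):
    """Hash stable device/browser attributes into a persistent identifier.

    Illustrative only: real fingerprinting combines many more signals
    (fonts, canvas, hardware) and weights them for stability.
    """
    raw = "|".join([user_agent, os_name, screen_res])
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()[:16]

# Each interaction is logged with its raw attributes plus the derived ID.
# The volatile IP is kept for analysis but excluded from the fingerprint,
# so the same user is recognized even after their IP changes.
event = {
    "ip": "203.0.113.7",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "os": "Windows 10",
    "screen": "1920x1080",
    "action": "click",
}
event["user_id"] = make_fingerprint(event["user_agent"], event["os"], event["screen"])
```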

MAU Baselining and Validation

The system maintains a database of all unique users who have engaged with the property in the last 30 daysβ€”the MAU list. When a new interaction occurs, the system checks if the user’s identifier is already on this list. If the user is a known active user, their traffic is typically considered legitimate and allowed to pass. If the user is new or hasn’t been seen in the last 30 days, they are subjected to further scrutiny to validate their authenticity before being added to the active user list.
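
A minimal in-memory sketch of this lookup, assuming a simple map of user IDs to last-seen timestamps (a production system would use a database with indexed identifiers and automatic expiry):

```python
import time

SECONDS_30_DAYS = 30 * 24 * 3600

class MauStore:
    """In-memory stand-in for the MAU database (illustrative only)."""

    def __init__(self):
        self.last_seen = {}  # user_id -> timestamp of last activity

    def is_known_active(self, user_id, now=None):
        """True if this user was seen within the trailing 30-day window."""
        now = time.time() if now is None else now
        ts = self.last_seen.get(user_id)
        return ts is not None and now - ts <= SECONDS_30_DAYS

    def record_activity(self, user_id, now=None):
        self.last_seen[user_id] = time.time() if now is None else now

store = MauStore()
store.record_activity("user-a", now=1_000_000)
print(store.is_known_active("user-a", now=1_000_000 + 86400))       # True: seen yesterday
print(store.is_known_active("user-a", now=1_000_000 + 40 * 86400))  # False: aged out of the window
```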

Fraud Detection and Filtering

For new or unverified users, the system applies a series of fraud detection rules. It analyzes the frequency of their clicks, the time between actions, and other behavioral patterns. For example, an abnormally high number of clicks from a single new user in a very short period is a strong indicator of bot activity. If the user’s behavior matches known fraud patterns or violates predefined thresholds, the system flags the traffic as fraudulent, blocks it from affecting the campaign, and reports the incident. Legitimate new users are added to the MAU database, refining the baseline for future analysis.

ASCII Diagram Breakdown

  • Incoming Traffic: Represents the raw flow of clicks and impressions from ad networks that need to be analyzed.
  • Data Collection: This stage captures essential attributes of each traffic event, such as IP address and user agent, which serve as the raw data for analysis.
  • User Identification: This is where a unique identity is assigned to the visitor using cookies or fingerprinting, allowing the system to distinguish between different users.
  • Monthly Active User (MAU) Database: A list of all unique users identified as legitimate within the past 30 days. It acts as an “allowlist” of trusted visitors.
  • Behavioral Analysis: New, unrecognized users are sent here for deeper inspection. Their click frequency and interaction patterns are compared against heuristic rules to detect non-human behavior.
  • Anomaly Detected (Bot/Fraud): If the analysis flags the user as suspicious, their traffic is blocked, preventing ad spend waste and data contamination.
  • Human-like Behavior: If the new user passes the analysis, they are added to the MAU database and their traffic is allowed.

🧠 Core Detection Logic

Example 1: High-Frequency Click Analysis

This logic identifies non-human traffic by detecting an abnormally high number of clicks from a single user (identified by a cookie or device fingerprint) within a short timeframe. It’s a core component of real-time bot detection, as automated scripts often generate clicks far faster than a human can.

FUNCTION check_click_frequency(user_id, current_timestamp):
  // Define time window and click threshold
  TIME_WINDOW = 60 // seconds
  MAX_CLICKS_PER_WINDOW = 5

  // Get user's click history
  user_clicks = get_clicks_for_user(user_id)

  // Filter clicks within the last minute
  recent_clicks = filter_clicks_by_time(user_clicks, current_timestamp - TIME_WINDOW)

  // Check if click count exceeds the threshold
  IF count(recent_clicks) > MAX_CLICKS_PER_WINDOW:
    RETURN "FRAUDULENT"
  ELSE:
    RETURN "VALID"
  ENDIF

Example 2: New User IP and User-Agent Mismatch

This logic flags new users whose IP address geolocation does not align with their device’s language or timezone settings. This is often used to catch sophisticated bots that use proxies to mask their origin, as the device-level settings may still reveal the mismatch.

FUNCTION validate_new_user_geo(ip_address, device_language, device_timezone):
  // Get location info from IP
  ip_geo_country = get_country_from_ip(ip_address)

  // Get expected country from device settings
  expected_country_from_lang = get_country_from_language(device_language)
  expected_country_from_zone = get_country_from_timezone(device_timezone)

  // Check for mismatches
  IF ip_geo_country != expected_country_from_lang AND ip_geo_country != expected_country_from_zone:
    RETURN "SUSPICIOUS"
  ELSE:
    RETURN "VALID"
  ENDIF
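
The same check in runnable Python, with toy lookup tables standing in for a real GeoIP database and locale maps (all the mappings below are illustrative):

```python
# Toy lookup tables; a real system would use a GeoIP database and full
# language/timezone-to-country maps.
IP_TO_COUNTRY = {"198.51.100.1": "DE", "203.0.113.7": "US"}
LANG_TO_COUNTRY = {"de-DE": "DE", "en-US": "US"}
TZ_TO_COUNTRY = {"Europe/Berlin": "DE", "America/New_York": "US"}

def validate_new_user_geo(ip, language, timezone):
    ip_country = IP_TO_COUNTRY.get(ip)
    # Flag only when the IP disagrees with *both* device-level signals.
    if (ip_country != LANG_TO_COUNTRY.get(language)
            and ip_country != TZ_TO_COUNTRY.get(timezone)):
        return "SUSPICIOUS"
    return "VALID"

print(validate_new_user_geo("198.51.100.1", "de-DE", "Europe/Berlin"))     # VALID
print(validate_new_user_geo("198.51.100.1", "en-US", "America/New_York"))  # SUSPICIOUS
```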

Example 3: MAU Population Anomaly

This logic monitors the overall growth rate of the Monthly Active Users list. A sudden, massive spike in “new” unique users, especially from a single traffic source or campaign, can indicate a large-scale bot attack rather than genuine organic growth. It helps detect coordinated fraud that might otherwise go unnoticed at the individual user level.

FUNCTION check_mau_growth_rate(new_users_today, traffic_source):
  // Get historical average new users for this source
  historical_avg = get_historical_avg_new_users(traffic_source)
  standard_deviation = get_standard_deviation(traffic_source)

  // Define anomaly threshold (e.g., 3 standard deviations above average)
  anomaly_threshold = historical_avg + (3 * standard_deviation)

  // Check if today's new user count is an outlier
  IF new_users_today > anomaly_threshold:
    // Trigger alert for manual review of the traffic source
    log_alert("Unusual MAU growth from source: " + traffic_source)
    RETURN "ANOMALY_DETECTED"
  ELSE:
    RETURN "NORMAL_GROWTH"
  ENDIF
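
A runnable equivalent using the standard library's statistics module; the daily history below is made up for illustration:

```python
import statistics

def check_mau_growth(new_users_today, daily_history):
    """Flag today's count if it exceeds mean + 3 sample standard deviations."""
    avg = statistics.mean(daily_history)
    threshold = avg + 3 * statistics.stdev(daily_history)
    return "ANOMALY_DETECTED" if new_users_today > threshold else "NORMAL_GROWTH"

# Made-up history of daily new users from one traffic source
history = [480, 510, 495, 505, 520, 490, 500]
print(check_mau_growth(530, history))   # NORMAL_GROWTH (within ~3 sigma)
print(check_mau_growth(5000, history))  # ANOMALY_DETECTED
```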

πŸ“ˆ Practical Use Cases for Businesses

  • Campaign Shielding: Actively filters out bot clicks and other forms of invalid traffic from paid campaigns in real time, ensuring that the ad budget is spent on reaching genuine potential customers and not wasted on fraudulent interactions.
  • Analytics Purification: By preventing fake users from contaminating traffic data, businesses can ensure their analytics dashboards reflect true user engagement. This leads to more accurate insights into customer behavior, conversion rates, and campaign performance.
  • Return on Ad Spend (ROAS) Improvement: Blocking fraudulent clicks directly improves ROAS by lowering the cost per acquisition (CPA). With a cleaner traffic stream, conversion rates increase, and marketing budgets become more efficient, leading to higher overall profitability.
  • Competitor Sabotage Prevention: Identifies and blocks malicious clicking activity from competitors who aim to exhaust a business’s advertising budget prematurely. This protects a company’s market presence and ensures its ads remain visible to actual customers.

Example 1: Geolocation Mismatch Rule

This rule is used to block traffic where the user’s IP address location is inconsistent with the campaign’s target geography, a common sign of proxy or VPN usage by bots.

RULE "Geo-Mismatch"
WHEN
  user.ip_geolocation.country IS_NOT "USA"
  AND campaign.target_country IS "USA"
THEN
  ACTION block_traffic
  REASON "Traffic origin outside of campaign target area"
END

Example 2: Session Behavior Scoring

This logic assigns a risk score to a user session based on behavior. A session with zero mouse movement, instant clicks, and no time spent on the landing page would receive a high fraud score and be blocked.

FUNCTION calculate_session_score(session_data):
  score = 0
  IF session_data.mouse_events < 2:
    score += 40
  ENDIF
  IF session_data.time_on_page < 1: // less than 1 second
    score += 50
  ENDIF
  IF session_data.is_from_datacenter_ip:
    score += 60
  ENDIF

  // If score exceeds threshold, block user
  IF score > 90:
    RETURN "BLOCK"
  ELSE:
    RETURN "ALLOW"
  ENDIF

Example 3: Device Signature Match

This rule identifies and blocks traffic from devices with known fraudulent signatures (e.g., outdated browsers, mismatched user agents, or emulator characteristics).

RULE "Suspicious Device Signature"
WHEN
  user.device_signature.is_emulator IS TRUE
  OR user.http_headers['User-Agent'] MATCHES_ANY ["OutdatedBotBrowser/1.0", "FraudulentUserAgentString"]
THEN
  ACTION block_traffic
  REASON "Device characteristics match known fraud patterns"
END

🐍 Python Code Examples

This Python function simulates checking for rapid, successive clicks from the same IP address, a common indicator of a simple bot. It helps block basic automated scripts by tracking click timestamps within a defined interval.

from collections import deque
import time

# Dictionary to store click timestamps for each IP
ip_click_log = {}

def is_rapid_fire_click(ip_address, max_clicks=5, time_window=10):
    """Checks if an IP has too many clicks in a short time window."""
    current_time = time.time()
    
    if ip_address not in ip_click_log:
        ip_click_log[ip_address] = deque()

    # Remove clicks older than the time window
    while ip_click_log[ip_address] and ip_click_log[ip_address][0] < current_time - time_window:
        ip_click_log[ip_address].popleft()
    
    # Add the new click
    ip_click_log[ip_address].append(current_time)
    
    # Check if the number of clicks exceeds the max
    if len(ip_click_log[ip_address]) > max_clicks:
        print(f"Fraudulent activity detected from IP: {ip_address}")
        return True
        
    return False

# Example Usage
is_rapid_fire_click("123.45.67.89") # Returns False
# Simulate 6 quick clicks
for _ in range(6):
    is_rapid_fire_click("123.45.67.89") # Final call returns True

This script filters incoming traffic by inspecting the User-Agent string. It helps in blocking traffic from known bots or suspicious clients that do not conform to standard browser patterns, thereby filtering out low-quality traffic.

def filter_suspicious_user_agents(user_agent_string):
    """Blocks traffic from known suspicious user agents."""
    suspicious_ua_list = [
        "bot", "spider", "crawler", "headlesschrome"
    ]
    
    ua_lower = user_agent_string.lower()
    
    for suspicious_ua in suspicious_ua_list:
        if suspicious_ua in ua_lower:
            print(f"Blocking suspicious User-Agent: {user_agent_string}")
            return True # Block the request
            
    return False # Allow the request

# Example Usage
filter_suspicious_user_agents("Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)") # Returns True
filter_suspicious_user_agents("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36") # Returns False

Types of Monthly Active User Analysis

  • Segmented MAU Analysis: This approach breaks down monthly active users into segments based on criteria like traffic source, geography, or device type. It helps pinpoint fraud by revealing anomalies within specific segments, such as a disproportionately high number of new users from a single, low-quality publisher.
  • Behavioral MAU Cohorts: Users are grouped into cohorts based on their on-site actions (e.g., pages visited, session duration, conversion events). A cohort of “active” users with near-zero session times and no post-click activity is a strong indicator of sophisticated bot traffic that mimics unique user counts.
  • Returning vs. New MAU Ratio: This method monitors the ratio of new users to returning users within the monthly active count. A sudden and drastic shift in this ratio, such as an explosion of new users with no history, can signal a large-scale bot attack designed to inflate traffic numbers.
  • Cross-Device MAU Identification: This technique uses device fingerprinting and user logins to identify a single unique user across multiple devices (desktop, mobile, tablet). It prevents fraudsters from appearing as multiple “monthly active users” simply by switching devices to generate invalid clicks.
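
The returning-vs-new ratio described above reduces to a one-line computation; the example numbers and thresholds in the comments are illustrative, not industry standards:

```python
def new_to_returning_ratio(new_users, returning_users):
    """Share of this month's active users that have no prior history."""
    total = new_users + returning_users
    return new_users / total if total else 0.0

# A jump from a stable ~0.3 to ~0.9 without a matching marketing push is a
# classic signature of bot-driven MAU inflation.
print(new_to_returning_ratio(3000, 7000))   # 0.3 -> plausible organic mix
print(new_to_returning_ratio(45000, 5000))  # 0.9 -> investigate the source
```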

πŸ›‘οΈ Common Detection Techniques

  • IP Reputation Analysis: This technique checks the user’s IP address against global blacklists of known proxies, VPNs, and data centers. It effectively blocks traffic from sources commonly used by bots to mask their origin and automate fraudulent clicks.
  • Behavioral Heuristics: The system analyzes user interaction patterns, such as click frequency, mouse movements, and session duration. Actions that are too fast, too repetitive, or lack human-like randomness are flagged as bot activity.
  • Device Fingerprinting: This method collects a unique set of attributes from a user’s device (e.g., OS, browser, screen resolution) to create a persistent identifier. It helps detect when a single entity attempts to pose as multiple unique users to commit fraud.
  • Geographic and Contextual Mismatch: This technique flags traffic as suspicious if there are inconsistencies between the user’s IP location, language settings, and the context of the ad campaign. For example, a click from a datacenter in one country on an ad targeting a different country is a strong red flag.
  • Honeypot Traps: Invisible links or buttons (honeypots) are placed on a webpage where no real user would click. Automated bots that crawl and click everything on a page will interact with these traps, instantly revealing themselves as non-human traffic.
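
A server-side honeypot check can be this simple; the element ID below is a made-up example, since any hidden element that no human can see or click will work:

```python
# Hypothetical ID of an invisible link rendered on the page.
HONEYPOT_ELEMENT_ID = "hp-link-7f3a"

def classify_click(clicked_element_id):
    """Any interaction with the invisible honeypot element reveals a bot."""
    if clicked_element_id == HONEYPOT_ELEMENT_ID:
        return "BOT"
    return "UNKNOWN"  # passing the trap proves nothing on its own

print(classify_click("hp-link-7f3a"))  # BOT
print(classify_click("buy-button"))    # UNKNOWN
```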

🧰 Popular Tools & Services

  • ClickCease: Real-time click fraud detection and automated blocking for PPC campaigns on platforms like Google and Facebook, focused on stopping bots and competitor clicks to protect ad spend. Pros: user-friendly interface, effective bot blocking, multi-platform support, detailed reporting. Cons: primarily focused on PPC; fewer features for full-funnel or mobile app fraud.
  • TrafficGuard: An enterprise-level solution offering full-funnel ad fraud prevention across channels including PPC, mobile, and affiliate marketing, using machine learning for real-time detection and prevention. Pros: comprehensive multi-channel protection, granular invalid-traffic identification, surgical approach that minimizes false positives. Cons: may be more complex and expensive than solutions designed for small businesses.
  • Lunio: Enterprise-grade bot protection that analyzes traffic quality from impression to conversion, designed to secure large-scale ad funnels with advanced analytics. Pros: strong bot detection, end-to-end funnel protection, deep traffic-quality analytics. Cons: some users report interface and navigation issues; better suited to larger enterprises.
  • ClickGUARD: A specialized tool for Google Ads offering real-time monitoring, advanced detection algorithms (IP analysis, device fingerprinting), and highly customizable blocking rules. Pros: seamless Google Ads integration, granular control via custom rules, detailed fraud-pattern analytics. Cons: platform support is more limited than multi-channel solutions.

πŸ“Š KPI & Metrics

Tracking key performance indicators (KPIs) is critical when using user analysis for fraud protection. It’s essential to measure not only the accuracy of the detection system in identifying fraudulent activity but also its impact on business outcomes like budget savings and campaign efficiency. These metrics help ensure the system is effective without inadvertently blocking legitimate customers.

  • Fraud Detection Rate: The percentage of total fraudulent clicks successfully identified and blocked by the system. Business relevance: measures the core effectiveness of the fraud prevention tool in catching invalid traffic.
  • False Positive Rate: The percentage of legitimate user clicks incorrectly flagged as fraudulent. Business relevance: a high rate indicates the system is too aggressive, potentially blocking real customers and losing revenue.
  • Cost Per Acquisition (CPA) Reduction: The decrease in the average cost to acquire a customer after implementing fraud protection. Business relevance: directly shows financial ROI by demonstrating how eliminating wasted ad spend makes customer acquisition more efficient.
  • Clean Traffic Ratio: The proportion of total traffic deemed valid and human after filtering. Business relevance: provides insight into the overall quality of traffic sources and helps optimize media buying decisions.
  • Conversion Rate Uplift: The percentage increase in conversion rates after filtering out non-converting fraudulent traffic. Business relevance: highlights the positive impact of clean data on campaign performance and optimization efforts.

These metrics are typically monitored through real-time dashboards that visualize traffic patterns, fraud rates, and campaign performance. Automated alerts are often configured to notify administrators of sudden spikes in fraudulent activity or other anomalies. This continuous feedback loop allows for the ongoing optimization of fraud filters and traffic rules to adapt to new threats while maximizing the reach to genuine users.
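
The first two KPIs above reduce to simple ratios over labeled click counts. This sketch assumes ground-truth labels for a sample period (e.g. from manual review); the counts are made up for illustration:

```python
def fraud_kpis(blocked_fraud, missed_fraud, blocked_legit, allowed_legit):
    """Compute detection KPIs from labeled click counts for a sample period."""
    total_fraud = blocked_fraud + missed_fraud
    total_legit = blocked_legit + allowed_legit
    total = total_fraud + total_legit
    return {
        "fraud_detection_rate": blocked_fraud / total_fraud if total_fraud else 0.0,
        "false_positive_rate": blocked_legit / total_legit if total_legit else 0.0,
        "clean_traffic_ratio": allowed_legit / total if total else 0.0,
    }

kpis = fraud_kpis(blocked_fraud=950, missed_fraud=50,
                  blocked_legit=20, allowed_legit=8980)
print(kpis["fraud_detection_rate"])  # 0.95
print(kpis["clean_traffic_ratio"])   # 0.898
```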

πŸ†š Comparison with Other Detection Methods

Detection Accuracy and Speed

MAU analysis provides high accuracy for detecting coordinated fraud and identifying returning legitimate users. However, it can be slower in processing new, unseen traffic, which requires deeper behavioral analysis. In contrast, signature-based filtering is extremely fast for known threats but completely ineffective against new or zero-day bots. Behavioral analytics offers high accuracy against sophisticated bots by focusing on interaction patterns but can be computationally intensive and slower than simple rule-based systems.

Scalability and Resource Use

Signature-based detection is highly scalable and uses minimal resources as it involves simple pattern matching. Rule-based systems are also quite scalable but can become complex to manage as the number of rules grows. MAU analysis requires significant database resources to store and query unique user identifiers and their activity history, making it more resource-intensive. Full behavioral analysis is often the most resource-heavy, as it requires processing large streams of interaction data in real time.

Effectiveness Against Different Fraud Types

MAU analysis excels at identifying large-scale attacks that cause unnatural spikes in new user counts and helps in filtering out repeat offenders. Signature-based methods are best for blocking known, unsophisticated bots. Behavioral analytics is the most effective method against advanced bots that mimic human behavior, as it focuses on subtle interaction anomalies that MAU or signature systems might miss. CAPTCHAs are effective at stopping simple bots but can be defeated by more advanced automation and introduce friction for real users.

⚠️ Limitations & Drawbacks

While analyzing monthly active users is a powerful method for identifying legitimate traffic, it has several limitations in the context of real-time fraud detection. Its effectiveness can be hindered by sophisticated evasion techniques, data privacy regulations, and the high computational resources required for large-scale analysis.

  • High Resource Consumption: Maintaining and querying a large database of unique user fingerprints, cookies, and behavioral data for millions of monthly users can be computationally expensive and slow down real-time decision-making.
  • Difficulty with New Users: The model relies on historical data to build a baseline of trust. It inherently struggles to quickly and accurately classify brand-new, legitimate users, which can lead to false positives.
  • Vulnerability to Sophisticated Bots: Advanced bots can mimic human behavior, use residential proxies to appear as legitimate users, and clear cookies to appear as “new” users each time, making them difficult to distinguish from real people based on simple activity metrics.
  • Data Dependency and Quality: The accuracy of MAU analysis is highly dependent on the quality and volume of the data collected. Incomplete or biased data can lead to flawed models and poor detection rates.
  • Privacy Restrictions: Increasing privacy regulations (like GDPR and CCPA) and the phase-out of third-party cookies limit the ability to track users across different sessions, making it harder to build a persistent and accurate MAU list.
  • Doesn’t Stop Real-Time Fraud Instantly: Since MAU is a backward-looking metric calculated over 30 days, it is better for identifying patterns and cleaning data post-campaign rather than stopping a sudden, real-time fraud attack as it happens.

In scenarios requiring instant blocking of fast-moving, sophisticated attacks, hybrid strategies that combine MAU analysis with real-time behavioral heuristics and signature-based blocking are often more suitable.

❓ Frequently Asked Questions

How does MAU analysis handle users who clear their cookies?

When a user clears their cookies, they appear as a “new” user. Fraud prevention systems address this by using more robust device fingerprinting, which analyzes a combination of hardware and software attributes (like OS, browser, and installed fonts) to create a persistent ID that survives cookie deletion. This ensures a returning user is still recognized.

Can MAU-based fraud detection block legitimate users by mistake?

Yes, this is known as a “false positive.” It can happen if a legitimate user’s behavior accidentally triggers a fraud rule, such as logging in from an unusual location while traveling or using a corporate VPN that is on a blocklist. Good systems minimize this by using multiple data points for a decision and continuously refining their rules.

Is MAU analysis effective against click farms with real humans?

It can be challenging, but it is not impossible. While click farms use real people, their behavior often becomes programmatic and repetitive over time. An MAU system can detect anomalies like a large group of “new” users originating from the same niche IP block, exhibiting identical on-site behavior, and never converting, which helps identify and block them as a group.
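
The group-level detection described here can be approximated by bucketing new users by IP block; the /24 grouping and the threshold are illustrative simplifications:

```python
from collections import Counter

def flag_crowded_subnets(new_user_ips, min_users=50):
    """Return /24 blocks contributing at least min_users 'new' users.

    A block with an outsized share of new users is a candidate click-farm
    or proxy range worth manual review.
    """
    blocks = Counter(ip.rsplit(".", 1)[0] for ip in new_user_ips)
    return sorted(net for net, count in blocks.items() if count >= min_users)

ips = ["198.51.100.%d" % i for i in range(60)] + ["203.0.113.5", "192.0.2.9"]
print(flag_crowded_subnets(ips))  # ['198.51.100']
```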

How quickly can this method adapt to new types of bot attacks?

Adaptability depends on the system’s machine learning capabilities. Basic MAU systems with static rules are slow to adapt. However, advanced platforms use machine learning to continuously analyze new traffic patterns. When a new type of bot attack emerges, the system can identify the new pattern as an anomaly and update its blocking rules automatically, often within hours.

Does MAU analysis work for mobile in-app advertising fraud?

Yes, the principle is the same but the identifiers are different. Instead of cookies, mobile fraud detection relies on resettable device advertising IDs (like GAID for Android or IDFA for iOS). The system tracks these unique device IDs to count monthly active users and detects fraud by looking for signs like rapid app installs and uninstalls from the same device or traffic from device emulators.

🧾 Summary

Monthly Active Users (MAU) is a vital metric in digital advertising fraud prevention that establishes a behavioral baseline by tracking unique, engaged users over 30 days. Its primary role is to distinguish between legitimate human patterns and anomalous, high-frequency actions typical of bots. By analyzing deviations from this baseline, businesses can effectively identify and block fraudulent clicks, protecting ad budgets and ensuring data integrity.