Archives: Glossary Terms

How Cost per lead Works

[Ad Traffic Source] → [Website Visit] → [Lead Form Submission] → +-------------------------+
                                                            │ CPL Calculation & Analysis  │
                                                            └────────────┬────────────┘
                                                                         ↓
                                                      ┌──────────────────────────────────┐
                                                      │ Is CPL anomalously low or high?  │
                                                      │  (Compared to benchmarks/history)│
                                                      └────────────┬────────────┘
                                                                   |
                                      ┌───────────(Yes)────────────┤
                                      ↓                            ↓
                          +---------------+          +-------------------+
                          │ Flag as Fraud │          │ Accept as Valid   │
                          └───────────────┘          └───────────────────┘

🧠 Core Detection Logic

Example 1: CPL Threshold Monitoring

This logic automatically flags campaigns where the Cost per Lead deviates significantly from a predefined range. It is a first-line defense to catch low-quality traffic from bot farms that generate a high volume of cheap, fake leads, or unexpectedly expensive but fraudulent sources.

FUNCTION checkCplThreshold(campaign):
  SET min_cpl = 5.00
  SET max_cpl = 150.00
  
  current_cpl = campaign.totalSpend / campaign.leadCount

  IF current_cpl < min_cpl OR current_cpl > max_cpl:
    FLAG campaign AS 'CPL Anomaly'
    SEND alert("Campaign " + campaign.name + " has a CPL of " + current_cpl)
  ELSE:
    MARK campaign AS 'CPL Within Range'
  END IF
END FUNCTION

Example 2: Lead Submission Velocity Analysis

This logic analyzes the time between a user clicking an ad and submitting a lead form. Bots can often fill and submit forms in seconds, a behavior highly uncharacteristic of genuine human users. A suspiciously short duration is a strong indicator of automated fraud.

FUNCTION checkSubmissionSpeed(lead):
  SET min_human_time = 5 // Minimum time in seconds for a human
  
  time_diff = lead.submission_timestamp - lead.click_timestamp
  
  IF time_diff < min_human_time:
    FLAG lead AS 'Fraudulent: Submission Too Fast'
    RETURN False
  ELSE:
    FLAG lead AS 'Valid Submission Time'
    RETURN True
  END IF
END FUNCTION

Example 3: Geo-Mismatch Detection

This logic compares the geolocation of the IP address that generated the click with the geographic information entered into the lead form (e.g., country, city, or postal code). A mismatch suggests the lead data is fabricated or stolen, a common tactic in lead generation fraud.

FUNCTION checkGeoMismatch(lead):
  ip_location = getLocation(lead.ip_address)
  form_location = lead.form_data.country

  IF ip_location.country != form_location:
    FLAG lead AS 'Fraudulent: Geo Mismatch'
    log("IP Country: " + ip_location.country + ", Form Country: " + form_location)
    RETURN False
  ELSE:
    FLAG lead AS 'Valid Geo'
    RETURN True
  END IF
END FUNCTION

📈 Practical Use Cases for Businesses

• Campaign Budget Shielding – Automatically flags and blocks traffic from sources that deliver abnormally cheap (and likely fake) leads, preventing wasted ad spend and protecting marketing ROI.
• Sales Funnel Integrity – Ensures that only leads with a plausible cost profile enter the sales pipeline, preventing sales teams from wasting time and resources on bot-generated contacts or fabricated information.
• Improved Analytics Accuracy – By filtering out fraudulent conversions, CPL analysis helps maintain clean data, allowing businesses to make more accurate decisions based on genuine user engagement and campaign performance.
• Affiliate Fraud Detection – Monitors the CPL from different affiliate partners to identify those who may be using fraudulent methods like bots or incentivized clicks to generate low-quality leads for a commission.

Example 1: Lead Data Pattern Rule

This logic checks for suspicious patterns in the submitted lead data itself. For example, multiple leads using slightly varied but similar names or disposable email addresses from the same IP block can be flagged, as this often points to a bot or a human click farm working from a script.

FUNCTION detectLeadStuffing(new_lead, recent_leads):
  suspicion_score = 0
  
  FOR each existing_lead IN recent_leads:
    // Check if same IP submitted another lead recently
    IF new_lead.ip_address == existing_lead.ip_address:
      suspicion_score += 3

    // Check for disposable email domain
    IF isDisposableEmail(new_lead.email):
      suspicion_score += 5
      
    // Check for gibberish name
    IF looksLikeGibberish(new_lead.name):
      suspicion_score += 4
  
  IF suspicion_score > 7:
    FLAG new_lead as "High-Risk: Potential Lead Stuffing"
  END IF
END FUNCTION

Example 2: Conversion Pacing Anomaly

This rule monitors the rate at which leads are generated. A sudden, unnatural spike in lead velocity, especially outside of typical peak business hours, is a strong indication of an automated bot attack. This logic helps catch fraud in real-time before a significant portion of the budget is wasted.

FUNCTION checkConversionPacing(campaign_id):
  // Get leads from the last 10 minutes
  leads_now = getLeadCount(campaign_id, last_10_mins)
  // Get leads from the previous 10-minute interval
  leads_before = getLeadCount(campaign_id, previous_10_mins)
  
  // Alert if lead volume suddenly triples
  IF leads_now > (leads_before * 3) AND leads_now > 10:
    ALERT("Sudden spike in lead volume detected for campaign " + campaign_id)
    PAUSE_CAMPAIGN(campaign_id)
  END IF
END FUNCTION

🐍 Python Code Examples

This Python function calculates the Cost per Lead for a campaign and flags it if the CPL falls outside a normal, expected range. This helps automatically detect campaigns affected by either cheap bot traffic or other forms of inefficient, fraudulent activity.

def analyze_cpl(total_cost, num_leads):
    """
    Analyzes the Cost Per Lead (CPL) and flags it if outside a predefined range.
    """
    if num_leads == 0:
        return "No leads generated."

    cpl = total_cost / num_leads
    MIN_CPL_THRESHOLD = 5.0
    MAX_CPL_THRESHOLD = 200.0

    if cpl < MIN_CPL_THRESHOLD:
        return f"Warning: CPL is suspiciously low at ${cpl:.2f}. Possible bot activity."
    elif cpl > MAX_CPL_THRESHOLD:
        return f"Warning: CPL is unexpectedly high at ${cpl:.2f}. Review traffic sources."
    else:
        return f"CPL is within the normal range at ${cpl:.2f}."

# Example usage:
campaign_spend = 1000
fraudulent_leads = 500
print(analyze_cpl(campaign_spend, fraudulent_leads))

This code snippet filters incoming leads based on a list of known fraudulent IP addresses and disposable email providers. It is a fundamental step in pre-qualifying leads and preventing common types of submission fraud from polluting a company's database.

import re

def is_lead_valid(lead_data):
    """
    Checks if a lead comes from a blacklisted IP or a disposable email address.
    """
    BLACKLISTED_IPS = {"10.0.0.1", "192.168.1.101"}
    DISPOSABLE_DOMAINS = {"tempmail.com", "10minutemail.com"}

    ip_address = lead_data.get("ip")
    email = lead_data.get("email")

    if ip_address in BLACKLISTED_IPS:
        print(f"Blocking lead from blacklisted IP: {ip_address}")
        return False
    
    domain = re.search(r"@([w.-]+)", email)
    if domain and domain.group(1) in DISPOSABLE_DOMAINS:
        print(f"Blocking lead from disposable email: {email}")
        return False

    return True

# Example usage:
good_lead = {"ip": "8.8.8.8", "email": "test@example.com"}
bad_lead = {"ip": "10.0.0.1", "email": "fraud@tempmail.com"}

print(f"Good lead is valid: {is_lead_valid(good_lead)}")
print(f"Bad lead is valid: {is_lead_valid(bad_lead)}")

Types of Cost per lead

• Static CPL Analysis – This method involves setting fixed minimum and maximum CPL thresholds. If a campaign's CPL goes above or below this static range, it's flagged for review. It’s best for catching obvious anomalies but can be inflexible to market changes.
• Dynamic CPL Benchmarking – Unlike static analysis, this approach compares a campaign's CPL to a rolling average of its own historical performance or to similar active campaigns. This allows the system to adapt to natural fluctuations while still catching sharp, uncharacteristic deviations indicative of fraud.
• Source-Segmented CPL – Here, CPL is analyzed separately for each traffic source, affiliate, or ad placement. This granular view helps pinpoint exactly which segments are delivering fraudulent or low-quality leads, allowing for precise blocking without disrupting well-performing sources.
• Behavioral-Qualified CPL – This advanced type calculates the cost for leads that have also passed a behavioral check, such as time on page, mouse movement analysis, or honeypot field validation. It distinguishes the cost of a "real" lead from a merely submitted one, providing a truer performance metric.
• Geo-Correlated CPL – This method evaluates CPL in conjunction with geographic data. It flags campaigns where the cost per lead is unusually low for a high-value region or, conversely, too high for a region known for low-quality traffic, helping to detect geo-masking and other location-based fraud.

How Cost per order Works

[Ad Campaign] → [Click/Impression] → [User Session] → [Conversion/Order]
      │                  │                   │                    │
      └──────────────────┼───────────────────┼────────────────────┘
                         │                   │
                         ▼                   ▼
                  +-------------------+   +--------------------+
                  │   Data Collector  │   │  CPO Calculation   │
                  │ (IP, UA, Time)    │   │ (Total Ad Spend /  │
                  │                   │   │   Total Orders)    │
                  +-------------------+   +--------------------+
                         │                   │
                         └───────►+------------------+◄───────┘
                                  │  Anomaly Engine  │
                                  │(Rule & Behavior  │
                                  │    Analysis)     │
                                  +------------------+
                                          │
                                          ▼
                                +-------------------+
                                │   Fraud Signal    │
                                │  (Block/Alert)    │
                                +-------------------+

🧠 Core Detection Logic

Example 1: CPO Anomaly Thresholds

This logic automatically flags ad campaigns where the Cost per order deviates significantly from an established benchmark. It helps catch widespread issues like bot attacks that generate many low-quality orders or click fraud campaigns that drain budgets without converting, causing CPO to skyrocket.

// Rule: Flag campaigns with abnormal CPO
FUNCTION check_cpo_anomaly(campaign_id):
  
  // Define historical or expected CPO for the campaign
  expected_cpo = get_historical_cpo(campaign_id)
  current_cpo = calculate_current_cpo(campaign_id)

  // Define acceptable deviation thresholds
  UPPER_THRESHOLD = 2.5 // 150% increase
  LOWER_THRESHOLD = 0.3 // 70% decrease

  // Check for significant CPO spikes (potential click fraud)
  IF current_cpo > (expected_cpo * UPPER_THRESHOLD):
    FLAG_CAMPAIGN(campaign_id, "High CPO Alert: Possible Click Fraud")
  
  // Check for significant CPO drops (potential fake orders)
  ELSE IF current_cpo < (expected_cpo * LOWER_THRESHOLD):
    FLAG_CAMPAIGN(campaign_id, "Low CPO Alert: Possible Fake Order Bot")
  
END FUNCTION

Example 2: Geographic CPO Mismatch

This logic compares the geographic location of the click (where the ad was served) with the location of the order's billing or shipping address. A high number of orders from a campaign targeting one country with billing addresses from another can indicate sophisticated proxy or VPN-based fraud.

// Rule: Detect geo-mismatch between ad click and order
FUNCTION check_geo_mismatch(order_id):

  order_data = get_order_details(order_id)
  click_data = get_click_source(order_data.click_id)

  ad_target_country = click_data.geo_country
  order_billing_country = order_data.billing_country

  IF ad_target_country != order_billing_country:
    // Increase fraud score for this order
    order_data.fraud_score += 25
    LOG_ALERT("Geo Mismatch", order_id, ad_target_country, order_billing_country)

  RETURN order_data.fraud_score

END FUNCTION

Example 3: Affiliate CPO Monitoring

This logic is used to monitor the quality of traffic from different affiliate partners. Affiliates driving traffic with an unusually low CPO might be using fraudulent methods (like cookie stuffing or fake orders) to generate commissions. This helps ensure that partners are driving real, valuable customers.

// Rule: Monitor CPO per affiliate channel
FUNCTION monitor_affiliate_cpo(affiliate_id, time_window):
  
  affiliate_spend = get_affiliate_payout(affiliate_id, time_window)
  affiliate_orders = get_affiliate_orders(affiliate_id, time_window)
  
  IF affiliate_orders > 0:
    affiliate_cpo = affiliate_spend / affiliate_orders
  ELSE:
    RETURN // Not enough data

  // Get average CPO across all non-affiliate channels
  benchmark_cpo = get_benchmark_cpo()

  // Flag if affiliate CPO is suspiciously low
  IF affiliate_cpo < (benchmark_cpo * 0.25): // 75% lower than average
    FLAG_AFFILIATE(affiliate_id, "Suspiciously Low CPO")
    
END FUNCTION

📈 Practical Use Cases for Businesses

• Campaign Budget Protection – Automatically pause or issue alerts for ad campaigns where the CPO skyrockets, indicating that the budget is being wasted on non-converting, fraudulent clicks.
• Affiliate Fraud Detection – Identify affiliate partners who are driving traffic with an abnormally low CPO, which often points to fake or incentivized orders used to generate unearned commissions.
• ROAS Integrity – Ensure Return on Ad Spend (ROAS) calculations are accurate by using CPO analysis to filter out fake orders, providing a true picture of campaign profitability and preventing investment in fraudulent channels.
• Channel Optimization – By comparing the CPO across different marketing channels (e.g., social, search, display), businesses can confidently allocate budget to channels that deliver real customers, not just fraudulent traffic.

Example 1: High CPO Pacing Rule

This rule automatically pauses a campaign if its CPO exceeds a predefined threshold within a short time frame, preventing rapid budget drain from a click fraud attack.

// Logic to protect campaign budget from high CPO
FUNCTION check_campaign_pacing(campaign_id):

  hourly_spend = get_hourly_spend(campaign_id)
  hourly_orders = get_hourly_orders(campaign_id)
  
  IF hourly_orders == 0 AND hourly_spend > 50.00:
    PAUSE_CAMPAIGN(campaign_id, "High Spend, Zero Orders")
    RETURN

  current_cpo = hourly_spend / hourly_orders
  max_cpo_target = get_max_cpo(campaign_id)

  IF current_cpo > (max_cpo_target * 3):
    PAUSE_CAMPAIGN(campaign_id, "CPO exceeds 3x target")
    
END FUNCTION

Example 2: New Customer CPO vs. Returning Customer CPO

This logic segments CPO analysis to differentiate between acquiring new customers and sales from existing ones. A sudden, drastic change in the CPO for new customers can be an early indicator of fraud targeting acquisition-focused campaigns.

// Logic to analyze CPO by customer type
FUNCTION analyze_customer_cpo(campaign_id):
  
  // Calculate CPO for new customers
  new_customer_spend = get_spend_for_new_customers(campaign_id)
  new_customer_orders = get_orders_from_new_customers(campaign_id)
  new_customer_cpo = new_customer_spend / new_customer_orders

  // Calculate CPO for returning customers
  returning_spend = get_spend_for_returning(campaign_id)
  returning_orders = get_orders_from_returning(campaign_id)
  returning_cpo = returning_spend / returning_orders

  // Compare with historical benchmarks
  IF new_customer_cpo > get_historical_new_cpo() * 2.0:
    FLAG_FOR_REVIEW(campaign_id, "New Customer CPO Spike")
    
END FUNCTION

🐍 Python Code Examples

This Python function calculates the Cost Per Order from a dictionary of campaign data. It helps establish a baseline performance metric which can be used to spot anomalies indicative of fraud.

def calculate_cpo(campaign_data):
    """Calculates Cost Per Order (CPO) for a campaign."""
    total_cost = campaign_data.get("total_cost", 0)
    total_orders = campaign_data.get("total_orders", 0)

    if total_orders == 0:
        return float('inf')  # Return infinity if no orders to avoid division by zero

    cpo = total_cost / total_orders
    return cpo

# Example
campaign_A = {"total_cost": 500, "total_orders": 10}
print(f"Campaign A CPO: ${calculate_cpo(campaign_A):.2f}")

This code snippet demonstrates a simple rule-based filter to identify potentially fraudulent campaigns. It flags campaigns with a CPO that is unrealistically low (suggesting fake orders) or excessively high (suggesting click fraud).

def flag_suspicious_campaigns(campaigns, historical_avg_cpo):
    """Flags campaigns with CPO outside of normal bounds."""
    suspicious_campaigns = []
    
    # Define thresholds based on historical average
    # A CPO less than 20% of average could be fake orders
    # A CPO more than 300% of average could be click fraud
    LOWER_BOUND = historical_avg_cpo * 0.20
    UPPER_BOUND = historical_avg_cpo * 3.0

    for cid, data in campaigns.items():
        cpo = calculate_cpo(data)
        if cpo < LOWER_BOUND:
            suspicious_campaigns.append((cid, "Suspiciously Low CPO"))
        elif cpo > UPPER_BOUND:
            suspicious_campaigns.append((cid, "Excessively High CPO"))
            
    return suspicious_campaigns

# Example
all_campaigns = {
    "campaign_1": {"total_cost": 1000, "total_orders": 50}, # CPO = $20
    "campaign_2": {"total_cost": 1000, "total_orders": 2},  # CPO = $500 (High)
    "campaign_3": {"total_cost": 1000, "total_orders": 500} # CPO = $2 (Low)
}
historical_cpo = 25.0
print(flag_suspicious_campaigns(all_campaigns, historical_cpo))

Types of Cost per order

• Blended vs. Channel-Specific CPO – Blended CPO averages costs across all campaigns, while channel-specific CPO breaks it down by source (e.g., Google Ads, Facebook). In fraud detection, a stable blended CPO can hide a fraudulent channel, making channel-specific analysis essential for isolating suspicious activity.
• New vs. Returning Customer CPO – This type segments the cost to acquire an order from a new customer versus a repeat customer. Fraudsters often mimic new users, so a sudden, drastic change in the new customer CPO is a strong indicator of an attack on acquisition campaigns.
• Gross vs. Net CPO – Gross CPO is calculated before accounting for returns or cancelled orders, while Net CPO is calculated after. A large discrepancy between Gross and Net CPO can signal fraudulent orders that are placed and then quickly cancelled, a common tactic in some affiliate fraud schemes.
• Real-Time CPO Monitoring – This isn't a different calculation but a method of application. By tracking CPO on a minute-by-minute or hourly basis, systems can detect sudden spikes or drops that indicate flash events of click fraud or bot attacks, enabling a much faster response.

How Cost per sale Works

+---------------------+      +----------------------+      +-----------------+
|   Ad Campaign Data  |----->|  CPS Analysis System |----->|  Fraud Signals  |
| (Clicks, Cost, IPs) |      | (Monitors Metrics)   |      | (High CPS, etc) |
+---------------------+      +----------------------+      +-----------------+
          |                                                       |
          |                                                       ▼
          |                                             +--------------------+
          └-------------------------------------------->|  Block & Optimize  |
                                                        | (Update Blacklists, |
                                                        |   Adjust Bids)     |
                                                        +--------------------+

🧠 Core Detection Logic

Example 1: High CPS Threshold Alert

This logic automatically flags traffic sources that exceed a predefined Cost per Sale limit. It’s a frontline defense to catch campaigns or publishers that are generating high costs without any corresponding sales, a strong indicator of bot traffic or click farms that mimic clicks but not purchases.

FUNCTION check_cps_threshold(campaign):
  // Set a maximum acceptable CPS, e.g., $200
  MAX_ALLOWED_CPS = 200

  // Calculate current CPS
  current_cps = campaign.total_cost / campaign.total_sales

  // Check if sales are zero and cost is significant
  IF campaign.total_sales == 0 AND campaign.total_cost > 50:
    TRIGGER_ALERT(campaign.id, "High cost with zero sales")
    RETURN "FRAUDULENT"

  // Check if CPS exceeds the allowed threshold
  IF current_cps > MAX_ALLOWED_CPS:
    TRIGGER_ALERT(campaign.id, "CPS exceeds threshold")
    RETURN "FRAUDULENT"

  RETURN "LEGITIMATE"

Example 2: Session Analysis for Non-Converting IPs

This logic scrutinizes the behavior of users from IP addresses that have a history of clicks but no sales. It analyzes session duration and page interactions. Abnormally short sessions or a lack of meaningful engagement (like scrolling or adding to cart) from costly IPs helps confirm they are non-human visitors.

FUNCTION analyze_session_behavior(ip_address):
  // Get historical data for the IP
  clicks = GET_CLICKS_BY_IP(ip_address)
  sales = GET_SALES_BY_IP(ip_address)
  session_duration = GET_AVG_SESSION_DURATION(ip_address)

  // If IP has many clicks but no sales, it's suspicious
  IF clicks > 20 AND sales == 0:
    // If average session is less than 2 seconds, flag as bot
    IF session_duration < 2:
      BLOCK_IP(ip_address)
      RETURN "BOT_DETECTED"

  RETURN "OK"

Example 3: Geo-Mismatch Detection

This logic flags transactions where the IP address location is vastly different from the shipping or billing address provided during a sale. While not directly a CPS metric, it protects the integrity of sales data used to calculate CPS, ensuring fraudulent or synthetic sales don't mask high CPS from invalid traffic sources.

FUNCTION verify_geo_mismatch(transaction):
  // Get IP geolocation and customer shipping country
  ip_location = GET_GEOLOCATION(transaction.ip_address)
  shipping_country = transaction.shipping_address.country

  // Compare the two locations
  IF ip_location.country != shipping_country:
    // Flag for manual review or automated rejection
    FLAG_FOR_REVIEW(transaction.id, "IP country and shipping country mismatch")
    RETURN "SUSPICIOUS"

  RETURN "VERIFIED"

📈 Practical Use Cases for Businesses

• Campaign Shielding – Automatically block traffic sources with excessively high Cost per Sale, protecting ad budgets from being wasted on publishers or placements that deliver clicks but never actual customers.
• Affiliate Fraud Detection – Monitor affiliate-driven traffic to identify partners who generate a large volume of costly clicks without any sales, which is a common sign of affiliate-generated click fraud.
• ROI Optimization – By focusing ad spend on channels and keywords with a low and efficient CPS, businesses can improve their return on investment and ensure marketing funds are directed toward profit-generating activities.
• Data Integrity – Ensure that performance analytics are clean and reliable by filtering out non-converting fraudulent traffic. This leads to more accurate insights and better strategic decisions.

Example 1: Publisher Blacklisting Rule

This pseudocode automatically identifies and blocks low-quality publishers in a display or affiliate campaign based on their sales performance.

FUNCTION monitor_publisher_performance(publisher_id):
  data = GET_PUBLISHER_DATA(publisher_id)

  cost = data.total_cost
  sales = data.total_sales

  // If publisher has cost money but generated zero sales after enough data
  IF cost > 100 AND sales == 0:
    BLACKLIST_PUBLISHER(publisher_id)
    LOG_EVENT("Publisher blacklisted due to zero sales and high cost.")

Example 2: Keyword Performance Scorer

This logic helps businesses identify which keywords are attracting genuine buyers versus those attracting bots by scoring them based on their CPS.

FUNCTION score_keyword_quality(keyword):
  stats = GET_KEYWORD_STATS(keyword)
  cps = stats.total_cost / stats.total_sales

  // Define quality thresholds
  IF cps < 50:
    RETURN "HIGH_QUALITY"
  ELSE IF cps >= 50 AND cps < 150:
    RETURN "MEDIUM_QUALITY"
  ELSE:
    // Flag for review or pausing if CPS is too high
    RETURN "LOW_QUALITY"

🐍 Python Code Examples

This Python function simulates checking the Cost per Sale for a list of ad campaigns. It identifies campaigns where costs are high but no sales have been made, a strong indicator of potential click fraud, and flags them for review.

def evaluate_campaign_cps(campaigns_data):
    suspicious_campaigns = []
    for campaign in campaigns_data:
        name = campaign.get("name")
        cost = campaign.get("cost", 0)
        sales = campaign.get("sales", 0)

        # Rule: If cost is significant but there are no sales, it's a red flag.
        if cost > 50 and sales == 0:
            print(f"ALERT: Campaign '{name}' has ${cost} cost but 0 sales.")
            suspicious_campaigns.append(name)
        # Rule: Calculate CPS only if there are sales to avoid division by zero.
        elif sales > 0:
            cps = cost / sales
            print(f"INFO: Campaign '{name}' has a CPS of ${cps:.2f}.")
            # You could add another rule here to flag excessively high CPS.

    return suspicious_campaigns

# Example Data
campaigns = [
    {"name": "Summer Sale", "cost": 1200, "sales": 15},
    {"name": "Publisher X Traffic", "cost": 250, "sales": 0},
    {"name": "Keyword Group B", "cost": 30, "sales": 0},
]
evaluate_campaign_cps(campaigns)

This script analyzes a list of click events to detect abnormally high click frequency from a single IP address within a short time frame. This is a common technique to identify non-human bot activity designed to waste an advertiser's budget.

from collections import defaultdict

def detect_frequent_clicks(click_log, time_window_seconds=60, click_threshold=10):
    ip_clicks = defaultdict(list)
    flagged_ips = set()

    for click in click_log:
        ip = click["ip"]
        timestamp = click["timestamp"]
        ip_clicks[ip].append(timestamp)

        # Remove clicks older than the time window
        relevant_clicks = [t for t in ip_clicks[ip] if timestamp - t <= time_window_seconds]
        ip_clicks[ip] = relevant_clicks

        if len(relevant_clicks) > click_threshold:
            if ip not in flagged_ips:
                print(f"FRAUD DETECTED: IP {ip} exceeded {click_threshold} clicks in {time_window_seconds}s.")
                flagged_ips.add(ip)

    return list(flagged_ips)

# Example Data (timestamps are simple integers for demonstration)
click_stream = [
    {"ip": "1.2.3.4", "timestamp": 1}, {"ip": "1.2.3.4", "timestamp": 2},
    {"ip": "5.6.7.8", "timestamp": 5}, {"ip": "1.2.3.4", "timestamp": 10},
    {"ip": "1.2.3.4", "timestamp": 12}, {"ip": "1.2.3.4", "timestamp": 15},
    {"ip": "1.2.3.4", "timestamp": 20}, {"ip": "1.2.3.4", "timestamp": 25},
    {"ip": "1.2.3.4", "timestamp": 30}, {"ip": "1.2.3.4", "timestamp": 35},
    {"ip": "1.2.3.4", "timestamp": 40}, {"ip": "1.2.3.4", "timestamp": 45},
]
detect_frequent_clicks(click_stream)

Types of Cost per sale

• Threshold-Based CPS – This method involves setting a maximum acceptable CPS value for a campaign. If the actual CPS exceeds this predefined threshold, the traffic source is automatically flagged or blocked, providing a simple yet effective defense against budget-draining, non-converting traffic.
• Segment-Based CPS – Here, CPS is analyzed across different user segments, such as geography, device type, or time of day. This helps identify fraud concentrated in specific areas, like bots operating from data centers in a particular country or running only during off-peak hours.
• Behavioral-CPS Correlation – This approach combines CPS data with user behavior metrics like session duration or pages per visit. A high CPS paired with poor engagement (e.g., immediate bounces) strengthens the evidence that the traffic is fraudulent and not composed of genuine, interested users.
• Historical CPS Benchmarking – This method compares the current CPS of a traffic source against its own historical performance. A sudden, unexplained spike in CPS from a previously reliable source can indicate that the source has been compromised or is now sending lower-quality, potentially fraudulent traffic.

How Cost per view Works

[Ad Request] → [Data Collection] → [Feature Extraction] → [Risk Analysis] → [Decision] → [Action]
      │                  │                   │                  │               │            └─ Allow (Valid View)
      │                  │                   │                  │               └─ Block/Flag (Fraudulent)
      │                  │                   │                  └─ High Risk Score
      │                  │                   └─ Behavioral & Technical Patterns
      └─ User/Bot Initiates View

🧠 Core Detection Logic

Example 1: High-Frequency View Capping

This logic prevents a single user or bot from generating an unnaturally high number of views in a short period. It works by tracking views per IP address or device ID and blocking further billable views once a set threshold is exceeded. This is a frontline defense against simple bot attacks.

FUNCTION checkViewFrequency(user_id, time_window, max_views):
  views = getViewsForUser(user_id, time_window)
  IF count(views) > max_views:
    RETURN "BLOCK_VIEW"
  ELSE:
    RETURN "ALLOW_VIEW"

Example 2: Data Center Traffic Blocking

Legitimate ad views typically come from residential or mobile IP addresses, not from servers in data centers. This logic checks the viewer’s IP address against a known database of data center IP ranges. If a match is found, the view is flagged as fraudulent because it’s highly likely to be non-human traffic.

FUNCTION isDataCenterIP(ip_address):
  datacenter_ips = getDatacenterIPList()
  IF ip_address IN datacenter_ips:
    RETURN TRUE
  ELSE:
    RETURN FALSE

// Main Logic
IF isDataCenterIP(viewer_ip):
  markViewAsFraudulent("Data Center Origin")

Example 3: Behavioral Anomaly Detection

This logic analyzes how a user interacts with the ad and the page. Bots often exhibit non-human behavior, such as zero mouse movement, instant clicks, or watching videos for the exact minimum duration required for payment. If a session lacks these human-like interaction signals, it is flagged as suspicious.

FUNCTION analyzeBehavior(session_data):
  // Check for mouse movement if on desktop
  IF session_data.device_type == "desktop" AND session_data.mouse_events == 0:
    RETURN "SUSPICIOUS"
  
  // Check if view duration is exactly the minimum required
  IF session_data.view_duration == minimum_payable_duration:
    RETURN "SUSPICIOUS"

  RETURN "NORMAL"

📈 Practical Use Cases for Businesses

• Campaign Budget Protection – Ensures advertising funds are spent on real human viewers, not wasted on automated bots or fraudulent click farms, directly maximizing ROI.
• Data Integrity for Analytics – By filtering out fake views, businesses can trust their campaign metrics (like view-through rates and engagement), leading to more accurate performance analysis and smarter optimization decisions.
• Lead Quality Improvement – Prevents fraudulent or bot-driven traffic from polluting lead generation funnels, ensuring that sales teams engage with genuine prospects and not fake submissions tied to invalid views.
• Brand Safety Assurance – Blocks ads from running on low-quality or non-compliant sites often used in fraud schemes, protecting brand reputation from association with inappropriate content.

Example 1: Geolocation Mismatch Rule

This logic prevents fraud from masked locations by comparing the IP address’s country with the user’s reported browser/device language and timezone settings. A mismatch suggests the use of a proxy or VPN to circumvent targeting.

FUNCTION validateGeoMismatch(ip_geo, device_timezone, browser_lang):
  // Example: IP is in Vietnam, but timezone is America/New_York
  IF ip_geo.country != timezoneToCountry(device_timezone):
    RETURN "FLAG_FOR_REVIEW"
  
  // Example: IP is in Germany, but browser language is Chinese (and not a common multi-lingual scenario)
  IF ip_geo.country == "DE" AND browser_lang == "zh-CN":
    RETURN "FLAG_FOR_REVIEW"

  RETURN "PASS"

Example 2: Session Scoring Logic

This logic aggregates multiple risk signals into a single score to make a more nuanced decision. Instead of relying on one factor, it combines data points like IP reputation, device anomalies, and behavioral patterns to determine if a view is fraudulent.

FUNCTION calculateSessionScore(view_data):
  score = 0
  
  IF isDataCenterIP(view_data.ip):
    score = score + 50
  
  IF hasHeadlessBrowserSignature(view_data.user_agent):
    score = score + 30
    
  IF behaviorIsRobotic(view_data.events):
    score = score + 20

  IF score > 75:
    RETURN "BLOCK_FRAUD"
  ELSE:
    RETURN "ALLOW"

🐍 Python Code Examples

This function simulates checking if a view request originates from a known data center IP address, a common sign of non-human traffic. Blocking these IPs is a fundamental step in preventing large-scale automated fraud.

# List of known data center IP prefixes (for demonstration)
DATACENTER_IP_PREFIXES = {"192.168.1.", "10.0.0.", "172.16."}

def block_datacenter_traffic(viewer_ip: str) -> bool:
    """Returns True if the IP address belongs to a known data center."""
    for prefix in DATACENTER_IP_PREFIXES:
        if viewer_ip.startswith(prefix):
            print(f"Blocking fraudulent view from data center IP: {viewer_ip}")
            return True
    print(f"Allowing valid view from IP: {viewer_ip}")
    return False

# Example usage
block_datacenter_traffic("10.0.0.125")
block_datacenter_traffic("8.8.8.8")

This code analyzes a list of view timestamps for a specific user to detect abnormally high frequency, which often indicates bot activity. Setting a reasonable limit on views per minute helps filter out automated scripts.

from collections import deque

# Stores timestamps of recent views per user
view_history = {}

def is_hyper_frequency_view(user_id: str, timestamp: float, max_views: int = 10, window_sec: int = 60) -> bool:
    """Checks for too many views from one user in a short time window."""
    if user_id not in view_history:
        view_history[user_id] = deque()

    # Remove old timestamps
    while view_history[user_id] and view_history[user_id] < timestamp - window_sec:
        view_history[user_id].popleft()

    # Add current view
    view_history[user_id].append(timestamp)

    if len(view_history[user_id]) > max_views:
        print(f"Fraudulent high-frequency detected for user: {user_id}")
        return True
    
    return False

# Example usage
import time
is_hyper_frequency_view("user-123", time.time()) # Returns False
# Simulate 15 quick views
for _ in range(15):
    is_hyper_frequency_view("user-123", time.time()) # Will eventually return True

Types of Cost per view

• Real-Time Filtering – This is the most common type, where each view request is analyzed and validated for legitimacy in milliseconds before the ad is served. It prevents fraud by blocking bots and invalid traffic sources from ever registering a billable view.
• Post-View Analysis – In this method, views are initially recorded and then analyzed in batches after they occur. Suspicious patterns are identified, and the advertiser is credited back for fraudulent views. It’s less immediate but useful for detecting complex, slow-moving fraud schemes.
• Behavior-Based CPV – This type focuses heavily on user interaction signals rather than just technical data. A view is only considered valid if accompanied by human-like behavior, such as mouse movements, scrolling, or non-linear interactions, effectively filtering out simple bots that just load a page.
• Viewability-Adjusted CPV – Here, the cost is tied not just to the view starting but to the ad meeting a viewability standard (e.g., 50% of pixels on screen for at least two seconds). This protects against fraud where an ad is loaded but never actually seen by a human.

How CPM Works

Incoming Ad Traffic → [+ Data Collection] → [🧠 CPM Analysis Engine] → [Decision Logic] ┬─ Legitimate → Allow
                                │                     │                   └─ Fraudulent  → Block
                                └─────────────────────┴─────────────────────────────────────┘
                                                      ↓
                                                [Reporting]

🧠 Core Detection Logic

Example 1: High-Frequency Click Velocity

This logic identifies non-human, automated clicking by flagging IP addresses or devices that generate an unrealistic number of clicks in a short period. It is a fundamental check to catch simple bots and click farms that aim to deplete budgets quickly.

FUNCTION check_click_velocity(ip_address, click_timestamp):
  time_window = 60 // seconds
  max_clicks = 5

  // Get recent click timestamps for the given IP
  recent_clicks = get_clicks_for_ip(ip_address, within=time_window)

  // Add current click to the list
  add_click_record(ip_address, click_timestamp)

  // Check if click count exceeds the threshold
  IF count(recent_clicks) > max_clicks:
    RETURN "FRAUDULENT"
  ELSE:
    RETURN "VALID"
  END IF

Example 2: Inconsistent Client Headers

This rule detects sophisticated bots that try to impersonate real users but fail to provide a consistent set of technical attributes. For instance, a bot might claim to be an iPhone via its User-Agent string but report a screen resolution typical of a desktop monitor.

FUNCTION check_header_consistency(headers):
  user_agent = headers.get("User-Agent")
  screen_resolution = headers.get("Screen-Resolution")

  is_mobile_agent = contains(user_agent, ["iPhone", "Android"])
  is_desktop_resolution = screen_resolution.width > 1200

  // If the User-Agent claims to be mobile but resolution is for desktop
  IF is_mobile_agent AND is_desktop_resolution:
    RETURN "FRAUDULENT"
  END IF

  // Other checks for inconsistencies can be added here

  RETURN "VALID"

Example 3: Data Center IP Anomaly

This logic blocks traffic originating from data centers (e.g., cloud hosting providers) instead of residential or mobile networks. While some data center traffic is legitimate (like corporate VPNs), it’s a very strong indicator of bot activity since most real consumers don’t browse from servers.

FUNCTION check_data_center_ip(ip_address):
  // List of known IP ranges belonging to data centers and hosting providers
  data_center_ranges = load_data_center_ips()

  FOR range in data_center_ranges:
    IF ip_address in range:
      RETURN "FRAUDULENT" // IP is from a known data center
    END IF
  END FOR

  RETURN "VALID"

📈 Practical Use Cases for Businesses

• Campaign Budget Protection – Prevents ad spend from being wasted on automated bots and fraudulent clicks, ensuring that marketing funds are spent on reaching real potential customers and not on fake interactions.
• Data Integrity for Analytics – Filters out invalid traffic before it contaminates marketing analytics platforms. This provides a clear and accurate picture of genuine user engagement, conversion rates, and overall campaign performance.
• Improved Return on Ad Spend (ROAS) – By ensuring ads are shown to and clicked by real humans, CPM directly improves campaign efficiency. This leads to higher quality traffic, better lead generation, and an increased return on ad spend.
• Lead Generation Shielding – Blocks bots from filling out lead-generation forms with fake or stolen information. This saves sales teams time and resources by ensuring they only follow up on leads from genuinely interested prospects.

Example 1: Geofencing Rule

This pseudocode demonstrates how a business can apply a geofencing rule to block clicks from locations outside its target market, a common tactic to filter out traffic from click farms located in specific countries.

FUNCTION apply_geo_filter(click_data):
  allowed_countries = ["US", "CA", "GB"]
  click_country = get_country_from_ip(click_data.ip_address)

  IF click_country NOT IN allowed_countries:
    // Log and block the click as it is outside the target geo-fence
    log_event("Blocked click from outside target area", click_data)
    RETURN "BLOCK"
  ELSE:
    RETURN "ALLOW"
  END IF

Example 2: Session Interaction Scoring

This example shows a simplified scoring system that evaluates the authenticity of a user session. Clicks from sessions with very low scores are flagged as likely being automated or fraudulent.

FUNCTION score_session_authenticity(session_events):
  score = 0
  min_score_threshold = 20

  // Award points for human-like interactions
  IF session_events.has_mouse_movement:
    score += 15
  END IF

  IF session_events.scroll_depth > 30: // Scrolled more than 30%
    score += 10
  END IF

  IF session_events.time_on_page > 5: // Spent more than 5 seconds
    score += 5
  END IF

  // Return final decision based on score
  IF score < min_score_threshold:
    RETURN "FLAG_AS_FRAUD"
  ELSE:
    RETURN "SESSION_IS_VALID"
  END IF

🐍 Python Code Examples

This Python function simulates the detection of high-frequency clicks from a single IP address within a specific time window. It maintains a simple in-memory dictionary to track click timestamps and flags an IP if it exceeds a defined threshold, a common method for catching basic bot attacks.

from collections import defaultdict
import time

CLICK_HISTORY = defaultdict(list)
TIME_WINDOW = 60  # seconds
CLICK_THRESHOLD = 10

def is_suspiciously_frequent(ip_address):
    """Checks if an IP has an abnormal click frequency."""
    current_time = time.time()
    
    # Filter out timestamps older than the time window
    CLICK_HISTORY[ip_address] = [t for t in CLICK_HISTORY[ip_address] if current_time - t < TIME_WINDOW]
    
    # Add the new click timestamp
    CLICK_HISTORY[ip_address].append(current_time)
    
    # Check if the number of clicks exceeds the threshold
    if len(CLICK_HISTORY[ip_address]) > CLICK_THRESHOLD:
        print(f"Flagged IP: {ip_address} for high frequency.")
        return True
        
    return False

# --- Simulation ---
# is_suspiciously_frequent("192.168.1.100") # Returns False
# for _ in range(15): is_suspiciously_frequent("192.168.1.101") # Will return True after 11th call

This code provides a simple way to filter traffic based on suspicious User-Agent strings. By maintaining a blocklist of signatures associated with known bots, scrapers, and non-browser clients, it can quickly identify and block traffic that is not from a typical web user.

SUSPICIOUS_USER_AGENTS = [
    "python-requests", 
    "scrapy", 
    "headlesschrome", # Note: Can be legitimate, but often used by bots
    "bot",
    "crawler"
]

def filter_by_user_agent(user_agent_string):
    """Filters traffic based on a blocklist of User-Agent signatures."""
    ua_lower = user_agent_string.lower()
    
    for signature in SUSPICIOUS_USER_AGENTS:
        if signature in ua_lower:
            print(f"Blocked User-Agent: {user_agent_string}")
            return False # Block request
            
    return True # Allow request

# --- Simulation ---
# filter_by_user_agent("Mozilla/5.0 (Windows NT 10.0; Win64; x64) ...") # Returns True
# filter_by_user_agent("python-requests/2.25.1") # Returns False

Types of CPM

• Signature-Based CPM

  This type functions like an antivirus program by identifying threats using a predefined database of known fraudulent signatures. These signatures include blacklisted IP addresses, device IDs, and user-agent strings associated with bots. It is fast and effective against common, previously identified threats.

• Heuristic-Based CPM

  This method uses rule-based logic and established thresholds to flag suspicious activity. For example, it might set rules like "block any IP that clicks more than 10 times in one minute" or "flag sessions with zero mouse movement." It is effective at catching behavior that is clearly not human.

• Behavioral AI-Based CPM

  This is the most advanced type, leveraging machine learning to build a baseline of normal human behavior. It then detects fraud by identifying anomalies and deviations from that baseline, such as unusual navigation patterns or impossible sequences of actions. This allows it to adapt and catch new, previously unseen types of fraud.

• Hybrid CPM

  A hybrid model combines signature-based, heuristic, and behavioral AI approaches to create a multi-layered defense. It uses signatures for known threats, heuristics for obvious rule violations, and AI for sophisticated attacks. This layered approach provides the most comprehensive and resilient form of traffic protection.

How Cross device Works

User Interaction
 │
 ├─ Device A (Mobile) ─────► Data Collector ◄───── Device B (Desktop) ◄── User Interaction
 │     │ (IP, User Agent)            │                  │ (IP, User Agent)
 │     └─────────────────────────────┤──────────────────┘
 │                                   │
 │                           ┌───────▼───────┐
 │                           │ Cross-Device  │
 │                           │  ID Graph     │
 │                           └───────┬───────┘
 │                                   │
 │                           ┌───────▼───────┐
 │                           │ Unified User  │
 │                           │   Profile     │
 │                           └───────┬───────┘
 │                                   │
 │                         ┌─────────▼─────────┐
 │                         │ Fraud Detection   │
 │                         │      Engine       │
 │                         └─────────┬─────────┘
 │                                   │
 └────────────────► [Legitimate/Fraudulent] ◄─────────────── Analysis & Action

🧠 Core Detection Logic

Example 1: Cross-Device Velocity Check

This logic detects when a single unified user generates an impossibly high number of clicks across their different devices in a short period. It helps prevent bots that use multiple device signatures from the same network to rapidly deplete an ad budget. It sits within the real-time traffic filtering layer.

FUNCTION on_new_click(click_event):
  user_id = get_unified_user_id(click_event.device_id)
  
  IF user_id IS NOT NULL:
    current_time = now()
    time_window = 10_SECONDS 
    click_limit = 5

    recent_clicks = get_clicks_for_user(user_id, within_last=time_window)
    
    IF count(recent_clicks) > click_limit:
      FLAG_AS_FRAUD(user_id)
      BLOCK_IP(click_event.ip_address)
      log("Fraud Detected: High velocity cross-device clicks for user " + user_id)
    ELSE:
      record_click(user_id, click_event)
  END IF
END FUNCTION

Example 2: Geographic & Network Inconsistency

This logic flags a user profile as fraudulent if it exhibits activity from geographically distant locations or disparate networks simultaneously. For example, a click from a mobile device in one country and a desktop in another within seconds. This is a strong indicator of proxy abuse or a compromised user profile being used by a botnet.

FUNCTION analyze_user_session(user_id):
  session_events = get_events_for_user(user_id, last_minutes=1)

  locations = []
  networks = []

  FOR event IN session_events:
    locations.add(get_geolocation(event.ip_address))
    networks.add(get_network_provider(event.ip_address))
  END FOR

  // Check for impossible travel
  IF distance_between(locations) > 500_MILES:
    FLAG_AS_FRAUD(user_id, reason="Impossible geographic jump")
    
  // Check for simultaneous use of residential and datacenter IPs
  IF "Datacenter" IN networks AND "Residential" IN networks:
    FLAG_AS_FRAUD(user_id, reason="Mixed network profile")

END FUNCTION

Example 3: Unified Behavioral Anomaly Detection

This example scores a user based on their combined behavior across devices. A legitimate user might research on mobile and convert on desktop. A bot might exhibit robotic, repetitive patterns across all devices, such as clicking the exact same coordinates on an ad regardless of device type or screen size. This logic is used in post-click analysis.

FUNCTION calculate_behavior_score(user_id):
  score = 100
  events = get_all_events_for_user(user_id)
  
  // Penalize for non-human screen interaction
  click_positions = [event.click_xy for event in events]
  IF standard_deviation(click_positions) < 2_PIXELS:
    score = score - 40 // Clicks are always in the same spot

  // Penalize for lack of journey diversity
  page_views = {event.page_url for event in events}
  IF len(page_views) == 1 AND len(events) > 10:
    score = score - 30 // Repetitively hitting the same page

  // Penalize for mismatched user agents
  user_agents = {event.user_agent for event in events}
  IF has_conflicting_os_versions(user_agents):
    score = score - 20 // e.g., Profile shows iOS 14 and iOS 16 simultaneously

  IF score < 50:
    MARK_AS_SUSPICIOUS(user_id)
    
END FUNCTION

📈 Practical Use Cases for Businesses

• Campaign Shielding – Protects advertising budgets by identifying and blocking invalid traffic from coordinated, multi-device bot attacks before they can exhaust campaign funds. This ensures ad spend is directed toward genuine human users.
• Data Integrity for Analytics – Ensures that marketing analytics and user behavior data are clean and accurate. By filtering out fraudulent cross-device interactions, businesses can make better strategic decisions based on real user journeys, not bot-inflated metrics.
• Return on Ad Spend (ROAS) Optimization – Improves ROAS by preventing wasted ad spend on fraudulent clicks and conversions. Cross-device intelligence ensures that attribution models accurately reflect the customer journey, allowing for smarter budget allocation to the most effective channels and devices.
• Lead Generation Quality Control – Safeguards lead generation forms from being spammed by bots operating across multiple IPs and devices. This ensures that the sales pipeline is filled with genuine prospects, not fake leads that waste sales and marketing resources.

Example 1: Blocking Fraudulent User Profiles

This logic automatically adds a user's entire device cluster to an advertising platform's exclusion list once their fraud score crosses a certain threshold, preventing any of their associated devices from seeing future ads.

FUNCTION manage_user_profile(user_id, fraud_score):
  threshold = 75
  
  IF fraud_score > threshold:
    // Fetch all device IDs linked to this fraudulent user
    device_ids_to_block = get_all_devices_for_user(user_id)
    
    // Add each device to the ad platform's exclusion list
    FOR device_id IN device_ids_to_block:
      ad_platform_api.add_to_exclusion_list(device_id)
    END FOR
    
    log("User profile " + user_id + " and all associated devices blocked.")
  END IF
END FUNCTION

Example 2: Geofencing with Cross-Device Consistency

This pseudocode enforces a geofencing rule that considers the user's entire device profile. If any device in the user's cluster appears outside the target region, the user is invalidated, preventing VPN or proxy abuse where a user spoofs their location on only one device.

FUNCTION validate_geofence(user_id, target_country_code="US"):
  is_valid = True
  devices = get_all_devices_for_user(user_id)
  
  FOR device IN devices:
    device_ip = get_latest_ip(device.id)
    device_country = get_geolocation(device_ip).country_code
    
    IF device_country != target_country_code:
      is_valid = False
      log("User " + user_id + " failed geofence. Device " + device.id + " is in " + device_country)
      break // No need to check other devices
  END IF
  
  RETURN is_valid
END FUNCTION

🐍 Python Code Examples

This Python function simulates checking for abnormally high click frequency from a single unified user ID. It reads a list of click events (which could be sourced from a database or log stream) and flags users who exceed a defined click threshold within a specific time window.

from collections import defaultdict
from datetime import datetime, timedelta

def detect_high_frequency_clicks(clicks, time_window_seconds=60, click_threshold=10):
    """
    Analyzes a list of clicks to find users with high cross-device click frequency.
    
    Args:
      clicks: A list of dicts, e.g., [{'user_id': 'user-A', 'timestamp': '...'}, ...]
    """
    user_clicks = defaultdict(list)
    fraudulent_users = set()

    # Group clicks by user
    for click in clicks:
        user_clicks[click['user_id']].append(datetime.fromisoformat(click['timestamp']))

    # Analyze each user's click timestamps
    for user_id, timestamps in user_clicks.items():
        timestamps.sort()
        if len(timestamps) > click_threshold:
            for i in range(len(timestamps) - click_threshold):
                # Check if X clicks occurred within the time window
                if timestamps[i + click_threshold] - timestamps[i] < timedelta(seconds=time_window_seconds):
                    fraudulent_users.add(user_id)
                    print(f"Fraud Alert: User {user_id} exceeded click threshold.")
                    break # Move to the next user
    
    return list(fraudulent_users)

This code example demonstrates how to filter traffic based on suspicious device attributes associated with a user profile. It checks if a user is simultaneously associated with both mobile and desktop user agents that are known to be used by bots, or if they have an unusually high number of distinct device profiles.

def filter_suspicious_device_profiles(user_profiles):
    """
    Filters user profiles based on suspicious cross-device attributes.
    
    Args:
      user_profiles: A dict, e.g., {'user-A': {'devices': ['device1', 'device2']}, ...}
    """
    suspicious_users = []
    
    # Example list of known bot user agents
    BOT_USER_AGENTS = ["headless-chrome/bot", "PhantomJS/2.1.1"]

    for user_id, profile_data in user_profiles.items():
        device_count = len(profile_data.get('devices', []))
        user_agents = profile_data.get('user_agents', [])

        # Rule 1: Too many devices linked to one user
        if device_count > 5:
            suspicious_users.append(user_id)
            print(f"Suspicious: User {user_id} has {device_count} devices.")
            continue

        # Rule 2: Presence of known bot user agents
        if any(bot_ua in user_agents for bot_ua in BOT_USER_AGENTS):
            suspicious_users.append(user_id)
            print(f"Suspicious: User {user_id} has a known bot user agent.")
            continue
            
    return suspicious_users

Types of Cross device

• Deterministic Matching
  This method links devices with 100% certainty by using personally identifiable information (PII) like an email or phone number that a user provides to log into services on multiple devices. It is highly accurate but has a limited scale as it depends on users being logged in.
• Probabilistic Matching
  This method uses statistical analysis of thousands of non-personal data points—such as IP address, device type, operating system, and browsing behavior—to infer that multiple devices likely belong to the same user. It offers greater scale but is less accurate than deterministic matching.
• Hybrid Matching
  This approach combines deterministic and probabilistic methods to improve both accuracy and scale. It uses a core set of accurate, deterministic matches to "train" and validate the algorithms used for broader probabilistic matching, creating a more robust and reliable identity graph for fraud detection.
• Device Fingerprinting
  This technique creates a unique signature for a device by collecting a combination of its attributes (e.g., browser version, installed fonts, screen resolution). In cross-device analysis, these fingerprints are used as data points to help link activity from anonymous browsers back to a unified user profile.

How Daily active users Works

Incoming Traffic (Clicks/Impressions)
         │
         ▼
+---------------------+      +---------------------+      +---------------------+
│   Data Collection   │ ---> │  User Aggregation   │ ---> │   DAU Monitoring    │
│ (IP, UA, Timestamp) │      │ (Group by User ID)  │      │ (Establish Baseline)│
+---------------------+      +---------------------+      +---------------------+
         │                                                        │
         │                                                        ▼
         └───────────────────────────┐                +---------------------+
                                     │                │   Anomaly Detection │
                                     ▼                │  (Spikes, Geo, etc) │
                           +---------------------+      +---------------------+
                           │  Behavioral Analysis│      │     Scoring &       │
                           │  (Session, Events)  │ ---> │     Flagging        │
                           +---------------------+      +---------------------+
                                                                  │
                                                                  ▼
                                                          +---------------------+
                                                          │ Action/Alert      │
                                                          │ (Block, Review)   │
                                                          +---------------------+

🧠 Core Detection Logic

Example 1: DAU Spike from New Geolocation

This logic identifies a sudden surge in daily active users originating from a geographic location that is not typically a source of traffic. It’s effective against botnets that use servers in specific, often unusual, countries to launch attacks. This check runs by comparing the daily user count per country against historical averages.

FUNCTION check_geo_dau_anomaly(today_dau_by_country, historical_avg_by_country):
  FOR country, daily_count IN today_dau_by_country.items():
    avg_count = historical_avg_by_country.get(country, 0)
    
    IF daily_count > (avg_count * 5) AND daily_count > 1000:
      // High confidence anomaly if count is 5x the average and over a minimum threshold
      FLAG_AS_FRAUD(country, "Unusual DAU spike")
    ELSE IF avg_count == 0 AND daily_count > 500:
      // Flag new countries with significant user counts
      FLAG_AS_FRAUD(country, "New significant DAU source")
  ENDFOR
END FUNCTION

Example 2: High DAU with Abnormally Low Session Duration

This heuristic flags traffic as fraudulent when a high number of daily active users corresponds with extremely short session durations. Legitimate users spend time on a site, whereas bots often “bounce” immediately after the click registers. This logic is crucial for detecting non-sophisticated bot traffic.

FUNCTION check_session_duration_anomaly(daily_active_users, avg_session_duration):
  
  // Historical average DAU is, for example, 10,000
  // Historical average session duration is, for example, 120 seconds
  
  IF daily_active_users > 20000 AND avg_session_duration < 5:
    // If DAU doubles but average time on site is less than 5 seconds
    TRIGGER_ALERT("High DAU, Low Engagement Anomaly")
    RETURN "FRAUD_DETECTED"
  ENDIF

  RETURN "NORMAL"
END FUNCTION

Example 3: Mismatched DAU and Conversion Rate

This logic detects fraud by identifying a major discrepancy between the number of active users and the conversion rate. If the DAU count triples overnight but the number of sign-ups or sales remains flat, it suggests the new users are not genuine and are likely bots with no purchase intent.

FUNCTION check_dau_conversion_mismatch(dau_today, conversions_today, dau_avg, conversion_avg):

  dau_increase_factor = dau_today / dau_avg
  conversion_change_factor = conversions_today / conversion_avg

  // If DAU increases by more than 100% (doubles)
  IF dau_increase_factor > 2.0:
    // But conversion rate change is minimal (e.g., less than 10%)
    IF conversion_change_factor < 1.1:
      // This indicates the new users are not converting, a strong sign of fraud
      MARK_TRAFFIC_AS_SUSPICIOUS("DAU spike without corresponding conversion lift")
    ENDIF
  ENDIF

END FUNCTION

📈 Practical Use Cases for Businesses

• Campaign Shielding – Protects active advertising campaigns from budget drain by identifying and blocking traffic from sources that exhibit anomalous DAU spikes or suspicious behavioral patterns, ensuring ads are shown to real potential customers.
• Analytics Purification – Ensures marketing analytics are based on real human interactions by filtering out bot-driven traffic. This leads to more accurate metrics like conversion rate and customer lifetime value, enabling better strategic decisions.
• Return on Ad Spend (ROAS) Improvement – By preventing payment for fake clicks and ensuring budgets are spent on users with genuine interest, analyzing DAU for fraud directly boosts the efficiency and profitability of advertising investments.
• Bot-Free User Metrics – Helps businesses report on and understand their true user base by distinguishing between legitimate daily active users and automated bots, which is crucial for valuation, strategy, and product development.

Example 1: Campaign-Level DAU Threshold

This pseudocode sets a hard limit on the number of new daily users a specific campaign can generate from a single publisher. If a publisher suddenly sends an abnormally high number of "users," their traffic is throttled or blocked to prevent budget exhaustion from a suspected bot attack.

// Logic to protect a specific ad campaign
PUBLISHER_DAILY_CAP = 5000
publisher_dau_counts = get_daily_user_counts_by_publisher(campaign_id = 'summer_sale')

FOR publisher, count IN publisher_dau_counts.items():
    IF count > PUBLISHER_DAILY_CAP:
        // Block new traffic from this publisher for the rest of the day
        block_publisher(publisher_id = publisher)
        log_event("Publisher exceeded daily user cap, traffic blocked.")
    ENDIF
ENDFOR

Example 2: User-Agent Anomaly Detection

This logic analyzes the distribution of user-agent strings within the daily active user pool. A sudden shift, such as a huge percentage of users having an outdated or rare user-agent, indicates an attack from a bot farm that hasn't bothered to diversify its device signatures.

// Check for suspicious user-agent distributions among daily users
FUNCTION analyze_user_agent_distribution(daily_active_users_list):
    ua_counts = count_user_agents(daily_active_users_list)
    total_users = len(daily_active_users_list)

    FOR ua_string, count IN ua_counts.items():
        percentage = (count / total_users) * 100

        // If one specific, non-standard user-agent accounts for over 30% of traffic
        IF is_suspicious_ua(ua_string) AND percentage > 30:
            FLAG_TRAFFIC_SOURCE(ua_string, "Dominant suspicious user-agent")
            break
        ENDIF
    ENDFOR
END FUNCTION

🐍 Python Code Examples

This Python code demonstrates a simple way to detect a fraudulent surge in daily active users by checking if the count exceeds a dynamic threshold based on the historical average and standard deviation.

import numpy as np

# Historical DAU data for the last 30 days
historical_dau = #...and so on

def detect_dau_spike(today_dau, history):
    """Flags today's DAU if it's a statistical outlier."""
    if not history:
        return False
    
    avg = np.mean(history)
    std_dev = np.std(history)
    threshold = avg + (3 * std_dev) # 3 standard deviations above the mean

    if today_dau > threshold:
        print(f"FRAUD ALERT: DAU of {today_dau} exceeds threshold of {threshold:.0f}")
        return True
    
    print(f"NORMAL: DAU of {today_dau} is within normal range.")
    return False

# Simulate a normal day and a fraud day
normal_day_users = 10800
fraud_day_users = 25000

detect_dau_spike(normal_day_users, historical_dau)
detect_dau_spike(fraud_day_users, historical_dau)

This example filters incoming clicks based on IP reputation. It simulates checking each user's IP address against a known blocklist of suspicious IPs, a common first line of defense in click fraud prevention.

# A pre-defined set of known fraudulent IP addresses
IP_BLOCKLIST = {"1.2.3.4", "5.6.7.8", "9.10.11.12"}

def filter_suspicious_ips(click_events):
    """Filters out clicks from known bad IPs."""
    legitimate_clicks = []
    fraudulent_clicks = 0

    for event in click_events:
        if event['ip_address'] in IP_BLOCKLIST:
            fraudulent_clicks += 1
        else:
            legitimate_clicks.append(event)
    
    print(f"Blocked {fraudulent_clicks} fraudulent clicks.")
    print(f"Allowed {len(legitimate_clicks)} legitimate clicks.")
    return legitimate_clicks

# Simulate a stream of incoming click events
clicks = [
    {'user_id': 'a', 'ip_address': '123.45.67.89'},
    {'user_id': 'b', 'ip_address': '1.2.3.4'}, # Fraudulent IP
    {'user_id': 'c', 'ip_address': '98.76.54.32'},
    {'user_id': 'd', 'ip_address': '5.6.7.8'}  # Fraudulent IP
]

filter_suspicious_ips(clicks)

This code analyzes session behavior to identify bots. It flags users with an unusually high number of clicks but an extremely low session duration, which is characteristic of non-human click automation.

def analyze_session_behavior(user_sessions):
    """Identifies suspicious behavior based on click count and session time."""
    for user_id, data in user_sessions.items():
        clicks = data['click_count']
        duration = data['session_duration_sec']
        
        # Rule: More than 10 clicks in less than 5 seconds is suspicious
        if clicks > 10 and duration < 5:
            print(f"SUSPICIOUS BEHAVIOR: User {user_id} had {clicks} clicks in {duration}s.")
        else:
            print(f"NORMAL BEHAVIOR: User {user_id} had {clicks} clicks in {duration}s.")

# Simulate user session data for the day
sessions = {
    'user_A': {'click_count': 3, 'session_duration_sec': 180},
    'user_B': {'click_count': 15, 'session_duration_sec': 3}, # Bot-like behavior
    'user_C': {'click_count': 1, 'session_duration_sec': 95}
}

analyze_session_behavior(sessions)

Types of Daily active users

• Monetizable DAU (mDAU) – This refers to unique, authenticated users who can be shown ads. Filtering for mDAU is critical for fraud prevention as it separates legitimate, logged-in users from unidentified traffic or bots that cannot be monetized, providing a cleaner baseline for analysis.
• Segmented DAU – This is the analysis of daily active users broken down by specific attributes such as geographic region, traffic source, or device type. This is vital for pinpointing fraud, as an attack often originates from a single, anomalous segment (e.g., all from one country or one mobile carrier).
• Validated DAU – This counts only those daily users who have passed an additional verification step, such as a CAPTCHA or multi-factor authentication. This type of DAU is considered highly trustworthy and helps establish a fraud-free benchmark to compare against total traffic.
• New vs. Returning DAU – Fraud detection systems often analyze new and returning users separately. A sudden, massive spike in "new" DAU with low engagement is a classic sign of a bot attack, whereas a steady ratio of new to returning users indicates healthy, organic growth.

How Dashboard Metrics Works

Incoming Ad Traffic → [Data Collection] → [Metric Analysis Engine] → [Decision Logic] → Output
      │                       │                      │                     │
      │                       │                      │                     └─┬─> [Block/Flag Traffic]
      │                       │                      │                       └─> [Allow Traffic]
      │                       │                      │
      └───────────────────────┴──────────────────────┴──────────────────────> [Real-time Dashboard]

🧠 Core Detection Logic

Example 1: Click Frequency Throttling

This logic prevents a single user or bot from clicking an ad excessively in a short period. It is a fundamental defense against basic click-bombing attacks by setting a hard limit on allowed click frequency from any single source.

// Define click frequency limits
max_clicks = 5
time_window_seconds = 60
ip_click_log = {}

FUNCTION onAdClick(request):
    ip = request.getIPAddress()
    current_time = now()

    // Initialize or clean up old click records for the IP
    IF ip not in ip_click_log:
        ip_click_log[ip] = []
    
    ip_click_log[ip] = [t for t in ip_click_log[ip] if current_time - t < time_window_seconds]

    // Check if click count exceeds the limit
    IF len(ip_click_log[ip]) >= max_clicks:
        RETURN "BLOCK_CLICK"
    ELSE:
        // Log the new click and allow it
        ip_click_log[ip].append(current_time)
        RETURN "ALLOW_CLICK"

Example 2: Geo-Mismatch Detection

This logic checks for inconsistencies between a user’s stated location (e.g., from a language setting or profile) and their technical location (derived from their IP address). It helps catch fraud where attackers use proxies or VPNs to appear as if they are in a high-value geographic target area.

FUNCTION analyzeTraffic(click_data):
    ip_address = click_data.getIP()
    user_profile_country = click_data.getProfileCountry()
    
    // Use a geo-IP lookup service
    ip_geo_country = geoLookup(ip_address)

    // Compare the IP-based country with the user's profile country
    IF ip_geo_country != user_profile_country:
        // Flag for review or apply a higher fraud score
        click_data.setFraudScore(click_data.getFraudScore() + 20)
        RETURN "FLAG_AS_SUSPICIOUS"
    ELSE:
        RETURN "VALID_GEOGRAPHY"

Example 3: Session Behavior Analysis

This logic evaluates the time between critical user actions, such as the time from an ad click to an install or the time from landing on a page to completing a form. Unusually short or impossibly fast session durations are strong indicators of non-human (bot) activity.

FUNCTION evaluateSession(session_events):
    click_time = session_events.find("ad_click").timestamp
    install_time = session_events.find("app_install").timestamp

    // Calculate time delta in seconds
    click_to_install_time = install_time - click_time

    // Bots often have an impossibly short install time
    IF click_to_install_time < 10: // 10 seconds is a common minimum threshold
        session_events.markAs("FRAUDULENT")
        RETURN "BOT_BEHAVIOR_DETECTED"
    ELSE:
        RETURN "HUMAN_BEHAVIOR_CONFIRMED"

📈 Practical Use Cases for Businesses

Businesses use dashboard metrics to translate raw traffic data into actionable fraud prevention strategies, directly impacting campaign efficiency and budget allocation.

• Campaign Shielding – Actively monitor metrics like click-through rate and conversion rate per source to identify and block low-quality or fraudulent publishers in real time, preserving the ad budget for legitimate channels.
• Lead Quality Assurance – Analyze post-click engagement metrics, such as time-on-page and form completion speed, to filter out fake leads generated by bots. This ensures the sales team receives genuinely interested prospects, improving efficiency.
• ROAS Optimization – By separating invalid traffic from genuine users, businesses get a clear and accurate picture of their Return on Ad Spend (ROAS). This allows them to reallocate funds from fraudulent sources to high-performing campaigns with confidence.
• Geographic Targeting Enforcement – Use geo-location metrics to ensure ad spend is concentrated on targeted regions. By flagging and blocking clicks from outside the target area, businesses avoid paying for irrelevant traffic from click farms or VPNs.

Example 1: Publisher Fraud Scoring Rule

This pseudocode demonstrates a system that scores publishers based on their traffic quality metrics. Publishers with consistently high bounce rates and low conversion rates are flagged, and their traffic can be automatically deprioritized or blocked.

FUNCTION assessPublisher(publisher_id, metrics):
    // Get key performance metrics for the publisher
    bounce_rate = metrics.getBounceRate()
    conversion_rate = metrics.getConversionRate()
    
    fraud_score = 0
    
    IF bounce_rate > 90:
        fraud_score += 40
        
    IF conversion_rate < 0.1:
        fraud_score += 50

    IF fraud_score > 75:
        // Automatically add publisher to a blocklist
        blocklist.add(publisher_id)
        RETURN "PUBLISHER_BLOCKED"
    ELSE:
        RETURN "PUBLISHER_OK"

Example 2: Session Anomaly Detection Logic

This example outlines logic to identify suspicious user sessions. A session with an extremely high number of page views in a very short time is indicative of a scraper bot, not a real user. This helps protect website content and ensures analytics reflect human engagement.

FUNCTION analyzeSession(session_data):
    page_views = session_data.countPageViews()
    session_duration_seconds = session_data.getDuration()
    
    // Avoid division by zero
    IF session_duration_seconds == 0:
        RETURN "INVALID_SESSION"

    // Calculate pages per second
    pages_per_second = page_views / session_duration_seconds
    
    // A human can't browse more than 1 page per second on average
    IF pages_per_second > 1.0:
        session_data.markAsBot()
        RETURN "SESSION_FLAGGED_AS_BOT"
    ELSE:
        RETURN "SESSION_IS_VALID"

🐍 Python Code Examples

Example 1: Detect Abnormal Click Frequency

This script analyzes a list of click events to identify IP addresses with an unusually high frequency of clicks within a defined time window, a common sign of bot activity.

from collections import defaultdict

def detect_frequent_clicks(clicks, time_limit_seconds=60, click_threshold=10):
    ip_clicks = defaultdict(list)
    fraudulent_ips = set()

    for click in clicks:
        ip = click['ip']
        timestamp = click['timestamp']
        
        # Remove clicks older than the time limit
        ip_clicks[ip] = [t for t in ip_clicks[ip] if timestamp - t <= time_limit_seconds]
        
        # Add current click
        ip_clicks[ip].append(timestamp)
        
        # Check if threshold is exceeded
        if len(ip_clicks[ip]) > click_threshold:
            fraudulent_ips.add(ip)
            
    return list(fraudulent_ips)

# Example usage:
# clicks = [{'ip': '1.2.3.4', 'timestamp': 1677611000}, {'ip': '1.2.3.4', 'timestamp': 1677611001}, ...]
# print(detect_frequent_clicks(clicks))

Example 2: Filter by User-Agent Blacklist

This code checks incoming traffic against a blacklist of known non-human or suspicious user-agent strings. It’s a simple yet effective way to block outdated bots and known bad actors.

def filter_by_user_agent(traffic_log, blacklist):
    legitimate_traffic = []
    blocked_traffic = []

    for request in traffic_log:
        user_agent = request.get('user_agent', '').lower()
        is_blacklisted = False
        for blocked_ua in blacklist:
            if blocked_ua.lower() in user_agent:
                is_blacklisted = True
                break
        
        if is_blacklisted:
            blocked_traffic.append(request)
        else:
            legitimate_traffic.append(request)
            
    return legitimate_traffic, blocked_traffic

# Example usage:
# blacklist = ["DataScraper/1.0", "BadBot", "HeadlessChrome"]
# traffic = [{'user_agent': 'Mozilla/5.0...'}, {'user_agent': 'DataScraper/1.0...'}]
# clean, blocked = filter_by_user_agent(traffic, blacklist)
# print(f"Blocked Requests: {len(blocked)}")

Types of Dashboard Metrics

• Behavioral Metrics – These metrics focus on user actions and engagement patterns after a click. They include metrics like session duration, bounce rate, pages per visit, and conversion rates. Anomalies here, such as near-instant bounces or zero time on site, often indicate non-human traffic.
• Network and Technical Metrics – This category includes data points derived from the technical properties of a connection. Key examples are IP address reputation, user-agent string analysis, device fingerprinting, and geographic location. These are crucial for identifying traffic originating from data centers, proxies, or known fraudulent sources.
• Time-Based Metrics – This type analyzes the timing of interactions. Metrics such as Click-to-Install Time (CTIT), click frequency, and time between actions are used to spot impossibly fast or unnaturally rhythmic patterns that are hallmarks of automated scripts and bots.
• Source-Based Metrics – These metrics evaluate the performance and quality of traffic from specific sources, such as publishers, ad placements, or campaigns. By monitoring metrics like Invalid Traffic (IVT) rates and Return on Ad Spend (ROAS) per source, advertisers can quickly cut funding to fraudulent channels.

How Data driven attribution Works

Raw Traffic Data → [Data Collection Engine] → User & Event Attributes → [Attribution & Scoring Model] → Fraud Score → [Action Engine] → Allow / Block
      │                                             (IP, UA, Timestamps)          │ (ML & Heuristics)                     │ (Thresholds)
      └───────────────────────────────────────────────────────────────────────────┴───────────────────────────────────────┘
                                                     Feedback Loop to Refine Model

🧠 Core Detection Logic

Example 1: Repetitive Action Throttling

This logic identifies non-human velocity by tracking the frequency of clicks or events from a single IP address or device fingerprint. A data-driven model establishes a baseline for normal frequency, and any source exceeding this dynamic threshold in a short time window is flagged as a likely bot.

FUNCTION check_click_velocity(request):
  ip = request.ip_address
  timestamp = request.timestamp

  // Retrieve past click times for this IP
  click_history = get_clicks_for_ip(ip)

  // Count clicks in the last 60 seconds
  recent_clicks = count_clicks_since(timestamp - 60, click_history)

  // Threshold determined by attribution model
  VELOCITY_THRESHOLD = 15 

  IF recent_clicks > VELOCITY_THRESHOLD:
    RETURN "BLOCK"
  ELSE:
    record_click(ip, timestamp)
    RETURN "ALLOW"

Example 2: Session Behavior Analysis

This logic analyzes the sequence of actions within a user session to assess its authenticity. A data-driven approach learns that legitimate users often browse before converting, while fraudulent sessions might show an immediate, direct click on a high-value ad with no prior engagement on the site.

FUNCTION analyze_session_behavior(session):
  session_duration = session.end_time - session.start_time
  page_views = session.page_view_count
  conversion_click = session.conversion_event

  // Flag sessions that are too short but result in a conversion
  IF conversion_click AND session_duration < 2_seconds AND page_views <= 1:
    session.fraud_score = 0.95
    RETURN "FLAG_AS_SUSPICIOUS"

  // Check for lack of interaction
  IF session.mouse_movement_events == 0 AND session_duration > 10_seconds:
    session.fraud_score = 0.80
    RETURN "FLAG_AS_SUSPICIOUS"

  RETURN "LOOKS_NORMAL"

Example 3: Cross-Campaign Anomaly Detection

Data-driven attribution connects user activity across different ad campaigns or properties. If the same device ID or IP address group consistently clicks on unrelated ads in a coordinated, machine-like pattern, the model flags this as a probable botnet or organized fraud operation.

FUNCTION check_cross_campaign_fraud(click_event):
  device_id = click_event.device_id
  current_campaign = click_event.campaign_id
  
  // Get history of campaigns this device has interacted with
  campaign_history = get_campaign_interactions(device_id)

  // If device clicks on more than 5 different campaigns in 1 minute
  IF count_unique(campaign_history.last(60_seconds)) > 5:
    increase_fraud_score(device_id, 0.5)
    log_alert("Coordinated behavior detected for device: " + device_id)
    RETURN "HIGH_RISK"
  
  RETURN "LOW_RISK"

📈 Practical Use Cases for Businesses

• Budget Protection: Data-driven attribution identifies and blocks invalid traffic sources in real-time, preventing ad spend waste on fraudulent clicks and ensuring that the budget is allocated to channels that reach genuine customers.
• Data-Driven Channel Optimization: By filtering out bot traffic, businesses get a clean, accurate view of campaign performance. This allows them to use attribution data to confidently invest more in high-performing channels that drive real conversions and ROI.
• Conversion Fraud Prevention: The system protects against fake form submissions, sign-ups, or app installs by analyzing the entire user journey leading to a conversion. It flags conversions originating from low-quality, suspicious traffic sources as fraudulent.
• Improved ROAS Measurement: Clean data leads to an accurate Return on Ad Spend (ROAS) calculation. Businesses can measure the true impact of their marketing efforts without metrics being skewed by invalid clicks and non-human interactions.

Example 1: Geolocation Mismatch Filter

This logic prevents fraud from sources that fake their location to match campaign targeting rules. It compares the IP address’s reported location with other signals to verify authenticity.

FUNCTION validate_geolocation(click):
  ip_geo = get_geo_from_ip(click.ip) 
  campaign_target_geo = click.campaign.target_country

  // Simple check for campaign compliance
  IF ip_geo.country != campaign_target_geo:
    RETURN "BLOCK_GEO_MISMATCH"

  // Advanced check for proxy/VPN usage
  IF is_known_proxy(click.ip) OR is_datacenter_ip(click.ip):
    RETURN "BLOCK_PROXY_DETECTED"
    
  RETURN "GEO_VALIDATED"

Example 2: Conversion Path Scoring

This example scores the plausibility of a conversion based on the preceding user journey. A conversion that follows an unnatural or minimal path (e.g., no page views, instant click) is assigned a high fraud score and invalidated.

FUNCTION score_conversion_path(session):
  score = 0
  
  // Penalize for short time-on-site before conversion
  IF session.time_on_site < 5_seconds:
    score += 40

  // Penalize for no mouse movement
  IF session.mouse_events_count == 0:
    score += 30

  // Penalize if referrer is missing or suspicious
  IF is_suspicious_referrer(session.referrer):
    score += 20
  
  // A score over 50 is considered fraudulent
  IF score > 50:
    RETURN "INVALID_CONVERSION"
  
  RETURN "VALID_CONVERSION"

🐍 Python Code Examples

This script simulates the detection of abnormal click frequency from a single IP address. Tracking clicks per IP within a short timeframe is a fundamental technique for identifying automated bot activity.

from collections import defaultdict
import time

CLICK_TIMESTAMPS = defaultdict(list)
TIME_WINDOW_SECONDS = 60
CLICK_THRESHOLD = 20

def record_and_check_click(ip_address):
    """Records a click and checks if it exceeds the frequency threshold."""
    current_time = time.time()
    
    # Add current click timestamp
    CLICK_TIMESTAMPS[ip_address].append(current_time)
    
    # Remove old timestamps that are outside the time window
    CLICK_TIMESTAMPS[ip_address] = [t for t in CLICK_TIMESTAMPS[ip_address] if current_time - t < TIME_WINDOW_SECONDS]
    
    # Check if click count exceeds the threshold
    if len(CLICK_TIMESTAMPS[ip_address]) > CLICK_THRESHOLD:
        print(f"Fraud Alert: IP {ip_address} exceeded click threshold.")
        return False
        
    print(f"Click from {ip_address} recorded successfully.")
    return True

# Simulation
record_and_check_click("192.168.1.100") # Returns True
# Simulate 25 rapid clicks from another IP
for _ in range(25):
  record_and_check_click("203.0.113.55") # Will eventually return False

This function validates a request by checking its User-Agent string against a blocklist of known bot signatures. This helps filter out simple, non-sophisticated bots that do not attempt to hide their identity.

KNOWN_BOT_AGENTS = [
    "Googlebot",
    "Bingbot",
    "AhrefsBot",
    "SemrushBot",
    "Python-urllib",
    "Scrapy"
]

def is_user_agent_a_bot(user_agent_string):
    """Checks if a user agent is in the known bot list."""
    if not user_agent_string:
        return True # Empty user agents are suspicious
        
    for bot_agent in KNOWN_BOT_AGENTS:
        if bot_agent.lower() in user_agent_string.lower():
            print(f"Detected known bot: {bot_agent}")
            return True
            
    return False

# Simulation
ua_real_user = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
ua_bot = "Mozilla/5.0 (compatible; AhrefsBot/7.0; +http://ahrefs.com/robot/)"

print(f"Is real user a bot? {is_user_agent_a_bot(ua_real_user)}")
print(f"Is bot a bot? {is_user_agent_a_bot(ua_bot)}")

Types of Data driven attribution

• Rule-Based Attribution: This approach uses a predefined, static set of rules to flag suspicious activity (e.g., “block any IP that clicks more than 10 times in one minute”). It is fast and simple but is easily evaded by fraudsters who can adapt their behavior to stay just under the rule thresholds.
• Heuristic-Based Attribution: This method applies “rules of thumb” derived from observing common fraud patterns, such as unusual time-of-day activity, non-standard user agents, or improbable click-through rates. It is more flexible than rigid rules but can sometimes generate false positives by misinterpreting unconventional human behavior.
• Machine Learning (ML) Models: This type utilizes algorithms (like logistic regression or neural networks) trained on vast datasets of both clean and fraudulent traffic. It excels at identifying complex, evolving fraud patterns that simpler methods would miss, making it highly effective against sophisticated bots.
• Full Path Attribution Analysis: This model evaluates the entire sequence of user interactions leading up to a click or conversion event. It assigns fraud risk based on the journey’s overall plausibility, allowing it to detect anomalies like immediate clicks on a landing page without any exploration, which indicates non-human behavior.

How Data Enrichment Tools Works

+---------------------+      +----------------------+      +---------------------+      +-----------------+
|   Incoming Click    | →    |  Initial Data Grab   | →    |  Data Enrichment   | →    |  Risk Analysis  |
| (IP, User-Agent...) |      | (Timestamp, Geo...)  |      |  (Cross-Reference) |      |   (Scoring)     |
+---------------------+      +----------------------+      +---------------------+      +-----------------+
                                         │                       │                             │
                                         │                       │                             └─→ Valid? ─── YES ---> Allow
                                         │                       │
                                         └───────────────────────┼───────────────────────> Flagged? ── YES ---> Block/Review
                                                                 │
                                                         +------------------+
                                                         | External DBs     |
                                                         | (Threat Feeds,   |
                                                         |  IP Reputation)  |
                                                         +------------------+

🧠 Core Detection Logic

Example 1: IP Reputation and Proxy Detection

This logic checks an incoming click’s IP address against known blocklists and databases of data centers, VPNs, and proxies. It’s a foundational layer of traffic protection that filters out obvious non-human traffic from servers, which are often used for bot-driven ad fraud.

FUNCTION checkIpReputation(ip_address):
  // Query external threat intelligence databases
  is_known_bad = queryThreatFeed(ip_address)
  is_datacenter_ip = queryDatacenterDB(ip_address)
  is_proxy_or_vpn = queryProxyDB(ip_address)

  IF is_known_bad OR is_datacenter_ip OR is_proxy_or_vpn:
    RETURN "fraudulent"
  ELSE:
    RETURN "legitimate"
  END IF
END FUNCTION

Example 2: Session Heuristics and Behavior Rules

This logic analyzes user behavior within a session to identify patterns inconsistent with human interaction. It focuses on timing and frequency, such as an impossibly short time between viewing an ad and clicking it, or an excessive number of clicks from one user, which often indicate automated scripts.

FUNCTION analyzeSessionBehavior(session_data):
  // Calculate time-to-click in seconds
  time_to_click = session_data.click_timestamp - session_data.impression_timestamp
  click_frequency = getClickFrequency(session_data.user_id, last_60_seconds)

  // Rule 1: Time-to-click is too fast
  IF time_to_click < 1:
    RETURN "suspicious"

  // Rule 2: Click frequency is too high
  IF click_frequency > 10:
    RETURN "suspicious"

  RETURN "legitimate"
END FUNCTION

Example 3: Geo Mismatch Detection

This logic compares the geographical location derived from a user’s IP address with other location data, such as their browser’s language settings or timezone. A significant mismatch, like an IP in one country and a browser timezone from another, is a strong indicator of a user attempting to hide their true location, a common tactic in ad fraud.

FUNCTION checkGeoMismatch(ip_address, browser_timezone):
  // Enrich IP to get country
  ip_country = getCountryFromIP(ip_address)

  // Get expected timezones for that country
  expected_timezones = getTimezonesForCountry(ip_country)

  IF browser_timezone NOT IN expected_timezones:
    RETURN "fraud_indicator"
  ELSE:
    RETURN "consistent"
  END IF
END FUNCTION

📈 Practical Use Cases for Businesses

• Campaign Shielding – Data enrichment tools are used to build real-time exclusion lists, preventing bots and known fraudulent actors from ever seeing or clicking on ads. This proactively shields advertising budgets from being wasted on invalid traffic and improves campaign performance by focusing spend on genuine users.
• Lead Generation Filtering – For businesses running lead generation campaigns, these tools verify and score incoming leads based on enriched data like email validity and IP reputation. This ensures that the sales team spends time on legitimate prospects, not fake or bot-generated leads, increasing conversion rates.
• Analytics Purification – By filtering out invalid and bot traffic before it pollutes analytics platforms, data enrichment ensures that metrics like click-through rates, conversion rates, and user engagement are accurate. This gives businesses a true understanding of campaign performance and customer behavior, leading to better strategic decisions.
• Return on Ad Spend (ROAS) Optimization – Data enrichment helps identify and block the sources of fraudulent clicks, preventing budget drain. By reallocating spend from fraudulent channels to high-performing, legitimate ones, businesses can significantly improve their overall return on ad spend and achieve better marketing outcomes.

Example 1: Geofencing Rule

This pseudocode demonstrates a common use case where a business wants to ensure that clicks are coming from their target geographic regions. Data enrichment provides the accurate location of an IP address, allowing the system to enforce these campaign rules.

// Use Case: A campaign is targeted only to users in the United States and Canada.

FUNCTION enforceGeofence(click_data):
  target_countries = ["US", "CA"]

  // Enrich the IP address to get its country of origin
  click_country = getCountryFromIP(click_data.ip_address)

  IF click_country IN target_countries:
    // Allow the click
    RETURN "VALID"
  ELSE:
    // Block the click as it's outside the target area
    RETURN "INVALID_GEO"
  END IF
END FUNCTION

Example 2: Session Scoring Logic

This example shows how multiple data enrichment points can be combined into a risk score. A business can use this score to decide whether to trust a conversion, flag a user for review, or block them entirely, thereby protecting against sophisticated, multi-layered fraud.

// Use Case: Assign a fraud score to a user session based on multiple risk factors.

FUNCTION calculateSessionFraudScore(session_data):
  score = 0

  // Enrich IP and check if it is from a data center
  IF isDatacenterIP(session_data.ip_address):
    score = score + 40

  // Check for suspicious user agent
  IF isKnownBotUserAgent(session_data.user_agent):
    score = score + 30

  // Analyze click speed
  IF session_data.time_to_click < 2 seconds:
    score = score + 20

  // Analyze if email is disposable
  IF isDisposableEmail(session_data.email):
    score = score + 10

  RETURN score // Higher score means higher fraud risk
END FUNCTION

🐍 Python Code Examples

This code demonstrates how to filter a list of incoming clicks by checking each IP address against a predefined blocklist. This is a fundamental technique in fraud prevention to block traffic from known malicious sources.

# Example 1: Filtering a batch of clicks against a known fraudulent IP blocklist

FRAUDULENT_IPS = {"198.51.100.1", "203.0.113.10", "192.0.2.55"}

def filter_fraudulent_ips(clicks):
  clean_clicks = []
  for click in clicks:
    if click['ip_address'] not in FRAUDULENT_IPS:
      clean_clicks.append(click)
  return clean_clicks

# --- Simulation ---
incoming_clicks = [
  {'id': 1, 'ip_address': '8.8.8.8'},
  {'id': 2, 'ip_address': '203.0.113.10'}, # This one is fraudulent
  {'id': 3, 'ip_address': '1.1.1.1'}
]

valid_clicks = filter_fraudulent_ips(incoming_clicks)
print(f"Valid clicks after filtering: {valid_clicks}")

This example simulates the detection of abnormal click frequency from a single IP address within a short time frame. Systems use this logic to identify automated scripts or bots that generate a high volume of clicks, which is unnatural for a human user.

# Example 2: Detecting abnormal click frequency

from collections import defaultdict
import time

# Store click timestamps for each IP
clicks_log = defaultdict(list)
TIME_WINDOW_SECONDS = 60
CLICK_THRESHOLD = 15

def is_abnormal_frequency(ip_address):
  current_time = time.time()
  # Add current click time
  clicks_log[ip_address].append(current_time)

  # Remove clicks outside the time window
  valid_clicks = [t for t in clicks_log[ip_address] if current_time - t <= TIME_WINDOW_SECONDS]
  clicks_log[ip_address] = valid_clicks

  # Check if click count exceeds the threshold
  if len(valid_clicks) > CLICK_THRESHOLD:
    return True
  return False

# --- Simulation ---
ip_to_check = "192.168.1.100"
for _ in range(20):
  if is_abnormal_frequency(ip_to_check):
    print(f"Abnormal click frequency detected for IP: {ip_to_check}")
    break
  else:
    print(f"Click recorded for {ip_to_check}. Total clicks in window: {len(clicks_log[ip_to_check])}")

Types of Data Enrichment Tools

• IP Intelligence and Reputation – This type of enrichment focuses on the origin of the traffic. It appends data about an IP address, such as its geographical location, whether it is a known proxy or VPN, and if it belongs to a data center. This is foundational for identifying traffic that is intentionally hiding its origin or is not from a residential user.
• Device Fingerprinting – These tools collect a variety of attributes from a user's device and browser (e.g., screen resolution, operating system, fonts) to create a unique identifier. This helps detect when a single entity is attempting to mimic multiple users by slightly changing their attributes, a common bot tactic to evade simple IP-based tracking.
• User Behavior Analysis – This method enriches click data with behavioral context. It analyzes patterns like click frequency, mouse movements (or lack thereof), time spent on a page, and navigation paths. It identifies non-human or robotic behavior that deviates from typical user interaction patterns, providing a dynamic layer of fraud detection.
• Email and Phone Verification – In contexts like lead generation or sign-ups, these tools enrich the provided contact information. They check if an email address is valid, disposable, or associated with known social profiles. A lack of digital footprint or a disposable address is a strong indicator of a fake or low-quality lead.