Click Fraud Detection Software
How to read and use the Click Detail Report

The Click Detail Report is the advertiser's best tool for analyzing campaign traffic from search engines, and other PPC and advertising programs. In order to effectively use the report, the market must learn the meaning of the report fields and the various flag codes generated by the ClickHawk analysis engine.

It is important to realize that proper analysis of click traffic includes considering all of the factors associated with a given click, and not just a single flag or problem. Often, there are legitimate explanations for a single problem, so it is important to take into consideration the big picture, and look for certain tell-tale combinations of flags that together indicate possible click fraud, robot traffic, or other problems.

Flag Key Codes and detailed definitions.

M, M - Multiple Clicks from the same IP address
This IP has clicked multiple time in this report period. Orange indicates 2 to 5 clicks, Red indicates over 5 clicks. Note that multiple clicks from the same IP do not always indicate a problem. ISPs and businesses often use the same IP address for more than one user.

ISPs, especially dial-up providers, dynamically assign IP addresses from a pool to each user as they log in, so in a given day, several different users may be online at different times using the same IP. However, a user's IP address remains the same throughout their session, so multiple clicks from this IP during that are close together in time are most likely to be the same person.

Businesses often use a common gateway to the internet for all of their employees, such as a proxy sever or router. In this case, each user has a their own IP address behind the gateway, but all users will be seen as the same IP address to all external servers. So, while it is possible that two clicks from the same IP address on the same day are from different individuals within the same company, it is relatively unlikely, and much more likely to be the same person.

If the Unique ID field is present, you can use that to distinguish unique users sharing the same IP address.

Mu, Mu - Multiple Clicks from the same User ID
This unique user has clicked multiple time in this report period. Orange indicates 2 clicks, Red indicates over 2 clicks. The Unique User ID is useful in distinguishing multiple users sharing the same IP address, and also likely fraud cases in which the same user is clicking multiple times from different IP addresses. The first time a user clicks one of your links, he/she is assigned a unique user ID by the ClickHawk system and a browser cookie is used to store this ID. Of course, if a user's browser is set not to accept cookies the user ID would not be saved and although this is very rare, it is a good reason to use the Unique ID in combination with all other report fields and flags when making your assessment of a possible problem.

R - No Referring URL
No Referrer. Referring URL not found in header. When a visitor to a web site clicks a link on that site, certain information is sent to the destination server that is not visible to the user. This is the "header" and it is part of every single HTTP request an internet user makes. One field in the header is known as the "Referrer" and contains the URL of the exact page on which the user clicked the link to your site. If the Referrer field is missing, this may indicate that the click link was either entered directly into the browser command line or generated by a robot or some other automated program, rather than a person actually clicking on your ad link.

More notes on Referring URL
: Some browsers can be configured not to send the referring URL, but this is very uncommon. Clicks on an ad link sent in an email will also result in no referring URL. Ads served through a third party ad serving system often obscure the referring URL, depending on how they are served. In this case, the true referrer can only be obtained at the impression level. As always, the lack of a referring URL should not be used alone to make a problem assessment, but in conjunction with the presence, or lack thereof, of other flags and alerts.

P - Proxy Server

User appears to be connecting via a proxy server. Proxy servers are computers that sit between the end user's and the internet. Instead of connection directly to the internet, each and every request to and from the end user's machine and the web server goes through the proxy server. Proxy users add a degree of anonymity for web users as they hide the user's tru IP address and location. Some corporations, universities,  and other organizations, use proxy servers to connect their internal intranets to the internet. However, many proxy servers are "open", meaning that anyone can connected to other web sites through the proxy server, and the web sites will see the IP address of the proxy server, not the end user.

The proxy server flag alone does indicate a problem, but combined with other flags or suspicious data, can increase the evidence that a problem exists.

C - Crawler, Spider, or Robot
User agent is an automated program. Not a human visitor. Advertisers should not be billed for traffic from a web crawler or search engine spider. These programs are used by search engines, ISPs, corporations, and now even individual users, to index and store (cache) web pages. They work by loading known URLs and then following all links on every page they arrive on. When the "follow" an advertiser's paid link, a click is recorded, but these clicks should not be billed to the advertiser.

O - Browser Cookies Disabled
There are three possible explanations for a browser not accepting cookies. The user's browser does not support cookies; the user has intentionally disabled cookies; this click is from an automated program that does not support cookies. All of these scenarios are rare and any click with this flag deserves further scrutiny. These days, it is next to impossible to surf the web with cookies completely disabled, as virtually every web site makes use of cookies for one purpose or another, from simply maintaining browser sessions, to remembering login information, to user specific preferences and settings. Many sites will not even work correctly with cookies disabled. Note that in order for this flag to be set, the user's cookies must be completely disabled. For example, in Internet Explorer, this would be the highest setting ("Block All Cookies").

With cookies disabled, it is impossible to set the Unique ID field for this user. For this reason, it is important to watch for multiple clicks from the same IP address that are also flagged for No Cookies. In these cases, examination of other fields, such as Browser and Operatiing System, can help distinguish a unique or repeat clicker even without the unique ID present.

W, W - Browser Window Size Alert
A common click fraud technique involves automatically opening your web site in an invisible browser window or frame. Scripts on the abusers web page, or other methods, may simulate clicks on your paid link for every visitor to their web site (or every nth visitor), even if the visitor does not click the link. In the case of an invisible window, the user will never even be aware that their browser connected with your site (through the paid link). In the case of a small window, the user may see the window appear briefly and then disappear; again, recording a paid click on your link. This scheme is difficult to detect with other methods because the users are all real, the browsers are real browsers, and the IP addresses and Unique IDs are different, as they would be for legitimate traffic.

CF, CP - Captcha Validation Fail or Pass
Another great feature of ClickHawk is the ability to set a "trap" for robots, crawlers, and other non-human visitors. CAPTACH is actually an acronym for "Completely Automated Public Turing test to Tell Computers and Humans Apart". You have undoubtedly run into Captcha validations many times. They present code (made of of letters and numbers) in the form of an image, not text. The characters are skews, deformed, or misaligned and designed to be unreadable to the automated programs crawl the web clicking on all links and submitting all forms they encounter.

ClickHawk users can optional set a Captcha screen on suspect IP address or User ID. Once activated, clicks from that IP or ID will go to an intermediary validation page first before being redirected to the advertiser's landing page. It is important to note that whether or not the correct code is entered, the visitor is always redirected to your landing page after the Captcha test. The pass or fail is recorded for the advertiser's use but is transparent to the end user. Click here to see an example of the ClickHawk Captcha validation page.


Other things to watch for on the Click Detail Report

The Flags column in the Click Detail Report gives advertisers the convenience of being able to quickly scan over a long page with a lot of data by highlighting possible problems. Upon more detailed analysis, there may be items of concern in other fields of the report that are not flagged. Here are a few examples:

Ineffective Geographic Targeting
If you are paying for traffic restricted to a specific geographic region, ClickHawk will be an invaluable tool in determining whether or not you are getting what you are paying for. Always scan the Country field of the Click Detail Report for billed clicks from countries other than the ones you are targeting. Note that no system is 100% accurate, including the search engines and ClickHawk, so you are not necessarily looking for one or two stray clicks, but rather significant percentages of clicks from inappropriate locations.

NOTE: You can also audit your State and City targeting (US only), using the Geographic Details report.

Incorrect Keyword Targeting
In most cases, the full page URL of the page from which the click-through came can be viewed by hovering over the Domain field in the report. You can view the actual page your ad was on by clicking the Domain. You will usually see the keywords of the search query embedded in the URL. Do they match your target list?

Incorrect Content or Contextual Targeting
As with Keywords, the full referring URL can be useful in checking the specific pages your ads are running on when you are using Content targeting (eg Google AdSense, Kanoodle, etc..). Is this the page you want your ad on? In some cases, advertiser can be quite surprised at where they are running. In other cases, in which the pages are all good, the advertiser gains peace-of-mind about the spend on this placement where their otherwise may have been uncertainty.


In summary, it is essential to use all available flags and other data when making your assessment of a click's validity. In general, the more flags, the more likely you have a problem. Certain combinations of flags can indicate the high likelihood a problem exists, and most individual flags should at least be considered a cause for further investigtion.


Home | Products | Login | Support | FAQ | About | Privacy | Contact

Copyright 2006-2012 IAT, Inc., -
Google™ and AdSense™ are trademarks of Google, Inc.