Does blocking an IP address help with click fraud?

Many click fraud platforms rely (to some extent) on blocking a suspect IP address from seeing further ads.

Let’s take a look at some of the reasons why IP addresses alone are not the answer, and what can be done instead.

IP addresses change fairly often

We recently wrote about a 2020 study Don’t Count Me Out: On the Relevance of IP Address in the Tracking Ecosystem which analyzed 34,488 unique public IP addresses collected from 2,230 users over a period of 111 days.

The study found that:

87% of visitors retain at least one IP address for more than a month and 45% of ISPs allow keeping the same IP address for more than 30 days.

So we know that IPs are still somewhat sticky.

However, 77% of the IPs analyzed were retained for a period of less than a week. So there is still a very good chance that a visitor hitting your site through one IP address today may have a different IP address tomorrow.

Blocking a suspect IP address could still prove useful, especially for particular types of click fraud (friendly fraud, competitor clicks, accidental clicks, and others).

But we can see from the IP address study that it’s unlikely to be useful over longer periods.

Botnets and click farms use 1000s of real residential IPs

Botnets and click farms have ‘solved’ the IP address problem. Here’s how they do it:

• Botnets generally run on hacked/virus infected devices in the real world. I.e. on people’s homes and offices. So they already hide behind a vast number of real residential IP addresses, in amongst genuine internet traffic.
• Click farms, although generally based in data centers, route their own traffic through similar residential IPs via “proxies”. Sometimes these proxies themselves run on real-world devices, so the IP address advantage is often the same as for botnets.
  

So it’s clear botnets and click farms have their own advantage here. This is to be expected, the sort of people that run click farms are going to try and cover their tracks as best as they can.

Although, all is not lost. Hacked devices and proxies still fall under the IP cycling rules that the ISP imposes on them, they can’t evade that.

Alternative approaches to IP address blocking

Device fingerprinting

Instead of trying to connect repeat visitors together using the IP address only, there are more sophisticated methods you can use to recognize the same visitor repeatedly clicking on your ads.

By using browser fingerprinting (sometimes known as device fingerprinting), 100s of data points can be analyzed along with behavioral signals, to link two separate visits together, even if they’re using completely different IP addresses.

In fact, device fingerprinting can be used to recognize the same visitor even when the user switches on VPN software or uses incognito/private browsing to try to hide the fact they keep clicking your ads.

Audience pixel exclusion

Most major advertising platforms, including Google and Meta Ads, support exclusion audiences. You can read about audience exclusion at Google Ads and Meta Ads (login required).

This is where a suspect browsing session can be added to an “audience list”, which stops that browser from receiving further ad impressions thereafter.

It has a couple of advantages over IP-only blocking:

• The visitor stays in the audience regardless of changes to their IP address.
• The audience list can persist across multiple devices as long as the visitor can be identified by the ad network (i.e. if the person is logged into Google, or even if they’ve previously been logged into Google).
  

The downside here is that audience lists need to be a minimum size on some networks, so if you don’t have enough ad traffic, you may not be able to maintain a large enough exclusion audience size for it to come into effect.

This is a great time to mention Hitprobe, our own click fraud software solution. Hitprobe supports IP blocking, audience exclusion, AND domain name exclusion that we’ll come onto next.

Blocking click fraud at the source

Another important way to analyze your ad traffic is to look at the referrer. I.e. the domain name or URL where the traffic is coming from.

For Google Search ads on Google.com, this is not going to be helpful. But if you run those same ads on Google’s search partners, or run other Google campaign types such as Display or Performance Max, it’s a great idea to look at the quality of the traffic by referrer domain and exclude the domains that consistently provide bad quality traffic.

Some click fraud tools such as Hitprobe run this analysis in near real-time (as soon as a click comes in), and can block a referrer domain within seconds of the first click.

If you’re not using click fraud software, you’ll be able to see the referrer domain through your web logs or analytics software, and can then manually exclude placements in Google Ads.

Final thoughts — to IP block or not?

To sum things up, YES, it is still useful to exclude suspect IPs from your ad campaigns.

But reduce the expiry time for these blocks from somewhere between a week and a month. Don’t block IPs permanently. This will also help you to fall within the IP blocking limit of your ad platform (Google allows for up to 500 IPs at a time to be blocked).

And use IP blocking as part of a wider strategy. Make sure your click fraud software also supports audience and domain exclusion, and provides good analytics to help you to identify worrying patterns in the traffic you’re receiving.