Why Your Site Has Spam Traffic from China and Singapore

For many businesses, the holidays are when things start looking up for the year. Black Friday was named as such because, historically, it was when many businesses made enough sales that their running budgets finally pushed into the black. So, to an extent, it's not uncommon to see a big surge in traffic to your site to accompany the surge in sales.
While it sounds good, that surge in traffic hides a serious problem.
More Traffic is Better, Right?
The trouble is, a lot of that traffic in recent years isn't exactly what you might call "real". There are a ton of posts on Reddit, on the Google support forums, on various SEO forums, and elsewhere centered on the surge in invalid traffic around the holidays. One estimate places holiday traffic from last year at 57% fake. Bots, scrapers, LLMs, crawlers, and more all saturate the metrics.

And that's after the filtering for bots that identify themselves, bots that are already flagged, and other filters.
I've seen it too; a few of my clients have seen a surge in traffic recently. It has a few key characteristics:
- It shows up in Google Analytics, but not the Google Search Console, meaning it's direct traffic (or at least doesn't come with referral data attached).
- It largely comes from countries you don't normally do business with, such as China, Singapore, Brazil, Vietnam, Nigeria, and others. Why these locations? Places like China and Singapore are VPN exit points and datacenter locations where bots can operate with impunity.
- It doesn't provide value to you. It doesn't render ads (or is filtered by ad networks), it doesn't make purchases through affiliate links, and it doesn't make purchases through your store.
But it's not obviously bot traffic. Headless browsers, app users, and natural-looking activity are harder to filter without doing something drastic like cutting off an entire country.
Only when you have large data samples can you identify patterns. As one marketing agency put it:
"But here's what gave them away - they're TOO consistent. Like, a human might spend 15 seconds reading a product description, or 45 seconds, or 2 minutes if they're really interested. These things spent 11-13 seconds on EVERY product description. Every single time. Across hundreds of sessions.
They scroll at exactly 3.2 pages per second. Every time. Humans don't do that. We scroll fast, slow down, scroll back up because we missed something, whatever.
One bot kept adding the same $47 item to cart, waiting exactly 4 minutes, then abandoning it. Did this like 30 times a day across different "sessions." Why? No idea. Probably gaming some metric somewhere."
It sure lends credence to the Dead Internet Theory. If you aren't familiar, the Dead Internet Theory was a conspiracy theory around a decade ago, positing that the majority of internet traffic was bots; bots making sites viewed by bots, with humans not really participating. Back then, it was kind of laughable, but now? With LLMs that can make bots look a lot more human, with filters that don't filter, with as much as 75% of referrals from major social media sites identified as fake… it looks a lot less like a conspiracy.
"But if it's all fake, just ignore it. Filter it out and move on with your life." Would that it were so simple.
The Real Cost of Fake Traffic
Despite identifiable patterns in sufficiently large data sets, filtering this kind of bad traffic is a lot more difficult than it seems. There aren't really valid ways to filter traffic based on a precise time spent on site. You can filter IPs, but that doesn't always catch even a majority of the bad traffic.
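The "too consistent" timing pattern quoted earlier can at least be measured offline against your own session data, even where an analytics filter can't express it. This is an added example, not code from the original post; the record layout, thresholds and sample values are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample: (session_id, page_type, dwell_seconds).
# Field layout and values are assumptions for illustration.
SAMPLE_EVENTS = [
    ("s-human-1", "product", 14.0), ("s-human-1", "product", 47.5),
    ("s-human-1", "product", 122.0), ("s-human-1", "product", 8.2),
    ("s-human-1", "product", 31.0),
    ("s-bot-1", "product", 11.4), ("s-bot-1", "product", 12.1),
    ("s-bot-1", "product", 12.9), ("s-bot-1", "product", 11.8),
    ("s-bot-1", "product", 12.4),
    ("s-short", "product", 12.0), ("s-short", "product", 12.2),
]

def dwell_consistency(events, page_type="product"):
    """Return {session_id: (views, mean_dwell, coefficient_of_variation)}."""
    by_session = defaultdict(list)
    for session_id, ptype, dwell in events:
        if ptype == page_type and dwell > 0:
            by_session[session_id].append(dwell)
    stats = {}
    for session_id, dwells in by_session.items():
        if len(dwells) < 2:
            continue  # spread is undefined for a single page view
        mean = statistics.fmean(dwells)
        # Coefficient of variation: spread relative to the mean dwell time.
        stats[session_id] = (len(dwells), mean, statistics.stdev(dwells) / mean)
    return stats

def flag_too_consistent(events, min_views=5, max_cv=0.10):
    """Flag sessions with enough views and near-constant dwell time."""
    flagged = []
    for session_id, (views, _mean, cv) in dwell_consistency(events).items():
        # Require a minimum sample: two similar dwell times prove nothing.
        if views >= min_views and cv <= max_cv:
            flagged.append(session_id)
    return sorted(flagged)

if __name__ == "__main__":
    for sid, (views, mean, cv) in sorted(dwell_consistency(SAMPLE_EVENTS).items()):
        print(f"{sid}: views={views} mean={mean:.1f}s cv={cv:.2f}")
    print("flagged:", flag_too_consistent(SAMPLE_EVENTS))
```

Treat a flag as a reason to look closer at a session, not as proof; the thresholds need tuning against traffic you know to be real.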
It makes sense when you think about where this traffic is coming from. In your analytics, it might be "small towns in Europe," "Apartments in Singapore," or what have you. In reality, it's compromised smart lightbulbs and malware-infested smart TVs and botnets made out of Bluetooth-connected toasters and AI-enabled bidets and whatever other tech garbage people are buying. And, of course, phones and laptops and tablets and PCs.

It doesn't help that Windows 10 hit end of service, leaving millions without further security updates, while Windows 11 breaks feature after feature chasing the AI and vibe-coded dream (and who out there believes that Windows Defender was left untouched when everything else is undermined?).
There are more advanced ways to handle this kind of traffic, like honeypots, but this isn't the kind of thing your average small business owner is going to set up.
All of this comes with a lot of costs, both real and implicit.
It makes analytics worthless. If somewhere from 30% to 80% of the traffic on your site looks good but isn't, what's the point of the analytics? Your conversion rates drop to tiny percentages because of all the traffic that doesn't convert because it isn't real. Your analyzed geographic value and demographics all skew to unreality. Every derived metric, from bounce rates to engagement rates, ends up off-target.
How do you make data-driven decisions when your data is unreliable?
It can slow down your site for real visitors. While your blog and homepage might work fine, storefront pages tend to be heavier and more prone to slowing down under stress. These bots aren't just landing on blog posts and leaving; they're going to product pages, they're adding things to carts and abandoning them, they're taking any action a real user would up to the point where they'd buy, and backing out.
And that's not counting the ones that do try to make purchases. You know, the ones that are trying to use stolen credit cards and personal information, and can get your entire business nuked by the payment processors.
It saturates paid ads and eats up ad spend for nothing. While a lot of the traffic is direct traffic, some of it is eating up ads as well. They do their Google searches, find your ads, and click on them. You pay for the traffic that does nothing for you.
It inflates all kinds of numbers. Investors might think it looks good to see a big spike in growth, but it's nothing. It's cardboard cutouts populating the stands at the Super Bowl. Those seats could have gone to real people.
It doesn't have to reach the level of a DDoS to be harmful; even a second or two of delay can be enough to get a potential customer to back out. Of course, when the bots are adding and abandoning carts, you have a hard time even seeing the real ones in the mess.
Your data is being used. A lot of these bots aren't just there to skew your analytics and waste server resources. They're scraping every byte of your site, inside and out. Some use it to spin up their own clones and use it for phishing or scams. Some use it to train LLMs. Metadata, product descriptions, blog content, product images, landing pages, even your checkout process, it's all being weaponized.
It wastes a ton of your time dealing with it. Unless you're just ignoring it all, you have to try to take action to figure out what's real and what isn't. Every hour you spend agonizing over filters and studying analytics, every hour you spend tweaking firewall rules and developing reports, is time you could have spent in better ways if we didn't have to deal with the churning mass of fake traffic out there on the internet at large.
And all of this assumes you're either ignoring the traffic or recognizing it as falsified and trying to fight against it.
Now imagine you don't recognize it for what it is. Imagine you start to look into shipping to Singapore, Nigeria, or China. Imagine you invest in localized marketing based on that data. Imagine you use that traffic growth to win venture funding or take out loans to promote growth, only to find you're teetering on a house of cards where the cards at the bottom don't even exist.
So, What Do We Do?
What can we do about it?
If your initial impulse is to start banning bot IPs, you're already on the wrong track.
Bots use rotating IPs, and there are millions of them. You'll hit the character limit on your blocklist long before it's long enough to make a true impact.
And that's assuming you aren't blocking potentially-good IPs. Bots that use compromised computers from real people, bots that use VPNs and nodes that real people also use, and so on.
Sure, you could block entire regions. If you don't ship to China, Africa, or even Europe, block it all. But not everyone is that limited. If you sell online or digital services, or you can ship to overseas locations, that can burn real customers. Beyond that, it hinders any potential real growth into those markets.
It also might not even work. Some users report that they have regions blocked, but get traffic showing up from them regardless.
And what about informational pages and sites? Just because you don't sell to Brazil doesn't mean people in Brazil aren't interested in your information. Even basic metrics like backlinks and unlinked mentions disappear when you block regions.
How can you solve the problem more reliably? Can you solve the problem, or is this just the world we live in now?
One option is to wait. Ignore any metric that isn't the volume of sales, act as if we live in the Before Times when analytics didn't exist, and do your best with what you have until the big players like Google figure out a solution. For the "traffic slipped through despite blocks" issue above, for example, Google is working on a long-term fix. Instead of playing whack-a-mole yourself, let the big companies do it for you.
Google also has a guide on ways to block unwanted traffic from appearing in analytics. Again, you'll probably have to change these rules every few days or weekly, but it can help.
You can try technical solutions.
Use big-name bot filtering and protection tools. Cloudflare is the biggest name (despite their recent issues). Sucuri is a powerful option for some WordPress filtering.

You can block countries entirely anyway. A lot of us aren't going to lose any real value out of doing so, at least not in the short term. Could it hurt long-term? Maybe, but so would completely invalid analytics.
You can set up analytics filters. Despite what I mentioned above, you can set up fairly narrow filters, and the right combination of country and user behavior segmentation can eliminate large swaths of bad traffic. Those behaviors will change every few days, though, so your filters will have to change too, and then you're back in the whack-a-mole mines.
Set up bot challenges like captchas and other limiters. You and I both know these can only do so much, and are easier to break than ever before, but they're better than nothing.
Will they work? Maybe, for a bit.
I also highly recommend being very, very careful with paid ads, especially social media ads and Google ads. A lot of this traffic can hit through ad vectors, and that's not just a skew to your analytics. It's a tangible monetary cost. Ideally, the ad networks would get their act together and block this traffic, but let's be honest. It's hard to keep on top of it, and the incentive is a little lacking when the money you lose is money going to their pockets.
Either be very proactive with filtering ad traffic, or just stop paid ads altogether. Maybe if enough people find they aren't valuable anymore, and the ad networks take enough of a hit, things will change.
If you're more technically oriented, you can set up a honeypot. A honeypot would be a page that only the fake traffic can access, and that real traffic can't see or wouldn't click on. You can then set up automation in a way that blocks traffic that lands there. Some of the big names like Sucuri already do something similar on their end (it's a big part of how blog comment spam is filtered, for example), and it won't catch everything, but it's worth investigating.
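One way to automate the honeypot idea above from server access logs, as an added example (not from the original post or any vendor's product). The trap path, the 24-hour ban window and the log lines are assumptions; the trap URL is assumed to be hidden from human visitors and disallowed in robots.txt so well-behaved crawlers never request it.

```python
import re
from datetime import datetime, timedelta, timezone

HONEYPOT_PATH = "/specials-archive/"  # hypothetical trap URL, never linked visibly
BLOCK_TTL = timedelta(hours=24)       # assumption: bans expire, since IPs rotate and are shared

# Constructed sample lines in the common "combined" access-log format.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Nov/2025:10:00:01 +0000] "GET /products/widget HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Nov/2025:10:00:13 +0000] "GET /specials-archive/ HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.22 - - [28/Nov/2025:10:01:40 +0000] "GET /blog/holiday-guide HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
192.0.2.55 - - [27/Nov/2025:02:14:09 +0000] "GET /specials-archive/?ref=1 HTTP/1.1" 200 312 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) ')

def honeypot_hits(log_text, trap=HONEYPOT_PATH):
    """Return {ip: most recent time that IP requested the trap URL}."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        ip, ts, target, _status = m.groups()
        path = target.split("?", 1)[0]  # ignore any query string
        if path == trap:
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            hits[ip] = max(when, hits.get(ip, when))
    return hits

def active_blocklist(log_text, now, ttl=BLOCK_TTL):
    """IPs whose latest trap hit is still inside the ban window."""
    return sorted(ip for ip, when in honeypot_hits(log_text).items()
                  if now - when <= ttl)

if __name__ == "__main__":
    now = datetime(2025, 11, 28, 12, 0, tzinfo=timezone.utc)  # constructed "current" time
    print(active_blocklist(SAMPLE_LOG, now))
```

The expiring ban matters because of the shared and rotating addresses discussed earlier: a permanent block on a trap hit eventually locks out real people behind the same IP.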
One of the biggest things to do is recognize that your data is likely unreliable if you're seeing these kinds of traffic sources. Talk to company leadership and, if possible, make sure to get buy-in to filter this data. I know a lot of larger companies reject the idea because a sudden drop makes them look bad, and the fact that you can't retroactively filter the data is a real problem, but at least then the problem moves from one of technical capability to one of leadership failure.
Try not to make any big decisions based on bad data, and hope the current wave of spam subsides as the big players move to more appropriately filter it. Until then, there's not a lot we small players can do but try to ride the wave.