What you never knew about Bad Bots – Detection, Source & Fixing

What you never knew about Bad Bots – Detection, Source & Fixing

19th July 2018 0 By Fernando

The internet is an awesome place where one can get practically any form of information and make almost every kind of transaction possible. But it can also be a malicious place. Everyone is trying to make money off one another. One of the problems one faces on the internet is bad bots. It is no longer news that Bots visits on websites are now almost more than that of humans. Some have actually called the problem an evolution. The damages are limitless and incapacitating. Every web developer is aware of DDos attacks, ad fraud, data and content theft, and a lot more. Consequently, websites invest thousands of dollars on tools to detect them while not developers are getting all the more smarter and develop them in a way that they are able to bypass most deterring solutions a website has put up. When they get past the solutions put up against them, you will begin losing money as a site owner. The visits paid to your website by bad bots are counted as visit which you have to pay for. The alarming thing about it all is that they can make up to 50% of the traffic to your site and that will translate into a lot of money paid for nothing by you. This article is a comprehensive insight into everything you need to know about bad bots which includes how to detect them, their source and how to fix them.

What are bots

These are automated programmes designed to mimic humans on the internet. Originally, they are designed to assist humans on the internet and make the rendering of online services more used friendly and satisfying. However, today, the internet is crawling with thousands of them. In fact, the internet presence has been said to be made up of 60% bots. This increase should be alarming at least for the reason that the internet was designed for humans and service providers need to understand human behaviour and activity over the internet in order to better service us which is what bots were meant for in the first place. But not all bots are bad. They are categorized into two: good and bad bots. The difference is simply in their functions. While good bots like Googlebot, Apple’s Siri and Microsoft’s Cortana, which, with the help of an AI, help optimize user’s online experience. Facebook too uses bots to capture the first first paragraph of a post or image when you share them on your news feed. Also, the good bots deployed all over the internet help detect illegal contents like when a user plagiarizes another person’s content without properly crediting them or just generally improper content. This type of good bots is referred to as copyright bots. Other kinds of good bots include data bots which provide the owner with almost real time update on news, weather, and so on, spider bots like Google’s Googlebots which focuses on search engines and crawls on websites.

However, bad bots, which are the ones causing all the maybe the internet has been going mad about,  crawl from site to site gaining unauthorized access to content and selling them, which is illegal. The programmers of bots do not just sell the information got through the use of bots but use them to gain an edge over their

competition. The use of bad bots are limitless and include fraud, spam, data mining, data harvesting and so much more. As at 2016, the percentage of traffic bots rose to 26%. These are called click bots and they are known to click on ads making the report that marketers get from their ad campaign to be false. It also cause the loss of huge money to advertisers using the pay per click system of advertising since they pay once there is a click on their ads. Judging from amount of money spent on say Google AdWords, click bots pose a huge problem to digital marketing.

Origins of bad bots

About 60% percent of web traffic today is by bots and the speed with which they are crawling over the internet and how exponential their growth is, is a cause for alarm. Of that 60%, 30% is from just a year influx of them alone. While there are good bots, most of them are significantly deadly to every member of the online community except the programmer of the bot or the organization financing it for whom it is design to do their will. In fact, some organizations and countries are breeding grounds for malicious bots. According to Distil Networks 2015 Bad Bot Landscape Report, USA and America are really the countries to stay away from as much of bad bots originate from there. A measure that most websites take is to build a fence that words off activities from countries they have no business in to reduce the amount of bad bots they’d have to deal with. United states comes on top of the list of countries where most bad bots originate from. In fact, US covers 50% of the world’s internet bot while China is topping with not traffic at 30.64% which is not surprising since the three mobile carriers with the highest number of traffic bots are all located in China.

At any rate, it is impossible to track down the originators of malicious bots since they make sure to remain anonymous always. No wonder why they have been able to wreck the amount and kinds of havoc they have been wrecking. Bad bots perform the exact tasks for which they have been designed like spying, data theft and a whole lot more.

How can they hurt you

Brendan Wilde, Head of Marketing at Domains4less carefully explains it: “The scariest thing about bad bots is that they can mimic human behaviour so much. Currently, advanced bots can laid external resources which means that they will be able to be attributed as humans in tools which include Google Analytics. The very advanced ones will make it impossible for you to detect they are bots no matter the solutions you have put up which is why they will be able to hurt you in the worst ways possible”.

Over 40% of the bots out there are capable of mimicking human behaviours and the more they are able to, the more web application and web security tools they are able to break through. They are able to detect the vulnerabilities of your website and through it, obtain unauthorized access to your content. Wilde stated that just a few years ago, the bots present were only able to some level of data mining, web scraping, spam and a few others. But today, bad bots have got so complicated that they are able to pull off very smart interactions like account take over, API scrapping, brute force account login, sophisticated fraud and even capable of detecting and using vulnerabilities in cloud infrastructure. Only a few strong cloud computing sites have been able to shield themselves from bad bot crawlings and attacks.

Bots are capable of turning your system virtually into a zombie by choking up your server. What is more, they are able to crawl through hundreds of websites in just a short while, combing through and stealing unauthorized files from them. These attacks may not be random so you can’t think you will fall a victim only once. Scrapper bots grab your RSS so they know anytime you publish a new content and they can strike you again. You can consequently suffer heavy penalties from Google for content duplication without realizing you are under a bot attack. Bot attacks are now affecting healthcare, real estate, transportation and a whole lot of industries.

Spamming bots

You should be on the look out for this kind of bots because they are a lot of nuisance and they are extremely common since they are easy and affordable to obtain. Their pattern is to fill up your website with improper content and codes. They target visitors to redirect them to malware infested websites. They commonly attack popular website in order to fill them up with malicious data. All these will result in the consumption of your resources. They are able to scout and comb through newsrooms, chat rooms, web posts, forums and pick up email addresses because they are programmed to be able to recognize them.

There are many kinds of spamming bots (spambots). They are known with what they are used for like twitter bots which is able to make automated tweets, retweet and even reply to tweets. It can be directed to retweet any tweet with a certain hashtag and reply in a certain way. Some other spamming bots are designed to attack forums like blogs, guestbooks, and so on. They submit fake details and begin sending out hyperlinks in order to boost search engine rankings of the websites of their programmer. What website owners do is to employ the use of CAPTCHA to discourage spam bots. This is never a foolproof solution where these bots are, of course. There are also anti spam programme websites can use to block mails from a particular bot source. Whether a programmer is using spam bots to send inappropriate content to inboxes, for advertising, for filling up a mailing list, spreading of virus, their damages can cost you millions in cash, ranking and content. The worst case scenario when you are besieged by spamming bots is that your website can be blacklisted causing you to lose years of credible content marketing and branding.

Detecting bad bots


Bots can be in your system and crawling all over your website without your knowing. This is actually what makes them very dangerous, apart from their ability to imitate human behaviour. However, there are ways you can detect their presence and then take the necessary actions. But preventing them from penetrating your system is often the best thing to aim at since they are capable of causing you great damage long before you think of detecting them. Invest in antivirus and make sure they are always up to date. Take advantage of every security protocol available on your iOS,  or web hosting platforms. Bot detecting will require manual efforts and bot detections tools that make use of algorithms. The manual methods are quite demanding in terms of time resources in coding and they are hardly able to keep up with bot activities on your system.

The method with which to detect bots on your website will depend on the type of not you are trying to deal with. Traffic bots for instance, will require your scraping and analyzing your content and when you find them in unknown locations, will indicate you are being attacked by bots. You also analyze traffics to your website and logins. Several unnatural attempts or visits from a particular location is always indicative of bot traffic.

Since it is a trend they have got on top of, you should learn how to detect bots from publishers otherwise you will be paying a lot of money with no conversion to show for it. Develop some tricks you can use like a not trap. To do this, create a landing page with a tiny image link which would be invisible to human eyes. Place it towards to closing part of your page so that actual people don’t accidentally click on it. It has to be shifted to the left hand side and in such a way that no one will be able to see it and click on it. Any click on the landing page is from a bot and you can quickly blacklist it if its placement is not profitable to you.

If you want to detect when a not is scanning through your website for vulnerabilities, check for IP addresses accessing your page systematically. Bots aiming to commit ad frauds would be loading pages of different websites with fake ads. Then they will be redirecting visitors to fake websites so their programmers can earn from the search keywords.

How to fix bot attack

The first step to dealing with a bot attack is to detect them which is not as easy as it might appear. Now having detected the presence of bad bots on your system, there are steps you can and should take to mitigate the situation. If a bot is causing a website error, you can fix the error easily. If not, the error can continue spiking up resource consumption. Of course, normal website visit can cause these kinds of errors, but in the event that they are triggered by bots, you should have them fixed quickly to avoid it getting worse.

Another important method of fixing bot attack is through the reduction of crawling rates of both good and bad bots. It will not stop crawlers from crawling through your site but it will reduce the amount of times they do thereby reducing the level of your resources they take up. To regulate crawl rate ok Google, go to the search console by logging onto it, on the home page, click on the website you want and click on the gear button. Once there, click on the site setting where you will find the crawl rate section. Select the crawl rate perfect for you. On, all you need to do is log onto the webminster, click on the site of your choice, expand the Configure My Site button, then click on crawl control. From there you can select the perfect time for you so that Bing can reduce the service load.

You can also invest in a Web Application Firewall which is capable of differentiating between a human traffic and a bot traffic. It is able to do this by analyzing the origin of a request, the kind of request, and the behaviour of the visitor. If it suspects that the traffic is from a bot, it will deny it access to your website.


Over 50% of the traffic your site will be getting at any time would be from bots. Today, 53% percent of bad bots are now able to load external resources like JavaScript. This means that bots will begin to be seen as humans in Google analytics. The level of damage this can and is already doing to industries are unprecedented. It means that the information provided them through these analytic tools would not reflect market reality and the decisions they make are based almost entirely on them. Consequently, it is capable of crippling these industry. We are already seeing it happening in transportation, entertainment, real estate, and so on. While you are going to be wary of them and put up measures to avoid their attacks, you should not block every bot from crawling through your website. The good ones, like Googlebot helps in making sure your website is found during searches. Also, the use of CAPTCHA, though helpful in preventing bot attacks, can reduce the number of real visitors on your website since it takes time to get through. Mitigating the damages of bad  bots and putting up preventive measures are expensive. But the damages they are capable of doing to your website and brand, is much more expensive.