: Does loading Google Analytics from external .js file prevent spam referrers? I was thinking of loading Google Analytics from external file. My question is: Can it prevent spam referrer bots?

@XinRu657

What you need to understand about the spam is that most of it in my opinion is not coming from your website. Making it impossible for you to do anything about it besides maybe adding filters which change every day. On your website you run analytics.js which uses the measurement protocol.

The most of the spammers aren't touching your website at all if you checked the web server logs you wouldn't find any sign of most of them. What they are doing is using the measurement protocol to randomly insert data into ALL google analytics web properties.

A Google Analytics web property looks something like his UA-0000000-1 they are just scanning though all web properties from UA-0000000-1 to UA-9999999-1 and inserting data. It doesn't matter to them if the account exists or not they just insert it.

How I know this is how its working is I have a application Google analytics account that is getting pageviews instead of screenviews. Note this application isn't even live it was a dummy one I created a year ago for testing. So it shouldn't be getting any hits at all.

I also have an old website account that no longer exists the domain isn't even hosted anymore and its also getting hits. The only way for that to happen is if they where going directly though the measurement protocol.

The only way I have found to avoid spam is to create a second web property UA-0000000-2 currently they are only inserting into UA-0000000-1

Google is working on the issue.

Vote Up Vote Down

@Harper822

I'm gonna have to say no as well because bots are capable of identifying external resources required to load a web page, and if a spammer really wanted to, he could download all resources attached to the page and with enough knowledge, he could possibly execute the javascript.

If you want to collect data only from real users, you can try any of the following:


block known IP addresses spammers use.
Try to create an advanced server side script that renames the javascript file everytime the webpage is accessed yet the script remains accessible. The logic is almost similar to building a captcha based verification system.
Make access to the script file only for users who login to special sections of your site.
Modify the javascript code itself to the point where the bots can't figure out how to hack or access it.

Vote Up Vote Down