Click Spam
What it detects
Click spam is a broad-based fraud technique where malicious apps or websites generate clicks in the background without user interaction. Common methods include invisible iframes, background processes, and cookie dropping — all designed to place a click before an organic conversion occurs.
How it works
Integr8 analyzes session characteristics to identify click spam signals:
- Zero or near-zero session time: Clicks recorded with no measurable user session indicate automated generation.
- Abnormal CTIT distribution: Legitimate install times cluster within predictable ranges. Click spam produces a flat or bimodal CTIT distribution spread across hours or days.
- Click-to-conversion ratio: A high ratio of clicks from a source with few matching conversions flags that source as a spam generator.
The filter evaluates these signals in combination. A single signal may not trigger a block, but multiple concurrent signals raise the fraud score above the block threshold.
Configuration
Navigate to Fraud Prevention > Click Fraud > Click Spam to configure this filter.
| Parameter | Default | Range | Description |
|---|---|---|---|
min_session_time | 0 sec | 0–60 sec | Minimum session time to consider a click valid |
ctit_max | 24 h | 1–168 h | Maximum allowed Click-To-Install Time |
threshold_percentage | 80% | 1–100% | Percentage of traffic with long session time before blocking |
min_conversion_count | 50 | 10–10,000 | Minimum conversions required before filter activates |
lookback_window | 7 days | 12 h–30 days | Time window for calculating session time distribution |
scope | SubID | SubID, Publisher | Aggregation key for analysis |
block_mode | Block | Block, Flag | Action taken when threshold is exceeded |
What happens when triggered
When a click source is identified as spam:
- Block mode: Subsequent clicks from that source are rejected. Conversions that arrive after a blocked click do not receive attribution.
- Flag mode: Clicks are recorded with
fraud_reason: click_spam. You can audit flagged traffic in Reports > Click Reports.
Start with Flag mode for at least a week before switching to Block mode. Review flagged traffic to confirm the filter is not catching legitimate publisher traffic with naturally long session times.
Related filters
- Click Flooding — detects high-volume click attacks from single sources
- Low Session Time Anomaly — flags sessions with abnormally short engagement time