Anatomy of an Invalid Traffic crackdown: what a Google IVT enforcement actually looks like
Most writing about Invalid Traffic comes from publishers explaining how to clean up. This post is from the other direction — what the enforcement notice triggers internally, and why the recommender system is the first place to look, not the last.
Most public writing about Invalid Traffic — the catch-all label Google applies to ad impressions and clicks it considers fraudulent or otherwise non-monetizable — is written from the recovery angle. Site got dinged, here are the steps to clean up, here are the policies to review. This post is from a different angle. It is what an IVT enforcement looks like from inside the publisher when the email arrives, and what the right internal response actually involves.
I covered the high-level story of this episode briefly in an earlier post. This is the deeper version — the actual mechanics of the investigation, the bot pattern we found, and the broader lesson about what optimization signals will and will not tell you.
What IVT actually means
Google distinguishes between General Invalid Traffic (GIVT) and Sophisticated Invalid Traffic (SIVT). GIVT is the easy stuff — known data center IPs, known bot user-agents, repetitive click patterns. Most publishers pass GIVT filters trivially because the well-known bot signatures get blocked at the demand-partner level before they ever reach the publisher's reporting.
SIVT is the hard category. It includes scripted browsers that mimic human behavior, low-fidelity user-agent rotation, click farms, and increasingly, machine-learning-driven simulated sessions. Google's SIVT detection runs across enormous traffic samples and looks for anomalies in conversion math, viewability distribution, time-on-page curves, and a long tail of other signals the company will not publish publicly for obvious reasons.
When you receive an enforcement notice, it almost always concerns SIVT. The notice itself is short and procedural: a portion of your traffic across a date range has been classified as invalid, a clawback is being applied, and you are responsible for ensuring future traffic meets policy. It does not tell you which traffic was invalid, or why. That is part of the design. Telling publishers the exact detection logic would help attackers more than it helps publishers.
The first instinct, and why it is wrong
The first instinct of every publisher who receives this notice is to blame their traffic sources. If you are syndicated across partner properties, you start auditing those partners. If you have organic traffic mixed with paid acquisition, you scrutinize the paid sources. If you have a self-serve developer program, you look at the riskiest developers. This is the wrong first move, because it assumes the problem is upstream of you.
The right first move is the opposite. Assume your own product changes are complicit. Pull the recent deploy log, the recent recommender changes, the recent monetization experiments, and ask: did anything I ship make my site more attractive to bots, or more rewarding for them?
We did the wrong thing first. We audited two of our largest syndication partners, found nothing alarming, and lost about four days before we pivoted. The pivot was triggered by a specific observation: the IVT incidence was not evenly distributed across our traffic sources. It was disproportionately concentrated in a small cohort of sessions that all had similar behavioral fingerprints — and those sessions were, on aggregate, getting boosted by our recommender.
The bot pattern
Once we looked, the pattern was almost embarrassing in retrospect. The bot sessions had four signatures that made them statistically obvious once isolated:
- · Perfect inter-event timing. The variance in delay between consecutive in-game actions was suspiciously low — humans have a long tail of pauses; these sessions did not.
- · Conversion-rate-too-high-to-be-real. Their click-through on the Switch Game prompt was over 90%, against a population average of about 25%. They never said no.
- · Zero rage-quit signals. No back-button mashing, no early game abandons, no settings-page visits. Real human players are mildly chaotic; these were not.
- · Uniform device profile within cohorts. Hundreds of sessions sharing rendering fingerprints that should have shown natural variance.
Any one of these would have been weak. Together, they were a clear signature. The infuriating part is that none of these are exotic signals. They are things any well-instrumented product analytics setup could capture. We had captured most of them — we just had not been looking at them through the lens of "is this a real user".
The recommender amplification loop
Here is the part that turned a small IVT incidence into a meaningful revenue clawback. Our recommender weighted, among other signals, engagement with the previous game and click-through on the Switch Game prompt. Bots, by their nature, were pinning those signals to ceiling. That meant the recommender increasingly treated bot-favored games as "working" and promoted them to more real users — which generated more sessions on those games, more ad impressions on those games, and a fraction of those impressions on bots themselves.
In other words, the recommender was not just failing to filter the bots. It was learning from them and using that learning to allocate more traffic in their direction. A small bot cohort was effectively steering the product roadmap, because we had built a feedback loop that did not distinguish their input from genuine user input.
This is the broader lesson buried inside every IVT story. Optimization signals are not neutral. They reward whoever can produce the signal cheapest. If you cannot distinguish a bot from a delighted user, your monetization machinery will treat them identically — and the cheaper one will eventually dominate.
What we shipped to recover
Three changes, deployed across roughly eight days. Each was small in isolation. Together they re-shaped how the product responded to engagement signals.
Session-quality scoring as a recommender input.We built a lightweight model that scored sessions on the four bot signatures above and fed the inverse of that score as a multiplier on the recommender's engagement weights. Sessions that looked organic got their normal weight; sessions that looked synthetic got deweighted. The model was deliberately simple — logistic regression on five features — because the goal was speed and explainability, not accuracy at the margin.
Domain diversification policy. A hard cap on the share of our total impressions that could originate from any single domain. This was less about a specific bad actor and more about reducing the blast radius of any future single-source compromise. The cap was set so that no single partner could account for more than 25% of total monetization volume.
Anomaly review queue. A daily report listing CTR spikes, monetization spikes, and engagement spikes that exceeded rolling thresholds. Items in the queue were reviewed by a human within one business day. The point was not to catch everything; the point was to ensure no anomaly could compound for a week unnoticed.
What I would tell another publisher facing IVT
- · Assume your own product is complicit before you blame partners. The recommender or the funnel is almost always part of the story. Partner-side problems are real but slower to fix and easier to over-attribute.
- · Score sessions, not users. Bots and real users often share an account or a device fingerprint. Session-level quality scoring catches things user-level scoring does not.
- · Decouple engagement from value in your recommender. Engagement is a proxy for value. Like all proxies, it is gameable. The harder you optimize for engagement alone, the more your system will reward whoever can fake it.
- · Do not assume Google's detection is the ceiling. Their SIVT models are excellent but they are not your perimeter. You need your own quality signals upstream of theirs, both to catch things sooner and to interpret their enforcement notices when they arrive.
Closing
The IVT episode ended with revenue recovering inside a month and the clawback absorbed. The more important outcome was philosophical. We stopped treating engagement metrics as if they were ground truth and started treating them as observations that could be wrong, biased, or adversarially produced. That reframe outlasted the specific bot cohort by a wide margin. It is now how I think about every optimization signal across every product, not just the ones tied to ad revenue.