Comments on: Detecting Bots with Javascript for Better A/B Test Results

By: Does Your Product Logo Actually Matter?: MicroISV on a Shoestring

Does Your Product Logo Actually Matter?: MicroISV on a Shoestring — Wed, 04 Aug 2010 12:30:29 +0000

[…] A/B testing framework I wrote. This particular test required A/Bingo to be slightly extended to ignore bots, because — since the test was sitewide and visible prior to a bot-blocking […]

By: Rob

Rob — Fri, 23 Jul 2010 14:51:58 +0000

Very interesting post. I’ve done something similar for websites that I develop, but using a JS Image Object & a PNG URL. My theory is that some bots that are smart enough to do a bit of math to figure out a new URL to crawl might be too smart and exclude URLs that appear to be images.

Something like:

var RT=new Image();
RT.src=”/__rt.png?x=”+(12345 + 67890);

Previously I left out the “.png” from the URL and a higher percentage of robots did request the URL. Adding the extension provided a 10% improvement to my detection rates.

By: Patrick

Patrick — Wed, 07 Jul 2010 15:38:58 +0000

That works great for blocking bots from forms, but less well for blocking bots from being counted as visitors to the site, since all they need to do to get counted for that is access a single file by HTTP.

By: Dom

Dom — Wed, 07 Jul 2010 04:23:48 +0000

Thanks for a great Ruby gem (abingo). I have combined Rack Honeypot (http://github.com/sunlightlabs/rack-honeypot) on my sign-up forms, which is what I wanted to track conversions on using a/b testing. The honeypot (field positioned with CSS offscreen or hidden) provides a way to distinguish bots from humans. I’m sure it’s not foolproof but it does seem to catch most bots out, and I’m pleased with the results.

By: ferrix

ferrix — Tue, 15 Jun 2010 17:41:35 +0000

What about the perl “Mechanize” engine? Naively speaking, that’s what I’d use to create a bot. It acts exactly like a real browser as far as I know, including scripting. Do people really use wget for bots?

By: Dennis Gorelik

Dennis Gorelik — Fri, 11 Jun 2010 23:30:23 +0000

It’s better to discriminate not against bots, but against abusers.
Bots can behave appropriately (or not).
Humans can abuse web site manually (or not).
One way to determine abuse is to count number of requests to your web site from the same IP address made during last 30 seconds. If there are too many requests — then it may make sense to block such user (bot or human does not matter).

For A/B testing purposes relying on JavaScript like Patrick described — is a good solution.
For blocking excessive request — relying on JavaScript validation is not the best approach.

By: Chris Williams

Chris Williams — Tue, 08 Jun 2010 20:48:14 +0000

Hey Patrick, interesting approach.
Caught the link via HN and Google Reader no less.

Liked the idea so much, that my subconscious expanded on what hypothetical / theoretical alternatives us programmers could put the users browser and therefore CPU to good use.

What if we were able, or sites like facebook were able to use the users impressions, using a small part of the users cpu to do some sort of tasks.

My first thought was hashing md5’s or more complicated things like searching subsets of dna sequences for patterns.

Slightly longer version.
http://thoughtsofaprogrammer.tumblr.com/post/677654730

By: Loïc d'Anterroches

Loïc d'Anterroches — Tue, 08 Jun 2010 11:39:17 +0000

Matthew, then I must be lucky or maybe they split evenly and do not affect the stats. I am using the goals of Google Analytics to double check conversions etc. and I have an average of 10% deviation between my tools and GA results.

For information, the websites are http://www.chemeo.com (physical properties of chemical components) and http://www.indefero.net (hosted git/subversion repositories and project management). These are not websites where one make money selling attorney services or things like that. This is maybe why the bots coming are not that bad.

Maybe my procedure to manage my tests is also helping, here is what I am doing:

– always have at least one A/A test open to ensure that the results are sound. That is, I test 2 times the same alternative and they come out with the same score.
– rerun on a regular basis the tests which were not that significant.
– keep long term stats to be sure that if my test gave an alternative which went from a 15% to a 20% conversion rate, it stays like that on the long run (or improve).

So I “fire and forget” a lot of tests, but I keep track of the effects on the long run and adjust. I accept that the numbers in the tests can be a bit off and always check against my real conversion rates at the end of the day. Note that the 10% deviation is that my framework (at the application level) picks up 10% more visitors, they can be bots (but they will not convert) or people without javascript enabled.

I hope it helps understanding my particular situation. The code of the A/B testing framework (PHP+MongoDB) is available (LGPL) here:
http://projects.ceondo.com/p/pluf/source/tree/master/src/Pluf/AB.php

By: Matthew Brophy

Matthew Brophy — Tue, 08 Jun 2010 10:15:58 +0000

My site is not in the gambling industry and the vast majority of bots on my site report themselves as Internet Explorer (it is obvious that they are bots by their behaviour).

Loic d’Anterroches – either you are lucky not to have these misreporting bots or because they misreport themselves you just haven’t noticed.

By: Loic d'Anterroches

Loic d'Anterroches — Tue, 08 Jun 2010 09:17:40 +0000

If your site is not in the gambling industry, you can use this way to check the user agent (PHP code):

public static function isBot($user_agent)
{
static $bots = array(‘robot’, ‘checker’, ‘crawl’, ‘discovery’,
‘hunter’, ‘scanner’, ‘spider’, ‘sucker’, ‘larbin’,
‘slurp’, ‘libwww’, ‘lwp’, ‘yandex’, ‘netcraft’,
‘wget’, ‘twiceler’);
static $pbots = array(‘/bot[\s_+:,\.\;\/\\\-]/i’,
‘/[\s_+:,\.\;\/\\\-]bot/i’);
foreach ($bots as $r) {
if (false !== stristr($user_agent, $r)) {
return true;
}
}
foreach ($pbots as $p) {
if (preg_match($p, $user_agent)) {
return true;
}
}
if (false === strpos($user_agent, ‘(‘)) {
return true;
}
return false;
}

It is not perfect, but it has been working very nicely for more than a year on my websites. Anyway, there are no perfect methods to detect if an agent is a bot… good enough is just the way to go.