NS8 User Guides

User Risk Factors

How NS8 classifies users by risk type.

These are the factors used to determine the suspicion level or offense of a user. While a user may have more than one risk factor associated with them, NS8 will often refer to the primary risk factor of a user. The primary risk factor carries the highest risk weight out of all the factors linked to that user.

Risk Factor
Why is this a Risk?


No user risk was associated with the session.


The user’s I.P. address is originating from a colocation data center.
Data centers are shared computing systems that lease space to remote customers. NS8 maintains a database of data center I.P. address ranges.

Colocation presents a risk because data centers are secured locations where humans are not typically allowed access and a favored location of bot networks. Traffic originating from a data center is more likely to be a bot than human.

For example, a session coming from an Amazon AWS data center address block is unlikely to be valid.

Public Proxy

A proxy server acts as a substitute, or hub, for a user’s internet traffic. The use of a proxy is common practice to anonymize a user or hide their identity. This is also commonly referred to as a VPN service.

Using a public proxy server can be a suspicion indicator because proxies are used to obfuscate a user’s location or identity . This makes it difficult to identify fraudsters from legitimate traffic.
It is not a common practice for consumers to use a proxy service to mask their identity.


TOR is short for The Onion Router. This is a protocol developed to anonymize web traffic and protect a user’s identity. Legitimate uses include whistleblowers, law enforcement, and user’s in censored countries.

Fraudster’s use TOR to conceal their location and usage from anyone conducting network surveillance or traffic analysis. Consumer’s do not normally use TOR to hide their identity making its use suspicious in eCommerce.


Traffic originating from a university network carries a higher risk than other internet traffic.

Networks at universities have large user pools with constantly changing information that have lead them to be a preferred hiding place of fraudsters. Also, universities historically have higher transaction fraud rates.

Publisher Collusion

This is the same I.P. address showing up on several sites that are owned by the same publisher at a frequency beyond normal human activity.

Publishers that buy bot traffic will spread the traffic across an array of websites.

Fast Click

By measuring the speed between clicks on a website non-human traffic can be detected.

Because bots are computer programs that perform repeatable actions monitoring for the precise repetition of activity is an indication of non-human traffic. A human user will have variations in click timing and patterns and not act with non-human precision.

User Id Rotation

When the same I.P. address is used for multiple sessions with varying user ids.

The normal relationship between a user’s I.P. address and an eCommerce account are one to one. While occasionally a consumer may have multiple ids, a significant quantity is a fraud indicator.

User Agent Rotation

The User Agent String for traffic coming from the same I.P. address changing from session to session.

Bot’s will use rotating details, such as browser type or operating system, as new sessions are initiated in an attempt to disguise the bot as human traffic. The same I.P. address for a real user is highly unlikely to have the user agent details change continually because people tend to use the same devices regularly.

NOTE: This can happen when users are behind a large organization's proxy. Therefore, it must be an abnormally high session count.

Keyword Collusion

Unusually large amounts of matching keyword referrals with similar identifiers, such as I.P Address or destination.

Keyword patterns associated with large amounts of traffic are key indicators of click farms or bot traffic.

Known Bot

NS8 maintains a database of known bot traffic sources.

Known sources of bots are most likely to be sources of bot traffic in the future.

Spoofed User Agent

The User Agent String is identified as being fraudulent. NS8 can detect characteristics of a user and compare them to the browsers user agent string.

If the user agent string is faked the likelihood of the traffic not being a real user is very high. The technical lift and lack of benefits a real user gains makes it unlikely that a real user will modify the user agent string.


Browsers report the viewability of a session or advertisement. Unviewable sessions will be minimized, briefly visible, or possibly a headless browser.

Real traffic requires the ability to view a webpage to navigate, view ads, and make purchases. If the session is unviewable the traffic is likely a bot.

Cookie Rotation

In order to avoid detection fake traffic will rotate referrer cookies to appear human.

Because the same I.P. address, or other identifier, is recorded with multiple cookies a high level of suspicion is assigned because the normal relationship between user and cookie would be one to one.

Click Count

By measuring the quantity of clicks within a session non-human traffic can be detected. A variance from normal human activity will indicate the user is a bot.

If actions are performed by a script the number of clicks can be extremely low by avoiding clicks with code or extremely high as the bot navigates poorly, either of these are suspicious activity.

Invalid Search

When traffic begins a session with a website details regarding how traffic found the website are transmitted to the website. There are published structures of this data provided by search engines like Google. They have made it difficult to accurately fake search data. This can also be referrals from a search engine that no longer is active, like 7Search.com.

When the search details of a visitor origins are wrong the traffic can be identified as invalid.

Blacklisted Referrer

NS8 maintains a black list of traffic referrers that are known sources of bad traffic like bot farms and click farms.

Traffic from known bad reference sources is considered invalid.

Spam Bot

Bots used to crawl websites trying to steal information to add to spam lists, like email addresses or phone numbers.

Spam Bots serve no purpose other than to steal information to add to spam lists.