How To Remove Referral Spam In Google Analytics

Have you opened Google Analytics, seen a spike in referral traffic from a domain you’ve never heard of, and wondered if you’re being spam-hit? For sites running between 2014 and 2019, that experience was nearly universal — Russian lottery sites, keyword-stuffed traffic, ghost referrers pushing 100% bounce rates. The 2026 landscape is meaningfully different. Here’s what changed, what still matters, and the correct way to clean up referral data in Google Analytics 4 (GA4).

What changed: Universal Analytics is gone

If your memory of “referral spam filtering” involves Views, View-level filters, or the Referral Exclusion List, that’s Universal Analytics (UA) — and UA no longer exists.

• July 1, 2023 — UA properties stopped collecting new data.
• July 1, 2024 — Google permanently deleted all Universal Analytics data, including historical reports.
• 2024 onward — Only GA4 exists, with a different architecture (event-based rather than session-based) and different administrative surfaces.

If you’re reading an old guide that tells you to “create a View-level filter” or “enable Bot Filtering in View settings”, that guide is years out of date. None of those controls exist in GA4 — and the referral-spam problem they were meant to solve has largely been designed out of the newer product.

Is referral spam still a problem in GA4?

For most sites, no — or far less than it used to be. Three GA4 changes reduce the attack surface that made ghost spam so easy in UA:

• Measurement Protocol v2 requires authentication. The server-side API that let UA spammers send fake hits with just a property ID now requires an API secret generated per data stream. Spammers can’t guess that secret, which eliminates the crude mass-ghost-spam attack that flooded UA accounts.
• Automatic bot filtering is always on. GA4 applies the IAB International Spiders & Bots List server-side and excludes that traffic from reporting automatically — with no checkbox to disable.
• Event-based data model. Ghost spam exploited UA’s session/pageview structure. GA4’s event model plus authenticated APIs makes injecting fake referrals much harder.

What you may still occasionally see in GA4 reports:

• Legitimate referrers you’d rather not count — your own subdomains, payment gateways, email providers.
• Internal traffic from your office, VPN, or development environments.
• Bot traffic from the long tail not on the IAB list (including newer AI/LLM crawlers).
• Rare targeted spam if your API secret has leaked or been committed to a public repo.

Each has a specific GA4 control. None require the UA-era ritual of regex filters and custom segments.

The right tools in GA4, by problem

1. Exclude internal and developer traffic

Your own office traffic inflates pageviews and skews engagement metrics. In GA4:

1. Go to Admin → Data Streams → [your stream] → Configure tag settings → Show all → Define internal traffic.
2. Create a rule by IP address (or range) that sets the traffic_type parameter to internal. Do the same for developer traffic, QA, or staging.
3. Go to Admin → Data Filters at the property level. GA4 ships with a default “Internal Traffic” filter in Testing mode — switch it to Active to exclude that traffic from reports.

Data filters in GA4 are applied going forward only. Once switched to Active, matched traffic is excluded from that point on — GA4 filters cannot be “unapplied” retroactively, so test in Testing mode first.

2. List unwanted referrals

This is the modern GA4 equivalent of the UA Referral Exclusion List — and unlike its UA predecessor, it is a legitimate tool, not a warning. Use it when you don’t want your own checkout flow, auth provider, or email tracking domain counted as a referrer:

1. Go to Admin → Data Streams → [stream] → Configure tag settings → Show all → List unwanted referrals.
2. Add domains to ignore as referrers (e.g., checkout.stripe.com, accounts.google.com, your own shop.example.com).

This doesn’t prevent data collection — it changes how referrals are attributed. For cleaning up attribution noise from payment gateways and SSO flows, it’s exactly right. For actual spam, it’s not the relevant tool.

3. Bot filtering

GA4 automatically filters traffic from bots on the IAB International Spiders & Bots List. You can’t turn it off — which is a feature. If you want to see bot traffic (for example to understand which AI crawlers hit your site), use server logs or a log-analysis tool. Our crawl budget guide covers AI-crawler monitoring in detail.

4. Audit your Measurement Protocol API secrets

If you see genuinely unexplained referral sources in GA4 — domains you’ve never heard of generating conversions or events — the most likely cause in 2026 is a leaked API secret. Check Admin → Data Streams → [stream] → Measurement Protocol API secrets. How many exist? When were they last used? Search your Git history and public repos for the secret value. If it’s exposed anywhere, rotate it immediately. If you don’t actively use the Measurement Protocol, delete all secrets — GA4 collects client-side traffic via gtag.js or GTM regardless.

5. Advanced: BigQuery and Looker Studio filters

For sites at scale, the free BigQuery export (available to every GA4 property since 2021) opens a more powerful filtering surface. Write SQL to exclude specific referrer patterns or bot signatures without touching the raw data. The same principle applies to Looker Studio — apply report-level filters to exclude noise from dashboards, leaving the underlying property untouched.

What to do about old UA data

If your dashboards or reports reference UA properties, those references now return empty. Audit and replace:

• Looker Studio reports pointed at UA property IDs — repoint at the GA4 property.
• Google Tag Manager containers still firing UA tags — those tags do nothing; remove them.
• Scheduled reports or scripts pulling from the UA API (decommissioned 2024) — migrate to the GA4 Data API.

The silver lining: any referral spam that accumulated in your UA account between 2014 and 2023 is, as of July 2024, simply gone.

Frequently asked questions

Does the old UA Referral Exclusion List warning still apply?

No. The original advice concerned a specific attribution quirk in UA’s session model, which GA4 doesn’t share. GA4’s “List unwanted referrals” is a legitimate tool for cleaning up attribution from payment and auth domains.

Do I still need to build regex filters for GA4?

No. GA4 data filters are configured through a UI and are limited to four types (internal, developer, and two custom types per property). Complex rule-based filtering has moved to Looker Studio report filters or BigQuery SQL.

Can AI crawlers like GPTBot show up as referrers?

Major AI crawlers (GPTBot, ClaudeBot, PerplexityBot) are typically caught by GA4’s automatic IAB bot filter and excluded. If one slips through, it usually appears as direct traffic rather than a traditional referrer. Server logs are the authoritative place to audit AI crawler activity.

What replaced bounce rate in GA4?

GA4 initially replaced bounce rate with engagement rate. Bounce rate was added back in 2022 but is now defined as 1 − engagement_rate — the inverse of the percentage of sessions that last 10+ seconds, include a conversion event, or include two or more pageviews. Direct comparisons across the UA-to-GA4 migration are misleading.

Bottom line

Referral spam was a real UA problem that Google largely designed out of GA4. In 2026, the practical maintenance tasks are (1) switching the default internal-traffic data filter to Active, (2) listing your checkout and auth domains under “List unwanted referrals”, (3) rotating or deleting Measurement Protocol API secrets if you’re not actively using them, and (4) letting GA4’s automatic bot filtering handle the rest. Clean up any lingering UA references in your tags and reports — UA data is deleted and those references return nothing. Spend the time you would have spent writing filter regex on actually analyzing the clean data you already have.