Scanning through the IP logs is often times the best way to detect cheaters.
Familiarize yourself with these tools as much as you can.
The Proxy Counter goes through the log files of the last 24 hours and counts all (open / anonymous) proxy hits.
In the generated report, high proxy percentages are highlighted. (class .negative)
The following image shows the output of the proxy counter.
The next step is to select a domain to scan. In this case we select 'noref'.
A likely cheater in this report is the 6th trade with 47% open proxy hits in and 27% open proxy clicks.
When you click on 'noref', the following report is generated
This is a detailed report of IPs that frequently appeared as 'noref' in the logs.
One ip that stands out is 22.214.171.124, with over 13.000 hits in and 0 clicks.
To further scan the IP, click on it or fill it out in the following form
When you've eventually narrowed your selection down to one IP, you can run the IP scanner and find out all sorts of information about that one IP.
Take a look at the following report for example.
The report shows which trades have sent this IP, and where it has been sent to.
By clicking on [?] you see detailed info about the hit of the IP; the user agent of it and the time.
Cheating IPs often times come in large volumes in relative short periods of time and have the same user-agent,
usually a false one, like "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
, like in the following report
The time format is day of the year - hour of the day - minute of the hour.
The user agent field has a max of 40 characters but the full string can be seen by holding your mouse over it.
Instead of using the proxy scanner first to see if a trade is suspicious because of high proxy percentages,
you can also directly run the IP counter to see if certain IPs are appearing more than others.
When you check the 'Get hostnames' field, do not set a low number in the 'Minimum amount of occurrences' field;
Retrieving a hostname from a IP can take more than 1 second in some cases, so when 500 IPs come up,
apache is likely to let the stats page time out - resulting in either a blank page or a internal server error.