Lock It Down -- Here's How and What to Watch Out For

You've heard me say over the years, you can't block-list your way out of trouble. The reason is that there's simply too many fake sites and fake mobile apps to add to block lists. Imagine the compute power needed to compare the domain in the bid request against a list that's hundreds of thousands domains long, and decide within 50 milliseconds whether to submit a bid or not. Ad exchanges process 10s of trillions of such bid requests per day; so they take shortcuts -- if there's no match for include or block by a certain timeframe, they just let it through. Good for them (more impressions and revenue) bad for you (your media buy).

Ad analytics firm, DeepSee.io quite hilariously tweeted that when they reviewed the block list used by one of the largest media agencies, 71% of the entries were "dead." That means the domains didn't even exist any more. Lots of computing power to look through a block list and 3/4 of it were useless. Bad guys simply rotate new domains and app names in when old ones are caught for fraud and blocked. So there's an endless supply of domains and app names for them to use for ad fraud. You can't block 'em all. And it's a game of whack-a-mole you will never win. And don't even get me started on the list of "100 million IP addresses" that TAG and the IAB gives to their members to block bots. LOL,LOL,LOL - laughing out loud at them because Methanum-bot swapped out all 750,000 IP addresses within 6 hours of disclosure and got right back to their merry money-making.

The above slide shows a few examples of non-sensical domain names and mobile app names showing up in placement reports. No human could type those domains to visit them even if they wanted to. Why were these not caught and stopped by fraud detection vendors? Ask them. Bad guys simply lied in the bid request and spoofed the domain of some mainstream publisher to easily slip by undetected. Over the last 10 years, I have documented case after case where fraud detection tech failed to perform even the most basic detections. Last month, Gannett's mess-up revealed that billions of ads were transacted with mis-declared domains, and no one noticed and no one took action. The detection vendors had ONE JOB -- to keep your ads away from errors like mis-declared domains, fraud, bots, and not brand safe sites. They were caught with their pants around their ankles so they sent emails to all their customers claiming the Gannett thing was a "non-issue" or "it wasn't technically fraud" or "we detected everything so you were not exposed." Sounds kinda like their repeatedly reporting 1% IVT over and over again every quarter for the last 5 years. You can't detect your way out of trouble just like you can't blocklist your way out of trouble.

But you CAN use strict whitelists/inclusion lists. These should be very short -- sites that have real human audiences. Note that even with this approach you should be aware of limitations and pitfalls. Remember my example of testing a one-domain inclusion list? Only 73% of my ads went to the right domain, when I didn't specify the SSP to buy from; 27% of my ads went somewhere else. Remember the "15% unknown delta" from the ISBA supply chain transparency study from 2021? This is related. When I locked it down to 1 domain and 1 exchange, only 3% of my impressions were lost to supply path leakage (right side of the slide).

I ran the same experiment today. The campaign just started, but it's already not looking good. I specified 1 domain (zupimages.net) and 1 exchange (AppNexus). As you can see from the placement report so far, out of 15,108 impressions I paid for, only 13 appeared to go to the one domain in the inclusion list zupimages.net -- that's a rounding error to ZERO. ZERO PERCENT of my ads went to the 1 domain I specified. The rest went to mobile apps.

The chart to the right shows that FouAnalytics, with a tag in the ad itself, could only record 31 ad impressions, out of 15,108 that I paid for. When you buy digital media, lock down the domains. Use strict and short inclusion lists of sites you've heard of and other humans have heard of. If they have not heard of those sites, there won't be large numbers of humans on those sites, even if those sites are selling billions of impressions. Lock down the exchanges/SSPs, like I did in the experiments above. The fewer the exchanges, the fewer the unknown supply paths and leakage. Better still, ask the mainstream publisher for their exact sellerID, dealID, or bundleID and the specific exchange they prefer to sell through. Lock all those down to give yourself a reasonable shot that your ads will end up on that publisher's site and not somewhere else.

If you don't need mobile apps, turn those all off, categorically. For example, a pharmaceutical client showing ads to doctors does not need their ads to show up in Candy Crush or Cashman Casino. Even if it were the doctor playing, they're not going to stop their game and click on the ad; in fact, they'd probably be pissed at the pharma company for interrupting their gameplay. Note in my experiment on the right, even though I UNchecked the mobile in-app checkbox, still 50% of my ads went to mobile apps, crappy ones at that.

If you use FouAnalytics, you will have these same details that I see. These details tell you if the DSP/exchange is honoring and enforcing what you specified in the set up of your campaign. If you've seen the multitude of errors, oopsies, and just bad tech, like I have, you'd be SYH ("shaking your head") just like I've been SMH ("shaking my head") for 10 years. Be sure to insist on detailed placement reports BY DAY, so you can more quickly see if things went wrong, or are going right. Why wait till the end of the month to get summaries, totals, and averages? By then you won't be able make adjustments soon enough.

LOCK. IT. DOWN. Otherwise whatever you're spending in programmatic media might as well be pissed away down the river. There will be no difference.

If this post helped you, please feel free to re-share.

Further reading: Time to Acknowledge Ad Fraud, Instead of Countless Oopsies