Using Fraud Rules

The TUNE Fraud Prevention Solution shines a light on the root causes of fraud and gives all parties the information they need to take the right, most granular actions to reduce fraud.

The solution includes:

  • Fraud Reports
  • Fraud Rules
  • Fraud Transparency Insights (TUNE Partner Center)

You can use both pre-defined and custom fraud rules to validate attribution based on inbound click geo, device, or campaign values to credit, flag, or filter out suspicious conversions. 

This article is part of our Popular Features series.

Fraud Rules Actions

Any time you create a fraud rule, the intended action must also be specified. You can choose from the following actions to occur any time the rule thresholds have been met.

  • Attribute, mark as ‘Suspicious’ and send postback with fraud status and reason code
    • Click and corresponding installs/events that meet the criteria for the specific rule will be attributed to the corresponding partner.
    • Click and corresponding installs/events get marked as ‘Suspicious’.
    • Postback for the corresponding partner and conversion sent including the applicable reason code within the HTTP header.
  • Attribute, mark as ‘Suspicious’ and send postback without fraud status and reason code
    • Click and corresponding installs/events that meet the criteria for the specific rule will be attributed to the corresponding partner.
    • Click and corresponding installs/events get marked as ‘Suspicious’.
    • Postback for the corresponding partner and conversion sent but not with the applicable reason code within the HTTP header.
  • Do not Attribute
    • Any click that meets the criteria for the specified rule will not be attributed to the corresponding partner.
    • Click marked as ‘Suspicious’.
    • Postback for the corresponding partner and conversion not sent.


Global Fraud Rules

To get you started, we recommend enabling pre-defined fraud rules that represent the strongest indicators of suspicious fraudulent activity:

  • Click to Install Time: Flag installs as suspicious if the time between click and install is under a set number of seconds. You can adjust this number to any time between 1 and 30 seconds.
  • Conflicting Device Info: Flag installs as suspicious and don’t use the click for attribution if device IDs between click and install match, but corresponding device info (model, brand, OS) do not.
  • Conflicting Click Region: Flag installs as suspicious if the click source region differs from where the corresponding install occurred.
  • Suspicious IP Proxy Detected: Flag clicks and/or impressions as suspicious if they come from an anonymous proxy server.

When referencing flagged activity, keep in mind that the Click to Install Time, Conflicting Device Info, and Conflicting Click Region global rules only flag the subsequent install/event. Similarly, the Suspicious IP Proxy Detected rule only flags the click.

Note: These rules apply to all partners and are not turned on by default. If you leverage TUNE’s server-to-server measurement capability, you will not have access to the Conflicting Device Info or Conflicting Click Regions rules as they collect the required information from your app using the TUNE SDK.

Determining IP Source & Proxies

TUNE uses Digital Element’s NetAcuity solution for global geolocation and IP intelligence to determine whether a traffic source is using a proxy, and if so, what type.

While the detection of a proxy is not suspicious in and of itself—corporations and educational institutions use proxied networks—we consider anonymous proxies to be the source of possible fraudulent activity.

Value Description
? Not determined to be a proxy.
anonymous Anonymous proxy – Actual IP address of client is not available.
transparent Transparent proxy – Actual IP address of client is available via HTTP headers.
aol AOL proxy.
corporate Corporate proxy – Multiple users proxied from a corporate network and clients “share” one IP network-apparent address.
public Public proxy – Multiple users proxied from a location that allows public access to the Internet.
edu Educational proxy – Proxied users from an educational institution.


Creating a Custom Rule

You can create custom rules for a variety of combinations for clicks, installs, and in-app events. You can have a maximum of ten custom fraud rules (including inactive rules).

To create a custom rule:

  1. In the Partners section of the main navigation, click Fraud Rules.
  2. On the Fraud Rules page, click Create Rule.
  3. Provide the following information:
    1. Name your rule
    2. Select a Field
    Field Sub-field Parameter
    Partner publisher_id
    Mobile App site_id
    Geo country_id, region_id
    Click IP Address ip
    Referral URL referral_url
    User Agent String user_agent
    Device Info Device IP Address device_ip
    Device OS Version wurfl_device_os_version
    Device Model wurfl_model_name
    Device Type device_type
    Device Brand wurfl_device_brand
    Device ID device_id
    iOS IFA ios_ifa
    Google AID google_aid
    Sub 1 publisher_sub1
    Sub 2 publisher_sub2
    Sub 3 publisher_sub3
    Sub 4 publisher_sub4
    Sub 5 publisher_sub5
    My Parameter My Ad advertiser_sub_ad_name
    My Ad Group advertiser_sub_adgroup_name
    My Placement advertiser_sub_placement_name
    My Campaign advertiser_sub_campaign_name
    My Keyword advertiser_sub_keyword_name
    My Partner advertiser_sub_publisher_name
    My Site Name advertiser_sub_site_name
    Partner Parameter Partner Ad publisher_sub_ad_name
    Partner Ad Group publisher_sub_adgroup_name
    Partner Campaign publisher_sub_campaign_name
    Partner Keyword publisher_sub_keyword_name
    Partner Placement publisher_sub_placement_name
    Partner Publisher publisher_sub_publisher_name
    Partner Site
    1. Select an operator
      • Equals Any
      • Does not Equal Any
      • Contains
      • Does not Contain
      • Starts With
      • Does not Start With
    2. Enter a value
  4. Select the action you want applied if the above criteria is met.

Note: Both the click and the subsequent install/event are marked as suspicious for custom rules you create.

Viewing Suspicious and Fraudulent Activity in Reporting

Once you’ve enabled fraud rules, any suspicious and/or fraudulent activity is available in both the Actuals and the Logs Reports.


When viewing your Actuals report, you can include suspicious or fraudulent activity as additional data points:

  1. In the Reporting section of the main navigation, click Actuals.
  2. Click Edit to add the related fraud metrics.
  3. Select any of the following Show Metrics:
    1. Suspicious Clicks
    2. Suspicious Installs
  4. Click Apply.


Suspicious or fraudulent activity can be viewed in the following Logs Reports:

  • Installs
  • Impressions
  • Clicks
  • Events

To view suspicious or fraudulent activity:

  1. In the Reporting section of the main navigation, click Logs.
  2. Click Configure Report to add the related fraud metrics.
  3. Select any of the following Include Metrics:
    1. Fraud Status – possible values of ‘Suspicious’ or ‘NULL’
    2. Fraud Action – possible values of ‘Do not Attribute’, ‘Attribute, mark as Suspicious and send postback with reason code’, and ‘Attribute, mark as Suspicious and send postback without reason code’
    3. Fraud Reason Codes – possible values of ‘CUSTOM’, ‘COUNTRY_CONFLICT’, ‘DEVICE_CONFLICT’, ‘IP_PROXY’, ‘CONVERSION_TIME’
  4. Click Apply.

Third Party Reporting

If you send your Attribution Analytics data to another third party reporting, the following postback macros are available:

  • {traffic_flag_status} – Indicates whether or not the click and corresponding installs/events were flagged as suspicious; possible values 1 (flagged as suspicious) or 0 (not flagged as suspicious). For any fraud rules where the chosen action is “Attribute, mark as Suspicious and send Postbacks without reason code”, this macro is always 0.
  • {traffic_flag_reason_code} – The applied fraud reason code (‘CUSTOM’, ‘COUNTRY_CONFLICT’, ‘DEVICE_CONFLICT’, ‘IP_PROXY’, ‘CONVERSION_TIME’) with its corresponding ID.

 Things to Keep in Mind

  • Permission to access this functionality can be enabled or disabled on a per person basis with the options of View-only and Full (Create/Edit not available).
  • Only Full Access Agencies (AORs) can create fraud rules and view related reporting fields. Limited access agencies will not be able to access these rules or related reporting fields.
  • Advertising partners who use the TUNE Partner Center can view active fraud rules that apply to them (global or custom) as well as unique instances of suspicious clicks and installs in the Logs. For more details, see the Partner Center article on Viewing an Advertiser Logs Report.


Leave a reply
  • Jason  •  July 20, 2017

    As a partner of TUNE, is there any signal we could have when the fraud postback is triggered?
    That is, is there any macro in postback URL we could use to inform us that the conversion is marked 'suspicious'?


    • Grace  •  July 25, 2017

      Hello Jason,

      We are currently working on including several postback macros that will denote both the action taken and the reason itself. They should be released within the next few weeks. Please note, however, that we will only populate these values if the advertiser chooses to share this information.

  • Marin  •  November 30, 2017

    A small questions on "conflicting device info" :
    If I understand well, the suspicion arise when there is a difference between the device info between click and install.
    If the attribution technique used is fingerprinting, that matchs click and install based on device info, how can the install be mark as "conflicting device info" after it is attributed correctly?

    • Jonathan  •  December 12, 2017

      Hi Marin, thanks for asking!

      Fingerprint attribution is a probabilistic match (not deterministic like identifier or referrer attribution), so it's possible in some cases that a device conflict may be found. These use separate checks and we're looking at ways to refine the accuracy of fingerprint logic based on our newer fraud features. I know some fingerprint improvements are currently in testing, so you can expect more info coming in the near future on this.

  • John  •  December 13, 2017

    A question regarding conflicting device info:
    Is there a more efficient way to see the difference between the conflicting device info other than downloading install and click logs?


    • Grace  •  December 14, 2017

      Hello John,

      Currently the only method to viewing conversions that have triggered a fraud rule is at the log level; either by viewing the Logs Reports themselves, exporting the Logs Reports via API or setting up postbacks to your own internal BI system if available.

      Our product team is always looking for client feedback, so if you have any ideas on how else you'd like to see this data please let us know!

  • Kevin  •  January 17, 2018

    Is there any story behind the rule "conflicting device info"? I can understand that any inconsistency could be abnormal. But what's the fraudulent scheme behind this behavior?

    Thanks for replying!

    • Jonathan  •  January 18, 2018

      Hi Kevin,

      Thanks for asking! In some scenarios, a bad actor can attempt to hijack organic installs through partial matching of device info like IP or user agent. The conflicting device info rule helps identify these situations for further investigation.

  • Min  •  October 31, 2018

    Shouldn't this part "For any fraud rules... “Attribute, mark as Suspicious and send Postbacks without reason”, this macro is always 0." be as "...this macro is always 1"? Why is it 0 ? I see raw data report and it seems like it should be 1 instead of 0

    • Jonathan  •  November 1, 2018

      Hi Min, that fraud rule action is designed to be primarily for internal reporting, as not all advertisers have the same definition of "suspicious" as their partners. If you and your partner's are well-aligned in that regard, you can instead use the "Attribute, mark as 'Suspicious' and send postback with fraud status and reason code" action.