Traffic Promotion Fraud Prevention detects fraudulent traffic in real time for online marketing campaigns. Advertisers and media platforms use it to identify threats across traffic monetization, channel promotion, and Real-Time Advertising (RTA) scenarios. The service analyzes device signals, network environments, and behavioral patterns to improve traffic quality, reduce costs, and increase revenue. Industries served include casual games, social networking, e-commerce, retail, and travel.
Editions
Fraud Detection offers two editions: Basic and Advanced. Both support real-time analytics and return risk feature tags. The table below shows what each edition includes.
| Feature | Basic edition | Advanced edition |
|---|---|---|
| Real-time analytics | Yes | Yes |
| Return value | Risk feature tags | Risk feature tags |
| Device risk monitoring | Yes — detects emulators, multi-boxing instances, device farms, multi-tasking software, cloud phones, and hook devices | Yes — same as Basic edition |
| Device fingerprint | No | Yes |
| Gang analysis | Yes | Yes |
| Log delivery to Simple Log Service | No | Yes — logs are stored free of charge for one year after you authorize Fraud Detection to deliver them |
Service event parameters
Pass these parameters as JSON to the ServiceParameters common request parameter. All parameters apply to both Basic and Advanced editions.
Fraud Detection does not validate the format of input strings, which gives you flexibility to pass data in your preferred format. Validate input formats on your end before sending requests. For example, mobile phone numbers in the Chinese mainland must be 11 digits and start with 1.
| Parameter | Data type | Required | Description |
|---|---|---|---|
deliveryMode | String | Optional | The ad delivery mode. Examples: general buying, Real-Time Bidding (RTB), RTA. |
advertisingType | String | Optional | The ad placement type. Examples: information feed, launch screen. |
operateTime | Long | Optional | The UTC timestamp of the operation, accurate to the second. If you are scanning historical data for risks, pass the historical operation time — not the current time — to avoid misidentification. Example: 1522555200 (2018-04-01 12:00:00 UTC). |
imeiMd5 | String | Optional | The MD5 hash of the device IMEI. See Device ID encryption rules. |
androidIdMd5 | String | Optional | The MD5 hash of the device Android ID. See Device ID encryption rules. |
oaidMd5 | String | Optional | The MD5 hash of the device Open Anonymous Device Identifier (OAID). See Device ID encryption rules. |
idfaMd5 | String | Optional | The MD5 hash of the iOS Identifier for Advertisers (IDFA). See Device ID encryption rules. |
macMd5 | String | Optional | The MD5 hash of the device MAC address. See Device ID encryption rules. |
operateSource | String | Optional | The source channel. Valid values: PC, H5, APP. |
deviceToken | String | Required when using the Alibaba Cloud device SDK | The device token from the Device Risk SDK. Example: MzQvo1d7scyZ3tl_RcJZo_QOytAjy1LWRRLoRKo5oZSoo_JGj1ZoR5JGoRo5jcdn57gV5kxVRcLER5RQoZSvRZZQRcROjcMW5csZR_RGy_55RKJ_oooqZ7dSV5gRnKxOV7eWVQQjRtlRQoAjRcM0 |
ip | String | Optional | The originating IP address of the user operation. Example: 42.120.XX.XX. |
mobileMd5 | String | Optional | The MD5 hash of the user's mobile phone number. Example: e7beea81b7a03b38508428fbeeb3****. |
Device ID encryption rules
Each device identifier requires a specific pre-processing step before MD5 encoding. Follow these rules exactly — incorrect encryption significantly reduces detection accuracy.
| Device ID | Pre-processing | After MD5 |
|---|---|---|
| IMEI | Convert to lowercase | Convert to lowercase |
| Android ID | Keep as original | Convert to lowercase |
| OAID | Keep as original | Convert to lowercase |
| IDFA | Convert to uppercase | Convert to lowercase |
| MAC address | Keep as original | Convert to lowercase |
Apply these encryption standards strictly. Incorrect encoding for IMEI, IDFA, OAID, Android ID, or MAC address significantly reduces identification effectiveness.
Response parameters
The service returns risk feature tags in the tags field of the Data response parameter. Each tag represents a specific risk signal. The table below shows the tag values, their meanings, and recommended actions.
| Risk level | Tag value | Meaning | Recommended action |
|---|---|---|---|
| High | is_emulator | The device is suspected to be an emulator. Applies to Android and iOS. | Filter out the business. |
| High | is_rooted | The device is suspected to be rooted. On iOS, this indicates a suspected jailbreak. | Filter out the business. |
| High | is_hooked | The device is suspected to be subject to injection attacks. | Filter out the business. |
| High | …… | …… | Filter out the business. |
| Medium | is_deviceCluster_m | The device is suspected to be part of a device cluster with medium risk. Applies to Android only. | Trigger security verification or limit high-risk access or operations. |
| Medium | …… | …… | Trigger security verification or limit high-risk access or operations. |
| Low | token_replay | Device SDK token replay detected. | Tag the account and monitor it. |
| Low | …… | …… | Tag the account and monitor it. |
The tags above are a partial list. For the complete tag enumeration, go to the access management module in the Fraud Detection console.
For details on all response fields, see Common response parameters.