WAF rule, Black list rule


We are currently being spammed by the referer urlumbrella.com, sending a lot of bot traffic to our website bubliq.com

We have tried to create a WAF rule, blocking the referer urlumbrella.com, and the IP-address’ associated with this domain. The traffic is still not being blocked. In the field we use “contains” for the referer name, and “equals” for the IP-address.

We have read the documentation on how to create WAF rules, but cannot figure out if we are missing something.

Here’s the expression Cloudflare generates from the referer and URL we inserted:
(http.referer contains “trafficdrive.xyz”) or (http.referer contains “nfocusdriver.com”) or (http.referer contains “urlumbrella.com”) or (ip.src eq or (ip.src eq

Any feedback on this would be really helpful.


Thanks for the advice.

Bot fight mode is enabled, but is unfortunately not blocking the traffic.

Are there any other ways of blocking bots using the WAF rules? Perhaps by using a different input field?

How are you assessing this? If you see this traffic in your Google Analytics reports, please keep in mind that there’s an old, persistent referrer spam technique in GA that does not depend on visitors actually visiting your website (and therefore cannot be handled by Cloudflare products.)

Otherwise, if you’re seeing these referrers in your origin logs, you should make sure you origin only allows requests from Cloudflare IPs.


Hello, I have the same problem, spam from urlumbrella or (not set) referals from severals countries (russia, indonesia, etc), generating page views without doing nothing and without any access logs.
So as @cbrandt said, it seems to be a GA4 spam.
How can we get rid of it as it has not always a referal set.

What is the purpose of those spammers ?

@Victor_bubliq Did you get rid of them ?

Thanks for the help.

The traffic suddenly stopped, so I didn’t take any further actions.

Hope you are able to find a solution.

And therefore an issue that you guys have to bring to another forum, as it falls outside the scope of this community. Perhaps you should try Google Analytics Community

1 Like