Update time: June 17, 2024
Issue
Recently, I noticed unexpected traffic coming from gtm-msr.appspot.com in GA4.
This traffic appears in the “Page title and screen class” report and does not belong to my website:
At first glance, this looks like normal pageview data, but the source domain is clearly suspicious.
Analysis
Identify the source URL.
By drilling down into the report, you can find that the page location being tracked looks similar to:
This is not a domain owned or controlled by me.
Open this URL:
After further investigation, it becomes clear that:
- The GTM container loaded on this page is not intentionally deployed by me
- The domain
gtm-msr.appspot.comis being used as a host to load multiple GTM containers - Each container can send data to different GA4 properties
This strongly indicates automated or machine-generated traffic, not real user behavior.
The mechanism is relatively simple:Someone opens a URL such as https://gtm-msr.appspot.com/render2?id=GTM-XXXXXXX.This page loads your GTM container ID. Once GTM loads, GA4 page_view tracking is automatically triggered, GA4 records a page view where the page location is gtm-msr.appspot.com, not your actual website
Solution
Restrict GA4 page tracking by domain in GTM
The most effective solution is to add a domain restriction to your GA4 pageview trigger in Google Tag Manager.
Modify your GA4 page_view trigger so that it only fires when the page is viewed on your own domain(s):
With this restriction in place: Even if gtm-msr.appspot.com loads your GTM container, GA4 page_view tag will not fire.
