From f481a1d13cebdc6d15ff2c6b64771b1fd48fac74 Mon Sep 17 00:00:00 2001 From: justin Date: Thu, 18 Jun 2026 02:02:34 -0500 Subject: [PATCH] analytics: filter email-scanner / headless traffic out of Umami stats Email security gateways (Microsoft Defender Safe Links / ATP, Proofpoint, Mimecast, Barracuda, etc.) auto-fetch and often render every link in a campaign email to scan for malware. The advanced ones drive a real headless browser, execute JS, and fire Umami pageviews/clicks that masquerade as human visits -- inflating campaign click-through. New site/public/js/pw-bot-filter.js queries multiple real-browser signals and gates Umami via its official data-before-send hook (umamiBeforeSend), dropping all events when the visitor is a bot. Signals (from empirical chromium probing): decisive: navigator.webdriver, HeadlessChrome UA, known scanner UAs, zero/ collapsed screen|viewport|outer geometry, window LARGER than the physical screen (impossible on real HW; uses outerW/H so page zoom does not false-positive), software GPU rasterizer (SwiftShader/ llvmpipe/swrast via WebGL UNMASKED_RENDERER), zero logical CPUs. soft (>=2 to trip): tiny screen, inner>screen, low color depth, empty navigator.languages, no input device (no fine/coarse pointer + no hover + 0 touch), no WebGL on a desktop UA. Designed to FAIL OPEN: only strong/corroborated evidence suppresses, so real visitors (incl. zoomed, privacy-tooled, remote-desktop, kiosk) still count. Wired before the Umami tag in Base.astro (Astro pages) and all 86 static public/**/*.html pages; both load with defer so order is guaranteed and the hook is defined before Umami reads it. Tested end-to-end with chromium (site/tests/bot-filter.test.sh, 4/4): default headless-new, spoofed-Windows-UA + normal 1366x768 window, and spoofed-UA + 1x1 window are all caught; hook returns null to drop the event. --- site/public/404.html | 2 +- site/public/about/index.html | 2 +- site/public/accessibility/index.html | 2 +- site/public/account/reset-password/index.html | 2 +- site/public/admin/index.html | 2 +- site/public/contact/index.html | 2 +- site/public/index.html | 2 +- site/public/js/pw-bot-filter.js | 186 ++++++++++++++++++ site/public/order/canada-crtc/index.html | 2 +- site/public/order/cancel/index.html | 2 +- site/public/order/cancelled/index.html | 2 +- site/public/order/crypto-pay/index.html | 2 +- site/public/order/dot-compliance/index.html | 2 +- site/public/order/fcc-499a/index.html | 2 +- .../order/fcc-carrier-registration/index.html | 2 +- site/public/order/fcc-compliance/index.html | 2 +- site/public/order/formation/index.html | 2 +- site/public/order/neca-ocn/index.html | 2 +- site/public/order/state-puc/index.html | 2 +- site/public/order/success/index.html | 2 +- .../order/trucking-new-carrier/index.html | 2 +- site/public/portal/dashboard/index.html | 2 +- site/public/portal/domain-search/index.html | 2 +- site/public/portal/esign/index.html | 2 +- site/public/portal/manage-services/index.html | 2 +- site/public/portal/setup/index.html | 2 +- site/public/portal/sign/index.html | 2 +- site/public/pricing/bundles/index.html | 2 +- site/public/pricing/index.html | 2 +- site/public/privacy/index.html | 2 +- site/public/security/index.html | 2 +- .../corporate/annual-reports/index.html | 2 +- .../dexit-reincorporation/index.html | 2 +- .../services/corporate/formation/index.html | 2 +- site/public/services/corporate/index.html | 2 +- .../corporate/registered-agent/index.html | 2 +- .../corporate/state-registration/index.html | 2 +- .../contractor-classification/index.html | 2 +- .../services/employment/flsa-audit/index.html | 2 +- .../employment/handbook-review/index.html | 2 +- site/public/services/employment/index.html | 2 +- .../employment/policy-development/index.html | 2 +- site/public/services/index.html | 2 +- .../privacy/breach-response/index.html | 2 +- .../services/privacy/ccpa-audit/index.html | 2 +- .../services/privacy/data-mapping/index.html | 2 +- site/public/services/privacy/index.html | 2 +- .../privacy/privacy-policy/index.html | 2 +- .../services/tcpa/campaign-review/index.html | 2 +- .../services/tcpa/consent-audit/index.html | 2 +- .../services/tcpa/dnc-compliance/index.html | 2 +- site/public/services/tcpa/index.html | 2 +- .../services/telecom/canada-crtc/index.html | 2 +- site/public/services/telecom/cpni/index.html | 2 +- .../telecom/database-management/index.html | 2 +- .../services/telecom/fcc-499a/index.html | 2 +- .../guides/cores-registration/index.html | 2 +- .../guides/cpni-certification/index.html | 2 +- .../telecom/guides/fcc-499a/index.html | 2 +- .../telecom/guides/fcc-499q/index.html | 2 +- .../telecom/guides/rmd-filing/index.html | 2 +- .../guides/usac-account-setup/index.html | 2 +- site/public/services/telecom/index.html | 2 +- .../services/telecom/ipes-isp/index.html | 2 +- .../services/telecom/state-puc/index.html | 2 +- .../services/telecom/stir-shaken/index.html | 2 +- .../services/trucking/california/index.html | 2 +- .../services/trucking/connecticut/index.html | 2 +- .../trucking/drug-alcohol-program/index.html | 2 +- .../services/trucking/florida/index.html | 2 +- .../services/trucking/hazmat/index.html | 2 +- site/public/services/trucking/index.html | 2 +- .../services/trucking/irp-ifta/index.html | 2 +- .../services/trucking/kentucky/index.html | 2 +- .../services/trucking/new-carrier/index.html | 2 +- .../services/trucking/new-mexico/index.html | 2 +- .../services/trucking/new-york/index.html | 2 +- .../services/trucking/oregon/index.html | 2 +- .../public/services/trucking/texas/index.html | 2 +- site/public/terms/index.html | 2 +- site/public/tools/contractor-quiz/index.html | 2 +- .../public/tools/corporation-check/index.html | 2 +- .../tools/dot-compliance-check/index.html | 2 +- .../tools/fcc-compliance-check/index.html | 2 +- site/public/tools/formation-guide/index.html | 2 +- site/public/tools/privacy-check/index.html | 2 +- site/public/tools/tcpa-check/index.html | 2 +- site/src/layouts/Base.astro | 3 +- site/tests/bot-filter.test.sh | 67 +++++++ 89 files changed, 341 insertions(+), 87 deletions(-) create mode 100644 site/public/js/pw-bot-filter.js create mode 100644 site/tests/bot-filter.test.sh diff --git a/site/public/404.html b/site/public/404.html index 5014540..5ba7ac9 100644 --- a/site/public/404.html +++ b/site/public/404.html @@ -5,7 +5,7 @@ if (h === "dev.performancewest.net") return "https://api.dev.performancewest.net"; return "https://api.performancewest.net"; })(); - Page Not Found | Performance West Inc.

404 Error

Page not found

+ Page Not Found | Performance West Inc.

404 Error

Page not found

Sorry, the page you're looking for doesn't exist or has been moved.

Go home diff --git a/site/public/about/index.html b/site/public/about/index.html index fba9958..e2a6c5e 100644 --- a/site/public/about/index.html +++ b/site/public/about/index.html @@ -5,7 +5,7 @@ if (h === "dev.performancewest.net") return "https://api.dev.performancewest.net"; return "https://api.performancewest.net"; })(); - About | Performance West Inc.
Regulatory Compliance Consulting

About Performance West

+ About | Performance West Inc.

Regulatory Compliance Consulting

About Performance West

Professional compliance consulting built on fixed pricing, domain expertise, and a commitment to helping businesses navigate regulatory requirements.

Our story

Performance West Inc. began with a focus on corporate and telecom regulatory compliance — helping carriers, CLECs, and VoIP providers navigate FCC filings, state PUC registrations, STIR/SHAKEN implementation, and the alphabet soup of telecom regulation. diff --git a/site/public/accessibility/index.html b/site/public/accessibility/index.html index 41c6bd0..4d2d356 100644 --- a/site/public/accessibility/index.html +++ b/site/public/accessibility/index.html @@ -5,7 +5,7 @@ if (h === "dev.performancewest.net") return "https://api.dev.performancewest.net"; return "https://api.performancewest.net"; })(); - Accessibility | Performance West Inc.

+ Accessibility | Performance West Inc.
Accessibility

Accessibility Statement

We want everyone to be able to use performancewest.net, regardless of ability or technology.

diff --git a/site/public/account/reset-password/index.html b/site/public/account/reset-password/index.html index 0713182..f099099 100644 --- a/site/public/account/reset-password/index.html +++ b/site/public/account/reset-password/index.html @@ -5,7 +5,7 @@ if (h === "dev.performancewest.net") return "https://api.dev.performancewest.net"; return "https://api.performancewest.net"; })(); - Reset Password | Performance West Inc.
Performance West

Set new password

Choose a new password for your account.

Admin Login

Performance West Operations

Stay ahead of compliance changes

Regulatory updates, enforcement trends, and compliance tips. No spam.

All Services Pricing Free Tools Contact Form a Business Client Portal

Contact us

+ Contact | Performance West Inc.

Contact us

Have a question about our services or need help with a compliance issue? We're here to help.

Send us a message

All Services Pricing Free Tools Contact Form a Business Client Portal

+ Home | Performance West Inc.

Navigate compliance.
Achieve success.

Professional compliance consulting for healthcare, trucking, telecom, data privacy, TCPA, and corporate regulatory requirements. Healthcare provider compliance: Medicare revalidation, NPI/NPPES, enrollment, and OIG/SAM screening. DOT/FMCSA motor carrier compliance: MCS-150, BOC-3, UCR, operating authority, and state filings. diff --git a/site/public/js/pw-bot-filter.js b/site/public/js/pw-bot-filter.js new file mode 100644 index 0000000..6d20fb7 --- /dev/null +++ b/site/public/js/pw-bot-filter.js @@ -0,0 +1,186 @@ +/** + * Performance West - email-scanner / headless-browser filter for analytics. + * + * WHY: Email security gateways (Microsoft Defender Safe Links / ATP detonation, + * Proofpoint URL Defense, Mimecast, Barracuda, Cisco, Google) automatically + * fetch and often *render* every link in an email to scan it for malware. The + * advanced ones drive a real headless browser, so they execute JS and fire + * Umami pageviews/clicks that look like human visits -- inflating campaign + * stats and making click-through look better than it is. + * + * WHAT: query a battery of signals that a REAL interactive browser on a REAL + * screen has and an automated/headless scanner usually does not, combine them + * into a confidence score, and expose window.pwIsBot. The Umami `before-send` + * hook (umamiBeforeSend, below) drops every event when this is true, so bot + * traffic never reaches analytics. Real visitors are unaffected. + * + * Designed to FAIL OPEN: any uncertainty counts as human, so we never silently + * undercount real people. We only suppress on strong, multi-signal evidence. + */ +(function (w, d, n) { + "use strict"; + + var reasons = []; + function flag(r) { reasons.push(r); } + + // ── 1. navigator.webdriver: set true by Selenium/Puppeteer/Playwright and + // by Chrome headless. The single strongest, lowest-false-positive tell. + try { if (n.webdriver === true) flag("webdriver"); } catch (e) {} + + // ── 2. Headless user-agent markers ───────────────────────────────────── + var ua = (n.userAgent || ""); + if (/HeadlessChrome/i.test(ua)) flag("ua-headless-chrome"); + if (/PhantomJS|SlimerJS|Electron|jsdom|Nightmare/i.test(ua)) flag("ua-automation"); + // Known scanner/preview bots that DO run JS (defense in depth; most are + // already excluded server-side, but some spoof regular UAs intermittently). + if (/bingpreview|YandexBot|Barracuda|Proofpoint|Mimecast|Cisco|Symantec|MessageLabs|GoogleImageProxy|Google-Safety|Microsoft Office|MSOffice/i.test(ua)) { + flag("ua-scanner"); + } + + // ── 3. Screen / window geometry ──────────────────────────────────────── + // Headless browsers default to a fixed off-screen viewport (often 800x600 + // or 1x1/0x0) with no real device behind them. Real monitors are larger and + // the browser window is a sane size. We treat clearly-degenerate geometry as + // a bot signal but keep thresholds conservative to spare small/old screens. + var s = w.screen || {}; + var sw = s.width | 0, sh = s.height | 0; + var iw = w.innerWidth | 0, ih = w.innerHeight | 0; + var ow = w.outerWidth | 0, oh = w.outerHeight | 0; + + // Zero / collapsed dimensions = no real surface (very strong, headless only). + if (sw <= 0 || sh <= 0) flag("screen-zero"); + if (iw <= 0 || ih <= 0) flag("viewport-zero"); + + // Absurdly tiny screen that no real desktop/phone reports (phones are >=320). + if (sw > 0 && sh > 0 && (sw < 300 || sh < 300) && !/Mobi|Android|iPhone|iPad/i.test(ua)) { + flag("screen-tiny"); + } + + // outerWidth/Height of 0 with a non-zero viewport: classic headless (the + // window has no chrome because there is no window manager). + if ((ow === 0 || oh === 0) && iw > 0 && ih > 0) flag("outer-zero"); + + // Viewport larger than the physical screen is impossible on real hardware. + // innerWidth is in CSS pixels and GROWS when the user zooms OUT, so an + // inner>screen check alone would false-positive on zoomed-out humans; we + // therefore make it a SOFT signal and pair it with an outer>screen check. + if (sw > 0 && sh > 0 && (iw > sw + 40 || ih > sh + 40)) flag("viewport-gt-screen"); + + // outerWidth/Height is the PHYSICAL window frame -- unaffected by page zoom -- + // so outer>screen is a much cleaner "window bigger than the monitor" tell. + // Headless browsers given a --window-size on top of an unchanged 800x600 + // virtual screen trip this even with a perfectly spoofed UA and normal-looking + // window. (Real false positive: a single window dragged to SPAN two monitors; + // rare, and fail-open cost is just one uncounted visit.) + if (sw > 0 && sh > 0 && (ow > sw + 40 || oh > sh + 40)) flag("outer-gt-screen"); + + // ── 4. Device / interaction surface ──────────────────────────────────── + // colorDepth of 0/<=8 is a headless default; real displays are 24/30. + if (typeof s.colorDepth === "number" && s.colorDepth > 0 && s.colorDepth < 16) { + flag("color-depth-low"); + } + + // ── 4b. GPU / WebGL renderer ─────────────────────────────────────────── + // The single hardest signal to spoof. Real machines render through a real + // GPU driver: "ANGLE (Intel...)", "Apple GPU", "NVIDIA", "AMD", "Mali", + // "Adreno", etc. Headless/VM scanners fall back to a SOFTWARE rasterizer: + // SwiftShader (Chrome), llvmpipe / swrast (Mesa). A software renderer on a + // device claiming to be a normal desktop browser is a near-certain bot. + // (Verified: Chrome --headless=new reports + // "ANGLE (Google, ... SwiftShader Device ...)".) + try { + var glcv = d.createElement("canvas"); + var gl = glcv.getContext("webgl") || glcv.getContext("experimental-webgl"); + if (gl) { + var dbg = gl.getExtension("WEBGL_debug_renderer_info"); + var rnd = (dbg ? gl.getParameter(dbg.UNMASKED_RENDERER_WEBGL) : gl.getParameter(gl.RENDERER)) || ""; + rnd = ("" + rnd).toLowerCase(); + w.pwGpu = rnd; + if (/swiftshader|llvmpipe|swrast|softpipe|\bsoftware\b/.test(rnd)) { + flag("gpu-software"); + } + } else { + // No WebGL at all on a desktop-class UA is itself suspicious (headless + // with GPU fully disabled). Soft, because privacy tools also block it. + if (!/Mobi|Android|iPhone|iPad/i.test(ua)) flag("no-webgl"); + } + } catch (e) {} + + // ── 4c. Input device (pointer / hover media queries) ─────────────────── + // A real desktop has a fine pointer + hover; a real phone/tablet has a + // coarse pointer. A device with NEITHER fine NOR coarse pointer, no hover, + // and zero touch points has no human input surface at all -- the hallmark of + // a headless renderer. Strong, but kept SOFT (paired with another signal) + // because some locked-down/embedded real browsers under-report these. + try { + var mm = w.matchMedia; + if (typeof mm === "function") { + var fine = mm("(pointer: fine)").matches; + var coarse = mm("(pointer: coarse)").matches; + var hover = mm("(any-hover: hover)").matches; + var touch = (n.maxTouchPoints | 0) > 0; + if (!fine && !coarse && !hover && !touch) flag("no-input-device"); + } + } catch (e) {} + + // ── 4d. Hardware introspection ───────────────────────────────────────── + // hardwareConcurrency (logical CPUs) of 0 is impossible on real hardware; + // older Selenium/PhantomJS reported 0/undefined. Modern headless reports a + // real value, so this only catches the crude scanners. Soft. + try { + if (typeof n.hardwareConcurrency === "number" && n.hardwareConcurrency === 0) { + flag("zero-cpu"); + } + } catch (e) {} + + // ── 5. Languages: real browsers expose a populated navigator.languages; + // many headless setups leave it empty or report a single bare entry. + try { + if (n.languages && n.languages.length === 0) flag("no-languages"); + } catch (e) {} + + // ── 6. Permissions API inconsistency (Chrome headless tell): notification + // permission reports "denied" while Notification.permission is + // "default" -- impossible in a real Chrome. + try { + if (n.permissions && w.Notification && + w.Notification.permission === "denied" && + n.permissions.query) { + // async; record lazily without blocking + n.permissions.query({ name: "notifications" }).then(function (p) { + if (p && p.state === "prompt") { /* normal */ } + }).catch(function () {}); + } + } catch (e) {} + + // ── Scoring ──────────────────────────────────────────────────────────── + // DECISIVE signals are individually near-impossible for a real consumer + // browser (automation flag, headless UA, zero/over-size geometry, a software + // GPU rasterizer, or 0 CPUs). Any one suppresses. + // SOFT signals are individually explainable by an unusual-but-real setup + // (privacy tools, kiosks, remote desktop, extreme zoom), so we require TWO to + // corroborate -- protecting real visitors (fail open). + var decisive = reasons.some(function (r) { + return r === "webdriver" || r === "ua-headless-chrome" || + r === "ua-automation" || r === "ua-scanner" || + r === "screen-zero" || r === "viewport-zero" || r === "outer-zero" || + r === "outer-gt-screen" || r === "gpu-software" || r === "zero-cpu"; + }); + var softCount = reasons.filter(function (r) { + return r === "screen-tiny" || r === "viewport-gt-screen" || + r === "color-depth-low" || r === "no-languages" || + r === "no-input-device" || r === "no-webgl"; + }).length; + + var isBot = decisive || softCount >= 2; + + w.pwIsBot = isBot; + w.pwBotReasons = reasons; + + // Umami `data-before-send` hook: return null to DROP the event, or the + // payload to allow it. Wired via data-before-send="umamiBeforeSend" on the + // Umami Canadian CRTC Telecom Carrier Package | Performance West Inc.

Canadian CRTC Telecom Carrier Package

+ Canadian CRTC Telecom Carrier Package | Performance West Inc.

Canadian CRTC Telecom Carrier Package

Canadian corporation (BC or Ontario) + CRTC domestic reseller + BITS international service. Complete turnkey setup for $3,899.

No Canadian citizenship required for resellers.

Everything included in your package

Canadian Corporation

  • Provincial incorporation filing (BC or Ontario)
  • Name search & reservation (if named co.)
  • Canadian registered office (virtual mailbox)
  • Corporate binder (digital PDF + physical copy)
  • Canadian business banking referral

CRTC & Telecom

  • CRTC registration — Voice, Data & Wireless reseller
  • BITS international service registration
  • CCTS complaint-handling registration
  • Canadian phone number (DID)
  • ACA accessibility compliance tracking

Digital Presence

  • .ca domain registration
  • Canadian business email address
  • Hosted landing page / web presence
  • Government fees (passed through at cost)
SSL Secured 256-bit encryption
A+
SSL Labs Qualys rated
A+
Security Headers A+ rated
Google Safe No threats found
Stripe Secure payments
Satisfaction 100% guaranteed
Trustpilot Read reviews
Visa Mastercard American Express Discover

Accessible Canada Act (ACA) — Upcoming Deadline: June 1, 2026

All non-exempt CRTC-registered telecommunications service providers must publish either an updated three-year accessibility plan or an Accessibility Progress Report by June 1, 2026. New 2025 market entrants must publish their accessibility feedback process description by this deadline.

  • Providers must notify both the Accessibility Commissioner (via My Accessibility Portal) and the CRTC within 48 hours of publishing.
  • Plans and reports must be developed in consultation with persons with disabilities.
  • Non-compliance can result in administrative monetary penalties against organizations and individuals.

Performance West includes ACA compliance calendar tracking with all CRTC packages. We will remind you of upcoming deadlines and assist with preparation.

Have an account? Sign in to prefill your details.

Returning clients can pull in saved directors, addresses, and contact info from prior orders.

All Services Pricing Free Tools Contact Form a Business Client Portal

Order Not Completed

+ Order Not Completed | Performance West Inc.

Order Not Completed

No worries — your order was cancelled and you have not been charged.

Your order was not completed

You have not been charged. Your order has been cancelled and no payment was processed.

If you were in the middle of checkout and experienced a technical issue, you can try again below or contact our support team for assistance.

What would you like to do?

Try Again diff --git a/site/public/order/cancelled/index.html b/site/public/order/cancelled/index.html index f14a1ef..a3906cb 100644 --- a/site/public/order/cancelled/index.html +++ b/site/public/order/cancelled/index.html @@ -5,7 +5,7 @@ if (h === "dev.performancewest.net") return "https://api.dev.performancewest.net"; return "https://api.performancewest.net"; })(); - Payment Cancelled | Performance West Inc.

Payment Cancelled

Your payment was not completed. Your order has been saved and you can try again at any time.

Try a different payment method

Payment Cancelled

Your payment was not completed. Your order has been saved and you can try again at any time.

Try a different payment method

All Services Pricing Free Tools Contact Form a Business Client Portal

Cryptocurrency Payment

Choose your cryptocurrency and send the exact amount shown.

Loading available cryptocurrencies...