Track down offending machine on network causing Google CAPTCHA on Google Searches

Has anyone ever dealt with an issue in a network when users go to do Google searches they are greeted with a redirect to CAPTCHA to verify they are not a robot?

"Our systems have detected unusual traffic from your computer network. This page checks to see if it's really you sending the requests, and not a robot"

My main question is how do you locate the offending machine in your network?

CAPTCHA Screen Shot
CheckThe LogsAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

An introduction to your network topology would be nice....
Otherwise your machine is open proxy...
btanExec ConsultantCommented:
looks like need to trace the machine via the logs from your perimeter devices like FW and/or content filter proxy. as well as look out for the alert trigger or security warning from the log for that day (good to drill a day before that period of captcha detected for http traffic if possible).  Aggressive SEO ranking tools tends to trigger this message and even to extend of doing a couple of Linkedin profile may trigger this at times...regardless, indeed agree with ghiest to look at your network side or trigger your admin .. it may be false pos too..

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
bbaoIT ConsultantCommented:
if there are heaps of client computers on the network, it seems the only practical approach is to first analyse the firewall logs by filtering outgoing HTTP and HTTPS traffic to Google's IPs and figure out the suspected source IPs, then sniff the traffic from the selected source IPs to determine the unusual searches.

if it is possible to inspect the client computers one by one, run anti-virus or anti-malware software to see if anything observed abnormal. be aware it is not rare that the software fails to detect some new, unknown malware if any.
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

CheckThe LogsAuthor Commented:
Thank you all for the helpful feedback. Checking with the Proxy vendor this appears to be a reported issue that they claim is on Google's side but I am digging in the logs on our Proxy and will see what I can narrow down as they also said they have seen this when machines are scripting queries to Google. I will provide feedback as soon as I can.Thanks again for the point in the right direction!  :-)
Google correctly detects robot or open proxy. You need couple thousands of users on single IP to really flip their switch...
Please bring proxy vendor's opinion to google...
bbaoIT ConsultantCommented:
> You need couple thousands of users on single IP to really flip their switch

any particular number for the threshold? where to see the official technical details about it please?
bbaoIT ConsultantCommented:
> You need couple thousands of users on single IP to really flip their switch

any particular number for the threshold? where to see the official technical details about it please?
Ask a question in SEO area and you will find out.... (you can ask twice if you want to know more)
You are in this area to ANSWER...
btanExec ConsultantCommented:
You can report via
Please keep in mind that the "Unusual traffic from your computer network" error message is served automatically when we detect violations of our Terms of Service; we're unable to grant requests to unblock the ban as long as automated querying is detected from your network.
..and you can see that the drop down on the mantion for "Number of users affected" which is only single user, 100+ and 1000+..there must be a mean of ascertaining the threshold for "automation" trigger or their bot detecttion mechanism. Even use of non-reputable IP or IP being tagged as unsafe or blacklisted if your ISP give you that Dynamic IP can (at times) triggers the warning inadvertently, hence Google even say reset router to retry and clearning all cookies or doing ipconfig /flush etc ...

GoogleTOS (see "Using our Services") -
Google Search Help forum -!forum/websearch
I have gotten this message on a single desktop network. In one case I corrected by running cCleaner and resetting my Internet Options to default settings. In the case where It was my SEO software, I just had to wait a while before accessing Google again.
CheckThe LogsAuthor Commented:
Apologies for the delay, here is a brief update on this issue. This issue started back on 5-1-15 Friday, and we had a handful of users report this issue on their systems. Then after about 4 hours the issue just went away (My thought offending machine was turned off). We have not had any reported issues until this morning (imagine that on a Friday right around the same time it started to happen). My best guess here from the proxy logs what I could find was that maybe there was some large uploading taking place but have not yet been able to pin point it.
btanExec ConsultantCommented:
proxy log is good if you have it and drill into the the timestamp for activities close within even seconds and that hints on really intensive traffic ongoing which tends to be for (outbound) uploading to server or external sites, or (inbound) downloading from external server or client.

Such "flooding" can  be either ways and if the content payload is small it likely is a build up or scanning otherwise it is the leaking use case siphoning or exfiltration....worst will be cases it comes from more than a single common source to different destination - just some thought that it been to be either time triggered (frequency of start to end activity has some pattern or sort) or command trigger (prior to activities there are slew of traffic activities)
CheckThe LogsAuthor Commented:
Closing as resolved, even though I have not fully resolved on my end I believe the feedback has been great and appreciate all the comments and help on this one. Checking FW and Proxy seem to be the best solution and Proxy logs have pointed me in the right direction.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Google Apps

From novice to tech pro — start learning today.