APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

Someone is click bombing me

Click bombing is when someone tries to damage your reputation with Google by deliberately clicking on Adsense ads you have on your site. Obviously neither the advertisers nor Google like that and Google may even close your Adsense account because of it.

Someone did that to me yesterday. I noticed because earnings were unusually high and continued so this morning. When I checked my logs, I found that a small set of IP addresses were the likely suspects, so I reported them to Google using this form and also configured iptables to drop them. If Google can confirm that they were the culprits, I'll report them to their ISP also.

To track them down, I extracted GET's of the pages with high earnings from that log and trimmed everything but the IP address from the result.


    # Unique client IPs that requested any high-earning page on 19 Apr
    while read -r page
    do
    grep '19/Apr' logs/access.log | grep -F -- "$page" | sed 's/ - -.*//'
    done < highpages | sort -u > suspected
 

That gave me a short list of suspected IP's. I grepped each of those from access.log and ran that through "wc -l".

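    # Count each suspect's requests on 19 Apr (exact match on the client IP field)
    while read -r ip
    do
    printf '%s ' "$ip"
    grep '19/Apr' logs/access.log | awk -v ip="$ip" '$1 == ip' | wc -l
    done < suspected > checkthese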
 

I edited those to leave only those with high numbers. The ones with high numbers were then dropped after checking to be sure they were not known spiders:

    # Reverse-resolve each remaining IP to spot known spiders
    sed 's/ .*//' checkthese | while read -r ip
    do
    host "$ip"
    done
 

I then manually removed known spiders and put the rest in "badips".

    # Append a DROP rule for each confirmed bad IP
    while read -r ip
    do
    /sbin/iptables -A INPUT -s "$ip" -j DROP
    done < badips
 

However, this jerk kept coming back from new IP's in the same netblock. I had to block the entire subnet to stop him. Of course I don't know if he has access to other IP's, so I'm still watching carefully.
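The per-IP counts above miss a visitor who rotates addresses inside one netblock. As an added example (not part of the original post), this rolls the same hits up by /24 so a concentrated netblock stands out. The function names, the /24 width, the page paths and the sample log lines are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): per-/24 roll-up of ad-page hits.
# Assumes Apache common/combined log format: $1 = client IP,
# $4 = "[dd/Mon/yyyy:...", $6 = "\"GET", $7 = request path.
# The /24 width is an assumption; widen or narrow it to the real allocation.

# netblock_hits LOG DAY PAGES -> "prefix/24 hits distinct_ips", busiest first
netblock_hits() {
    awk -v day="$2" '
        NR == FNR { if ($0 != "") want[$0] = 1; next }    # first file: page paths
        index($4, "[" day) == 1 && $6 == "\"GET" && ($7 in want) {
            split($1, o, ".")
            net = o[1] "." o[2] "." o[3] ".0/24"
            hits[net]++
            if (!seen[net, $1]++) ips[net]++              # count each IP once
        }
        END { for (n in hits) print n, hits[n], ips[n] }
    ' "$3" "$1" | sort -k2,2nr -k1,1
}

# demo: run the roll-up over a constructed log (documentation-range addresses,
# hypothetical page names).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' /page1.html /page2.html > "$tmp/highpages"
    cat > "$tmp/access.log" <<'EOF'
198.51.100.7 - - [19/Apr/2024:09:00:01 +0000] "GET /page1.html HTTP/1.1" 200 512
198.51.100.7 - - [19/Apr/2024:09:00:03 +0000] "GET /page1.html HTTP/1.1" 200 512
198.51.100.19 - - [19/Apr/2024:09:00:09 +0000] "GET /page2.html HTTP/1.1" 200 640
198.51.100.44 - - [19/Apr/2024:09:01:12 +0000] "GET /page1.html HTTP/1.1" 200 512
203.0.113.5 - - [19/Apr/2024:09:02:30 +0000] "GET /page1.html HTTP/1.1" 200 512
192.0.2.10 - - [19/Apr/2024:09:03:00 +0000] "GET /index.html HTTP/1.1" 200 900
198.51.100.7 - - [18/Apr/2024:23:59:59 +0000] "GET /page1.html HTTP/1.1" 200 512
EOF
    netblock_hits "$tmp/access.log" 19/Apr "$tmp/highpages"
    rm -rf "$tmp"
}

demo
```

A netblock with many hits spread over several addresses is the pattern to check with host or whois before blocking the whole range. Paths are compared exactly, so requests carrying a query string are not counted.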

I also ran my Logdropper script just to be sure.

At this time, revenue is still climbing, but that could be due to delayed reporting by Google. I'll give it a few hours and see where we are at.

It looks like this is a more widespread attack, probably meant to harm Google itself rather than individual sites.

5 Ways To Prevent Adsense Click-Bombing From XLHost (April 20 Attack)

Foolish of them.. easy to notice.

Update: this guy noticed that the attacks were all using an old version of Firefox and suggested blocking on that. That's not a bad idea, but the USER-AGENT can be changed easily, so I'll continue to block by IP also.

See also Spotting Click Bombing with Google Analytics.




© Anthony Lawrence


