Someone is click bombing me

Click bombing is when someone tries to damage your reputation with Google by deliberately clicking on Adsense ads you have on your site. Obviously neither the advertisers nor Google like that and Google may even close your Adsense account because of it.

Someone did that to me yesterday. I noticed because earnings were unusually high and continued so this morning. When I checked my logs, I found that a small set of IP addresses were the likely suspects, so I reported them to Google using this form and also configured iptables to drop them. If Google can confirm that they were the culprits, I'll report them to their ISP also.

To track them down, I extracted GET's of the pages with high earnings from that log and trimmed everything but the IP address from the result.

for i in `cat highpages`
grep 19/Apr logs/access.log | grep $i |  sed 's/- -.*//' | sort -u
done > suspected

That gave me a short list of suspected IP's. I grepped each of those from access.log and ran that through "wc -l".

for i in `cat suspected`; 
do echo -n "$i ";
grep 19/Apr logs/access.log | grep $i | wc -l; 
done > checkthese

I edited those to leave only those with high numbers. The ones with high numbers were then dropped after checking to be sure they were not known spiders:

for i in `cat checkthese | sed 's/ .*//'`
host $i

I then manually removed known spiders and put the rest in "badips".

for i in `cat badips`
/sbin/iptables -A INPUT -s $i -j DROP

However, this jerk kept coming back from new IP's in the same netblock. I had to block the entire subnet to stop him. Of course I don't know if he has access to other IP's, so I'm still watching carefully.

I also ran my Logdropper script just to be sure.

At this time, revenue is still climbing, but that could be due to delayed reporting by Google. I'll give it a few hours and see where we are at.

It looks like this is a more wide spread attack, probably meant to harm Google itself rather than individual sites.

5 Ways To Prevent Adsense Click-Bombing From XLHost (April 20 Attack)

Foolish of them.. easy to notice.

Update: this guy noticed that the attacks were all using an old version of Firefox and suggested blocking on that. That's not a bad idea, but the USER-AGENT can be changed easily, so I'll continue to block by IP also,

See also Spotting Click Bombing with Google Analytics.

Got something to add? Send me email.

(OLDER) <- More Stuff -> (NEWER)    (NEWEST)   

Printer Friendly Version

-> -> Someone is click bombing me

Increase ad revenue 50-250% with Ezoic

More Articles by

Find me on Google+

© Anthony Lawrence

Kerio Connect Mailserver

Kerio Samepage

Kerio Control Firewall

Have you tried Searching this site?

Support Rates

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.

Contact us

The real problem is that programmers have spent far too much time worrying about efficiency in the wrong places and at the wrong times; premature optimization is the root of all evil (or at least most of it) in programming. (Donald Knuth)

This post tagged: