APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

Someone is click bombing me

© April 2015 Anthony Lawrence

Click bombing is when someone tries to damage your reputation with Google by deliberately clicking on Adsense ads you have on your site. Obviously neither the advertisers nor Google like that and Google may even close your Adsense account because of it.

Someone did that to me yesterday. I noticed because earnings were unusually high and continued so this morning. When I checked my logs, I found that a small set of IP addresses were the likely suspects, so I reported them to Google using this form and also configured iptables to drop them. If Google can confirm that they were the culprits, I'll report them to their ISP also.

To track them down, I extracted GET's of the pages with high earnings from that log and trimmed everything but the IP address from the result.

for i in `cat highpages`
grep 19/Apr logs/access.log | grep $i |  sed 's/- -.*//' | sort -u
done > suspected

That gave me a short list of suspected IP's. I grepped each of those from access.log and ran that through "wc -l".

for i in `cat suspected`; 
do echo -n "$i ";
grep 19/Apr logs/access.log | grep $i | wc -l; 
done > checkthese

I edited those to leave only those with high numbers. The ones with high numbers were then dropped after checking to be sure they were not known spiders:

for i in `cat checkthese | sed 's/ .*//'`
host $i

I then manually removed known spiders and put the rest in "badips".

for i in `cat badips`
/sbin/iptables -A INPUT -s $i -j DROP

However, this jerk kept coming back from new IP's in the same netblock. I had to block the entire subnet to stop him. Of course I don't know if he has access to other IP's, so I'm still watching carefully.

I also ran my Logdropper script just to be sure.

At this time, revenue is still climbing, but that could be due to delayed reporting by Google. I'll give it a few hours and see where we are at.

It looks like this is a more wide spread attack, probably meant to harm Google itself rather than individual sites.

5 Ways To Prevent Adsense Click-Bombing From XLHost (April 20 Attack)

Foolish of them.. easy to notice.

Update: this guy noticed that the attacks were all using an old version of Firefox and suggested blocking on that. That's not a bad idea, but the USER-AGENT can be changed easily, so I'll continue to block by IP also,

See also Spotting Click Bombing with Google Analytics.

Got something to add? Send me email.

(OLDER)    <- More Stuff -> (NEWER)    (NEWEST)   

Printer Friendly Version

-> Someone is click bombing me

Inexpensive and informative Apple related e-books:

iOS 8: A Take Control Crash Course

Photos: A Take Control Crash Course

Photos for Mac: A Take Control Crash Course

Take Control of the Mac Command Line with Terminal, Second Edition

Take Control of iCloud, Fifth Edition

More Articles by © Anthony Lawrence

Printer Friendly Version

Have you tried Searching this site?

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.

Contact us

Printer Friendly Version

Silence is better than unmeaning words. (Pythagoras)

Linux posts

Troubleshooting posts

This post tagged:





Unix/Linux Consultants

Skills Tests

Unix/Linux Book Reviews

My Unix/Linux Troubleshooting Book

This site runs on Linode