homepage Welcome to WebmasterWorld Guest from 50.17.86.12
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Pubcon Platinum Sponsor 2014
Home / Forums Index / Google / Google AdSense
Forum Library, Charter, Moderators: incrediBILL & jatar k & martinibuster

Google AdSense Forum

This 262 message thread spans 9 pages: < < 262 ( 1 2 3 4 [5] 6 7 8 9 > >     
How To Defend a Google AdSense Site From Click Bombing
jbayabas

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 4651333 posted 12:20 pm on Mar 5, 2014 (gmt 0)

I may be a victim of clickbombing. I had an unusually high clicks in one of my sites yesterday.


28,520 page views and 437 clicks

This site usually only get 44 click on average.

I don't know what's going on and I don't know to find out if the clicks were valid.

What should i do on my end. I thought Adsense had a technology that filter invalid clicks.

 

webcentric

WebmasterWorld Senior Member Top Contributors Of The Month



 
Msg#: 4651333 posted 4:51 pm on Mar 14, 2014 (gmt 0)

Just following up after having had time to look through IP's I've blocked over time in my firewall. Sure enough, there are a number of Amazon AWS IP's in there which may account for why I haven't seen this type of click-bombing while others have. I block IP's all the time for various reasons so who knows what triggered me to block them but some unusual activity must have motivated me to do so. Now I'm thinking of going back and looking at my website health monitoring emails to see if I can find those IP's and see what triggered me to block them in the first place. I don't always keep those emails once I've taken action but it's worth a look. We'll see.

jbayabas

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 4651333 posted 12:40 am on Mar 15, 2014 (gmt 0)

Do you think blocking the amazon IPs is necessarry? If a lot of users report that's what causing the Clickbombing, shouldnt google filter them out? I have since unblocked the IPs. All normal here..

Lame_Wolf

WebmasterWorld Senior Member lame_wolf us a WebmasterWorld Top Contributor of All Time 5+ Year Member



 
Msg#: 4651333 posted 12:57 am on Mar 15, 2014 (gmt 0)

I have since unblocked the IPs. All normal here.

Jolly good. I can sleep much better knowing that.

Myself, I added this to my .htaccess

RewriteEngine on
RewriteCond %{REMOTE_HOST} \.amazonaws\. [NC]
RewriteRule ^ - [F]

<Limit GET>
Order allow,deny
Allow from all
deny from amazonaws.com
deny from .amazonaws.com
</Limit>

I've not had any visits or click removals since them. Saying that, I've not had any clicks for hours.

levo

10+ Year Member



 
Msg#: 4651333 posted 1:16 am on Mar 15, 2014 (gmt 0)

REMOTE_HOST would only work if you had HostnameLookups enabled, and HostnameLookups adds considerable latency. You can use

Deny from 72.44.32.0/19 67.202.0.0/18 75.101.128.0/17 174.129.0.0/16 204.236.192.0/18 184.73.0.0/16 184.72.128.0/17 184.72.64.0/18 50.16.0.0/15 50.19.0.0/16 107.20.0.0/14 23.20.0.0/14 54.242.0.0/15 54.234.0.0/15 54.236.0.0/15 54.224.0.0/15 54.226.0.0/15 54.208.0.0/15 54.210.0.0/15 54.221.0.0/16 54.204.0.0/15 54.196.0.0/15 54.198.0.0/16 54.80.0.0/13 50.112.0.0/16 54.245.0.0/16 54.244.0.0/16 54.214.0.0/16 54.212.0.0/15 54.218.0.0/16 54.200.0.0/15 54.202.0.0/15 54.184.0.0/13 204.236.128.0/18 184.72.0.0/18 50.18.0.0/16 184.169.128.0/17 54.241.0.0/16 54.215.0.0/16 54.219.0.0/16 54.193.0.0/16 54.176.0.0/15 54.183.0.0/16 79.125.0.0/17 46.51.128.0/18 46.51.192.0/20 46.137.0.0/17 46.137.128.0/18 176.34.128.0/17 176.34.64.0/18 54.247.0.0/16 54.246.0.0/16 54.228.0.0/16 54.216.0.0/15 54.229.0.0/16 54.220.0.0/16 54.194.0.0/15 54.72.0.0/14 54.76.0.0/15 54.78.0.0/16 175.41.128.0/18 122.248.192.0/18 46.137.192.0/18 46.51.216.0/21 54.251.0.0/16 54.254.0.0/16 54.255.0.0/16 54.179.0.0/16 54.252.0.0/16 54.253.0.0/16 54.206.0.0/16 54.79.0.0/16 175.41.192.0/18 46.51.224.0/19 176.32.64.0/19 103.4.8.0/21 176.34.0.0/18 54.248.0.0/15 54.250.0.0/16 54.238.0.0/16 54.199.0.0/16 54.178.0.0/16 177.71.128.0/17 54.232.0.0/16 54.233.0.0/18 54.207.0.0/16 96.127.0.0/18


(based on their current Public IP range - https://forums.aws.amazon.com/ann.jspa?annID=1701 )

netmeg

WebmasterWorld Senior Member netmeg us a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



 
Msg#: 4651333 posted 2:49 pm on Mar 15, 2014 (gmt 0)

The problem is, the worst offender on my sites (54.186.) isn't even on that list.

levo

10+ Year Member



 
Msg#: 4651333 posted 3:46 pm on Mar 15, 2014 (gmt 0)

The problem is, the worst offender on my sites (54.186.) isn't even on that list.



54.184.0.0/13 covers 54.184.0.0 - 54.191.255.255

Lame_Wolf

WebmasterWorld Senior Member lame_wolf us a WebmasterWorld Top Contributor of All Time 5+ Year Member



 
Msg#: 4651333 posted 6:15 pm on Mar 15, 2014 (gmt 0)

Deny from 72.44.32.0/19 67.202.0.0/18 75.101.128.0/17 174.129.0.0/16 204.236.192.0/18 184.73.0.0/16 184.72.128.0/17 184.72.64.0/18 50.16.0.0/15 50.19.0.0/16 107.20.0.0/14 23.20.0.0/14 54.242.0.0/15 54.234.0.0/15 54.236.0.0/15 54.224.0.0/15 54.226.0.0/15 54.208.0.0/15 54.210.0.0/15 54.221.0.0/16 54.204.0.0/15 54.196.0.0/15 54.198.0.0/16 54.80.0.0/13 50.112.0.0/16 54.245.0.0/16 54.244.0.0/16 54.214.0.0/16 54.212.0.0/15 54.218.0.0/16 54.200.0.0/15 54.202.0.0/15 54.184.0.0/13 204.236.128.0/18 184.72.0.0/18 50.18.0.0/16 184.169.128.0/17 54.241.0.0/16 54.215.0.0/16 54.219.0.0/16 54.193.0.0/16 54.176.0.0/15 54.183.0.0/16 79.125.0.0/17 46.51.128.0/18 46.51.192.0/20 46.137.0.0/17 46.137.128.0/18 176.34.128.0/17 176.34.64.0/18 54.247.0.0/16 54.246.0.0/16 54.228.0.0/16 54.216.0.0/15 54.229.0.0/16 54.220.0.0/16 54.194.0.0/15 54.72.0.0/14 54.76.0.0/15 54.78.0.0/16 175.41.128.0/18 122.248.192.0/18 46.137.192.0/18 46.51.216.0/21 54.251.0.0/16 54.254.0.0/16 54.255.0.0/16 54.179.0.0/16 54.252.0.0/16 54.253.0.0/16 54.206.0.0/16 54.79.0.0/16 175.41.192.0/18 46.51.224.0/19 176.32.64.0/19 103.4.8.0/21 176.34.0.0/18 54.248.0.0/15 54.250.0.0/16 54.238.0.0/16 54.199.0.0/16 54.178.0.0/16 177.71.128.0/17 54.232.0.0/16 54.233.0.0/18 54.207.0.0/16 96.127.0.0/18


Are they entered into .htaccess like that? Or do you have to have "Deny from" before each one?

Also, if they are entered like that, can I have them in a vertical list, or will that screw things up with the .htaccess file?

Thanks.

netmeg

WebmasterWorld Senior Member netmeg us a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



 
Msg#: 4651333 posted 6:37 pm on Mar 15, 2014 (gmt 0)

Ah, I missed that one. The list kind of makes ones eyes glaze over.

levo

10+ Year Member



 
Msg#: 4651333 posted 6:50 pm on Mar 15, 2014 (gmt 0)

You can just copy&paste it to .htaccess (or httpd.conf/rewrites.conf), keep it one-line. If you want to break it to multiple lines, you have to add "Deny from" before each line.

Lame_Wolf

WebmasterWorld Senior Member lame_wolf us a WebmasterWorld Top Contributor of All Time 5+ Year Member



 
Msg#: 4651333 posted 7:53 pm on Mar 15, 2014 (gmt 0)

Thanks, Levo. I thought as much, but wanted to make sure I was doing it correctly.

webcentric

WebmasterWorld Senior Member Top Contributors Of The Month



 
Msg#: 4651333 posted 8:26 pm on Mar 15, 2014 (gmt 0)

The ironic part of the AWS part of this puzzle is that it's really something that Amazon should be addressing. A lot of anger around here has been sent G's way that could have easily had an Amazon address on it. Google has been dealing with the problem probably the best way they can. I can see why they don't want to be the one's to block all of the above IP addresses because I'm certain that a great many legitimate websites also are served from those same IP's (given their dynamic nature). Just as the bots are coming from different IP's in those blocks, so other websites are being served from them as well. Short of Amazon cleaning this mess up, this really does feel like it was a problem in need of a publisher solution. G's reporting could probably hide this from us but then how would we have ever known to look for it in the first place.

jojy

5+ Year Member



 
Msg#: 4651333 posted 11:19 pm on Mar 15, 2014 (gmt 0)

Click bombing stopped since yesterday. I think bot is tired now.

HowYesNo

5+ Year Member



 
Msg#: 4651333 posted 11:38 pm on Mar 15, 2014 (gmt 0)

thanks everyone in this thread

# Amazon bots
deny from 54.186.

this stopped invalid clicks on one site!

wa desert rat



 
Msg#: 4651333 posted 12:42 am on Mar 16, 2014 (gmt 0)

The ironic part of the AWS part of this puzzle is that it's really something that Amazon should be addressing.


I agree with this. I don't think Google can actually block anything from our websites. All they can do - and have been doing - is ratchet back the damage the AWS bots are doing to the advertisers.

The one good thing out of this is that in the space of two weeks I learned a crap-load about click-fraud and botnets.

It would have been nice if G had given us a clue through all this but maybe they didn't think they had to. After all, we have netmeg. :D

WDR

ember

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 4651333 posted 12:49 am on Mar 16, 2014 (gmt 0)

I think I aged 10 years in these last 10 days.

I think we should all chip in and get netmeg a gift :)

wa desert rat



 
Msg#: 4651333 posted 1:00 am on Mar 16, 2014 (gmt 0)

I was gonna offer to kiss her but I couldn't round up enough people to catch her and hold her down. :P

WDR

netmeg

WebmasterWorld Senior Member netmeg us a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



 
Msg#: 4651333 posted 2:28 am on Mar 16, 2014 (gmt 0)

I've killed men for less.

wa desert rat



 
Msg#: 4651333 posted 3:04 am on Mar 16, 2014 (gmt 0)

I've killed men for less.


Seriously, you did good. We would still be running around like chickens if you had not noticed those AWS bots.

:)

WDR

netmeg

WebmasterWorld Senior Member netmeg us a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



 
Msg#: 4651333 posted 3:08 am on Mar 16, 2014 (gmt 0)

We should probably look around to see if Amazon maintains any kind of contact information to report abuse, and then all affected write in.

(no problem)

wa desert rat



 
Msg#: 4651333 posted 3:15 am on Mar 16, 2014 (gmt 0)

From a "whois amazon.com"

Registrar Abuse Contact Email: compliance@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740


WDR

ken_b

WebmasterWorld Senior Member ken_b us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 4651333 posted 3:27 am on Mar 16, 2014 (gmt 0)

opps ... skip that.

HowYesNo

5+ Year Member



 
Msg#: 4651333 posted 5:52 am on Mar 16, 2014 (gmt 0)

ok some bots are back (-15 clicks in the last few minutes), so i'll test with lame_wolf's code too

RewriteEngine on
RewriteCond %{REMOTE_HOST} \.amazonaws\. [NC]
RewriteRule ^ - [F]

<Limit GET>
Order allow,deny
Allow from all
deny from amazonaws.com
deny from .amazonaws.com
</Limit>

let's see if this could help

wa desert rat



 
Msg#: 4651333 posted 2:25 pm on Mar 16, 2014 (gmt 0)

I have no signs of any AWS connections for two days. That's not to say that they aren't out there... just not affecting me. Yet.

WDR

levo

10+ Year Member



 
Msg#: 4651333 posted 2:31 pm on Mar 16, 2014 (gmt 0)

How are you sure that clicks and/or click-bombs are coming from aws servers? There are a couple of 'good' bots and services, like flipboard, pinterest, that use aws. Heck, even proximic, which is associated with Adsense, uses aws.

Seeing aws servers in your logs can't automatically mean they've anything to do with erratic adsense earnings.

Did you check Network report in Google Analytics? You can see adsense earnings based on isp.

wa desert rat



 
Msg#: 4651333 posted 2:56 pm on Mar 16, 2014 (gmt 0)

I've had some suspicious clicks and going through my logs I have this visitor:

IP173.45.120.114
ID 79ee3df5fc6e333b
Firefox Win 7
Resolution1024x768

The version of Firefox is 18 which matches the profiles of the AWS bots that we had earlier. This is from xlhost.com which is a hosting service. One visit, one page. 3 visits from this domain since midnight and each one has exhibited the same characteristics. Over 300 visits from xlhost.com in the past week and every single one of them has had a bounce rate of 100%. YMMV

I just banned the range: 173.45.120.112/29

WDR

netmeg

WebmasterWorld Senior Member netmeg us a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



 
Msg#: 4651333 posted 3:03 pm on Mar 16, 2014 (gmt 0)

Did you check Network report in Google Analytics? You can see adsense earnings based on isp.


Yes, that's where I found it (and took some screenshots). No question it was AWS. (Also sent it around to a few people here)

Flipboard would have little reason to keep visiting my sites, and Pinterest NO reason. I barely have any images at all other than social icons.

wa desert rat



 
Msg#: 4651333 posted 3:13 pm on Mar 16, 2014 (gmt 0)

Seeing aws servers in your logs can't automatically mean they've anything to do with erratic adsense earnings.


That's true. But if you combine the profile of the visits (Firefox 18, resolution of 1024x768, Windows 7 OS) with the fact that:

1. They are all direct entry;
2. They are all new visits (not returning);
3. That they all have a bounce rate of 100%; and,
4. That when the IP range they use is banned the invalid clicks slow by 95%.

Then there is a decent chance that it's malicious.

I am not banning all of AWS but I am banning specific ranges that seem to correlate to issues.

Does the network revenue count when the clicks are reversed?

WDR

*edited to add that they are all new visits.

[edited by: wa_desert_rat at 3:20 pm (utc) on Mar 16, 2014]

Lame_Wolf

WebmasterWorld Senior Member lame_wolf us a WebmasterWorld Top Contributor of All Time 5+ Year Member



 
Msg#: 4651333 posted 3:13 pm on Mar 16, 2014 (gmt 0)

How are you sure that clicks and/or click-bombs are coming from aws servers? There are a couple of 'good' bots and services, like flipboard, pinterest, that use aws. Heck, even proximic, which is associated with Adsense, uses aws.
I would hardly call Pinterest a good bot, and if I just happen to have blocked them, good.

I also spotted a large number of visits from wowrack, so I've blocked them too.

ember

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 4651333 posted 4:41 pm on Mar 16, 2014 (gmt 0)

Lame Wolf, I blocked wowrack, IP 208.115.111.74, but they keep getting in. Did you block a range?

jbayabas

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 4651333 posted 4:50 pm on Mar 16, 2014 (gmt 0)

Sheesh.. Getting hit again, this time from another site.

ember

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 4651333 posted 4:58 pm on Mar 16, 2014 (gmt 0)

Yep, it's happening again.

This 262 message thread spans 9 pages: < < 262 ( 1 2 3 4 [5] 6 7 8 9 > >
Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Google / Google AdSense
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved