A) That would put one thin barrier of entry between your ads and a robot, but it doesn't really prevent click fraud. It just moves a page from one host to another. The criminal can still load the ads page directly with the same URL as is used by the iframe. Besides, 3rd party iframe implementations have layout issues when the size (ie character length, height or width of the rendered ads) is uncertain. Nice for banner ads and AdSense, but not so good for text links with unknown-length subtitles. B) that's not PPC.
Preventing PPC click fraud is a lot like developing a spam filter. You need to build a set of rules, algorithms, processes that can tell the difference between a "legit" click and a bot, macro, botnet, or someone just clicking on their own ads using proxies and UserAgent spoofing. In order to "teach" a system to recognize fraudulent clicks, you need a large sample set where the fraudulent status is either known or statistically inferred. Then you can use Baysean filters or K-means analysis or neural something or other to build your fraud detection brain. It's not simple, at all. And there's an army of criminals working for the dark side!
You have two opportunities to prevent bots and fraudsters from clicking a PPC ad: once when the ads are requested, and again when the ad is clicked.
There are experts in this subject... I am not one. But I know a few basic principles
1) When the ads are requested,
require the publisher to send along the user's IP and UserAgent
- validate the User Agent
- validate the IP
- employ rate limiting, and/or have filters in place to detect massive numbers of requests from the same IP
2) When the ad is clicked
- employ whitelisting and blacklisting in tandem
- check that human-like behaviour preceded the click
- trigger the alarms if one IP does a lot of clicking
- look for timing patterns, such as clicks that happen exactly every 10 seconds
- throw away any clicks that come from IPs that are known to be used by the publisher themself
One PPC syndication company I know requires publishers to put a piece of hotlinked Javascript on the page along with the ads. It does some magic on the client side to determine "yes, this is a browser which supports javascript, and a user is moving their mouse and putting it over a link, and now he's pressing the mouse button". If those criteria are met, in order, it accepts the click as being genuine. Javascript generates a checksum, pops that onto the href, then validates that at the server before redirecting to the advertiser. A pretty ingenious scheme, I must admit, I wish I'd come up with it myself.
