Okay, I checked GA. I do have a clickbombing issue to content with, so I reported the problem to Google.

Not that I'm complaining after a record low weekend, but now it's like the gates of Adsense clicks and $ are wide open!
CPC and CPM are to the roof, CTR little bit higher.

I really hope it will stick!

It looks to me as most effective solution what AlexB77 said:

RewriteCond %{HTTP_USER_AGENT} Firefox/27\.0 [NC]
RewriteRule .* - [F,L]

And it works if you try to visit your website with User Agent Firefox 27.0
Now it is to see of it will works for blocking Adsense Attacking Bots.

If someone is still looking for xlhost IP ranges i have collected some of them using As number AS10297. It is nummber from XLhost:
<Files ~ "^.*$">
order allow,deny
allow from all
#XLHOST IP RANGES
deny from 209.51.197.0/24
deny from 209.190.121.32/27
deny from 209.190.0.0/17
deny from 173.45.64.0/18
deny from 64.79.64.0/19
deny from 64.79.89.0/19
deny from 64.79.85.0/19
deny from 207.182.128.0/19
deny from 173.244.160.0/19
deny from 206.222.0.0/19
deny from 207.182.128.0/19
deny from 209.190.116.0/24
deny from 209.190.70.0/24
deny from 209.51.192.0/19
</Files>

[edited by: dolcevita at 1:03 pm (utc) on Apr 20, 2015]

Knew the high CPM was too good to be true, good thing I came in here and checked just in case. Did the block, disabled authorization and reported to Google. It goes to show how fracked things are when us publishers are the unsuspecting victims of bot attacks, and we're the ones worrying about getting the Google banhammer.

Thanks to all who posted here, especially code examples, ip ranges and how to mine data from GA.

So many times I use WWW just to complain about Adsense.
But as AlexB77 suggests, if there was a long-standing (permanent) thread here where members posted about Adsense spam, solutions, Ip's, etc... , that would be an astoundingly strong attribute of WWW.

I really had almost no idea about most of the things discussed in this thread. Adsense doesn't seem interested in helping me to keep my site healthy proactively. It'd be nice if WWW could help me do that.

I am seeing the same click attack. Anyone here affected using cloudlfare?

I'm seeing an obscenely HIGH RPM this morning. It couldn't possibly be right. I'm talking at least ten times higher than it's ever been. Is anyone else seeing the same thing?

I feel like the kid not invited to the party!

What do you lot have in common that I don't?

Most of the members experiencing this seem to be 5+ to 10+ years at WebmasterWorld! This is definitely some sort of a major attack. Hope Google will issue a statement on their blog and tell us about what happened - would be an interesting read.

Yes I am seeing the same activity -- started yesterday, and continuing today. I am using Cloudflare.

Could it be that cloudflare networks are being attacked?

Nope, not on cloudflare and seeing the same unusual high CTR.

@illusionist it could be proxies that cloudflare is using, but I would recommend checking your weblogs especially access logs for past few days.

I'm not on Cloudfare and our main site is underfire with the click attacks. Only my main site though and not my smaller sites

I have seen this morning / today worse scenario than yesterday. And i'm not on Cloudfare.

But after i have implemented htaccess rules from my last post i see that CTR along with RPM going down.

Rules above probably do not cover all malicious bots but it helps.

My 3 sites are on cloudflare and are seeing very high ctr. my other sites not on cloudflare dont seem to be affected. I added the code suggested by dolcevita in the the htaccess but still the issue persists.

I'm not on Cloudfare and our main site is underfire with the click attacks. Only my main site though and not my smaller sites

Same here. Two smaller sites unaffected.

Removing the site from the list of authorized sites has NOT worked as the revenue keeps on climbing. Guess I'll have to go to the IP block. It would be nice to keep the revenue from the authorized clicks as Monday is a big day for me.

When you go into Google Analytics, you can confirm that Firefox 27 is the problem. Simply go here Audience, Technology, Browser & OS and click on Firefox then you will see the different browsers and the avg session time

I am not on Cloudfare, but am seeing the high suspicious activity.

To be honest, I noticed a similar attack in February, but it died off after 3-4 days.

Checking back for months Firefox v 27 has always been a popular browser for my users.

Firefox Version 27.0 <00:00:01

This must be where the attacks are coming from!

Yes, azlinda, that's it.

It is very unlikely that Firefox 27 is among your popular browsers, it is quite outdated, most are now using version 37. That's 10 versions ago. It is therefore safe to copy it into your htaccess file.

Looks like I finally got this under control. Went into GA and yesterday before blocking the ips I was getting a load of traffing from firefox browser version 27, but now today not getting any from that browser version except one site that I did not block the ip froms yet. Blocked it and added the rule for firefox 27 in htaccess and I think Im in good shape, hopefully. This sucks though because I have no clue what I really made yesterday and today since one of my sites was still being click bombed.

@oliversk Thank you so much. I copied your code into my htaccess file. Hopefully that will put an end to this nonsense.

Could be the old tags that are being attacked. I just don't do anything and let goog sort this out themselves. This happened last year so it's déjà vu all over again.

Did most of you guys report the invalid clicks to Google using the Invalid Clicks Contact Form?
I know we are supposed to do so, but I wonder if by doing this we are also telling google that our account poses a risk of generating invalid activity, and it leaves a "bad record" on our account every time we report invalid clicks.

@azlinda no problem, glad I could help. Please note this is a temporary fix. If we are unlucky they change the useragent and you have to add the IP blocks to your htaccess file as well as @dolcevita suggested above:

<Files ~ "^.*$">
order allow,deny
allow from all
#XLHOST IP RANGES
deny from 209.51.197.0/24
deny from 209.190.121.32/27
deny from 209.190.0.0/17
deny from 173.45.64.0/18
deny from 64.79.64.0/19
deny from 64.79.89.0/19
deny from 64.79.85.0/19
deny from 207.182.128.0/19
deny from 173.244.160.0/19
deny from 206.222.0.0/19
deny from 207.182.128.0/19
deny from 209.190.116.0/24
deny from 209.190.70.0/24
deny from 209.51.192.0/19
</Files>

Please note that attacks are coming from other IP blocks as well, go to page 7-9 to find other IP blocks.

Kinda strange my overall CTR is not out of this world. It's actually not that far off from normal but the CPC is a lot higher.