Just following up after having had time to look through IP's I've blocked over time in my firewall. Sure enough, there are a number of Amazon AWS IP's in there which may account for why I haven't seen this type of click-bombing while others have. I block IP's all the time for various reasons so who knows what triggered me to block them but some unusual activity must have motivated me to do so. Now I'm thinking of going back and looking at my website health monitoring emails to see if I can find those IP's and see what triggered me to block them in the first place. I don't always keep those emails once I've taken action but it's worth a look. We'll see.

Do you think blocking the amazon IPs is necessarry? If a lot of users report that's what causing the Clickbombing, shouldnt google filter them out? I have since unblocked the IPs. All normal here..

I have since unblocked the IPs. All normal here.

Jolly good. I can sleep much better knowing that.

Myself, I added this to my .htaccess

RewriteEngine on
RewriteCond %{REMOTE_HOST} \.amazonaws\. [NC]
RewriteRule ^ - [F]

<Limit GET>
Order allow,deny
Allow from all
deny from amazonaws.com
deny from .amazonaws.com
</Limit>

I've not had any visits or click removals since them. Saying that, I've not had any clicks for hours.

REMOTE_HOST would only work if you had HostnameLookups enabled, and HostnameLookups adds considerable latency. You can use

Deny from 72.44.32.0/19 67.202.0.0/18 75.101.128.0/17 174.129.0.0/16 204.236.192.0/18 184.73.0.0/16 184.72.128.0/17 184.72.64.0/18 50.16.0.0/15 50.19.0.0/16 107.20.0.0/14 23.20.0.0/14 54.242.0.0/15 54.234.0.0/15 54.236.0.0/15 54.224.0.0/15 54.226.0.0/15 54.208.0.0/15 54.210.0.0/15 54.221.0.0/16 54.204.0.0/15 54.196.0.0/15 54.198.0.0/16 54.80.0.0/13 50.112.0.0/16 54.245.0.0/16 54.244.0.0/16 54.214.0.0/16 54.212.0.0/15 54.218.0.0/16 54.200.0.0/15 54.202.0.0/15 54.184.0.0/13 204.236.128.0/18 184.72.0.0/18 50.18.0.0/16 184.169.128.0/17 54.241.0.0/16 54.215.0.0/16 54.219.0.0/16 54.193.0.0/16 54.176.0.0/15 54.183.0.0/16 79.125.0.0/17 46.51.128.0/18 46.51.192.0/20 46.137.0.0/17 46.137.128.0/18 176.34.128.0/17 176.34.64.0/18 54.247.0.0/16 54.246.0.0/16 54.228.0.0/16 54.216.0.0/15 54.229.0.0/16 54.220.0.0/16 54.194.0.0/15 54.72.0.0/14 54.76.0.0/15 54.78.0.0/16 175.41.128.0/18 122.248.192.0/18 46.137.192.0/18 46.51.216.0/21 54.251.0.0/16 54.254.0.0/16 54.255.0.0/16 54.179.0.0/16 54.252.0.0/16 54.253.0.0/16 54.206.0.0/16 54.79.0.0/16 175.41.192.0/18 46.51.224.0/19 176.32.64.0/19 103.4.8.0/21 176.34.0.0/18 54.248.0.0/15 54.250.0.0/16 54.238.0.0/16 54.199.0.0/16 54.178.0.0/16 177.71.128.0/17 54.232.0.0/16 54.233.0.0/18 54.207.0.0/16 96.127.0.0/18

(based on their current Public IP range - [forums.aws.amazon.com...] )

The problem is, the worst offender on my sites (54.186.) isn't even on that list.

The problem is, the worst offender on my sites (54.186.) isn't even on that list.

54.184.0.0/13 covers 54.184.0.0 - 54.191.255.255

Deny from 72.44.32.0/19 67.202.0.0/18 75.101.128.0/17 174.129.0.0/16 204.236.192.0/18 184.73.0.0/16 184.72.128.0/17 184.72.64.0/18 50.16.0.0/15 50.19.0.0/16 107.20.0.0/14 23.20.0.0/14 54.242.0.0/15 54.234.0.0/15 54.236.0.0/15 54.224.0.0/15 54.226.0.0/15 54.208.0.0/15 54.210.0.0/15 54.221.0.0/16 54.204.0.0/15 54.196.0.0/15 54.198.0.0/16 54.80.0.0/13 50.112.0.0/16 54.245.0.0/16 54.244.0.0/16 54.214.0.0/16 54.212.0.0/15 54.218.0.0/16 54.200.0.0/15 54.202.0.0/15 54.184.0.0/13 204.236.128.0/18 184.72.0.0/18 50.18.0.0/16 184.169.128.0/17 54.241.0.0/16 54.215.0.0/16 54.219.0.0/16 54.193.0.0/16 54.176.0.0/15 54.183.0.0/16 79.125.0.0/17 46.51.128.0/18 46.51.192.0/20 46.137.0.0/17 46.137.128.0/18 176.34.128.0/17 176.34.64.0/18 54.247.0.0/16 54.246.0.0/16 54.228.0.0/16 54.216.0.0/15 54.229.0.0/16 54.220.0.0/16 54.194.0.0/15 54.72.0.0/14 54.76.0.0/15 54.78.0.0/16 175.41.128.0/18 122.248.192.0/18 46.137.192.0/18 46.51.216.0/21 54.251.0.0/16 54.254.0.0/16 54.255.0.0/16 54.179.0.0/16 54.252.0.0/16 54.253.0.0/16 54.206.0.0/16 54.79.0.0/16 175.41.192.0/18 46.51.224.0/19 176.32.64.0/19 103.4.8.0/21 176.34.0.0/18 54.248.0.0/15 54.250.0.0/16 54.238.0.0/16 54.199.0.0/16 54.178.0.0/16 177.71.128.0/17 54.232.0.0/16 54.233.0.0/18 54.207.0.0/16 96.127.0.0/18

Are they entered into .htaccess like that? Or do you have to have "Deny from" before each one?

Also, if they are entered like that, can I have them in a vertical list, or will that screw things up with the .htaccess file?

Thanks.

Ah, I missed that one. The list kind of makes ones eyes glaze over.

You can just copy&paste it to .htaccess (or httpd.conf/rewrites.conf), keep it one-line. If you want to break it to multiple lines, you have to add "Deny from" before each line.

Thanks, Levo. I thought as much, but wanted to make sure I was doing it correctly.

The ironic part of the AWS part of this puzzle is that it's really something that Amazon should be addressing. A lot of anger around here has been sent G's way that could have easily had an Amazon address on it. Google has been dealing with the problem probably the best way they can. I can see why they don't want to be the one's to block all of the above IP addresses because I'm certain that a great many legitimate websites also are served from those same IP's (given their dynamic nature). Just as the bots are coming from different IP's in those blocks, so other websites are being served from them as well. Short of Amazon cleaning this mess up, this really does feel like it was a problem in need of a publisher solution. G's reporting could probably hide this from us but then how would we have ever known to look for it in the first place.

Click bombing stopped since yesterday. I think bot is tired now.

thanks everyone in this thread

# Amazon bots
deny from 54.186.

this stopped invalid clicks on one site!

The ironic part of the AWS part of this puzzle is that it's really something that Amazon should be addressing.

I agree with this. I don't think Google can actually block anything from our websites. All they can do - and have been doing - is ratchet back the damage the AWS bots are doing to the advertisers.

The one good thing out of this is that in the space of two weeks I learned a crap-load about click-fraud and botnets.

It would have been nice if G had given us a clue through all this but maybe they didn't think they had to. After all, we have netmeg. :D

WDR

I think I aged 10 years in these last 10 days.

I think we should all chip in and get netmeg a gift :)

I was gonna offer to kiss her but I couldn't round up enough people to catch her and hold her down. :P

WDR

I've killed men for less.

I've killed men for less.

Seriously, you did good. We would still be running around like chickens if you had not noticed those AWS bots.

:)

WDR

We should probably look around to see if Amazon maintains any kind of contact information to report abuse, and then all affected write in.

(no problem)

From a "whois amazon.com"

Registrar Abuse Contact Email: compliance@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740


WDR

opps ... skip that.

ok some bots are back (-15 clicks in the last few minutes), so i'll test with lame_wolf's code too

RewriteEngine on
RewriteCond %{REMOTE_HOST} \.amazonaws\. [NC]
RewriteRule ^ - [F]

<Limit GET>
Order allow,deny
Allow from all
deny from amazonaws.com
deny from .amazonaws.com
</Limit>

let's see if this could help

I have no signs of any AWS connections for two days. That's not to say that they aren't out there... just not affecting me. Yet.

WDR

How are you sure that clicks and/or click-bombs are coming from aws servers? There are a couple of 'good' bots and services, like flipboard, pinterest, that use aws. Heck, even proximic, which is associated with Adsense, uses aws.

Seeing aws servers in your logs can't automatically mean they've anything to do with erratic adsense earnings.

Did you check Network report in Google Analytics? You can see adsense earnings based on isp.

I've had some suspicious clicks and going through my logs I have this visitor:

IP173.45.120.114
ID 79ee3df5fc6e333b
Firefox Win 7
Resolution1024x768

The version of Firefox is 18 which matches the profiles of the AWS bots that we had earlier. This is from xlhost.com which is a hosting service. One visit, one page. 3 visits from this domain since midnight and each one has exhibited the same characteristics. Over 300 visits from xlhost.com in the past week and every single one of them has had a bounce rate of 100%. YMMV

I just banned the range: 173.45.120.112/29

WDR

Did you check Network report in Google Analytics? You can see adsense earnings based on isp.

Yes, that's where I found it (and took some screenshots). No question it was AWS. (Also sent it around to a few people here)

Flipboard would have little reason to keep visiting my sites, and Pinterest NO reason. I barely have any images at all other than social icons.

Seeing aws servers in your logs can't automatically mean they've anything to do with erratic adsense earnings.

That's true. But if you combine the profile of the visits (Firefox 18, resolution of 1024x768, Windows 7 OS) with the fact that:

1. They are all direct entry;
2. They are all new visits (not returning);
3. That they all have a bounce rate of 100%; and,
4. That when the IP range they use is banned the invalid clicks slow by 95%.

Then there is a decent chance that it's malicious.

I am not banning all of AWS but I am banning specific ranges that seem to correlate to issues.

Does the network revenue count when the clicks are reversed?

WDR

*edited to add that they are all new visits.

[edited by: wa_desert_rat at 3:20 pm (utc) on Mar 16, 2014]

How are you sure that clicks and/or click-bombs are coming from aws servers? There are a couple of 'good' bots and services, like flipboard, pinterest, that use aws. Heck, even proximic, which is associated with Adsense, uses aws.

I would hardly call Pinterest a good bot, and if I just happen to have blocked them, good.

I also spotted a large number of visits from wowrack, so I've blocked them too.

Lame Wolf, I blocked wowrack, IP 208.115.111.74, but they keep getting in. Did you block a range?

Sheesh.. Getting hit again, this time from another site.