Welcome to WebmasterWorld Guest from 54.166.112.74

Forum Moderators: incrediBILL & martinibuster

Message Too Old, No Replies

How To Defend a Google AdSense Site From Click Bombing

   
12:20 pm on Mar 5, 2014 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



I may be a victim of clickbombing. I had an unusually high clicks in one of my sites yesterday.


28,520 page views and 437 clicks

This site usually only get 44 click on average.

I don't know what's going on and I don't know to find out if the clicks were valid.

What should i do on my end. I thought Adsense had a technology that filter invalid clicks.
4:51 pm on Mar 14, 2014 (gmt 0)

WebmasterWorld Senior Member Top Contributors Of The Month



Just following up after having had time to look through IP's I've blocked over time in my firewall. Sure enough, there are a number of Amazon AWS IP's in there which may account for why I haven't seen this type of click-bombing while others have. I block IP's all the time for various reasons so who knows what triggered me to block them but some unusual activity must have motivated me to do so. Now I'm thinking of going back and looking at my website health monitoring emails to see if I can find those IP's and see what triggered me to block them in the first place. I don't always keep those emails once I've taken action but it's worth a look. We'll see.
12:40 am on Mar 15, 2014 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



Do you think blocking the amazon IPs is necessarry? If a lot of users report that's what causing the Clickbombing, shouldnt google filter them out? I have since unblocked the IPs. All normal here..
12:57 am on Mar 15, 2014 (gmt 0)

WebmasterWorld Senior Member lame_wolf is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



I have since unblocked the IPs. All normal here.

Jolly good. I can sleep much better knowing that.

Myself, I added this to my .htaccess

RewriteEngine on
RewriteCond %{REMOTE_HOST} \.amazonaws\. [NC]
RewriteRule ^ - [F]

<Limit GET>
Order allow,deny
Allow from all
deny from amazonaws.com
deny from .amazonaws.com
</Limit>

I've not had any visits or click removals since them. Saying that, I've not had any clicks for hours.
1:16 am on Mar 15, 2014 (gmt 0)

10+ Year Member



REMOTE_HOST would only work if you had HostnameLookups enabled, and HostnameLookups adds considerable latency. You can use

Deny from 72.44.32.0/19 67.202.0.0/18 75.101.128.0/17 174.129.0.0/16 204.236.192.0/18 184.73.0.0/16 184.72.128.0/17 184.72.64.0/18 50.16.0.0/15 50.19.0.0/16 107.20.0.0/14 23.20.0.0/14 54.242.0.0/15 54.234.0.0/15 54.236.0.0/15 54.224.0.0/15 54.226.0.0/15 54.208.0.0/15 54.210.0.0/15 54.221.0.0/16 54.204.0.0/15 54.196.0.0/15 54.198.0.0/16 54.80.0.0/13 50.112.0.0/16 54.245.0.0/16 54.244.0.0/16 54.214.0.0/16 54.212.0.0/15 54.218.0.0/16 54.200.0.0/15 54.202.0.0/15 54.184.0.0/13 204.236.128.0/18 184.72.0.0/18 50.18.0.0/16 184.169.128.0/17 54.241.0.0/16 54.215.0.0/16 54.219.0.0/16 54.193.0.0/16 54.176.0.0/15 54.183.0.0/16 79.125.0.0/17 46.51.128.0/18 46.51.192.0/20 46.137.0.0/17 46.137.128.0/18 176.34.128.0/17 176.34.64.0/18 54.247.0.0/16 54.246.0.0/16 54.228.0.0/16 54.216.0.0/15 54.229.0.0/16 54.220.0.0/16 54.194.0.0/15 54.72.0.0/14 54.76.0.0/15 54.78.0.0/16 175.41.128.0/18 122.248.192.0/18 46.137.192.0/18 46.51.216.0/21 54.251.0.0/16 54.254.0.0/16 54.255.0.0/16 54.179.0.0/16 54.252.0.0/16 54.253.0.0/16 54.206.0.0/16 54.79.0.0/16 175.41.192.0/18 46.51.224.0/19 176.32.64.0/19 103.4.8.0/21 176.34.0.0/18 54.248.0.0/15 54.250.0.0/16 54.238.0.0/16 54.199.0.0/16 54.178.0.0/16 177.71.128.0/17 54.232.0.0/16 54.233.0.0/18 54.207.0.0/16 96.127.0.0/18


(based on their current Public IP range - [forums.aws.amazon.com...] )
2:49 pm on Mar 15, 2014 (gmt 0)

WebmasterWorld Senior Member netmeg is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



The problem is, the worst offender on my sites (54.186.) isn't even on that list.
3:46 pm on Mar 15, 2014 (gmt 0)

10+ Year Member



The problem is, the worst offender on my sites (54.186.) isn't even on that list.



54.184.0.0/13 covers 54.184.0.0 - 54.191.255.255
6:15 pm on Mar 15, 2014 (gmt 0)

WebmasterWorld Senior Member lame_wolf is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



Deny from 72.44.32.0/19 67.202.0.0/18 75.101.128.0/17 174.129.0.0/16 204.236.192.0/18 184.73.0.0/16 184.72.128.0/17 184.72.64.0/18 50.16.0.0/15 50.19.0.0/16 107.20.0.0/14 23.20.0.0/14 54.242.0.0/15 54.234.0.0/15 54.236.0.0/15 54.224.0.0/15 54.226.0.0/15 54.208.0.0/15 54.210.0.0/15 54.221.0.0/16 54.204.0.0/15 54.196.0.0/15 54.198.0.0/16 54.80.0.0/13 50.112.0.0/16 54.245.0.0/16 54.244.0.0/16 54.214.0.0/16 54.212.0.0/15 54.218.0.0/16 54.200.0.0/15 54.202.0.0/15 54.184.0.0/13 204.236.128.0/18 184.72.0.0/18 50.18.0.0/16 184.169.128.0/17 54.241.0.0/16 54.215.0.0/16 54.219.0.0/16 54.193.0.0/16 54.176.0.0/15 54.183.0.0/16 79.125.0.0/17 46.51.128.0/18 46.51.192.0/20 46.137.0.0/17 46.137.128.0/18 176.34.128.0/17 176.34.64.0/18 54.247.0.0/16 54.246.0.0/16 54.228.0.0/16 54.216.0.0/15 54.229.0.0/16 54.220.0.0/16 54.194.0.0/15 54.72.0.0/14 54.76.0.0/15 54.78.0.0/16 175.41.128.0/18 122.248.192.0/18 46.137.192.0/18 46.51.216.0/21 54.251.0.0/16 54.254.0.0/16 54.255.0.0/16 54.179.0.0/16 54.252.0.0/16 54.253.0.0/16 54.206.0.0/16 54.79.0.0/16 175.41.192.0/18 46.51.224.0/19 176.32.64.0/19 103.4.8.0/21 176.34.0.0/18 54.248.0.0/15 54.250.0.0/16 54.238.0.0/16 54.199.0.0/16 54.178.0.0/16 177.71.128.0/17 54.232.0.0/16 54.233.0.0/18 54.207.0.0/16 96.127.0.0/18


Are they entered into .htaccess like that? Or do you have to have "Deny from" before each one?

Also, if they are entered like that, can I have them in a vertical list, or will that screw things up with the .htaccess file?

Thanks.
6:37 pm on Mar 15, 2014 (gmt 0)

WebmasterWorld Senior Member netmeg is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Ah, I missed that one. The list kind of makes ones eyes glaze over.
6:50 pm on Mar 15, 2014 (gmt 0)

10+ Year Member



You can just copy&paste it to .htaccess (or httpd.conf/rewrites.conf), keep it one-line. If you want to break it to multiple lines, you have to add "Deny from" before each line.
7:53 pm on Mar 15, 2014 (gmt 0)

WebmasterWorld Senior Member lame_wolf is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



Thanks, Levo. I thought as much, but wanted to make sure I was doing it correctly.
8:26 pm on Mar 15, 2014 (gmt 0)

WebmasterWorld Senior Member Top Contributors Of The Month



The ironic part of the AWS part of this puzzle is that it's really something that Amazon should be addressing. A lot of anger around here has been sent G's way that could have easily had an Amazon address on it. Google has been dealing with the problem probably the best way they can. I can see why they don't want to be the one's to block all of the above IP addresses because I'm certain that a great many legitimate websites also are served from those same IP's (given their dynamic nature). Just as the bots are coming from different IP's in those blocks, so other websites are being served from them as well. Short of Amazon cleaning this mess up, this really does feel like it was a problem in need of a publisher solution. G's reporting could probably hide this from us but then how would we have ever known to look for it in the first place.
11:19 pm on Mar 15, 2014 (gmt 0)

5+ Year Member



Click bombing stopped since yesterday. I think bot is tired now.
11:38 pm on Mar 15, 2014 (gmt 0)

5+ Year Member



thanks everyone in this thread

# Amazon bots
deny from 54.186.

this stopped invalid clicks on one site!
12:42 am on Mar 16, 2014 (gmt 0)

Top Contributors Of The Month



The ironic part of the AWS part of this puzzle is that it's really something that Amazon should be addressing.


I agree with this. I don't think Google can actually block anything from our websites. All they can do - and have been doing - is ratchet back the damage the AWS bots are doing to the advertisers.

The one good thing out of this is that in the space of two weeks I learned a crap-load about click-fraud and botnets.

It would have been nice if G had given us a clue through all this but maybe they didn't think they had to. After all, we have netmeg. :D

WDR
12:49 am on Mar 16, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I think I aged 10 years in these last 10 days.

I think we should all chip in and get netmeg a gift :)
1:00 am on Mar 16, 2014 (gmt 0)

Top Contributors Of The Month



I was gonna offer to kiss her but I couldn't round up enough people to catch her and hold her down. :P

WDR
2:28 am on Mar 16, 2014 (gmt 0)

WebmasterWorld Senior Member netmeg is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



I've killed men for less.
3:04 am on Mar 16, 2014 (gmt 0)

Top Contributors Of The Month



I've killed men for less.


Seriously, you did good. We would still be running around like chickens if you had not noticed those AWS bots.

:)

WDR
3:08 am on Mar 16, 2014 (gmt 0)

WebmasterWorld Senior Member netmeg is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



We should probably look around to see if Amazon maintains any kind of contact information to report abuse, and then all affected write in.

(no problem)
3:15 am on Mar 16, 2014 (gmt 0)

Top Contributors Of The Month



From a "whois amazon.com"

Registrar Abuse Contact Email: compliance@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740


WDR
3:27 am on Mar 16, 2014 (gmt 0)

WebmasterWorld Senior Member ken_b is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



opps ... skip that.
5:52 am on Mar 16, 2014 (gmt 0)

5+ Year Member



ok some bots are back (-15 clicks in the last few minutes), so i'll test with lame_wolf's code too

RewriteEngine on
RewriteCond %{REMOTE_HOST} \.amazonaws\. [NC]
RewriteRule ^ - [F]

<Limit GET>
Order allow,deny
Allow from all
deny from amazonaws.com
deny from .amazonaws.com
</Limit>

let's see if this could help
2:25 pm on Mar 16, 2014 (gmt 0)

Top Contributors Of The Month



I have no signs of any AWS connections for two days. That's not to say that they aren't out there... just not affecting me. Yet.

WDR
2:31 pm on Mar 16, 2014 (gmt 0)

10+ Year Member



How are you sure that clicks and/or click-bombs are coming from aws servers? There are a couple of 'good' bots and services, like flipboard, pinterest, that use aws. Heck, even proximic, which is associated with Adsense, uses aws.

Seeing aws servers in your logs can't automatically mean they've anything to do with erratic adsense earnings.

Did you check Network report in Google Analytics? You can see adsense earnings based on isp.
2:56 pm on Mar 16, 2014 (gmt 0)

Top Contributors Of The Month



I've had some suspicious clicks and going through my logs I have this visitor:

IP173.45.120.114
ID 79ee3df5fc6e333b
Firefox Win 7
Resolution1024x768

The version of Firefox is 18 which matches the profiles of the AWS bots that we had earlier. This is from xlhost.com which is a hosting service. One visit, one page. 3 visits from this domain since midnight and each one has exhibited the same characteristics. Over 300 visits from xlhost.com in the past week and every single one of them has had a bounce rate of 100%. YMMV

I just banned the range: 173.45.120.112/29

WDR
3:03 pm on Mar 16, 2014 (gmt 0)

WebmasterWorld Senior Member netmeg is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Did you check Network report in Google Analytics? You can see adsense earnings based on isp.


Yes, that's where I found it (and took some screenshots). No question it was AWS. (Also sent it around to a few people here)

Flipboard would have little reason to keep visiting my sites, and Pinterest NO reason. I barely have any images at all other than social icons.
3:13 pm on Mar 16, 2014 (gmt 0)

Top Contributors Of The Month



Seeing aws servers in your logs can't automatically mean they've anything to do with erratic adsense earnings.


That's true. But if you combine the profile of the visits (Firefox 18, resolution of 1024x768, Windows 7 OS) with the fact that:

1. They are all direct entry;
2. They are all new visits (not returning);
3. That they all have a bounce rate of 100%; and,
4. That when the IP range they use is banned the invalid clicks slow by 95%.

Then there is a decent chance that it's malicious.

I am not banning all of AWS but I am banning specific ranges that seem to correlate to issues.

Does the network revenue count when the clicks are reversed?

WDR

*edited to add that they are all new visits.

[edited by: wa_desert_rat at 3:20 pm (utc) on Mar 16, 2014]

3:13 pm on Mar 16, 2014 (gmt 0)

WebmasterWorld Senior Member lame_wolf is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



How are you sure that clicks and/or click-bombs are coming from aws servers? There are a couple of 'good' bots and services, like flipboard, pinterest, that use aws. Heck, even proximic, which is associated with Adsense, uses aws.
I would hardly call Pinterest a good bot, and if I just happen to have blocked them, good.

I also spotted a large number of visits from wowrack, so I've blocked them too.
4:41 pm on Mar 16, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Lame Wolf, I blocked wowrack, IP 208.115.111.74, but they keep getting in. Did you block a range?
4:50 pm on Mar 16, 2014 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



Sheesh.. Getting hit again, this time from another site.
This 262 message thread spans 9 pages: 262