An ad serving limitation is not the same as a ban. While I can understand your frustration, your account should be still normally operating and you should receive the money, unless they find significant illegal activity during their investigation.

You are not the first person to report similar circumstances here. This appears to be getting more frequent. Given your history here I trust that what you describe above is absolutely true. But is it possible that there was or is (ongoing) spurious bot/click activity happening without your knowledge. A simple increase in traffic, even a large one, shouldn't trigger this, what typically triggers this type of a penalty is sudden or large increase in CTR. Have you segmented your traffic by location, device, screen size etc... This may point to where the root cause of the problem lies.

Also the problem can be caused by a bug in your page layout. The bug may be subtle and only effect a small number of users, so you remain unaware of its existence. But in high traffic conditions, the number of users affected by the bug grows sufficiently to trigger the penalty. Look for issues, such as slow loading ads causing the layout to change when they finally load, or ads that are pushed over content, buttons, or links.

Another possible cause is "click jacking" where an attacker creates a iframe of your website, or simply of an ad on your website an shows it on different website, then users of the other site are now clicking your ads. Where and how really depend on the goal of the attacker, but the bottom line is that since these request are coming from actual users they would be more difficult to detect.

Hello again MayankParmar. I am in the same boat as you, and probably thousands of other publishers. There seems to be a major bug in AdSense, but I think Google is playing the ostrich.

Though I did NOT get the "AdSense ads serving limited" warning, I've had the Confirmed Click penalty since February 28th. Loss in revenue has already exceeded 95% since March. When we got the penalty, there was absolutely nothing that had changed on our website in months. Not even traffic patterns. We get most of our traffic from Facebook and it has always been the case. And this is NOT a small website. We get millions of unique visitors and pageviews per month.

I've been digging quite a bit in my AdSense reports / Google Analytics reports to try and find the cause of the issue. I have made some interesting observations, but nothing yet that helped me fix the problem.

Here's what I found so far:

- The problem is definitely NOT an ad implementation / design / bot / click bombing / click jacking issue. I've done some tons of testing that brought me to this conclusion. Read below for more info.

- I've created a simple script to detect clicks over AdSense ads by placing an invisible DIV over the ads, intercepting the clicks and sending them as Google Analytics events. As I thought, the clicks were very low and were definitely NOT coming from users or bots. I believe either the clicks are being wrongly reported by AdSense or AdSense has a bug in how it detects clicks.

- The problem seems to happen on Mobile / Tablet only. When I look at my Google Analytics Publisher report at Behavior -> Publisher -> Publisher Pages and choose the following Secondary Dimension: Users -> Operating System, I notice that URLs for iOS and Android have an extremely high CTR, with some URLs having a CTR over 30%. URLs for Windows and Macintosh have a low / normal CTR.

- After archiving all my AdSense ad units, removing the code from my website, creating new ones and disabling the new ones on Android / iOS (leaving them only on Windows / Macintosh), I noticed the new ones were getting a normal CTR, but the old ad units were still being clicked like crazy by users from 2 countries: United States and Spain (I normally don't get much visits from those countries) ([imgur.com ] - the new ad units are at the bottom and have "content" in their name). You will notice some of the ads have over 300% CTR! So it's like if those old ad units are stuck somewhere in AdSense's cache, and AdSense is detecting clicks on those units every day even if they have long been removed from my website (one of the units has been removed for over 2 weeks). To see if you are experiencing the same issue, make sure you look at today's report early in the day and look for a high CTR. If you look at today's report too late or even yesterday's report or any other day, you won't see the invalid clicks as they are deducted over the course of the day.

- I added temporary CloudFlare Firewall block rules to block all traffic from United States and Spain except known bots. The next day, AdSense reported the old ads were still being clicked by users from United States and Spain. In Google Analytics, there were absolutely no visitors from United States and Spain.

- I sent numerous emails to AdSense support and filled out the Invalid Clicks form ([support.google.com ]) many times with detailed information and reports, but I never got any helpful response. All I really got from AdSense support is an email telling me to check my ad implementation. But that has long been ruled out as the issue.

- I've also opened threads on various online platforms (official AdSense Community, CloudFlare Community, Reddit, here), and tons of people seem to be having the same issue, but no one has answers. CloudFlare Community seems to be the place where there is the most valuable information, but nothing seems to have fixed the issue for anyone. You can do a search for "AdSense invalid" here: [community.cloudflare.com ] and you will find lots of information from people with similar issues.

So this is where I'm at now. Unfortunately, I believe there is nothing we can do for the time being to fix the issue. It is clearly a bug on Google's end. The company has become so burdened with AI that it has probably completely lost touch with users and issues like this one. I cannot believe they are letting hundreds, maybe thousands of publishers lose months of revenue. And let's not forget advertisers who are clearly NOT getting their websites visited or products bought because of this same issue / penalty. So everyone is a loser here, even Google.

[edited by: janvitos at 3:43 pm (utc) on Mar 19, 2021]

So it's like if those old ad units are stuck somewhere in AdSense's cache, and AdSense is detecting clicks on those units every day even if they have long been removed from my website (one of the units has been removed for over 2 weeks).

Have you purged your Cloudflare cache?

Have you purged your Cloudflare cache?

Local cache and CloudFlare cache were completely purged many times every day over the past weeks. We normally only completely purge the cache once a week, but since we've been battling this issue, we've been purging the cache continuously.

Believe me, this is NOT the issue here. But thanks for asking, it would’ve been an easy fix.

Are you able to see, from Google Analytics or your server logs where and when the pages that showed the "old" ads were accessed?

Are you able to see, from Google Analytics or your server logs where and when the pages that showed the "old" ads were accessed?

I found out the clicks on those ads are coming from 2 countries: United States and Spain. I blocked users from those countries in CloudFlare Firewall (except known bots), and the next day, AdSense was still reporting the ads were being clicked by people from those two countries. In Google Analytics, there are absolutely no visits from users from those countries (this was expected as I've blocked them with the firewall rule).

In AdSense in the ad-unit reports you can add "Countries" as a segmentation. At the top left of the report, it shows report by "Ad Units" and to the right it shows a "+add" button. Click it and select countries. With the country and by narrowing the date range you should have sufficiently narrow criteria to then search your raw server logs to find the IP addresses used to get impressions to those "old" ads.

Sorry, I wrote my last post before I saw your answer.

In Google Analytics, there are absolutely no visits from users from those countries (this was expected as I've blocked them with the firewall rule).

You can't depend on Google Analytics for this, you need to verify your raw server logs. Although it appears from what you have shown that your ad code has most likely been copied and is being run off of a another computer.

With the country and by narrowing the date range you should have sufficiently narrow criteria to then search your raw server logs to find the IP addresses used to get impressions to those "old" ads.

Like I said, there are zero users from those countries. Those are "phantom" clicks. They seem stuck in AdSense's system and are logged again every day as new clicks, but nothing is generating those clicks. They are NOT real clicks.

I also checked my CloudFlare logs and there were NO logged visits from United States or Spain, except the blocked ones from the firewall rule. But since they are blocked, it's impossible those blocked visitors are clicking on the ads.

I doubt my ad code has been copied and running on another computer. It would show in AdSense that my code is running from another website. Under Sites -> Overview, I have allowed only my own domain to show ads. It has happened in the past that my ad code was copied and I received a notification from AdSense asking me if I recognized / allowed that site to run ads. I declined and the warning went away.

Just look at the number of posts in the official AdSense Community ([support.google.com ]) about this issue and you will see that it's NOT a publisher problem. There is definitely a bug in AdSense.

I doubt my ad code has been copied and running on another computer. It would show in AdSense that my code is running from another website. Under Sites -> Overview, I have allowed only my own domain to show ads. It has happened in the past that my ad code was copied and I received a notification from AdSense asking me if I recognized / allowed that site to run ads. I declined and the warning went away.

Yes I agree, but it may be that an attacker has found an exploit. It may be as simple as spoofing the referrer in the http headers, I don't know. But the evidence suggests strongly that the clicks are not coming from your server.

This is an open question. (maybe it should be it's own thread)
Is it possible that the page was accessed a while ago (weeks or months), simply held in memory on the attackers computer and then the ad code is executed at any future point, programatically clicked? In such a scenario, it would be impossible to block the request as it has occurred in the past, the click would appear to come from the correct domain the only thing preventing the click from occuring would be Adsense implementing some code that would make the ad request stale and thus not clickable. I'm not sure that such a mechanism exists, and I doubt Adsense would say if it did or didn't.

Is it possible that the page was accessed a while ago (weeks or months), simply held in memory on the attackers computer and then the ad code is executed at any future point, programatically clicked?

I have thought about this. I did a simple test. I downloaded one of my website's pages with the following command:

wget -p -k https://www.website.com/my-page-name/

I then accessed the downloaded page locally. The ads did NOT load because the scripts were blocked from loading (blocked:other).

I'm not sure if there is any other way the pages could have been cached / saved and accessed for the scripts to load properly. But from my test, it doesn't work. There are CORS policies in place to prevent such problems.

To be honest, I'm not sure why attackers would want to do this anyways. It would give them absolutely no revenue at all and it would be quite a bit of trouble. Again, this feels more like a bug than an attack.

[edited by: janvitos at 5:43 pm (utc) on Mar 19, 2021]

I then accessed the downloaded page locally. The ads did NOT load because the scripts were blocked from loading (blocked:other).

This is because you are using wget, this executes a get request and then saves the response, but it does not do anything with it. You can at some later point take the downloaded code and open it in a browser, but then code such as analytics would be triggered and that would the current time. The other issue is that there would not be a valid session so the requests to Adsense and GA would likely be ignored.

If you request a page in the browser, once the response is received the browser executes the code (js) on the page and everything acts as it should, because it is a normal request. But it is possible make the request programatically with tools such as Selenium or Puppeteer. I have used Selenium extensively for testing and crawling. It is basically remote control for your browser.

Since this works through the browser everything appears normal. In theory one could leave the page "open" and then come back to it at some later point and start clicking away at ads. So there no doubt that this is possible. What is not clear, is whether or not Adsense has any protections against this in place, like a session timeout.

Using these tools also explains how you can have ad clicks without viewability, or multiple add clicks for a single impression.

This is because you are using wget, this executes a get request and then saves the response, but it does not do anything with it.

I'm using wget to download an entire page, save it locally and then access it locally.

Using these tools also explains how you can have ad clicks without viewability, or multiple add clicks for a single impression.

But since this is such a widespread problem, I doubt this is the issue here. Unless bots are affecting thousands of AdSense website out there, I believe the issue is still most probably an AdSense bug.

As a comparison, I have generated Users -> Browser reports for two different days, one where mobile and desktop ads were enabled (Android, iOS, Windows and Macintosh), and one where mobile ads were disabled (Windows and Macintosh only).

Here's the report for mobile ads enabled: [imgur.com ]

Here's the report for mobile ads disabled: [imgur.com ]

As you can immediately notice, when ads are enabled on mobile, the CTR for Android Webview is incredibly high. On the contrary, when mobile ads are disabled, CTR for Chrome, Firefox, Edge and Safari is low / normal.

One thing that has baffled me is the fact that some days, Safari (In-App) has a really high CTR like Android Webview, but some other days, it has a much lower CTR, albeit not as low / normal as desktop browsers. I have tried disabling ads on Android and leaving them on iOS, but the penalty always comes back.

I also noticed that ALL URLs exhibited this problem except ONE. That single URL never had the issue on any browser, mobile or desktop. I tried comparing that URL with the other URLs, but I could NOT find anything that differentiated it from the others. Very strange indeed.

Why are your pages appearing in Android-Webview? Is this your own doing?

Android-Webview is not a browser per-se, it is a function within a Android native app that allows an app developer to display a webpage within their own app. But there is no navigation or UI, so a user should not be able to "navigate" to your page.

After a bit of poking around, it appears that the methods for blocking Iframes using x-frame and CSP headers has no affect on Android-webview.

I also checked my own stats and I am also seeing occasional hits from user using webview.

Why are your pages appearing in Android-Webview? Is this your own doing?

I'll answer my own question. Facebook, actually social media in general, at least based on my own stats. Webview users appear to be coming from Facebook, Instagram, Yahoo, Snapchat. I tend to get relatively little traffic from these sources, so it doesn't really have a big impact.

But, digging further I do see one instance of high CTR, eg: 5 clicks for 3 impressions. And the user came from Instagram.

Given that this is an in-app display the size of the page and the how exactly the page is displayed would be almost impossible to predict and likely varies between social media apps.

Why are your pages appearing in Android-Webview? Is this your own doing?

Indeed, Android Webview / Safari (In-App) are both Facebook browsers for Android and iOS respectively. Most of my traffic comes from Facebook.

Although the high CTR is not exclusive to Facebook, it might be exclusive to Webviews. The only other browsers I've seen with high CTRs are Samsung Internet (might be a webview with a GUI) and AMP pages from Google News (AMP pages could be rendered in a webview).

I would actually be pretty curious to see MayankParmar's findings on this matter.

[edited by: janvitos at 8:12 pm (utc) on Mar 19, 2021]

I would actually be pretty curious to see MayankParmar's findings on this matter.

Same here.

And also @friedclyde

@Janvitos
Here is link to stack overflow thread which explains how you can view and debug your pages on FB/webview. It may be of interest to you
[stackoverflow.com...]

Here is link to stack overflow thread which explains how you can view and debug your pages on FB/webview.

Thanks for the info NickMNS, but there is a much simpler way to do it now.

You can inspect the Facebook browser through Chrome DevTools just like you would inspect any other remote device:

chrome://inspect/#devices

I already did this and did not find anything of interest. I also did some packet inspection with Fiddler on the Facebook browser to try and see if some clicks were being registered on scroll / ad view / video ad view, but to no avail.

This is how I make a living, so I've been going pretty deep on this issue. Revenue loss is in the thousands of dollars for March. I am taking this very seriously.

All ideas and suggestions are very welcome.

Hello,

AMP pages?

I'm going to try disabling Cloudflare APO for 24h and see if it changes anything.

I saw on Cloudflare Community a few posts from users that mention cache problems with AdSense and Google Analytics since they activated APO. I was thinking it was a configuration issue on their end, but what if APO really does cause cache issues with AdSense and GA? It might explain the unexplained clicks on ads.

I know tons of people now use Cloudflare and APO, so it could also explain why the problem is widespread but doesn't affect everyone.

I will update this thread once I have the results.

By the way MayankParmar, do you use Cloudflare APO?

Hello,

I am still trying to find suspicious activities, but nothing odd so far. It's literally the same site with the same design and placements for the last two years

Google AdSense support replied with two details: high invalid traffic from desktop and sidebar unit. My traffic is mostly from the desktop because the site itself is about desktop platforms, and the sidebar ad unit does have a giant "Advertisements" label. The rest of the email shared tips, which are already available on their support page.

They cannot share additional details due to the nature of the penalty.

For now, I have replaced AdSense with AdX + other ads and left one AdSense ad unit on the site because they still want to monitor the traffic. Pageviews are recorded, earning is zero.

@janvitos I don't use Cloudflare. I use Sucuri.

Hi MayankParmar, thanks for the info.

Strangely enough, our setups seem to be very different from one another. So I think we can safely rule out CDN and placement type (desktop / mobile) as the cause of the problem.

You said you switched to AdX, are you seeing a "Visit website" popup when you click on those ads? Because I also tried switching to AdX, but I was also getting the Confirmed Click penalty there. So it was no good for me. It seems like the penalty is enforced in all of Google's Ad Network by domain name or URL.

Hi MayankParmar,

You can try this solution as suggested by a Cloudflare user on the Cloudflare Community ([community.cloudflare.com ]):

How to fix Ad Server Limit:

remove all ad codes (except the header code)
archive ad codes
remove ads.txt
wait until the notification will disappear (can take 1 or 2 weeks)
now don’t rush, still wait for a couple of days
in these 2 days check your analitycs…if you find pages with high CTR means are flagged by google
now recreate ad codes, add the ads.txt file
add codes in your website, but don’t place them on flagged urls for at least 2 weeks! (otherwise the notification will appear again and again until you will stop place ads on flagged urls)

Not sure why he knows so much about the issue (and how to solve it), but what he says seems to make sense.

I have also started following those steps and will see if the problem goes away.

So I finally decided I will definitely stop using AdSense.

After 7 years of serving AdSense ads, I decided I cannot continue working with a company that doesn't support and respect its publishers.

Over the past year, I've started experiencing numerous issues with AdSense. Most of my articles have been getting flagged for sexual / shocking content, but the articles are usually about cute animals and funny pictures and have absolutely nothing sexual or shocking about them. This has had a major impact on revenue. I've sent numerous emails to support about this, but each time, I received very little help and was told my comments would be sent to "product specialists". Nothing has changed.

The RPM has also been declining sharply. This year, it has been around half of what it was last year, without making any major modifications to my website or ad placements. At the same time, ad revenue from other ad networks has been increasing. So it makes no sense.

And now, the confirmed click / invalid clicks problem happened, and it was the nail in the coffin. I simply cannot accept this any longer.

I won't lie, I've always been a huge Google fan. I've actively participated in the development and debugging of the Android platform and Chrome browser in the earlier days as a community member (never made a penny out of it). I’ve also owned and debugged some of their earlier devices (Nexus and Pixel) also as a community member. I’ve been an AdSense publisher for the past 7 years and have NEVER had a single penalty. I’ve also probably indirectly paid the salaries of a few of their employees. But I’ve given enough, and now it’s time to stop.

So I’ve decided I will switch to new ad networks. Fortunately, since I have quite a bit of traffic, I’m eligible for most of the ad networks. I have chosen three of them: Mediavine, Sublime and Teads. I have looked ad their ad formats and have realized that they are way ahead of AdSense in terms of ad quality and formats. From what I read, they also seem to provide a much better CPM.

So my journey with Google seems to have taken a sharp turn. I find it disappointing (and frustrating) to have been let down after all these years. But I believe every end has a new beginning, and I believe this new beginning will come with great opportunities.

End of rant.

I had a similar situation i used Ezoic AdExchange partner [ezoic.com...] <snip> until i could serve ads with Adsense, it earned half of what Adsense earned on the first month but experts says Ezoic increase revenue each month. Give it a try

[edited by: engine at 2:55 pm (utc) on Mar 22, 2021]
[edit reason] link fixed [/edit]

Thanks for the tip Niresh12495.

Unfortunately, I already tried Ezoic, but it made my website lose 20+ points on Core Web Vitals and TTFB was much higher than usual.

I also find their platform to be a bit too intrusive (you are obligated to use their DNS and their cache system if you want your site to have decent speed, but this is something I want to keep managing at Cloudflare).