0 Shares 1584 Views 33 Comments
00:00:00
03 May

5 Ways To Prevent Adsense Click-Bombing From XLHost (April 20 Attack)

Oliver Krautscheid Apr 20, 2015
0 1585 33

Tonight I woke up early and discovered that my Adsense earnings shot up 100% and more. I quickly identified this as click-bombing and reported the incident to Google. Here are 5 ways to quickly prevent click-bombing on your sites.


If you are only interested in a fix and not the entire backstory, click here to jump to step 4 below – this fix will block the bad bots immediately and normalize your clicks and earnings.

Found it useful?

Update: It appears, Google Adsense is indeed under attack by bots with IPs originating from XLHost.com and a bunch of other networks. The Adsense traffic team apparently failed to block this in time and many Adsense publishers report earnings that are up to ten times higher. We will keep you posted on this. So far it very much looks like an organized attack. Curious is the date, one day before Google launches a new algorithm.

Step 1: Immediate Action To Prevent Further Harm

If you suspect click fraud, click bombing, click shaving and the like, the first thing you should do is to keep calm. Let’s try to avoid fear of getting banned by Google. The folks at Google are reasonable people and won’t immediately ban you for unusual click activity in your account without analyzing it. (Yes, there are exceptions, but you always have the chance to appeal).

Anyway, if you already know that you are under attack, the first thing you can do to avoid problems is to remove ads.

The second alternative if you don’t want the click-bomber to know you are on to them is to remove your sites from the list of authorized sites in your Adsense account.

That’s how it works:

1. Open your Adsense account and click on the Account Settings button

Adsense Account Settings.png

2. Select Settings and in the sidebar uncollapse Access and authorization

3. Tick the box to only allow certain sites to show ads for my account:

Only Allow Certain Sites To Show Ads For My Account.png

4. Enter your domain without a leading www, like webmaster.net

5. Repeat the same for other sites you believe are under attack

Google will continue to show ads on your sites but the sites are no longer authorized and Google won’t take action on your account.

Step 2: Report Unusual Activity

The next step should be to immediately report any unusual activity. The traffic team will keep a close eye on your account and block any bad bots on their end:

Invalid Clicks Contact Form

Step 3: Identify The Problem, Is It A Bot, Wrong Implementation, What User Agent Is The Bot Using?

Next, we are going to identify the problem. Possible issues

  • Click-bombing using a bot
  • Wrong implementation and/or modification of ad code
  • Poor placement artificially inflating click count

The usual response from Adsense support whenever you report unusual activity will be: Analyze your ad implementation. That is because they don’t want to give away information to you, because all publishers no matter how big are automatically suspects and frauds. (A wrong approach in my opinion, but understandable).

Adsense support will not share any data with you, including IP’s or tips how to avoid click-bombing. They will always tell you that the problem is with you, even if it is not, to mitigate the risks of a real fraud.

So, we are on our own. But are we? Thanks to Google Analytics and server logs you can quickly identify the problem.

First, let’s see if you can find any unusual activity.

1. To do that, we will open Google Analytics.

2. Open Audience, Technology, Browser & OS

Open Google Analytics Browser And Os Info.png

3. Many adsense bots use Firefox, so let’s start with that one. Click on the blue Firefox link.

4. Now compare all different subversions. Do you notice that Firefox 27, a version that is quite old, has a bounce rate of over 96% and only stays 4 seconds on the page? Yes, something fishy is going on here.

Bounce Rate For Click Bomb Bot.png

5. Now let’s scan our log. (Replace vhost with your sitename, if you don’t know it, use cd and dir to verify the content of the directory first)

pico /usr/local/apache/domlogs/vhost

6. Let’s check any IP’s that make use of the user agent. To do that, hit CTRL + W to open the search and copy and paste Firefox/27

7. As it happens we have found a winner:

Mozilla/5.0 (Windows NT 6.2; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0

Now copy and paste the IP of this user and use your firewall control panel or iptables to drop this IP immediately.

In this case, it is very likely that the bot will use other IP’s from the same block. Luckily, it’s easy to block entire ranges via iptables. Using a CIDR calculator you can calculate the entire range:

209.51.197.0/24

In this case, it also helps to resolve this IP and see what host is responsible for the attack. Then you can google other IP blocks and add them to your firewall as well.

You now have a recipe to block all bots, but let’s go one step further.

Step 4: Block Bad Bots Using .Htaccess

.htaccess is a powerful tool. Mod_rewrite makes it extremely easy to block bad bots using a particular user agent. We know that the click bomber is using Firefox 27 and we also know that this is an extremely outdated browser that our visitors rarely use, so it might be a good idea to block this bot using .htaccess until the Adsense team has blocked it on their end:

1. Open .htacces in your root directory

2. At the top add the following code. Modify the version number to match your findings. This will block only Firefox version 27. This is the version the clickbombing bot is using. Very few legitimate users are using Firefox 27. The most recent version is 37.0, this is therefore considered a safe solution for today. After today you may remove it.

RewriteCond %{HTTP_USER_AGENT} Firefox/27\.0 [NC]
RewriteRule .* - [F,L]   

Step 5: Get In Touch With Other Webmasters

There are many webmaster forums where you will find more information about widespread attacks. If other people report high CTR’s, there’s a good chance someone is targeting the Adsense network.

CIDR Blocks You May Want To Block

Here is a list of IP blocks we have compiled together:

209.51.197.0/24
209.190.121.32/27
209.190.0.0/17
173.45.64.0/18
64.79.64.0/19
64.79.89.0/19
64.79.85.0/19
207.182.128.0/19
173.244.160.0/19
206.222.0.0/19
207.182.128.0/19
209.190.116.0/24
209.190.70.0/24
209.51.192.0/19

Even more IPs:

5.101.144.0/21

94.229.64.0/20 

173.209.49.0/24

88.150.131.0/24 

173.209.49.0/24 

68.168.114.0/24 

About Us

Webmaster .Net is your all-in-one resource for blogging tips, system administration guides, industry news and a growing community of webmasters.

Can't find something or want to tip us?Contact@webmaster.net

Bulls and Bears
  • Oliver Krautscheid

    Lets just stay calm and wait until Google gives us an official statement. They must be aware of it by now and will hopefully fix it within the next 12 hours.

    • Tarun P.K

      so should we remove the ad codes till then ?

    • John MacDonald

      I had my hosting service block those IP address and the bombing stopped. I had the sites shut down in the authorized sites section on the control panel. I turned them back on.

  • Aman

    I am also hit by invalid clicks let’s see what will happen

  • Oliver Krautscheid

    As dolcevita suggested on webmasterworld.com, you can add the following IP address blocks to your htaccess file:

    order allow,deny

    allow from all

    #XLHOST IP RANGES

    deny from 209.51.197.0/24

    deny from 209.190.121.32/27

    deny from 209.190.0.0/17

    deny from 173.45.64.0/18

    deny from 64.79.64.0/19

    deny from 64.79.89.0/19

    deny from 64.79.85.0/19

    deny from 207.182.128.0/19

    deny from 173.244.160.0/19

    deny from 206.222.0.0/19

    deny from 207.182.128.0/19

    deny from 209.190.116.0/24

    deny from 209.190.70.0/24

    deny from 209.51.192.0/19

    Right now the useragent block trick works just fine but those attackers may change that.

  • Oliver Krautscheid

    I believe the same happened last year, but what bugs me is the coincidence that this happens 1 day before Googles new algorithm. Is this an attempt to actively hurt Google? Who is behind this attack, who would benefit from this other than the competition (Yahoo, DuckDuckGo, Bing, Baidu)? I can’t believe any of those companies would try to attack Google, possibly it’s a competing ad network. Anyone got any stats on whos the leading ad network behind Google Adsense other than Media.net?

  • John MacDonald

    Can you tell me where i find this htaccess file?

  • John MacDonald

    Where can I find that htaccess file??

  • Oliver Krautscheid

    The htaccess file is in your root directory usually public_html – you may have to ask your host if you can’t find it.

  • Oliver Krautscheid

    It is much appreciated if you link back to this article if you share our code. Thanks a lot!

  • Oliver Krautscheid

    Open FileZilla and go to your root directory, usually called public_html. In that directory you will find a file called .htaccess usually at the top after all folders.

  • Adrian Gheorghe

    Happened to me as well, starting yesterday.

    Been clickbombed from a XL Host Ip. 209.190.32.178

  • Oliver Krautscheid

    Blocking Firefox 27 should relatively safe because the version is 10 versions old. People use Firefox 37.0 these days. However, it may only be a temporary fix and blocking at the server level using your firewall may be the better option.

  • http://magic.indivly.com/ John Clark

    I am having this issue as well. Blocking the user-agent maybe aggressive for larger sites but should be fine with smaller sites. Also I have these CDIR ranges to share for everyone to block (in nginx format):

    deny 209.51.199.0/24;
    deny 173.45.125.0/24;
    deny 209.51.197.0/24;
    deny 209.190.6.0/24;

    My current suspect IPs:

    173.45.125.154
    209.51.197.154
    209.51.197.170
    209.51.197.178
    209.51.197.186
    209.51.197.194
    209.51.197.202
    209.51.197.210
    209.51.197.218
    209.51.197.226
    209.51.197.234
    209.51.197.242
    209.51.199.34
    209.190.6.194

  • Oliver Krautscheid

    Thank you John for posting these. Yes, for very large sites (50k+) blocking Firefox 27 is possibly an issue although I’d say only a very small percentage of users use Firefox 27 on any given site. There are some other networks the attacks are coming from including UK Dedicated Servers Limited (5.101.144.0/21). It seems to be a very organized attack, let us pray this mess won’t last for longer than a few days.

  • Oliver Krautscheid

    If you are using Apache as your server and not nginx, you can add the IP ranges using the following format:

    Order Allow,Deny
    Deny from 27.8.0.0/13
    Deny from 27.16.0.0/12
    Deny from 27.36.0.0/14

    Modify the CIDR blocks using the IPs John posted

  • Oliver Krautscheid

    To block Firefox 27 using Nginx you can try:

    if ($http_user_agent ~* (Firefox/27) ) {
    return 403;
    }

    (untested, I use Apache, let me verify it)

  • Oliver Krautscheid

    It’s been several hours since I’ve applied the fix and my earnings have normalized. The huge orange uptick is from yesterday. The blue line is today (normalized earnings).

    For now it is working just fine, but if they change the user agent you have to block the IPs.

  • Oliver Krautscheid

    Here is another CIDR block that you can add to your firewall, this one is from UK Dedicated Servers Limited. Scan your logs to verify it first

    5.101.144.0/21

  • Tyrone ✓ᵛᵉʳᶦᶠᶦᵉᵈ ᵃᶜᶜᵒᵘᶰᵗ

    Google will be refunded a lot of money at the end of the month 🙁

  • Oliver Krautscheid

    @Martin This is taken directly from Google Analytics where I also discovered the user agent. This particular shot is from Behavior, Overview, Hourly, then add Yesterday from the dropdown to compare the stats. This will show that earnings have either normalized after applying the tweak or not. You should know your approx. daily averages so you don’t really need to compare, especially since this attack is so obvious.

    @Adsense Devs who may read this: I noticed click shaving since last weekend April 11th, maybe it helps to further inspect it.

  • Oliver Krautscheid

    @Tyrone Yes, they will obviously deduct this from your earnings. All in all this will be bad for us publishers and I hope they can address this issue ASAP.

  • Tyrone ✓ᵛᵉʳᶦᶠᶦᵉᵈ ᵃᶜᶜᵒᵘᶰᵗ

    Well what I was saying is this will force Google to look very closely at these invalid clicks and they might end up removing even good clicks and we lose even more money.

  • Tyrone ✓ᵛᵉʳᶦᶠᶦᵉᵈ ᵃᶜᶜᵒᵘᶰᵗ

    Do you recommend we remove the banned ips since it appears Google might have resolved this issue? I just hate to block potentially real visitors.

  • Oliver Krautscheid

    Tyrone, Google might have resolved it by now but I suggest to keep the IPs banned for now. Those CIDR blocks are relatively safe, they belong to specific hosts (XLhost is one of them) that own a large range of IPs. You wont block many legitimate users that way. Simply dont forget to remove them later this week and you’re fine.

  • Tyrone ✓ᵛᵉʳᶦᶠᶦᵉᵈ ᵃᶜᶜᵒᵘᶰᵗ

    Thank you and thank you for this article!

  • Oliver Krautscheid

    Sure thing. I am usually one of the first to report about breaking webmaster news because it directly affects my business. I was among the first to report about ShellShock too. I will post breaking news in our private Linkedin group here too: https://www.linkedin.com/groups?gid=8158495

    You can also subscribe to our webmaster newsletter or bookmark our feed.

  • Tyrone ✓ᵛᵉʳᶦᶠᶦᵉᵈ ᵃᶜᶜᵒᵘᶰᵗ

    Adsense means everything to me. Yes I know, all in the same basket is bad. But I am a high earner of adsense, highest point was almost 6 figures in one month. So as you can see its important to me 🙂

  • Oliver Krautscheid

    If you want to redirect Firefox 27 users to a temporary page try this:

    RewriteCond %{HTTP_USER_AGENT} Firefox/27.0 [NC]
    RewriteRule ^(.*)$ /unsupported/ [R=302]

    (untested) This would perform a temp redirect to a page /unsupported/ on your domain. Make sure it exists.

  • Oliver Krautscheid

    Yes thats true relying only Adsense is not a good idea but they are simply the best network out there. Media.net doesn’t even come close, but others are catching up. Adsense is falling behind on static ads, ads not blockable by ABP, etc. which they will hopefully address soon. If you are earning so much you have enough traffic to create other income opportunities like creating a product yourself rather than leading visitors somewhere else. Charge people for premium content etc.

  • FuuckGler

    Thanks for keep updating us with the IP’s. thumbsup.

  • Brian

    Dear publisher,

    Thanks for reaching out. We appreciate your concern and honesty about this issue.

    Beginning April 19th, some publishers have been impacted by a new segment of invalid traffic. Fortunately, Google’s traffic quality systems were able to react quickly, detecting this traffic as invalid and treating it accordingly; however, for two days this was not reflected in estimated earnings.

    This invalid traffic will be removed before finalized revenue is reported at the end of the month. As a result, publishers may see a larger than normal difference between estimated earnings and finalized revenue for the month of April 2015.

    This invalid traffic is no longer being counted toward estimated earnings as of April 21, 2015. Since Google does not block this traffic, publishers may continue to see it reflected in their weblogs.

    Advertisers have not been charged for this invalid traffic. If you notice an issue like this in the future, please submit this form to our traffic quality specialists.

    Sincerely,

    The Google AdSense Team

  • Oliver Krautscheid

    Google has sent out mails to quite a few publishers and call it “a new segment of invalid traffic”. Earnings will be adjusted before your next payment. Thank you everyone for contributing to this article, please don’t forget to remove the htaccess rule that block Firefox 27 users and the CIDR blocks eventually.

    Apparently, Firefox 27 is used by many bots and rarely by users, you should inspect your Google Analytics logs to see if you have any real users using this browser. I will most likely keep blocking it from now on.

Webmaster Tutorials, Wordpress
0 shares663 views

WordPress SQL Query: Select And Delete Posts Between Two Dates

Oliver Krautscheid - Apr 08, 2017

If you are wondering how to delete posts for a certain date, you will need to know how Wordpress stores…

Advertising and Ad Networks, Copywriting
0 shares808 views

15 Tips For Increasing Facebook Ads CTR – Full Guide [2017 Update]

Cam Connor - Mar 30, 2017

In this article, we'll talk a lot about how you can write quality text ads on Facebook Ads to get…

Webmaster Tutorials
0 shares1486 views

10 Steps To Configure Nginx For WordPress, Drop Varnish And Cut Your CPU Load By 50%

Oliver Krautscheid - Oct 10, 2016

Are you using Varnish on your Wordpress blog? Possibly the Varnish script by Unixy? Great! Get rid off it. Here's…

Follow Us And get latest news

© 2016 Webmaster.Net - Property of Peakstone Media Ltd. - All rights reserved. | Privacy Policy | DMCA | Contact Us | Advertise