Tonight I woke up early and discovered that my Adsense earnings shot up 100% and more. I quickly identified this as click-bombing and reported the incident to Google. Here are 5 ways to quickly prevent click-bombing on your sites.


If you are only interested in a fix and not the entire backstory, skip to Step 4 below – this fix will block the bad bots immediately and normalize your clicks and earnings.


Update: It appears that Google Adsense is indeed under attack by bots with IPs originating from XLHost.com and a number of other networks. The Adsense traffic team apparently failed to block this in time, and many Adsense publishers report earnings that are up to ten times higher. We will keep you posted on this. So far it very much looks like an organized attack. The date is curious: one day before Google launches a new algorithm.

Step 1: Immediate Action To Prevent Further Harm

If you suspect click fraud, click bombing, click shaving and the like, the first thing you should do is to keep calm. Let’s try to avoid fear of getting banned by Google. The folks at Google are reasonable people and won’t immediately ban you for unusual click activity in your account without analyzing it. (Yes, there are exceptions, but you always have the chance to appeal).

Anyway, if you already know that you are under attack, the first thing you can do to avoid problems is to remove ads.

The second alternative, if you don’t want the click-bomber to know you are on to them, is to remove your sites from the list of authorized sites in your Adsense account.

That’s how it works:

1. Open your Adsense account and click on the Account Settings button


2. Select Settings and, in the sidebar, expand Access and authorization

3. Tick the box to only allow certain sites to show ads for my account:


4. Enter your domain without a leading www, like webmaster.net

5. Repeat the same for other sites you believe are under attack

Google will continue to show ads on your sites but the sites are no longer authorized and Google won’t take action on your account.

Step 2: Report Unusual Activity

The next step should be to immediately report any unusual activity. The traffic team will keep a close eye on your account and block any bad bots on their end:

Invalid Clicks Contact Form

Step 3: Identify The Problem, Is It A Bot, Wrong Implementation, What User Agent Is The Bot Using?

Next, we are going to identify the problem. Possible issues:

  • Click-bombing using a bot
  • Wrong implementation and/or modification of ad code
  • Poor placement artificially inflating click count

The usual response from Adsense support whenever you report unusual activity will be: Analyze your ad implementation. That is because they don’t want to give away information to you, since all publishers, no matter how big, are automatically treated as suspects and frauds. (A wrong approach in my opinion, but understandable.)

Adsense support will not share any data with you, including IPs or tips on how to avoid click-bombing. They will always tell you that the problem is with you, even if it is not, to mitigate the risks of a real fraud.

So, we are on our own. But are we? Thanks to Google Analytics and server logs you can quickly identify the problem.

First, let’s see if you can find any unusual activity.

1. To do that, we will open Google Analytics.

2. Open Audience, Technology, Browser & OS


3. Many Adsense bots use Firefox, so let’s start with that one. Click on the blue Firefox link.

4. Now compare all different subversions. Do you notice that Firefox 27, a version that is quite old, has a bounce rate of over 96% and only stays 4 seconds on the page? Yes, something fishy is going on here.


5. Now let’s scan our log. (Replace vhost with your site name; if you don’t know it, use cd and dir to check the contents of the directory first.)

pico /usr/local/apache/domlogs/vhost

6. Let’s check for any IPs that use this user agent. To do that, hit CTRL + W to open the search, then paste Firefox/27

7. As it happens we have found a winner:

Mozilla/5.0 (Windows NT 6.2; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0

Now copy and paste the IP of this user and use your firewall control panel or iptables to drop this IP immediately.

In this case, it is very likely that the bot will use other IPs from the same block. Luckily, it’s easy to block entire ranges via iptables. Using a CIDR calculator you can calculate the entire range:

209.51.197.0/24

In this case, it also helps to resolve this IP and see what host is responsible for the attack. Then you can google other IP blocks and add them to your firewall as well.
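
The log search and /24 grouping above can be scripted; this is an added example, not part of the original post. It assumes Apache's combined log format on stdin, the function names are hypothetical, and the sample lines are constructed from documentation address ranges; the iptables commands are printed for review, never run.

```shell
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.
# Each function reads an Apache combined-format access log on stdin.

# hits_by_ip UA_SUBSTRING -> "count ip" for clients whose User-Agent contains it
hits_by_ip() {
    awk -F'"' -v ua="$1" '
        # Split on double quotes: the User-Agent is the last quoted field,
        # $(NF-1). Matching only there ignores the string in URLs or referers.
        NF >= 7 && index($(NF-1), ua) { split($1, f, " "); n[f[1]]++ }
        END { for (ip in n) print n[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# hits_by_slash24 UA_SUBSTRING -> "hits distinct_ips network busiest_ip"
hits_by_slash24() {
    hits_by_ip "$1" | awk '
        # Accept dotted-quad IPv4 only, so nothing else from the log can end
        # up in a firewall command; hostnames and IPv6 are skipped.
        $2 ~ /^[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+$/ {
            split($2, o, "[.]"); net = o[1] "." o[2] "." o[3] ".0/24"
            if (!(net in hits)) top[net] = $2   # input is sorted by count
            hits[net] += $1; ips[net]++
        }
        END { for (k in hits) print hits[k], ips[k], k, top[k] }
    ' | sort -k1,1nr -k3,3
}

# drop_rules UA_SUBSTRING [MIN_HITS] -> iptables commands, printed only.
# A /24 is proposed only if several of its addresses matched, else one address.
drop_rules() {
    hits_by_slash24 "$1" | awk -v min="${2:-3}" '
        $1 >= min { print "iptables -I INPUT -s", ($2 > 1 ? $3 : $4), "-j DROP" }'
}

# Constructed sample log lines (documentation address ranges, made-up times).
UA27='Mozilla/5.0 (Windows NT 6.2; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0'
UA37='Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0'
sample_log() {
    cat <<EOF
192.0.2.10 - - [01/Jan/2015:03:10:01 +0000] "GET /a HTTP/1.1" 200 512 "-" "$UA27"
192.0.2.10 - - [01/Jan/2015:03:10:05 +0000] "GET /b HTTP/1.1" 200 512 "-" "$UA27"
192.0.2.77 - - [01/Jan/2015:03:10:09 +0000] "GET /a HTTP/1.1" 200 512 "-" "$UA27"
203.0.113.9 - - [01/Jan/2015:03:11:30 +0000] "GET /?q=Firefox/27.0 HTTP/1.1" 200 512 "-" "$UA37"
203.0.113.20 - - [01/Jan/2015:03:12:00 +0000] "GET /a HTTP/1.1" 200 512 "-" "$UA27"
EOF
}

sample_log | drop_rules 'Firefox/27.0' 3
```

Against the log from step 5, the same call would be `drop_rules 'Firefox/27.0' 3 < /usr/local/apache/domlogs/vhost`; raise the hit threshold on busy sites so a lone visitor on an old browser is not blocked.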

You now have a recipe to block all bots, but let’s go one step further.

Step 4: Block Bad Bots Using .Htaccess

.htaccess is a powerful tool. mod_rewrite makes it extremely easy to block bad bots using a particular user agent. We know that the click bomber is using Firefox 27, and we also know that this is an extremely outdated browser that our visitors rarely use, so it might be a good idea to block this bot using .htaccess until the Adsense team has blocked it on their end:

1. Open .htaccess in your root directory

2. At the top, add the following code. Modify the version number to match your findings. This will block only Firefox version 27, the version the click-bombing bot is using. Very few legitimate users are using Firefox 27; the most recent version is 37.0, so this is considered a safe solution for today. After today you may remove it.

# Return 403 Forbidden to any request whose User-Agent contains Firefox/27.0
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} Firefox/27\.0 [NC]
RewriteRule .* - [F,L]

Step 5: Get In Touch With Other Webmasters

There are many webmaster forums where you will find more information about widespread attacks. If other people report high CTRs, there’s a good chance someone is targeting the Adsense network.

CIDR Blocks You May Want To Block

Here is a list of IP blocks we have compiled together:


Even more IPs:
