Click bombing is when someone tries to damage your reputation with Google by deliberately clicking on Adsense ads you have on your site. Obviously neither the advertisers nor Google like that and Google may even close your Adsense account because of it.
Someone did that to me yesterday. I noticed because earnings were unusually high and continued so this morning. When I checked my logs, I found that a small set of IP addresses were the likely suspects, so I reported them to Google using this form and also configured iptables to drop them. If Google can confirm that they were the culprits, I'll report them to their ISP also.
To track them down, I extracted GET's of the pages with high earnings from that log and trimmed everything but the IP address from the result.
for i in `cat highpages` do grep 19/Apr logs/access.log | grep $i | sed 's/- -.*//' | sort -u done > suspected
That gave me a short list of suspected IP's. I grepped each of those from access.log and ran that through "wc -l".
for i in `cat suspected`; do echo -n "$i "; grep 19/Apr logs/access.log | grep $i | wc -l; done > checkthese
I edited those to leave only those with high numbers. The ones with high numbers were then dropped after checking to be sure they were not known spiders:
for i in `cat checkthese | sed 's/ .*//'` do host $i done
I then manually removed known spiders and put the rest in "badips".
for i in `cat badips` do /sbin/iptables -A INPUT -s $i -j DROP done
However, this jerk kept coming back from new IP's in the same netblock. I had to block the entire subnet to stop him. Of course I don't know if he has access to other IP's, so I'm still watching carefully.
I also ran my Logdropper script just to be sure.
At this time, revenue is still climbing, but that could be due to delayed reporting by Google. I'll give it a few hours and see where we are at.
It looks like this is a more wide spread attack, probably meant to harm Google itself rather than individual sites.
Foolish of them.. easy to notice.
Update: this guy noticed that the attacks were all using an old version of Firefox and suggested blocking on that. That's not a bad idea, but the USER-AGENT can be changed easily, so I'll continue to block by IP also,
Got something to add? Send me email.
More Articles by Anthony Lawrence © 2015-04-20 Anthony Lawrence