Adsense click bot is click bombing my site

11,243

Solution 1

Although I totally agree with danlefree and his previous answer, there are some ways to make it more difficult for bots, at least for "not-so-clever" bots.

1 - Other than IP and User-Agent strings, you could try to set a cookie and display ads only if the cookie is set. Also, if the bot uses cookies, try to see if it's clever enough to clear them when it changes IP (it probably will, but it's worth a shot). If it doesn't, then you could use a unique_id cookie to prevent the bot from clicking.

2 - If you have multiple bot-hits with the same IP, you could try also to display: none in the CSS file a block of code similar to an AD, and see if the bot clicks on it. If it does, you can ban it from hitting other ADs (until it changes IP).

3 - I do not think it's worth it, but you could try to train a Machine Learning algorithm that prevents displaying the ads to suspected bots, but you will probably have some (many) false positives, as it is really hard to predict what user is a bot based solely on behaviour (especially if the bot tries to emulate a human).

You probably cannot ultimately defeat this bot, but can still try to make its "life" harder.
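A minimal server-side sketch of points 1 and 2 above, added here as an example and not part of the original answer: ads are rendered only for a cookie the server itself issued, and a click on the hidden decoy bans both that cookie and the IP. The class `AdGate`, its method names and the one-hour ban are assumptions, and the traffic in `demo()` is constructed.

```python
import secrets
import time


class AdGate:
    """Decides per request whether to render ad units (in-memory state)."""

    def __init__(self, ban_seconds=3600):
        self.ban_seconds = ban_seconds
        self.issued = set()       # unique_id values this server handed out
        self.banned_ids = set()   # cookies that clicked the decoy
        self.banned_ips = {}      # ip -> ban expiry time (the bot may rotate IPs)

    def page_view(self, ip, cookie_id, now=None):
        """Return (show_ads, cookie_to_set)."""
        now = time.time() if now is None else now
        if cookie_id not in self.issued:
            # No cookie, or one we never issued: set one and hold ads back.
            new_id = secrets.token_urlsafe(16)
            self.issued.add(new_id)
            return False, new_id
        if cookie_id in self.banned_ids or self.banned_ips.get(ip, 0) > now:
            return False, None
        return True, None

    def decoy_click(self, ip, cookie_id, now=None):
        """Called by the URL behind the hidden (display: none) ad look-alike."""
        now = time.time() if now is None else now
        self.banned_ips[ip] = now + self.ban_seconds
        if cookie_id in self.issued:
            self.banned_ids.add(cookie_id)


def demo():
    gate = AdGate(ban_seconds=3600)
    # Constructed traffic; addresses come from the documentation ranges.
    show_first, cid = gate.page_view("203.0.113.5", None, now=0)
    show_second, _ = gate.page_view("203.0.113.5", cid, now=10)
    gate.decoy_click("203.0.113.5", cid, now=20)
    # Same cookie from a new IP: still blocked, because the cookie is banned.
    same_cookie_new_ip, _ = gate.page_view("198.51.100.9", cid, now=30)
    # A client that dropped its cookie starts over without ads on this view.
    fresh_client, _ = gate.page_view("198.51.100.9", None, now=40)
    return show_first, show_second, same_cookie_new_ip, fresh_client


if __name__ == "__main__":
    print(demo())
```

A client that clears its cookie and changes IP gets ads again on its second page view, which is the limit the answer itself acknowledges.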

Solution 2

How can I block a bot like this?

There is no foolproof way for you to block illegitimate clicks on ads served with your content - if a human can click the ads, so can a bot.

Detection and mitigation is Google's responsibility, so (beyond completing your due diligence by reporting activity which may reflect poorly upon the status of your AdSense account) you can limit the scope of your concerns regarding these bots to whether or not their activity is impacting site performance for legitimate visitors.


Author: Graham

Updated on September 18, 2022

Comments

  • Graham
    Graham over 1 year

    I have a site that gets roughly 7,000 - 10,000 page views per day right now. Starting around 1 AM on 7/1/12 I noticed the CTR was rising dramatically. These clicks would be credited then de-credited soon after. So, they were obviously fraudulent clicks. The next day I had about 200 clicks with about 100 of them being fraudulent. It's about 3 - 8 clicks per hour evenly dispersed for each of the three ads 24 hours a day. This leads me to believe that it's some sort of Adsense click bot. Also, I removed the ads last evening then put them back up around 3AM and the invalid clicks started within 10 minutes.

    I signed up for statcounter.com to analyze the exit links on the Adsense. Then I conditionally blocked ads for the IP address of the person / bot I suspected doing this. But, I think that the bot has several proxies to choose from and can refresh IP addresses.

    I've notified Google through the invalid click form / email 4 times over the past two days in order to let them know I'm aware of the situation and am working on a solution. I've also temporarily removed all ads on that site.

    How can I block a bot like this? Thank you.

  • Graham
    Graham almost 12 years
    My concern is Advertisers reporting this to Google. I haven't gotten credited for one illegitimate click, nor is it affecting legitimate users, but it does show over 100 invalid clicks per day. At some point that won't be OK with Google. I'm going to keep banning IPs associated with it and may have to ban all users from its provider e.g. Comcast or whatever (worst case scenario). Have you heard of this type of situation and how people deal with it? Also, can Google eventually solve this sort of problem on their end?
  • Jonx
    Jonx almost 12 years
    @Graham There are certainly mitigation measures which Google can take, however, this is an arms race with no immediate solution (let Google fight it - your resources are better spent on reporting where you see things Google didn't catch and building your site).
  • Anonymous
    Anonymous almost 12 years
    @Graham - I think you're right to be concerned. I've heard and read about no end of horror stories of Google terminating accounts and any unpaid funds along with it. Like danlefree says, as long as a human can click the ads, so can a bot - and it's Google's responsibility to ensure their advertisers aren't paying for invalid clicks, so leave it to them. I expect provided the attacker's IP address isn't your own (i.e. they don't suspect you're clicking your own ads), you should be fairly safe and they will simply discount all fraudulent clicks.
  • Graham
    Graham almost 12 years
    @danlefree - Thanks for the good suggestions. I agree that it should be Google's responsibility to catch this sort of behavior and put an end to it. However, it's ultimately the publisher's responsibility to take care of these situations. support.google.com/adsense/bin/…. That article explains Google's stance on this sort of behavior. I think Click bombing is something you have to expect and be prepared for.
  • Jonx
    Jonx almost 12 years
    I think you mean === false - strpos() will return 0 if the haystack starts with the needle (which, unless you're using a strict comparison, will evaluate loosely as false)
  • Graham
    Graham almost 12 years
    I'm not going for literal comparison though. It worked consistently as I had it. Otherwise if(!strpos($_SERVER['HTTP_USER_AGENT'], 'Chrome/20')) {} would work fine too.