How I Survive AdSense Ads Clickbombing Attack

About two weeks ago the AdSense ads displayed on my sites were click-bombed. It wasn’t a pleasant experience, knowing that if I can’t solve this matter my AdSense account was at risk of getting disabled or suspended. Whoooaaa – wait, wait… what? why? how? Don’t shout “Unfair” like many do… there’s an explanation for that…

Yes, if you are reading the official guide from Google, you’ll learn that:

If we determine that an AdSense account poses a risk to our ecosystem of publishers and advertisers, we may either disable or suspend that account and refund all account earnings along with Google’s revenue share to impacted advertisers.

So, whether it’s your mistake (e.g. clicking your own ads – which is, of course, prohibited) or not (e.g. click-bombed by someone else,) when Google AdSense Team thinks the clicks are unmanageable, they will suspend your account, cut your earnings and give them back to the Advertisers.

So, if you have ever read that Google stole someone’s AdSense money, that’s not true: Google voids your account and the money is returned to the Advertisers.

When your AdSense account got suspended, it’s trivial to get it active again. So, if your primary way to make money from your sites is via Google AdSense, you must do the right thing to keep your account in good standing.

So, what happened? What is “click-bomb” anyway?

First things first – what is clickbombing?

Clickbombing is basically a situation where your AdSense ads are clicked by someone else many times, in such a way that your report will generate many invalid clicks – and risking your account to get suspended.

Google does a great job handling invalid clicks. But in some cases, they are getting out of hands – which lead Google to suspension of your AdSense account.

Why would people clickbomb your ads? Well, perhaps your competitors hate you; perhaps someone just doesn’t like you to make money online, for some reasons; perhaps someone just do it for fun. Only God knows…

So, here’s what happened:

For some reasons, since late March 2013 my AdSense income skyrocketed. I should be happy, but looking at my AdSense report I learn that it’s due to invalid activities: CTR (click-through-rate – the percentage of ads clicked vs. ads displayed) doubled, even quadrupled. As I didn’t change anything, this got to be a clickbombing case.

I report to Google using this form: https://support.google.com/adsense/bin/request.py?&contact_type=invalid_clicks_contact

I detailed the attack from the form, so Google AdSense Team is well informed about my situation (yes – they DO respond and your message IS read by real people – I have the contact email of someone working in the AdSense Team – so, yes, real people DO read your report!

Here’s what I’ve tried to mitigate the clickbombing problems

Block IP addresses

I tried to block IP via my sites’ .htaccess.

order allow,deny
deny from xxx.xxx.x.xxx
allow from all

Replace xxx.xxx.x.xxx with the suspect’s IP address. How to detect IP address? No other ways than tracking your site visitors and discover abnormal activities of a particular IP address.

Here’s a useful list of monitoring tools you can use to see the IP addresses of your website visitors.

This one is failed… IPs are undetectable… no suspicious activities…

Use Clickbomb-protect WP plugin

My sites run on WordPress (self-hosted), so I tried to use a WordPress plugin – Clickbomb-protect.

It’s pretty effective in blocking IPs of someone clicking on the ads a couple of times (depending on your setting.) But it seems that I block the IPs of my site visitors who actually DO want to click the ads (so, I lose money on this…)

I use this tool, Check IP Reputation, to check the IP addresses’ reputation, and it seems the ones that were blocked were actually low risk/safe.

So, this plugin would works well against manual clickbombing, but not against script-generated invalid clicks.

Eureka moment…

I tried the 2 above and failed. Not that those two are bad solutions, but those two are effective against manual clickbombing. Mine was a case of clickbombing attack using scripts/bots.

What? Automatic? How do I know?

Firstly, I checked from Google AdSense’s country report, and discovered that the attack is from many countries (which means using dynamic IPs.) The attack continues with different IPs and originating countries everyday I checked. It’s got to be bots with the ability to use dynamic IP addresses.

With bots, it’s probably better for me to shut down all of my ads. But I decided to analyze things – using AdSense channels.

Eureka!

As I use different AdSense channels for my ads located on sidebar, homepage (top and bottom section using different channels) and inner page (also top and bottom using different channels,) I discovered that the the clickbombing bot only attacks AdSense ads displayed on homepage!

I removed AdSense ads on the homepage of my sites and keep the rest. Problems immediately solved!

Lessons learned

So, lessons learned. Here are some advices I can give you on how to survive AdSense ads clickbombing attack:

1. Be investigative
Try to detect IP address and block it. If the problems are recurring, the attack could very well be script or bot-based attack. Try using channels to detect where the attack occurs.

2. Update Google AdSense Team regularly
While I was under the clickbombing attack, I regularly contact Google AdSense Team and report my investigation, as well as the things I tried and the outcome of them. This (hopefully) shows them that in goodwill you are working on the issues on your part. Yes, it’s Google’s responsibility to ensure that invalid clicks won’t harm its clients (AdWords advertisers) but it’s site owners’ responsibility to ensure their sites are free from any spamware or harmful bots.

3. When things are getting worse…
If the clickbombing attack is sitewide with seemingly no possible solution, contact Google and ask for a solution. In the mean time, remove all ads from your site to avoid getting banned/suspended by the AdSense Team… and start looking for AdSense alternatives.

Do you have any tips to share? If so, please leave a comment on this blog post…

Ivan Widjaya
Founder/Editor AsepOnde.com

photo credit: keso via photopin cc