I hope this is the right place to ask (here is a similar question but the answers aren't specific for AdWords).
My Google AdWords campaign has been under attack for the past 3 days. Bots from different countries are clicking hard on my ads and trying to simulate activity (clicking links, scrolling) and it is driving my ad clicks up. I've contacted Google twice (chat and email), but their specialist hasn't gotten back to me. Time to be proactive!
I went through my logs and filtered on entries with ?gclid= in the URIs.
173.245.48.199 - - [17/Jun/2016:22:39:13 -0700] "GET /?gclid=COWYpKHusM0CFYZefgodOtoDjA HTTP/1.1" 200 4732 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
Then I made a unique sorted list of these IPs. It looks like this:
I ran them through this bulk reverse DNS tool and got results like this:
So these malicious AdWords clicks are coming from CloudFlare servers?
I searched for this phenomenon and got a result from "Why is CloudFlare attacking me?" stating:
- You're a CloudFlare customer with a domain on CloudFlare. Since we are a reverse proxy for sites using our service, our IPs are going to show in your server logs until you install something on your server to restore original visitor IP (mod_cloudflare for Apache servers, for example).
That's fine, but the traffic is coming from their servers. I found a list of CloudFlare servers here and entered them in my AdWords IP exclusions like so:
These IPs are excluded from finding these ads in their own right, but even when my campaign is paused (out of schedule, budget exhausted, paused), these clicks keep coming in. I think someone found the clickable AdWord URL and passed it to a botnet.
How can I further reduce this click fraud? What else can I do?
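An added example, not part of the original post: a log triage script for the situation described above. It pulls the gclid hits out of combined-format access log lines, flags source addresses that are really Cloudflare proxies, and lists gclid values that arrive more than once. It assumes a gclid is issued per ad click, so a repeated value points at a replayed landing URL; the two CIDR ranges are a subset of Cloudflare's published list, and the log lines and gclid values are constructed.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qs

# Subset of Cloudflare's published IPv4 proxy ranges (assumption: load the
# full, current list from Cloudflare in real use).
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in ("173.245.48.0/20", "162.158.0.0/15")]

# Combined log format: ip ident user [time] "METHOD uri PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample lines; gclid values are placeholders, not real click IDs.
SAMPLE_LOG = """\
173.245.48.199 - - [17/Jun/2016:22:39:13 -0700] "GET /?gclid=CONSTRUCTED_A HTTP/1.1" 200 4732 "-" "Mozilla/4.0"
162.158.104.35 - - [17/Jun/2016:22:39:20 -0700] "GET /?gclid=CONSTRUCTED_A HTTP/1.1" 200 4732 "-" "Mozilla/4.0"
162.158.108.113 - - [17/Jun/2016:22:40:02 -0700] "GET /?gclid=CONSTRUCTED_A HTTP/1.1" 200 4732 "-" "Mozilla/4.0"
203.0.113.7 - - [17/Jun/2016:22:41:10 -0700] "GET /?gclid=CONSTRUCTED_B HTTP/1.1" 200 4732 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Jun/2016:22:41:11 -0700] "GET /about HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

def is_proxy(ip):
    """True if the logged address is a Cloudflare proxy, not the visitor."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_NETS)

def analyze(log_text, replay_threshold=2):
    hits = Counter()             # gclid -> number of requests carrying it
    sources = defaultdict(set)   # gclid -> logged source addresses
    proxied = set()              # logged addresses inside Cloudflare ranges
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, uri, _status = m.groups()
        gclids = parse_qs(urlsplit(uri).query).get("gclid")
        if not gclids:
            continue             # not an ad-click landing request
        hits[gclids[0]] += 1
        sources[gclids[0]].add(ip)
        if is_proxy(ip):
            proxied.add(ip)
    replayed = {g: sorted(sources[g]) for g, n in hits.items() if n >= replay_threshold}
    return {"replayed": replayed, "proxy_ips": sorted(proxied)}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Addresses reported under proxy_ips identify Cloudflare's edge rather than the clicker, so per-visitor analysis or blocking needs the original visitor IP restored first, as the quoted Cloudflare text describes.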