2

I hope this is the right place to ask (here is a similar question but the answers aren't specific for AdWords).

My Google AdWords campaign has been under attack for the past 3 days. Bots from different countries are clicking hard on my ads and trying to simulate activity (clicking links, scrolling) and it is driving my ad clicks up. I've contacted Google twice (chat and email), but their specialist hasn't gotten back to me. Time to be proactive!

I went through my logs and filtered on entries with ?gclid= in the URIs.

173.245.48.199 - - [17/Jun/2016:22:39:13 -0700] "GET /?gclid=COWYpKHusM0CFYZefgodOtoDjA HTTP/1.1" 200 4732 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"

Then I made a unique sorted list of these IPs. It looks like this:

162.158.104.35
162.158.104.59
162.158.104.65
162.158.104.77
162.158.104.95
162.158.108.113
162.158.108.167
162.158.11.188
162.158.11.36
162.158.115.232
...

I ran them through this bulk reverse DNS tool and got results like this:

reverse dns

So these malicious AdWords clicks are coming from CloudFlare servers?

I searched for this phenomenon and got a result from Why is CloudFlare attacking me? stating:

  1. You're a CloudFlare customer with a domain on CloudFlare. Since we are a reverse proxy for sites using our service, our IPs are going to show in your server logs until you install something on your server to restore original visitor IP (mod_cloudflare for Apache servers, for example).

That's fine, but the traffic is coming from their servers. I found a list of CloudFlare servers here and entered them in my AdWords IP exclusions like so:

exclude IPs

These IPs are excluded from finding these ads on their own right, but even when my campaign is paused (out of schedule, budget exhausted, paused), these clicks keep coming in. I think someone found the clickable AdWord URL and passed it to a botnet.

How can I further reduce this click fraud? What else can I do?

Drakes
  • 121
  • 4
  • I don't want to pollute the question, so I'll suggest it here: One idea I have is on the attacked site to block (with htaccess) the IPs in the exclusion list above if the querystring parameter 'gclid' is present. I'd send those requests to a black hole. BUT, how might this interfere with Google's click-fraud algorithm?? Does anyone have experience with this? A Google specialist has yet to get back to me. – Drakes Jun 19 '16 at 13:51
  • 2
    I think you'll need to work this out with Google. Sorry – Neil Smithline Jun 19 '16 at 16:45
  • or CloudFlare is simply enumerating your links so they can cache them – schroeder Jun 20 '16 at 12:04
  • The links are Google ad links. I grep'd on gclid. Plus in real-time I could see the activity, like scrolling. We can rule out caching. I'm waiting for Google to open. I'll find out and post results. I'm sure this is important to many people too. – Drakes Jun 20 '16 at 13:15
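
The log filtering described in the question, as an added example that is not part of the original post or its comments: it groups `gclid` hits from a combined-format access log, separates proxy addresses from direct ones, and counts how often each `gclid` value recurs. The function names are hypothetical, the CIDR list is assumed to be a subset of Cloudflare's published IPv4 ranges, and every sample line except the first (taken from the question) is constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: a subset of Cloudflare's published IPv4 ranges; refresh the list
# from https://www.cloudflare.com/ips-v4 before relying on it.
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "162.158.0.0/15", "141.101.64.0/18", "108.162.192.0/18",
)]

# Combined log format: ip, ident, user, [timestamp], "request", status, size, referer, UA
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?:GET|POST|HEAD) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
GCLID_RE = re.compile(r'[?&]gclid=([^&\s]+)')

# First line is the entry quoted in the question; the rest are constructed.
SAMPLE = [
    '173.245.48.199 - - [17/Jun/2016:22:39:13 -0700] "GET /?gclid=COWYpKHusM0CFYZefgodOtoDjA HTTP/1.1" 200 4732 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"',
    '162.158.104.35 - - [17/Jun/2016:22:41:02 -0700] "GET /?gclid=COWYpKHusM0CFYZefgodOtoDjA HTTP/1.1" 200 4732 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"',
    '203.0.113.7 - - [17/Jun/2016:22:45:10 -0700] "GET /?gclid=CONSTRUCTED123 HTTP/1.1" 200 4732 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [17/Jun/2016:22:46:00 -0700] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

def is_cloudflare(ip):
    """True when the logged address is a reverse-proxy edge, not the visitor."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_NETS)

def summarize(lines):
    """Group ad-click hits by gclid; report proxy IPs, direct IPs, repeated gclids."""
    by_gclid = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        g = GCLID_RE.search(m["path"]) if m else None
        if g:
            by_gclid[g.group(1)].append((m["ip"], m["ua"]))
    ips = {ip for hits in by_gclid.values() for ip, _ in hits}
    return {
        "proxy_ips": sorted(ip for ip in ips if is_cloudflare(ip)),
        "direct_ips": sorted(ip for ip in ips if not is_cloudflare(ip)),
        # A gclid identifies one ad click, so repeats point to a replayed URL.
        "replayed": {g: len(h) for g, h in by_gclid.items() if len(h) > 1},
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Addresses reported under `proxy_ips` say nothing about the visitor; they only become useful once the server restores the original visitor IP, as the quoted CloudFlare answer describes.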

0 Answers