We have a webapp. 3rd party websites put our banners on their pages (banner is a snippet of HTML). They are paid for it using "Pay per click" or "Pay per show" methods.
So 3rd party website's owners are interested in abusing this payment methods by e.g. clicking banner a lot of times/creating bots/etc.. I'd want to defend against such abuses.
How can I defend against such show/click fraud?
After reading some parts of AdWords help and this report I know that I should log some info about each click like exact time, IP address, user-agent, tracking cookie. And then apply some filters to those logs:
- Period between repetitive clicks. If it's too low, discard all but one of them
- Statistical analysis of clicks per time period. If number of clicks per current period is significantly larger than average, this activity should be reviewed
- Check banner environment for reality: cookie support, JS code execution, comparison of user-agent and browser JS detection, comparison of JS detected locale, timezone and source IP
- If percent of already detected invalid clicks originating from a particular IP address is significantly higher than from other IPs, and number of clicks is significantly large, then all clicks from this IP address should be discarded
- Shows/clicks coming from IPs in http:BL of Project Honeypot, countries not in areas where users live, datacenter IPs
Please, advice other filters that will be useful. Also I don't know proper settings that should be used in those filters. What are they?