Adwords click or bot


fritzelly
09-28-2013, 04:05 AM
I have lots of the following example entries

24 Sep 07:24:33 | IE 8.0 | WinXP | 1024x768
Mountain View, California, United States
Google (66.249.83.61)
<url>
www.google.de www.mysite.com+key-words#4

I assumed at first they are Google bots from Adwords checking the ads are running, I get one or two every day and they never go further than the initial page. It's highly unlikely someone would be searching for them using my url.
Can anyone confirm they are bots, and if they are, then why are they presenting themselves as XP and IE8, sometimes Vista and sometimes IE7?
When comparing my clicks in Adwords I always ignore them and my visitors and clicks usually match up.

fritzelly
10-23-2013, 01:57 AM
No one got an explanation for this?

tosommerfugle
10-23-2013, 04:46 PM
No explanation, but a couple of thoughts. I'd be surprised to see Google cloaking as "Windows XP"; I'd say that it is more likely that someone is using certain Google features as a proxy server, possibly to avoid you being able to see who's there. Why they would do that is unclear, but it might be part of preparing for spam or hacking. Or something else.

fritzelly
10-24-2013, 12:23 AM
Thanks for replying
After some investigating it turns out it is either Google's Live Site Preview (strange since it has been dropped) or private proxies for Google staff.
But they are definitely not public proxies.

So still not sure.
I doubt it is Joe Public, because they are using the exact terms in my Adwords and every day there are usually two of them and they never go beyond the searched page.

rotarysteve
10-24-2013, 07:00 AM
It's hard to tell what is showing up in your stats.

I'm experiencing a perplexing situation with a major pest to my site.

Having recently endured the changing of hosts, as one company bought out the other, I've been paying a bit more attention to my server logs and find a lot of activity from a huge pest. This pest has been hitting the site from both before and after the host change. I did take a chance and look at one of the referral pages, but no visible hints to the page--hits in question.

Here are some of the examples that do not show up in SC..... but this is amazing, all from the same server, with different referrals, after a page that doesn't exist, 'though it does exist in the stats directory-despite the 404', and using different user agents. Also looks like an approximate 11 minute span between these groups of hits. Any Ideas Here????

52.216.151.178.triolan.net - - [24/Oct/2013:00:51:54 -0400] "GET /stats/usage_201207.html HTTP/1.0" 404 5824 "http://flavors.me/floventventolinp6" "Opera/9.80 (Windows NT 5.1; MRA 6.0 (build 5998)) Presto/2.12.388 Version/12.11"
52.216.151.178.triolan.net - - [24/Oct/2013:00:51:54 -0400] "GET /stats/usage_201207.html HTTP/1.0" 404 5824 "http://flavors.me/floventventolinp6" "Opera/9.80 (Windows NT 6.1; WOW64; U; Edition Next; Edition Yx; ru) Presto/2.11.310 Version/12.50"
52.216.151.178.triolan.net - - [24/Oct/2013:00:51:54 -0400] "GET /usage_201207.html HTTP/1.0" 404 5824 "http://flavors.me/floventventolinp6" "Opera/9.80 (Windows NT 6.1; WOW64; U; Edition Next; Edition Yx; ru) Presto/2.11.310 Version/12.50"
52.216.151.178.triolan.net - - [24/Oct/2013:00:51:55 -0400] "GET /stats/usage_201207.html HTTP/1.0" 404 5824 "http://flavors.me/floventventolinp6" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0"
52.216.151.178.triolan.net - - [24/Oct/2013:00:51:55 -0400] "GET /usage_201207.html HTTP/1.0" 404 5824 "http://flavors.me/floventventolinp6" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0"
52.216.151.178.triolan.net - - [24/Oct/2013:00:51:55 -0400] "GET /stats/usage_201207.html HTTP/1.0" 404 5824 "http://flavors.me/floventventolinp6" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.91 Safari/537.11"
52.216.151.178.triolan.net - - [24/Oct/2013:00:51:56 -0400] "GET /usage_201207.html HTTP/1.0" 404 5824 "http://flavors.me/floventventolinp6" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.91 Safari/537.11"
52.216.151.178.triolan.net - - [24/Oct/2013:01:02:55 -0400] "GET /stats/usage_201207.html HTTP/1.0" 404 5824 "http://flavors.me/lincocinantibioticop5" "Opera/9.80 (Windows NT 5.1; Edition Yx) Presto/2.12.388 Version/12.10"
52.216.151.178.triolan.net - - [24/Oct/2013:01:02:55 -0400] "GET /stats/usage_201207.html HTTP/1.0" 404 5824 "http://flavors.me/lincocinantibioticop5" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.22) Gecko/20110902 Firefox/3.6.22"
52.216.151.178.triolan.net - - [24/Oct/2013:01:02:56 -0400] "GET /usage_201207.html HTTP/1.0" 404 5824 "http://flavors.me/lincocinantibioticop5" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.22) Gecko/20110902 Firefox/3.6.22"
52.216.151.178.triolan.net - - [24/Oct/2013:01:02:56 -0400] "GET /stats/usage_201207.html HTTP/1.0" 404 5824 "http://flavors.me/lincocinantibioticop5" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.79 Safari/537.4"
52.216.151.178.triolan.net - - [24/Oct/2013:01:02:56 -0400] "GET /usage_201207.html HTTP/1.0" 404 5824 "http://flavors.me/lincocinantibioticop5" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.79 Safari/537.4"
52.216.151.178.triolan.net - - [24/Oct/2013:01:02:57 -0400] "GET /stats/usage_201207.html HTTP/1.0" 404 5824 "http://flavors.me/lincocinantibioticop5" "Mozilla/5.0 (Windows NT 5.2; rv:12.0) Gecko/20100101 Firefox/12.0"
52.216.151.178.triolan.net - - [24/Oct/2013:01:02:57 -0400] "GET /usage_201207.html HTTP/1.0" 404 5824 "http://flavors.me/lincocinantibioticop5" "Mozilla/5.0 (Windows NT 5.2; rv:12.0) Gecko/20100101 Firefox/12.0"
52.216.151.178.triolan.net - - [24/Oct/2013:01:13:53 -0400] "GET /stats/usage_201207.html HTTP/1.0" 404 5824 "http://flavors.me/wheretobuygynelotriminbe" "Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1"
52.216.151.178.triolan.net - - [24/Oct/2013:01:13:53 -0400] "GET /stats/usage_201207.html HTTP/1.0" 404 5824 "http://flavors.me/wheretobuygynelotriminbe" "Mozilla/5.0 (Windows NT 5.2; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0"
52.216.151.178.triolan.net - - [24/Oct/2013:01:13:53 -0400] "GET /usage_201207.html HTTP/1.0" 404 5824 "http://flavors.me/wheretobuygynelotriminbe" "Mozilla/5.0 (Windows NT 5.2; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0"
52.216.151.178.triolan.net - - [24/Oct/2013:01:13:54 -0400] "GET /stats/usage_201207.html HTTP/1.0" 404 5824 "http://flavors.me/wheretobuygynelotriminbe" "Mozilla/5.0 (Windows NT 5.2; rv:17.0) Gecko/17.0 Firefox/17.0"
52.216.151.178.triolan.net - - [24/Oct/2013:01:13:54 -0400] "GET /usage_201207.html HTTP/1.0" 404 5824 "http://flavors.me/wheretobuygynelotriminbe" "Mozilla/5.0 (Windows NT 5.2; rv:17.0) Gecko/17.0 Firefox/17.0"
52.216.151.178.triolan.net - - [24/Oct/2013:01:13:54 -0400] "GET /stats/usage_201207.html HTTP/1.0" 404 5824 "http://flavors.me/wheretobuygynelotriminbe" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0"
52.216.151.178.triolan.net - - [24/Oct/2013:01:13:55 -0400] "GET /usage_201207.html HTTP/1.0" 404 5824 "http://flavors.me/wheretobuygynelotriminbe" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0"
52.216.151.178.triolan.net - - [24/Oct/2013:01:25:24 -0400] "GET /stats/usage_201207.html HTTP/1.0" 404 5824 "http://flavors.me/buyaugmentinonlinefl" "Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.95 Safari/537.11"
52.216.151.178.triolan.net - - [24/Oct/2013:01:25:25 -0400] "GET /stats/usage_201207.html HTTP/1.0" 404 5824 "http://flavors.me/buyaugmentinonlinefl" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.92 Safari/537.4"
52.216.151.178.triolan.net - - [24/Oct/2013:01:25:25 -0400] "GET /usage_201207.html HTTP/1.0" 404 5824 "http://flavors.me/buyaugmentinonlinefl" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.92 Safari/537.4"
52.216.151.178.triolan.net - - [24/Oct/2013:01:25:26 -0400] "GET /stats/usage_201207.html HTTP/1.0" 404 5824 "http://flavors.me/buyaugmentinonlinefl" "Opera/9.80 (Windows NT 6.2; WOW64; MRA 8.0 (build 5784)) Presto/2.12.388 Version/12.11"
52.216.151.178.triolan.net - - [24/Oct/2013:01:25:26 -0400] "GET /usage_201207.html HTTP/1.0" 404 5824 "http://flavors.me/buyaugmentinonlinefl" "Opera/9.80 (Windows NT 6.2; WOW64; MRA 8.0 (build 5784)) Presto/2.12.388 Version/12.11"
52.216.151.178.triolan.net - - [24/Oct/2013:01:25:26 -0400] "GET /stats/usage_201207.html HTTP/1.0" 404 5824 "http://flavors.me/buyaugmentinonlinefl" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) YaBrowser/1.1.1084.5409 Chrome/19.1.1084.5409 Safari/536.5"
52.216.151.178.triolan.net - - [24/Oct/2013:01:25:27 -0400] "GET /usage_201207.html HTTP/1.0" 404 5824 "http://flavors.me/buyaugmentinonlinefl" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) YaBrowser/1.1.1084.5409 Chrome/19.1.1084.5409 Safari/536.5"

tosommerfugle
10-24-2013, 09:06 AM
rotarysteve, that looks like a classic case of referer spam. By making fake pagehits, they're hoping to gain visits. One way would be if you explore the referer links, and get tempted to buy something, or infected with malware (if you have a less secure browser). Another way would be if the targeted site publishes stats info, leading to the possibility of getting links for SEO, or possibly even clicks. A third way would be if a helpful 404 page generates clickable links, searches, or whatever. A fourth way would be if the bemused webmaster asks questions, spreading the spammy links :-)

If you have had a stats package (like Webalizer) installed on those URLs, that may have been a place they wanted their links to appear in.
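
An added example, not part of any post in this thread: one way to pick the referer-spam pattern described above out of an Apache combined-format access log, by flagging clients that send off-site Referer headers while rotating User-Agent strings and collecting mostly 404s. The function name, thresholds, host names and sample log lines are all constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def find_referer_spam(lines, own_host, min_hits=4, min_agents=3):
    """Return {client_host: summary} for clients that look like referer spammers:
    repeated hits carrying an off-site Referer, rotating User-Agent strings,
    and at least half of the responses being 404 (pages that do not exist)."""
    per_client = defaultdict(lambda: {"hits": 0, "errors": 0, "agents": set(), "referers": set()})
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        ref_host = urlparse(m["referer"]).hostname
        if not ref_host or ref_host == own_host or ref_host.endswith("." + own_host):
            continue  # no Referer, or an internal one: not referer spam
        c = per_client[m["host"]]
        c["hits"] += 1
        c["errors"] += m["status"] == "404"
        c["agents"].add(m["agent"])
        c["referers"].add(ref_host)
    return {
        host: {"hits": c["hits"], "agents": len(c["agents"]), "referers": sorted(c["referers"])}
        for host, c in per_client.items()
        if c["hits"] >= min_hits and len(c["agents"]) >= min_agents and c["errors"] * 2 >= c["hits"]
    }

# Constructed sample log (documentation addresses and .example names, not real traffic).
SAMPLE = '''\
203.0.113.7 - - [24/Oct/2013:00:51:54 -0400] "GET /stats/usage_201207.html HTTP/1.0" 404 5824 "http://spam.example/a" "Opera/9.80 (Windows NT 5.1)"
203.0.113.7 - - [24/Oct/2013:00:51:54 -0400] "GET /usage_201207.html HTTP/1.0" 404 5824 "http://spam.example/a" "Mozilla/5.0 (Windows NT 6.1; rv:16.0) Firefox/16.0"
203.0.113.7 - - [24/Oct/2013:00:51:55 -0400] "GET /stats/usage_201207.html HTTP/1.0" 404 5824 "http://spam.example/a" "Mozilla/5.0 (Windows NT 5.1) Chrome/23.0"
203.0.113.7 - - [24/Oct/2013:01:02:55 -0400] "GET /stats/usage_201207.html HTTP/1.0" 404 5824 "http://spam.example/b" "Mozilla/5.0 (Windows NT 5.2; rv:12.0) Firefox/12.0"
198.51.100.20 - - [24/Oct/2013:01:03:10 -0400] "GET /index.html HTTP/1.1" 200 4210 "http://www.google.de/search?q=key+words" "Mozilla/5.0 (Windows NT 6.1) Firefox/24.0"
198.51.100.20 - - [24/Oct/2013:01:03:12 -0400] "GET /about.html HTTP/1.1" 200 3100 "http://www.mysite.example/index.html" "Mozilla/5.0 (Windows NT 6.1) Firefox/24.0"
'''.splitlines()

if __name__ == "__main__":
    print(find_referer_spam(SAMPLE, "www.mysite.example"))
```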

rotarysteve
10-24-2013, 10:35 PM
The old webhost had the webalizer and publishing public stat pages. So, that is it then. I did check the page they're trying to hit, and their address isn't in there anywhere. They must have just found a page to attack and are just having at it. They may be in those stat pages somewhere, but oh well. I suppose if they keep this up, I'll just block the IP. Doesn't make sense to me for them to do this, as percentage-wise, who looks at server logs, :lol:

Wonder if we should get someone to cutout the server log section of my last post, though they're unclickable, as I don't have access to update the post anymore???

Thank You.....

tosommerfugle
10-24-2013, 11:16 PM
I'd not feel too bad about nonclickable links, which do not gain any SEO benefit. The links got clickable in my email inbox, but that does not make me click them :-)

Quite a few webmasters do probably look at stats pages, depending on what tools they have available. However, public stats pages are useful to referer spammers, as the search engines may read such pages, and in principle see links trusted by the site owner. You can find lots of Webalizer stats pages in Google, which is probably how the spammers found you.

rotarysteve
10-25-2013, 05:00 AM
Not sure what ur e-mail has to do with the OQ, but u can PM me with that.

Thanks for the insight....

tosommerfugle
10-25-2013, 09:37 AM
Notifications about forum responses come by email, including spam links made clickable. No problem.

Posted here in case others wonder.

rotarysteve
10-27-2013, 07:44 AM
Notifications about forum responses come by email, including spam links made clickable. No problem.


I understand the e-mail reference better now.

I turned that option off through my CP with the forum many moons ago. Don't even remember the when/why or how, but for some reason, I didn't want the auto-response from the forum. Also, I don't allow images with my e-mail client that I'm using. I get tons of spam because of the web-site, but am slowly fixing the site with e-mail through forms.

All the "buyer beware".

Thanks...... :cool:

rotarysteve
11-03-2013, 06:38 AM
Seems that the original pest, triolan has passed the hat to new folks, at least a different server. They are hitting my site's server pretty regular.

It's amazing, though, as the stats were in an orphaned folder. Not in the public folder, but in a stats folder right next to the public folder. Though, Google has the stats indexed quite well.

Since the change in hosts, the new host doesn't use webalizer and/or have the separate stats folder, for the stats. Though since I wanted to hang on to the info, I saved the 'stats' stuff, and it now is a part of the public folder, though still orphaned.

These buggers are really riding my bandwidth pretty hard, though I'm not too concerned with them exceeding my available bandwidth.

From what I'm now seeing in my logs, they are looking for 'stat' or 'stats'

I believe that.... that's the key to their successful attacks, the word 'stat' or 'stats'

I've seen some recent '200' server responses to the folder stats, then followed by the '400' responses.

Suppose that I could just change the folder's name???

rotarysteve
11-14-2013, 05:44 AM
Gosh,

These triolan dot net people have hit my last nerve......

Since my stat folder is supposedly orphaned, and changing the folder name to throw them off the scent, ahhhh, them buggers.

They get the true 404, but since I have a 404 page, still eating up bandwidth.....

Let's experiment with me 'ol .htaccess file..............

rotarysteve
11-14-2013, 06:33 AM
oooooh,

looks like they're spoofing the IP address.....

Will See,

Games On!!!!

rotarysteve
11-14-2013, 07:41 AM
Well,

Some improvement, still getting hit from triolan and others from Russia and Montenegro, but now am denying by referrer and that's reduced the bandwidth usage by tons and sending them a 403.

Wonder if it would help to send them 410's instead.... Ah well, alas..... Game is still on.

Spoke with my host and dunno about how up they are on this type of problems, but he said that the TLD deal is going to start going away.... mind boggling, but he said that there will be no more .com's .org's .net's .ru .me sites

dunno if I can believe that.......

rotarysteve
11-16-2013, 06:58 AM
Ha,

Learning more as I go.......

Need to find out more about redirects.....

Whose bandwidth gets the hit.

Short term band-aid.... All of Russia is banned..... lol.....

Can put the hits back into the spammer's site it seems, could be even more evil I suppose, need to study re-directs more.....

Input Welcome :evil:

rotarysteve
11-18-2013, 11:59 PM
Well, will call it limited success.... Have reduced bandwidth by tons, even requests to the server have been reduced a half ton.. :)

Of course Russia is still blocked via the tld in the referrer, but also blocking another via referrer, then one by IP and another or two via remote_host

sending them back to the referrer site they're trying to spam.

Alf Walters
11-20-2013, 04:23 PM
I absolutely hate paying for ad clicks. One firm simply used robots and cost me hundreds a day then had the cheek to ask for more.
I don't imagine Google would be so low down but this firm were properly with all fancy website.
Due to statcounter (god love em) I found thousands of hits to one page always the same page and no further clicks at all.
I told them they were a con and they gave the usual long winded response.
But I have never found ad clicks work.
NEVER worked for me.
Yet it is so tempting to just get hits rather than months of climbing the serps which is impossible in my mind.
Statcounter showed me that I was being conned yet their whole site was very professional and all.

rotarysteve
11-21-2013, 03:14 AM
Can only say with Google, why not......

Not to make any accusations, but for now, I've blocked all of Russia.... But, why not hire some offshore telecom-new hire for manipulation of the net.

But, this is not the beginning especially since Facebook went public a few months back and now Twitter is now a publicly exchanged company...

Could any of the above 'three' dip so low...

I can't/don't even trust my own government anymore. Go USA!!!!! So, not too trusting at this point.

Overall, been rid of some of the pests, but have been crawled pretty heavily today, will just have to look into the sources.