Is PlanetLab being used for automated distributed click fraud?

This last week's been very interesting, not all in a good way. Yes, my book Make Easy Money with Google goes on sale in two days (June 17, 2005). Yes, I was excited to get my first copy of the printed book. But Google wants me to take my ads off of MakeEasyMoneyWithGoogle.com, the book's companion site (and host site for this blog, of course). Not ideal for a site describing an AdSense book, is it?

The problem isn't with my site, actually, but with what someone's doing with it. As I mentioned in a previous blog entry, I had some suspicious activity in my access logs. Different IP addresses across the world were accessing this site's home page at regular, 20-second intervals. What's more, some of those accesses were obviously clicking ads on the page, because my impression count and clickthrough rates went skyhigh. I reported this to Google and they confirmed that it appeared to be fraud and deducted the bogus earnings from my account. All well and good, though annoying because a few of those clicks would have been legitimate.

Unfortunately, the zombies came back. This time I decided to be a bit forensic about it. I noticed some interesting patterns in the hostnames that matched up to the IP addresses. A lot of them had “planetlab” host names or “CoDeeN” user agent strings. Looking up what PlanetLab and CoDeeN are, it seems to me that someone was using the PlanetLab and CoDeeN infrastructures to do automated, distributed click fraud. Sophisticated system, it would seem, although I don't know why they'd keep pounding on a single site like mine for so long. More on this as I figure it out.

Comments