Testresults: Adwords IP & Hostname Cloaking

madsem

New member
Sep 7, 2009
Hi,

first post here, I normally don't write a lot in forums because I'm working a lot on my campaigns and stuff, but I figured this could be of interest for some fellow marketers here.

As most of you I was getting slapped left and right by Adwords (mainly content network) and I figured I should try cloaking my landingpages.

So I coded a script which cloaks my landingpages based on incoming IP addresses, IP ranges, hostnames and user agents.

I've added a ton of ip addresses from every known cloaking program, added all registered IP ranges from Google & others and of course all the known user-agents.

Now my campaign lasted 4 days :)

But that's not the reason why I post here, to whine about how I got raped by the Adwords nazis, the reason is that the way the manual review happened was very uncommon...

First my campaign stopped getting impressions (only a few thousand trickled in, and I got no more clicks, that's how I know no regular visitor was on my site. At least not a lot...)

Then later tonight it started that the Adwords-Bot hammered my site, approx. 1-2 requests per second, then about 4 hours ago I saw some suspicious IP addresses, referers and hostnames.



Normally I read a lot of people saying that Google always comes over a Google hostname, or level3 etc. but for me it was totally different now.

First hostname I saw was:
la3.desireerocks.com

IP: 72.51.38.166, registered to Serverbeach

This hostname hit my site then about 20 times, with 3 different IP addresses. I looked up who registered this site, the registrant was a woman. (As you can easily find out I guess) When I googled her name I found out that exactly this person works for Google's Advertising Department.

I banned this hostname immediately, a little bit later I got hit by server1.tex.icehockeyjapan.com, Domains by proxy but hosted in Mountain View, CA

IP: 66.135.37.248, which is registered also to serverbeach

After that I got hit several times by iPhones, coming from various Verizon IPs, I also received more hits without hostname but IPs resolving to Serverbeach again etc.


That's now approx. 3 hours ago, and since I received the last hit from all these weird hostnames and IPs, my campaign's impressions stopped completely, so yeah...fully slapped. (Maybe even me banned now that they found me cloaking haha)



However, I figured that could be interesting since it seems like they are starting to check suspicious websites not only from Google hostnames but also from domains registered to Google employees and various ISPs like Verizon etc.

I would appreciate it if someone had a tip how I could prepare my script for stuff like that, how to cloak a review like this. because I'm puzzled.

Ah and btw. Google sucks
 



Good post.

I'm not sure what you can do on top of what you are doing at the moment. If they really are suspicious of your pages then they will find out what you are doing, it doesn't take much as you can see they can just fire up their iPhones and it's good night vienna.
 
Maybe you'll have to run a whois on each of these hits. Everyone leaves footprints.

And, to not risk a ban, read into mosaic cloaking.
 
 
Maybe you'll have to run a whois on each of these hits. Everyone leaves footprints.

And, to not risk a ban, read into mosaic cloaking.

Thanks for the tip, just started to read about this technique, but this is exactly what I did already, I didn't cloak the whole page, only a small portion of my site was cloaked...
 
Interesting post. Seems like Google is going above and beyond to combat advertisers cloaking. Not much you can do if they keep using different ips/hostnames.
 
And, to not risk a ban, read into mosaic cloaking.

Sorry to burst your bubble dude but mosaic cloaking will make no difference. If a google employee does in fact use a legit referer it will expose exactly what he is up to.
 
.......
First hostname I saw was:
la3.desireerocks.com
........
server1.tex.icehockeyjapan.com, Domains by proxy but hosted in Mountain View, CA
IP: 66.135.37.248, which is registered also to serverbeach

I've had 'desireerocks' blocked for quite a while as I used to see something similar to what you described. The second one is a new one, as I've checked the last 12mths of logs and have not seen it yet.
 
Good detective work.

What's even more interesting to me is the fact that more ServerBeach Ips came in and then from Verizon. It's almost like you've got a Level 1 Support Person whose job it is to "find" compromised websites, then they report the link to a Level 2 person who confirms it's bad, then the link goes to possibly a Level 3 person who can push the button to slap the campaign (this is purely speculative)

Assuming I'm even partially right, if everybody can spot a level 1 IP hitting their site, a script could be written to completely change the design once this IP range is detected, so by the time Level 2 support sees the site, they'll see something totally diff't, and go back to Level 1 and say "Dude, put on your fucking glasses, this site is fine", and the Level 1 guy rubs his eyes and says "I need a break"

Wishful thinking, I know. I can dream.
 
Very rare that a legit user would come through server beach of course, so cloaking them is a good idea. I haven't cloaked in a while, but here's some more ideas.

- Cloak everything that looks like it's coming from a datacenter. Rackspace, theplanet, etc etc etc.
- If there is no hostname, or the hostname == ip, cloak
- Whitelist known ISPs. The Verizon IPs you saw make this difficult, but I used to have some success with this - i.e. if the IP comes back as AOL, forward them on to the money site. If I don't have their ISP on file, cloak.
- Are people really gonna buy your shit through an iPhone? If not, cloak.
- GeoIP. Most bots I see will have unknown state / city in a geo ip database, or if not, it'll show up as mountain view, california.
- Browser history CSS hack. For manual reviews, this would be a lot more effective if you knew the internal reviewers system URL of course. But as an example, if the visitor comes in and you see they've been to the adwords login page, they are at best a competitor, possibly a google employee. Cloak.

No one way, usually best to score the visitor based on a number of factors. Good luck :)
 
- Browser history CSS hack. For manual reviews, this would be a lot more effective if you knew the internal reviewers system URL of course. But as an example, if the visitor comes in and you see they've been to the adwords login page, they are at best a competitor, possibly a google employee. Cloak.

Good stuff :) Only problem is that the new Adwords interface deletes the referers, there is no referer anymore so I can not say if someone is coming over an Adwords system url. shitty :(

I almost begin to think Google doesn't want us to cloak our pages?!
 

Quality stuff. Heard about the CSS hack a while back. Time to put it to use.
 
This CSS history hack is great.... But it might be that Google employees use some internal domain for the Ad reviews. The best would be to have some rat and see how they work from the inside ;)