An attack on a campaign in Direct

s2709:
90% - it's your fault
and 10% - a new kind of click fraud

Are you not the first line of Yandex technical support? :)

Here are filtered statistics for the visits tagged with yclid that my server received. By IP: 90% Hetzner, 10% OVH; I think these names are familiar to you...

Total: 156

I temporarily disabled my server's firewall for some of the problematic IPs from Germany, in the hope that they would get past my defenses, the page would load for the user, and the counter would send information about the visit to Metrica for analysis.

However, my expectations were not met. The Apache logs on my server really do show requests tagged with yclid from the problematic IPs, but these visits are not in Metrica!

In addition, my server logs show that the page is requested, but no further requests follow for the content embedded in that page (css, js, images and so on)!!!

This can only mean that, on the user's side, these yclid URLs were requested not through a standard web browser (even if you disable cookies and js, the images must still be loaded!); these hits were simply a single HTTP request for the page's HTML code, without a browser interpreting it!!!

Yandex tech support only needs to analyze the yclid values I gave them, and I'm a million percent sure that the IP, browser, operating system and country do not match between the search query, the click and the actual visit to my site. And the same goes for every yclid in the log I sent them...

This suggests that the attacker most likely runs the search through a Russian proxy (perhaps even airsocks), then "pulls" from the results the link to my ad, of the form http://yabs.yandex.ru/count/ ..., and passes this link to a "gray" server in Germany, where software emulates a click on the link to obtain a yclid. As a result, a single HTTP request with a yclid is recorded on my server, but the page is not actually loaded (its content is not requested, and the counter sends no data to Metrica).

Let me explain what this achieves for the attacker:

1. I do not see the real IP from which the search phrase was requested and the ad impression triggered in the search results (SERP). This gives me no chance to block these IPs in the Direct campaign settings. I can block the IP the click came from, but why should I? What I need is for the ad not to be shown!

2. By using a Russian proxy for the search (the impression), the attacker does not need to bother with changing the display region in the browser.

3. Because a foreign IP (server) is used, it is difficult for me to appeal to the hosting provider to take action against him.

4. By making a single request to my website through the browser and simply downloading the page's HTML code, he sends no statistics to Metrica, knowing that Yandex requires exactly that for an investigation, and so makes it difficult to appeal to them.

5. Without seeing the actual IP from which the search requests were made, I cannot appeal to law enforcement agencies.

For July 16, there are at least 27 of these "bogus" visits in my server logs (this is what I found in 10 minutes of cursory analysis). At the same time, according to the statistics, Yandex recognized 13 as invalid (including other click fraud)!!!

It is obvious that the 200 filters do catch malicious activity, but just 2 more filters would reduce the fraud scheme I described to almost nothing.

A click should be recognized as invalid if (one of):

1. The parameters of the visit that initiated the search query (IP, web browser, operating system) do not match the parameters (IP, web browser, operating system) of the request that obtained the yclid, i.e. the click.

2. A yclid was issued (the click went through), but no information about a visit to the site was transferred to Metrica for it. Here, of course, fraud on the part of the advertiser is possible, but I'm sure Yandex will figure out how to deal with that. At the very least, such a click should immediately be suspect.

Yandex tech support does not understand, or pretends not to understand, the substance of the matter. They point out that they see these IPs neither in Direct's statistics nor in Metrica. NATURALLY!!! Because what shows up in Direct is the Russian proxy IP from which the request for the impression was made, and Metrica has no such data because the counter is never loaded!

s2709:
but very often the search queries look very much like the impressions are being generated by a robot
but in the end these are impressions on some Yandex Images, Yandex Maps, etc.

Search sites on which display is forbidden: collections.yandex.ru, m.uslugi.yandex.ru, images.yandex.ru, m.images.yandex.ru

Advanced location targeting is disabled.

The campaign is targeted exclusively at Russia.

With "garbage" words in a query, you can see when they are generated by robots and when they are deliberately added to the correct keyword.

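Added example, not part of the original post and not the poster's own tooling: the server-side check the post describes, run over an Apache combined-format access log. It lists yclid-tagged page requests whose client IP fetched no css/js/image shortly afterwards; the log lines, documentation-range IPs, paths and the 30-second window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache "combined" format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.10 - - [16/Jul/2020:10:00:01 +0300] "GET /landing?yclid=111 HTTP/1.1" 200 5120 "https://yandex.ru/" "Mozilla/5.0"
203.0.113.10 - - [16/Jul/2020:10:00:02 +0300] "GET /static/site.css HTTP/1.1" 200 900 "https://example.test/landing?yclid=111" "Mozilla/5.0"
203.0.113.10 - - [16/Jul/2020:10:00:02 +0300] "GET /img/logo.png HTTP/1.1" 200 3000 "https://example.test/landing?yclid=111" "Mozilla/5.0"
198.51.100.7 - - [16/Jul/2020:10:05:00 +0300] "GET /landing?yclid=222 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Jul/2020:10:09:00 +0300] "GET /landing?yclid=333 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
ASSET_RE = re.compile(r'\.(?:css|js|png|jpe?g|gif|svg|webp|ico|woff2?)$', re.I)

def parse(log_text):
    """Yield (client_ip, timestamp, split_url) for every well-formed log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        ip, ts, _method, target, _status = m.groups()
        yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), urlsplit(target)

def bare_yclid_hits(log_text, window=timedelta(seconds=30)):
    """Return [(ip, yclid)] for yclid page hits with no asset fetch
    from the same IP within `window` after the page request."""
    pages, assets = [], defaultdict(list)
    for ip, when, url in parse(log_text):
        yclid = parse_qs(url.query).get("yclid")
        if yclid:
            pages.append((ip, when, yclid[0]))
        elif ASSET_RE.search(url.path):
            assets[ip].append(when)
    return [(ip, y) for ip, when, y in pages
            if not any(timedelta(0) <= t - when <= window for t in assets[ip])]

def count_by_ip(hits):
    """Aggregate flagged hits per client IP, most frequent first."""
    counts = defaultdict(int)
    for ip, _ in hits:
        counts[ip] += 1
    return sorted(counts.items(), key=lambda kv: -kv[1])

if __name__ == "__main__":
    for ip, n in count_by_ip(bare_yclid_hits(SAMPLE_LOG)):
        print(ip, n)
```

Returning visitors with cached assets, assets served from a separate CDN host, and several users behind one NAT address all distort this check, so treat a flagged yclid as a candidate for review rather than proof.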