Recent Posts ¶

Stop Ad-Block Plus from removing AdSense Ads

Ronald MacDonald <ronald@rmacd.com>

Introduction

And so you run a website. Like me. Probably a small one. Like me. And you run Google AdSense. Like me. Yet, somehow, the numbers just don’t add up.

Take my case, as an example. I had 210 unique hits on the last article I published, over a period of 24 hours. Yet on the AdSense the number was significantly less than that. While a small percentage of these may be attributed to clients with little or no support for JavaScript (such as search engines or mobile phones for example) there’s still a large gap remaining - that which is, most likely, due to ad-blockers.

The Solution

This technique redirects your visitor to a pre-designated page if they happen to access your site with an ad-blocker. We don’t change any of Google’s code and so your Terms of Service with Google should be safe.

No redirection will occur on a non-JS browser, though non-JS clients would not see Google’s ads anyway, so it’s no great loss.

The script relies on the fact that the regex used by AdBlock Plus is quite loose and so will block any script sitting within any file called adsense.js. I’ve also changed a couple of the options to include other blocking applications into the work-around.

Considerations

  1. The script will fail to work if the maintainers of ABP etc tighten their regexes.
  2. DNS lookups can take some time, depending on where your server is and which DNS servers you use. Think carefully before deploying this technique across your entire site.
  3. Corporate users may not be able to change their block-lists. Again, think carefully, or you might end up blocking many from using your site.
  4. The script can be modified to provide a Goodwill feature - ie. users will be able to revisit your page without the ads, on the basis of them affirming they’ve no way of unblocking the adverts.

Prerequisites

  • PHP/FastCGI etc
  • Some form of web server (I use nginx)
Note

TITLE

We’re looking up the reverse DNS of the remote client. That means our lookups have to be super-quick. A quick dig google.com on the web server should show how fast your upstream DNS server’s initial response is. Remember on a public DNS server that a site like Google will be requested frequently and as such, answered from the DNS’s cache. So try a couple of other names just to check.
The Principle

We’re wanting the code to look something like this:

$redirect is set to TRUE [in adverts.js]:
$redirect is set to FALSE (if JS is loaded)
if $redirect is TRUE then redirect_to_page
Observations
  • Code seems to work OK
  • Users need to be taken back to the original page
  • $_SESSION or encrypted $_GET would be best (2-way RC4?)

The Scripts

Fake AdSense Script

Create the file /adsense/adsense.js on the root of the site you wish to protect from ABP and similar applications and put the following line in it:

trap_active=false;

Now, if you’re also wishing to undermine Squid’s AdZapper application, add the following line as well:

adx_active=false;

The script, situated at example.com/adsense/adsense.js, should read as follows:

trap_active=false;
adx_active=false;
Per-Page JS/AdSense Checker

At the bottom of each page you wish to 'protect'

<?php
        $doms = array_reverse(explode(".",gethostbyaddr($_SERVER['REMOTE_ADDR'])));
        if (($doms[0]=="com")&&($doms[1]=="googlebot")) { ?>

                <script type="text/javascript">
                <!-- var trap_active = false; //-->
                </script>

        <?php } else { ?>

                <script type="text/javascript">
                <!-- var trap_active = true; //-->
                </script>

        <?php } ?>

<script type="text/javascript" src="/adsense/adsense.js"></script>      1
<script type="text/javascript"><!--
if (trap_active) {
window.location="http://www.example.com/about-ads.php?url=<?php         2

// set up new rc4
$rc4 = new rc4crypt;

// grab the address and pass it to the endec() function
$enc = $rc4->endecrypt("Bollocks",$_SERVER["REQUEST_URI"]);             3

// spit it out
echo urlencode(base64_encode($enc));

// terminate JS window.location
?>"}

//--></script>
1 Make sure the path is correct.
2 Remember to replace example.com with your own domain and path.
3 Change the encrypting phrase to something of your own choice.
Landing page

Upon being redirected, users with ABP etc enabled are shown this page. You can be as explicit as you like but the page should contain a link which they can us so as to return to the last page.

Using the same encryption phrase as before, the link to return could be returned as follows:

<a href="http://www.example.com<?php $rc4 = new rc4crypt;
        echo rawurldecode($rc4->endecrypt("Bollocks.",                  1
        urldecode(base64_decode($_GET['url']))));
?>">Disable AdBlock for this site before clicking here to return</a>
1 Yes, even that extra '.' will stop the whole thing working properly ;-)

Step-by-step

What happens?

<script type="text/javascript" src="adsense.js"></script>

This line sets the trap to FALSE so that the redirect does not occur. Then:

$doms = array_reverse(explode(".",gethostbyaddr($_SERVER['REMOTE_ADDR'])));
if (($doms[0]=="com")&&($doms[1]=="googlebot")) { ?>
        <script type="text/javascript">
        <!-- var trap_active = false; //-->
        </script>
  1. Gets the hostname of the connecting client
  2. Compares it to .googlebot.com
  3. Upon match, keeps the trap 'disabled'
<script type="text/javascript"><!--
        if (trap_active) {
        window.location ...

Redirects users who have not loaded the fake adsense.js to a custom page, explaining why it’s a good idea to keep adverts enabled.

The return-address is encrypted and hashed using a string that only we know (in this case, something about sheep). Encryption mitigates XSS attacks and hashing ensures URL contains only 'legal' characters.

That’s it!