How to help sites avoid ads.txt fraud?

Open jeffpaul opened this issue 5 years ago • 2 comments

Is your enhancement related to a problem? Please describe.

Inside the fight against 404bot, the ad fraud scheme exploiting ads.txt: https://www.thedrum.com/news/2020/02/25/inside-the-fight-against-404bot-the-ad-fraud-scheme-exploiting-adstxt

Here’s some background research by the great Dr. Augustine Fou:

How Ads.txt is Being Exploited by "Baddies" for Fun and Profit: https://www.linkedin.com/pulse/adstxt-zero-day-exploit-wild-brief-history-fraud-ad-fraud-historian/

Not much 10up’s plugin could do to help at this point, except maybe even sites that don’t advertise should consider a (non-empty) ads.txt file to prevent domain spoofing: https://api.adstxt.com/blog/adstxt-without-authorized-advertising-systems

So your plugin could start users with a default ads.txt containing this valid “placeholder” record: placeholder.example.com, placeholder, DIRECT, placeholder

Describe the solution you'd like

Opening this issue to discuss how best to handle this within Ads.txt Manager.

Designs

TBD, but n/a currently

Describe alternatives you've considered

n/a

Additional context

Props to @hearvox for the issue reporting and background info, we'll want to credit him in any PR/release/CREDITS.md updates that come from this issue.

jeffpaul, Mar 06 '20 04:03

Is there any potential harm in starting people with placeholder.example.com, placeholder, DIRECT, placeholder right when they activate? I like the idea of providing a placeholder both for best practices and to give a hint about expected content, but I am a little worried about that getting cached when it shouldn't just because somebody is in between activating the plugin and getting the contents entered and saved. There seems to be some pretty aggressive caching by crawlers.

helen, Mar 20 '20 17:03

Good point about caching. Maybe the placeholder should be an option not a default.

FWIW, here's what the IAB ads.txt spec advises about caching (doesn't mean recommendation is followed):

3.6 EXPIRATION

Consuming systems of /ads.txt should cache the files, but if they do they must periodically verify the cached copy is fresh before using its contents.

Standard HTTP cache-control mechanisms can be used by both origin server and robots to influence the caching of the /ads.txt file. Specifically consumers and replicators should take note of HTTP Expires header set by the origin server.

The old spec also included this now-removed line:

If no cache-control directives are present consuming systems should default to an expiry of 7 days.

hearvox, Mar 20 '20 19:03
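To put numbers on the caching concern raised in this thread, here is an added example (not code from the plugin or from any commenter) that estimates how long a consumer honouring the quoted caching rules could keep a placeholder-only ads.txt fetched right after activation. The function names, the sample fetch time and the canonical-cased header keys are assumptions, and the 7-day fallback is the removed old-spec line quoted above; real crawlers may behave differently.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# The placeholder record proposed in this issue (matched exactly).
PLACEHOLDER = ("placeholder.example.com", "placeholder", "DIRECT", "placeholder")
# Fallback taken from the removed line of the old spec quoted in the thread.
DEFAULT_TTL = timedelta(days=7)

def records(body):
    """Yield data records as tuples, skipping comments, blanks and variables."""
    for line in body.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = tuple(f.strip() for f in line.split(","))
        if len(fields) >= 3 and "=" not in fields[0]:
            yield fields

def placeholder_only(body):
    """True when the file is non-empty but authorizes no real seller."""
    recs = list(records(body))
    return bool(recs) and all(r[:4] == PLACEHOLDER for r in recs)

def expires_at(fetched, headers):
    """When a consumer honouring HTTP caching should re-verify its copy."""
    directives = [d.strip() for d in headers.get("Cache-Control", "").lower().split(",")]
    if "no-store" in directives or "no-cache" in directives:
        return fetched  # must revalidate before every use
    for d in directives:
        name, _, val = d.partition("=")
        if name == "max-age" and val.isdigit():
            return fetched + timedelta(seconds=int(val))  # max-age beats Expires
    if "Expires" in headers:
        try:
            exp = parsedate_to_datetime(headers["Expires"])
        except (TypeError, ValueError):
            return fetched  # unparseable date counts as already expired
        return exp if exp.tzinfo else exp.replace(tzinfo=timezone.utc)
    return fetched + DEFAULT_TTL

def stale_placeholder_window(body, fetched, headers):
    """How long a placeholder-only copy may be reused without re-verification."""
    if not placeholder_only(body):
        return timedelta(0)
    return max(expires_at(fetched, headers) - fetched, timedelta(0))

# Constructed sample: a crawler fetches the file just after plugin activation.
FETCHED = datetime(2020, 3, 20, 17, 0, tzinfo=timezone.utc)
BODY = "# ads.txt\nplaceholder.example.com, placeholder, DIRECT, placeholder\n"
if __name__ == "__main__":
    for h in ({}, {"Cache-Control": "max-age=3600"}, {"Cache-Control": "no-cache"}):
        print(h, stale_placeholder_window(BODY, FETCHED, h))
```

With no cache headers the window is the full 7-day fallback, while a short `max-age` or `no-cache` on the response shrinks it to an hour or to zero.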