Online ad campaigns depend on redirects to reconcile clicks and analytics. It is dumb, but if you want to get customers/make money in the ad space, you have to support this.
Sure, but you could make them add a meta tag or upload a validation file to prove they are actually working on behalf of the final URL, just like they do to validate that you're in control of the URL for the webmaster console. If the malicious ad buyer has access to ebay.com's server all bets are off, but I feel like that happens a lot less often than this.
