Email Bot Activity Feature Catching Actual Leads?

michellechopin · ‎04-26-2023

Hello Community Friends,

I'm investigating 7 leads from the same organization that Marketo has identified as bots. Looking at each of them, I've noticed the following things:

They have been in our database for a while (1-2 years)
They have received regular emails but have only experienced this bot issue recently (from September 2022 onward)
Several leads that received an email on December 7 showed the first click as normal (Bot Activity Pattern = N/A) but by the third click (all in the same minute), the lead shows Bot Activity = Match with IAB bots list
Most don't have an "Open Email" activity but are registering click activity, except for one lead that has four email clicks and the open email activity 44 minutes later

Questions:

Is this a case of the bot/IAB list misidentifying those leads? We only use the IAB list option so would that impact the quality of the bot identifications? See screenshot below for our settings.
Can email server scanners cause a lead to look like a bot by clicking all the links in an email at the same time?
Is this an issue on the organization's side where their email addresses have been compromised somehow?

We've always assumed that when someone comes to us asking about bots, because of multiple clicks on an email at the same time, that it's email scanners doing their thing and falsely attributing that activity to bots. Now I'm concerned that we've been wrong all this time!

Any help is appreciated 😀

Michelle

Darshil_Shah1 · ‎04-26-2023

Questions:

Is this a case of the bot/IAB list misidentifying those leads? We only use the IAB list option so would that impact the quality of the bot identifications? See screenshot below for our settings.

Well, AFAICT, if you have gotten a non-bot real human activity for a person in the past, it's not guaranteed that the subsequent activities for the same person would always be genuine (and vice versa). As you'd know, for the Match with IAB list bot identification method, Marketo looks at the user agent and IP of email activity and marks it as a bot activity in case it matches with the IAB records. Needless to say, the bot filtering could never be 100% accurate, and even though Marketo works hard in ensuring they accurately identify all of them, there's always a chance of at least a minuscule gap in bot identification.

Can email server scanners cause a lead to look like a bot by clicking all the links in an email at the same time?

Match with proximity patten bot identification method looks at the activities that happen at the same time (in under a second). Marketo checks, Lead ID, Email asset, activity (email open/link click), and time difference b/w subsequent activities for this. Since you've got proximity patten identification method turned off, Marketo would not check for this in your subscription for identifying the bot activities.

Also, to be clear, bot identification methods doesn't identify whether a person itself is a spam/bot or not, rather it identifies whether the email activity matches with the enabled bot identification patterns or not.

Is this an issue on the organization's side where their email addresses have been compromised somehow?

As the email scanning setup changes/updates at the client's end, you may start seeing bot activities on their record. Again, that doesn't mean that the person record itself is spam/bot.

Lastly, if the person opens an email w/o loading images, and clicks a link, Marketo would only log a click activity in their activity log. An open email activity would not be logged as the tracking pixel was never downloaded. FYR, Marketo doesn't backfill open activities for such cases (i.e., no open, but has a click activity) in the activity log unlike the email performance reports, wherein the opens are backfilled in case the person has a click activity on the corresponding email w/o an open activity.

View solution in original post

Darshil_Shah1 · ‎04-26-2023

Questions:

Is this a case of the bot/IAB list misidentifying those leads? We only use the IAB list option so would that impact the quality of the bot identifications? See screenshot below for our settings.

Well, AFAICT, if you have gotten a non-bot real human activity for a person in the past, it's not guaranteed that the subsequent activities for the same person would always be genuine (and vice versa). As you'd know, for the Match with IAB list bot identification method, Marketo looks at the user agent and IP of email activity and marks it as a bot activity in case it matches with the IAB records. Needless to say, the bot filtering could never be 100% accurate, and even though Marketo works hard in ensuring they accurately identify all of them, there's always a chance of at least a minuscule gap in bot identification.

Can email server scanners cause a lead to look like a bot by clicking all the links in an email at the same time?

Match with proximity patten bot identification method looks at the activities that happen at the same time (in under a second). Marketo checks, Lead ID, Email asset, activity (email open/link click), and time difference b/w subsequent activities for this. Since you've got proximity patten identification method turned off, Marketo would not check for this in your subscription for identifying the bot activities.

Also, to be clear, bot identification methods doesn't identify whether a person itself is a spam/bot or not, rather it identifies whether the email activity matches with the enabled bot identification patterns or not.

Is this an issue on the organization's side where their email addresses have been compromised somehow?

As the email scanning setup changes/updates at the client's end, you may start seeing bot activities on their record. Again, that doesn't mean that the person record itself is spam/bot.

Lastly, if the person opens an email w/o loading images, and clicks a link, Marketo would only log a click activity in their activity log. An open email activity would not be logged as the tracking pixel was never downloaded. FYR, Marketo doesn't backfill open activities for such cases (i.e., no open, but has a click activity) in the activity log unlike the email performance reports, wherein the opens are backfilled in case the person has a click activity on the corresponding email w/o an open activity.

michellechopin · ‎04-27-2023

I always appreciate your thorough answers, @Darshil_Shah1!

From your comments and looking at these leads in detail, it sounds like these leads could simply be performing tasks that look like, and are associated with, bots on the IAB list but aren't necessarily bots themselves.

We try to get external team members to err on the side of looking at the WHOLE picture with incidents like this so I'm confident that we've not been steering them incorrectly. We also regularly remind folks that these processes are not going to be 100% and your statement below is going to be very helpful in general:

"...bot identification methods doesn't identify whether a person itself is a spam/bot or not, rather it identifies whether the email activity matches with the enabled bot identification patterns or not."

I'll turn on the extra monitoring option to cover all our bases and will also do better to remember that about the images downloading as being what triggers the pixel and results in that Open Email activity showing. I also didn't realize that data doesn't backfill at any point so, today, I learned and I will pass that on as well!

@Christiane_Rode - thank you also for your suggestions! Here's what I found:

Each of these leads received the exact same emails at the same times and had all the same activities (in the same order) with a couple of exceptions for those leads that had an "Open Email" activity (they were part of a specific campaign)
For the email activities that listed the leads as a bot, they are showing "Default browser" and "Unknown" for device and platform; for the email activities prior to that that are normal (on the same email), all but one lead shows Browser as "IE", Platform as "W7", and Device as "Windows Desktop" - they are all coming from the same IP address range. The anomaly shows Browser as "Edge", Platform as "W10", and Device as "Windows Desktop" - this comes from a different IP address (maybe a personal computer/laptop)

I very much appreciate your expertise and suggestions for further troubleshooting! If there's anything else to consider here, given my updates, please let me know.

Thanks so much 😀

Michelle

Christiane_Rode · ‎04-26-2023

It's also worth looking inside the click activity to see if there are similarities/differences that exist between the engagement activities. Perhaps the first few clicks are from a scanner, but then subsequent clicks are from a person.

While it can be manual, it's worth looking at devices/browsers/platforms to see if you can see similarities there.

Email Bot Activity Feature Catching Actual Leads?

Email Bot Activity Feature Catching Actual Leads?

Re: Email Bot Activity Feature Catching Actual Leads?

Re: Email Bot Activity Feature Catching Actual Leads?

Re: Email Bot Activity Feature Catching Actual Leads?

Re: Email Bot Activity Feature Catching Actual Leads?