Email Filters appear to be Clicking Links

*Updated in September 2024

 

An updated blog related to Understanding a Spike in Click Activity

 

Support, Services and Marketo Engage Executives occasionally report an increase in customers escalating elevated email click volumes in performance reporting. The most typical escalation identifies instances of this filter behavior in which all the links within an email have been clicked, often narrowed down to specific business targets at the same corporate domain(s) within a customer’s database. This method of link inspection is visible because it is so different from expected human behavior and happens in bulk. Activity of this kind is easy to identify and ignore, but the methods used for anti-malware link inspection vary, and not all of them are as easy to identify and exclude from reporting.

 

The underlying issue is due to email filters inspecting links to prevent their end users from downloading malware. This can result in the links within a Marketo Engage customer’s email appearing to have been clicked by a recipient when they were instead inspected by an email filter. Marketo Engage has been aware of the filter behavior for several years and has been coaching customers with blog content and custom Professional Service consulting projects to reduce the triggers for and impact of this filter method, but this anti-malware methodology is increasing in the marketplace.

 

The escalation of this filter method’s impact is not unique to Marketo Engage customers.  These email security filters impact all email senders including Marketo Engage competitors.

 

For the anti-malware filter/security provider, it is an arms race against bad actors attempting to deliver malware to the security vendor’s end users. Barracuda Email Security Service was the first email security vendor to develop link inspection as an anti-malware methodology, but other providers have begun leveraging link inspection to protect their users. Link inspection methods may include but are not limited to:

  • clicking anywhere from one to all links within an email
  • links may be clicked at the time of delivery and/or later
  • clicks may occur before the receiving mail server returns a confirmed delivery response
  • clicks may or may not result in a website visit
  • some providers rewrite links within an email to inspect the link every time it is clicked
  • some providers inspect all redirected links, targeting the link tracking utilized by all email service providers and marketing automation companies
  • filter click traffic can come from the same IP addresses as legitimate click traffic, making it impossible to filter out of activity reporting
    • some filters inspect links from residential IP space instead of their business or corporate IP space to obfuscate the identity behind the link inspection

 

The filter is looking to hide the activity of inspecting the link and will try to look "as human as possible" to prevent the bad actor from changing the link’s potential payload after inspection but prior to the email recipient clicking the link. This intentional obfuscation of the link inspection is what makes it difficult for a provider like Marketo Engage to exclude the activity of the link inspection from a customer’s reporting.
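As an added illustration (not Marketo Engage code and not part of the original post), the following Python example scores click records against three of the behaviours listed above: clicks before confirmed delivery, every link clicked in a short burst, and no resulting website visit. The record layout, the 10-second burst window and the two-signal threshold are assumptions chosen for the example, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data; field names are assumptions, not a Marketo Engage schema.
LINKS_IN_EMAIL = {"e1": 4}
DELIVERED = {  # (recipient, email_id) -> delivery confirmation time
    ("a@corp.example", "e1"): "2024-09-01T10:00:05",
    ("b@corp.example", "e1"): "2024-09-01T10:00:06",
    ("c@other.example", "e1"): "2024-09-01T10:00:07",
    ("d@other.example", "e1"): "2024-09-01T10:00:08",
}
CLICKS = (  # (recipient, email_id, link_id, click_time, led_to_web_visit)
    [("a@corp.example", "e1", f"l{i}", "2024-09-01T10:00:03", False) for i in range(1, 5)]
    + [("b@corp.example", "e1", f"l{i}", "2024-09-01T10:00:09", False) for i in range(1, 5)]
    + [("c@other.example", "e1", "l2", "2024-09-01T10:42:10", True),
       ("d@other.example", "e1", "l1", "2024-09-01T11:15:00", False)]
)

def click_signals(clicks, delivered, links_in_email, burst=timedelta(seconds=10)):
    """Return {(recipient, email_id): [signal names]} for each clicked email."""
    grouped = defaultdict(list)
    for rcpt, email_id, link, ts, visit in clicks:
        grouped[(rcpt, email_id)].append((link, datetime.fromisoformat(ts), visit))
    results = {}
    for key, events in grouped.items():
        times = [t for _, t, _ in events]
        total = links_in_email[key[1]]
        distinct = {link for link, _, _ in events}
        signals = []
        # Click recorded before the receiving server confirmed delivery.
        if key in delivered and min(times) < datetime.fromisoformat(delivered[key]):
            signals.append("pre_delivery")
        # Every link in a multi-link email clicked within a few seconds.
        if total > 1 and len(distinct) == total and max(times) - min(times) <= burst:
            signals.append("all_links_burst")
        # None of the clicks produced a website visit.
        if not any(v for _, _, v in events):
            signals.append("no_web_visit")
        results[key] = signals
    return results

def likely_filter_clicks(results, threshold=2):
    """Flag only when several signals agree; one signal alone is too weak."""
    return sorted(k for k, s in results.items() if len(s) >= threshold)

if __name__ == "__main__":
    for key, signals in click_signals(CLICKS, DELIVERED, LINKS_IN_EMAIL).items():
        print(key, signals)
```

Requiring agreement between signals keeps a single human click with no recorded web visit (recipient `d` in the sample) out of the flagged set, at the cost of missing filters that click only one link after delivery.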

 

For some providers, link inspection happens as an enhanced or escalated filtering method applied to a message determined to be suspicious by other stages in a multilevel filtering process. For Barracuda, there are thirteen different layers of inbound email filtering, and link inspection is part of a higher level of filtering that is triggered if other aspects of the message or sender appear suspicious. While this is not considered to be a “Deliverability issue”, Marketo Engage Deliverability Consultants who have been troubleshooting this have learned that sender reputation issues may cause emails to be subjected to a higher level of filtering and machine-initiated clicks. So, we recommend taking steps to help alleviate the symptoms of the link inspection in the customer’s performance reporting. This kind of project typically requires 12-20 hours of Deliverability Services paid consulting because the solutions explored can vary from:

 

  • making sure the customer’s email authentication mechanisms, like SPF and DKIM, are in place and valid
  • reviewing reputation drivers like acquisition and database management practices that may drive a poor sending reputation
  • understanding the segment size within individual companies our customer may be targeting, because sending to many recipients within the same company can trigger link inspection
  • inspecting the content for malformed HTML
  • reviewing specific addresses exhibiting anti-malware filter activity to develop a custom flow to ignore the activity in the customer’s reporting.

 

Marketo Engage’s Product Team has been monitoring this customer escalation and is working to monitor patterns and develop a methodology for identifying click activity in reporting that is the result of filter activity without ignoring legitimate email clicks. This project is ongoing.

 

One of the risks of attempting to ignore link activity from anti-malware link inspections is that patterns are likely to change over time, so hardcoded rules for filtering activities may not be entirely effective. Because of this limitation, Marketo Engage has approached this both by looking at how the product can be improved to reflect true recipient engagement and by developing actionable recommendations that Support can provide to customers, as well as Professional Service engagements.

 

Additional Information about this filtering technique can be found here:

Cracking the Inbox Code: Barracuda

 

 

3 Comments
Brian_Adam1
Level 1

One of the big, although imperfect, signs of an email filter click we see is that the click takes place before the email delivery (i.e. the third bullet in the list above). If we could simply filter out those clicks it would be a meaningful step in the right direction even if that filters out a few human clicks.

We have also observed that the vast majority of these suspected email filter immediate clicks do NOT result in a web visit, per bullet #4.

Rob_Alfieri
Level 2

What if the email checker vendors could append a UTM parameter on the URL before they issue the click? That would enable filtering out those clicks from being recorded.

SanfordWhiteman
Level 10 - Community Moderator

That would make the whole concept of scanning meaningless. An attacker just serves non-malicious code when they see the UTMs.

Mail scanners must appear to be end users (humans) by definition.