Email Filters appear to be Clicking Links

An updated blog related to Understanding a Spike in Click Activity

 

Support, Services and Marketo Executives report an increase in customers escalating elevated email click volumes in performance reporting.  The most typical escalation will identify the instances of this filter’s behavior where all the links within an email have been clicked, often narrowed down to specific business targets at the same corporate domain/s within a customer’s database. This method of link inspection is visible because it is so different from expected human behavior and happens in bulk.  It's easy to identify and ignore this kind of activity that is easy to spot but the methods for this kind of anti-malware detection vary and not all methods are as easy to identify and exclude from reporting.

 

The underlying issue is due to email filters inspecting links to prevent their end users from downloading malware. This can result in the links within Marketo customer email appearing to have been clicked by a recipient but instead were inspected by an email filter. Marketo has been aware of the filter behavior for several years and has been coaching customers with blog content and custom Professional Service consulting projects to reduce the triggers for and impact of this filter method, but this anti-malware methodology is increasing in the marketplace.

 

The escalation of this filter method’s impact is not unique to Marketo customers.  These email security filters impact all email senders including Marketo competitors. 

 

For the anti-malware filter/security provider it is an arms race against bad actors attempting to deliver malware to the security vendor’s end users. Barracuda Email Security Service was the first email security vendor to develop link inspection as anti-malware methodology, but other providers have begun leveraging link inspection to protect their users. Link inspection methods may include but are not limited to:

  • clicking one, to all links within an email
  • links may be clicked at the time of delivery and/or at a later time
  • clicks may occur before the receiving mail server returns a confirmed delivery response
  • clicks may or may not result in a website visit
  • some providers rewrite links within an email to inspect the link every time it is clicked
  • some providers inspect all redirected links; targeting link tracking utilized by all email
  • service providers and marketing automation companies
  • filter click traffic can come from the same IP addresses as legitimate click traffic making it impossible to filter out of activity reporting
    • some filters inspect links from residential IPs spaces instead of their business or corporate IP space to obfuscate the identify behind the link inspection

 

The filter is looking to hide the activity of inspecting the link and will try to look "as human as possible" to prevent the bad actor from changing the link’s potential payload after inspection but prior to the email recipient clicking the link. This intentional obfuscation of the link inspection is what makes it difficult for a provider like Marketo to exclude the activity of the link inspection from customer’s reporting.

 

For some providers link inspection happens as an enhanced or escalated filtering method applied to a message that has been determined to be suspicious by other stages in a multilevel filtering process. For Barracuda there are thirteen different layers of inbound email filtering and link inspection is part of an higher level of filtering that is triggered if other aspects of the message or sender appear suspicious.  Marketo Deliverability consultants, who have been troubleshooting this, have learned that focusing and addressing triggers causing the email may be subjected to a higher level of filtering help alleviate the symptom of the link inspection in the customer’s performance reporting. This kind of project typically requires 12-20 hours of Professional Services paid consulting because the solutions explored can vary from

  • making sure the customer’s email Authentication mechanisms, like SPF and DKIM, are in place and valid
  • reviewing reputation drivers like acquisition and database management practices that may drive a poor sending reputation
  • understanding the segment size within individual companies our customer may be targeting because sending to a large number of recipients within the same company can trigger link inspection
  • inspecting the content for malformed html
  • reviewing specific addresses exhibiting anti-malware filter activity to develop a custom flow to ignore the activity in the customer’s reporting.

 

Marketo’s Product Team has been monitoring this customer escalation and is working to monitor patterns and develop a methodology for identifying click activity in reporting that is the result of filter activity without ignoring legitimate email clicks.  This project is on-going.

 

One of the risks attempting to ignore link activity from anti-malware link inspections is patterns are likely to change over time and hardcoded rules for filtering activities may not be entirely effective. Because of this limitation Marketo has approached this both by looking to see how the product can be improved to reflect true recipient engagement as well as focusing on developing actionable recommendations Support can provide customers as well as Professional Service engagements.

 

Additional Information about this filtering technique can be found here:

https://urldefense.proofpoint.com/

Cracking the Inbox Code: Barracuda

https://campus.barracuda.com/product/essentials/doc/51188521/understanding-inbound-and-outbound- message-flow/

https://www.paloaltonetworks.com/documentation/61/wildfire/wf_admin/wildfire- overview/wildfire-concepts#_73619


Is this article helpful ?

YesNo


10416
3
3 Comments