Understanding a Spike in Click Activity

Recently my team was managing a customer escalation about an unexpected and suspicious spike in click activity in email.  The customer observed all the links within an email activated immediately after delivery.  This is a known issue with filters like Barracuda. The email is accepted and if the message is deemed suspicious, it is subjected to higher scrutiny and the links are validation ‘tested’ to ensure they are not malicious. We have seen a slight increase in this activity since the beginning of the year but in most cases we can mitigate the behavior by focusing on improving the reputation of the sender.


"At issue is a part of the Barracuda email filter call the intent filter. There are 3 different modules to this filter.

Intent Analysis – Markers of intent, such as URLs, are extracted and compared against a database maintained by Barracuda Central.

    • Real-Time Intent Analysis – For new domain names that may come into use, Real-Time Intent Analysis involves performing DNS lookups against known URL blocklists.
    • Multilevel Intent Analysis – Use of free websites to redirect to known spammer websites is a growing practice used by spammers to hide or obfuscate their identity from mail scanning techniques such as Intent Analysis. Multilevel Intent Analysis involves inspecting the results of Web queries to URLs of well-known free websites for redirections to known spammer sites.


According to Barracuda support it is the Multilevel Intent Analysis module responsible for clicks on links." [Barracuda filters clicking all links - Word to the Wise]


Often in these cases the bounces returned from other undelivered email show evidence of content filtering by other networks also, which may indicate there's something going on with the content that's making it look suspicious. In addition we always coach customers to avoid the usage of any URL shorteners also. If there are any in your content, that may prove problematic.


How to Manage This Behavior?

One of the ways we suggest mitigating this behavior if it is problematic is to consider set up a “stealth” link, that human readers won’t see or click on but that parsing software might. Clicks on that link, that is unseen by human eyes, are a sign that the click was not done by the intended recipient. It would allow you to create program rules around the behavior so as to mitigate skew in the click rates.


I also suggest reviewing your own email sending reputation to understand if your own reputation is triggering this activity.  Are you managing your in-active addresses and removing those from your email program over time?  Do you have a process to remove recurring Soft Bounces after successive unsuccessful delivery attempts?  These two processes are often the first place my team starts when working with customers to improve their sending reputation.  Taking these two actions will improve your reputation over time and you will be less likely to trigger enhanced content filtering if you maintain a pristine sending reputation.


Here is a great series of Community Resources to help you understand and manage your email sending reputation:


Also, here's a link to an article by a well known deliverability expert on this topic from a couple of years ago but is still relevant: https://wordtothewise.com/2013/07/barracuda-filters-clicking-all-links/.

Is this article helpful ?