Understanding a Spike in Click Activity

Recently my team was managing a customer escalation about an unexpected and suspicious spike in click activity in email.  The customer observed all the links within an email activated immediately after delivery.  This is a known issue with filters like Barracuda. The email is accepted and if the message is deemed suspicious, it is subjected to higher scrutiny and the links are validation ‘tested’ to ensure they are not malicious. We have seen a slight increase in this activity since the beginning of the year but in most cases we can mitigate the behavior by focusing on improving the reputation of the sender.

 

"At issue is a part of the Barracuda email filter call the intent filter. There are 3 different modules to this filter.

Intent Analysis – Markers of intent, such as URLs, are extracted and compared against a database maintained by Barracuda Central.

    • Real-Time Intent Analysis – For new domain names that may come into use, Real-Time Intent Analysis involves performing DNS lookups against known URL blocklists.
    • Multilevel Intent Analysis – Use of free websites to redirect to known spammer websites is a growing practice used by spammers to hide or obfuscate their identity from mail scanning techniques such as Intent Analysis. Multilevel Intent Analysis involves inspecting the results of Web queries to URLs of well-known free websites for redirections to known spammer sites.

 

According to Barracuda support it is the Multilevel Intent Analysis module responsible for clicks on links." [Barracuda filters clicking all links - Word to the Wise]

 

Often in these cases the bounces returned from other undelivered email show evidence of content filtering by other networks also, which may indicate there's something going on with the content that's making it look suspicious. In addition we always coach customers to avoid the usage of any URL shorteners also. If there are any in your content, that may prove problematic.

 

How to Manage This Behavior?

One of the ways we suggest mitigating this behavior if it is problematic is to consider set up a “stealth” link, that human readers won’t see or click on but that parsing software might. Clicks on that link, that is unseen by human eyes, are a sign that the click was not done by the intended recipient. It would allow you to create program rules around the behavior so as to mitigate skew in the click rates.

 

I also suggest reviewing your own email sending reputation to understand if your own reputation is triggering this activity.  Are you managing your in-active addresses and removing those from your email program over time?  Do you have a process to remove recurring Soft Bounces after successive unsuccessful delivery attempts?  These two processes are often the first place my team starts when working with customers to improve their sending reputation.  Taking these two actions will improve your reputation over time and you will be less likely to trigger enhanced content filtering if you maintain a pristine sending reputation.

 

Here is a great series of Community Resources to help you understand and manage your email sending reputation:

 

Also, here's a link to an article by a well known deliverability expert on this topic from a couple of years ago but is still relevant: https://wordtothewise.com/2013/07/barracuda-filters-clicking-all-links/.


Is this article helpful ?

YesNo


25258
11
11 Comments
Kiersti_Esparz1
Level 7

There is a fascinating discussion about this happening here - https://nation.marketo.com/message/119613#comment-119613

Anonymous
Not applicable

Hi Kiersti Esparza, you mentioned using the stealth link to identify these situations...can you elaborate on that approach a little bit? I think we could create a smart campaign that listens for those clicks, but what would we do with that information? Thanks!

Kiersti_Esparz1
Level 7

Trask,

Unfortunately I am not the expert on how to construct the Smart Lists.  There are a number of interesting ideas in the discussion linked above. 

A method I have heard works successfully is including"visits web page" when also tracking the "email click" activity.  The bots that are clicking the links don't travel to the web page.

NOTE this link clicking is evidence of higher filter scrutiny.  You may also want to understand how you can improve your sending reputation.  Are you managing your inactive email recipients by removing them after a period of inactivity?  Do you remove recurring bouncers after a set number of bounces.  How are you acquiring your email addresses?  Are you following organic best practices?  Or are you acquiring from third parties?  Third party acquisition is very risky and can drive the indicators that trigger this enhanced level of filtering.

How to Manage Your Marketo Database for Deliverability

Wake Up Your Sleepy Subscribers with Reactivation Campaigns - http://blog.marketo.com/2016/05/ebook-wake-up-your-sleepy-subscribers-with-reactivation-campaigns.ht...

Email Deliverability Cheatsheet - https://www.marketo.com/cheat-sheets/email-deliverability/ 

Database Health Report - https://nation.marketo.com/docs/DOC-2648

Deliverability Series, part 1 Bounces - https://nation.marketo.com/blogs/marketowhisperer/2015/07/20/monitoring-email-deliverability-bounces...

Deliverability Series Part 2, Unengaged Users - https://nation.marketo.com/blogs/marketowhisperer/2015/07/27/monitoring-email-deliverability-unengag...

Deliverability Series Part 3 Bounce Rates - https://nation.marketo.com/blogs/marketowhisperer/2015/08/05/monitoring-email-deliverability-trouble...

Deliverability Series Part 4, Spam Blocks - https://nation.marketo.com/blogs/marketowhisperer/2015/08/18/monitoring-email-deliverability-trouble...

Metrics for Email Marketing - https://nation.marketo.com/docs/DOC-2883

Devraj_Grewal
Level 10 - Champion Alumni

I provided a couple of workarounds for this issue on my discussion topic: Email was clicked before it was delivered? It's a link scanner

Sarah_Greig2
Level 3

Can Marketo remedy this by actively excluding these as registered clicks. They seem to click at same time as delivered so would be easy to manage?

Anonymous
Not applicable

Hi Kiersti Esparza - My issue is that we create Salesforce reports based on link clicks in specific emails. I'm wondering, if I added a stealth link and turned off tracking for that link, might that prevent those certain filters/bots just clicking the first link from showing up in the report? It won't apply to filters/bots that "click" other links, but they seem to be the exception at this point.

SanfordWhiteman
Level 10 - Community Moderator

It won't apply to filters/bots that "click" other links, but they seem to be the exception at this point.

Mail scanners that click all links are definitely not the exception... don't know where you'd get that idea. A scanner is useless if it doesn't click all links.

Anonymous
Not applicable

I may be making a wrong assumption, for sure. Here's what I'm seeing over time:

For a email with multiple links, the first link in the email is receiving much higher clicks, but the corresponding webpage views are much lower (and closer to what the other links figures). The first link shows 815 clicks, but only about  60 views for the webpage it goes to. The second link shows 37 clicks and 35 web page views.

Clicks.jpg

SanfordWhiteman
Level 10 - Community Moderator

The newer mail scanners scan all links, and expect that only to grow in share (as long as link prescanning is done it all). Older ones (still in use in-the-wild) scanned only the first, somewhat bizarrely.

Remember, the mail scanners are designed so they can't be evaded by malicious actors. So if you can evade them as a legit actor, expect that hole to be patched. A "stealth link" is just a patch over the problem, since any scanner worth its salt will know what you're trying to do, or soon learn.

Anonymous
Not applicable

Makes sense. I just need a report that's more accurate and this is the only option I'm seeing right now. It doesn't even need to "stealthy," just a regular link to our website is fine, so 600 people who may not have even seen the email aren't included in the report.