2 Replies Latest reply on Apr 12, 2018 2:36 PM by Lucas Bishop

    Strange Behavior Being Tracked

    Lucas Bishop

      I'm writing to see if anyone else is seeing this in their own reporting, or if there is an already known explanation.

       

      I have a lead list, full of non-engaged users.

      • They haven't opened an email in months
      • They are close to aging out of a program

       

      Suddenly, I'm seeing a large percentage of these leads all exhibit the same behavior in the Marketo's activity log, across a variety of different companies:

      • Every email is opened
      • Every link is clicked (including privacy policy, unsubscribe, etc.)
      • Time on landing-page (measured through GA, is barely a couple of seconds)

       

      When looking at this activity, there are some similarities across all of the different companies:

      1. IP Address is from Microsoft Azure
      2. Order of link clicks is generally the same
      3. User agent is Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

       

      These companies have no relation to each other, they span multiple industries and locations.

       

      The big issue here is that this is inflating the open/click rates and keeps people from aging out of programs. It makes emails appear to be engaging, when they are not.

       

      Is this some kind of spam filter that is trying to portray itself as a real user, and as such causes itself to be tracked as one? Anyone familiar with this?

        • Re: Strange Behavior Being Tracked
          Sanford Whiteman

          Eh, not really strange at all.

           

          Is this some kind of spam filter that is trying to portray itself as a real user, and as such causes itself to be tracked as one? Anyone familiar with this?

          Yes, there are several anti-phishing/anti-malware products using this tactic (this started a few years ago, and the number has been growing along with the threat landscape). By definition, they must seamlessly impersonate the real user, or else the malicious actor could easily get around the protection.

           

          There are a few Community threads on this topic. Bottom line: open and click are merely directional (that is, a giant jump/dip is notable, but the raw numbers can't be interpreted as human activity).

          1 of 1 people found this helpful