34 Replies Latest reply on Sep 13, 2018 11:28 PM by Sanford Whiteman

    Bot or Not? – Are you suffering from ‘bot clicks’?

    Ronen Wasserman

      If you are a marketer, you probably have heard about the somewhat new and emerging enemy: The Email Security Bots. The war is on and we have been standing clueless for a while, watching from the side while the Bots were messing with our numbers, with no real solution available.
      Well, it’s time to fight back!
      It all started a couple of years ago when some of our customers noticed a surge in email click metrics and they also pointed out some interesting and strange behaviors in their data:

      • Seconds after email is delivered, they see a high volume of clicks
      • They noticed a high volume of clicks from the same account/company
      • The activity log shows ‘clicked a link in an email’ before the ‘email open’ event and in many cases without visiting the actual page

      Our research concluded those behaviors are typical for Bots, and NOT for humans. The bots' role is to click each link in emails, sent to the domain they protect, to prevent harmful clicks that can harm the company by flagging them as a phishing scam.
      The implications of those Bots clicks can be devastating for marketing teams worldwide.
      All your marketing numbers could be way off. It means you’ve been counting clicks completely wrong in your marketing automation program. Not to mention the impact on your scoring, interesting moments and nurturing campaigns and obviously your reports.
      We, at eDigital.Marketing, did an extensive research and came up with a solution that we would like to share with you. We implemented it in our customers' instances and our customers are surprised by the findings and are satisfied with the results.
      We started by running a test on an email that was part of a nurturing campaign already built in Marketo.
      The test was using a Smart Campaign that was listening to page visits and email delivery.
      The program was running for about five days to allow enough time for prospects to actually click on the link in the email.
      Five days later we ran a new Smart Campaign just to collect data from Marketo about "clicked the link in the email" without any filters at all.
      We downloaded both lists to excel and checked for clicks in Marketo that were NOT in the list we have created. Here are the shocking numbers:
      Marketo counted 327 clicks WHILE the Smart Campaign only identified 91 of those clicks as real people who clicked the link and actually visited the page.

      So at that point, it was pretty simple to calculate that approximately 72% of those clicks were fake and were made by ‘Bots’, we then identified and created a list of the companies that are using bots as part of their IT security infrastructure.
      To make things even more complicated, we then went ahead and made some additional research on the list and found that a third of the remaining ‘humans’ can NOT be counted as clicked anyway since they visited the webpage in the past and NOT by using the email we've tested. The Smart Campaign was flagging them since the email was delivered to them and indeed in the past, they visited the page.
      BUT since we compared the Marketo clicks to the Smart Campaign clicks, those ‘humans’ (that didn't click but visited the page) where excluded and therefore no extra calculating was needed.
      To make sure the data is correct, we sampled some ‘Bot’ leads and checked their logs in Marketo. All leads from all companies who were suspected to be using ‘bots’ were showing the activity of a ‘bot’ - clicked but no open nor visited page.
      In conclusion, out of 327 clicks identified by Marketo, only 91 were Humans.
      Now all was left for us to do is to add a few Smart Campaigns to neutralize the Bots and stop them from disrupting the scoring system, the interesting moments and all reporting.
      We now have a Bot system running in the background making sure all our numbers are correct and not just making us look good.

        • Re: Bot or Not? – Are you suffering from ‘bot clicks’?
          Chris Wilcox

          We've definitely seen the same issue. It's fairly isolated in our industry and we see bot-clicks in a pretty specific region, but our numbers are even farther off than the 72% you're seeing. We're talking 93-96% inaccurate.

           

          We've since started utilizing the page view as the trigger for those groups as well which has helped, but the biggest issue for me is associating those clicks (web views) back to the program level in an automated way. Since the clicked link in email activity has a program ID associated, but the web page visit activity log will not.

           

          It's a serious issue that Marketo itself needs to bake into the platform. We've been trying to get cleaner data with our own workarounds, but it really only works in a program-to-program basis and haven't been able to come up with an instance wide solution that we could set up to have running all the time.

          2 of 2 people found this helpful
          • Re: Bot or Not? – Are you suffering from ‘bot clicks’?
            Dan Stevens

            To ensure you’re truly dealing with human activity, you need to measure one additional step - and that’s identifying those that are web page visits are also clicking on a link (or submitting a form) on the landing page. Today, bots can trigger web page visits as well.

            1 of 1 people found this helpful
              • Re: Bot or Not? – Are you suffering from ‘bot clicks’?
                Josh Hill

                Agree.

                 

                I'd love to see a clearer set of images or diagrams for how you did this Ronen.

                • Re: Bot or Not? – Are you suffering from ‘bot clicks’?
                  Sanford Whiteman

                  bots can trigger web page visits as well.

                  Ab-so-lutely!

                  1 of 1 people found this helpful
                  • Re: Bot or Not? – Are you suffering from ‘bot clicks’?
                    Chris Wilcox

                    It's really interesting you're seeing bots trigger page views, I really haven't seen that correlation in our data yet. We operate in a pretty specific B2B sector, so I actually think it more likely has to do with the most commonly used technology in our sector. Barracuda seems to be our biggest problem, and from my research and own testing, it does not appear that Barracuda specifically downloads any javascript when it gets to the landing page, as I'm not seeing broad bot-click activity in Marketo, GA, or other web analytics tools, but I AM seeing the corresponding click activity in Marketo. The honeypot idea someone posted below seems like a decent way to avoid that, but only if you're batch reporting OR mass-suppressing known bot-click addresses.

                     

                    Dan -- When you track that additional activity on the landing page, is that trigger based? Do you have a way you associate that activity with the program which the user originally clicked? That's my biggest gap that I'm trying to solve for at this point.

                      • Re: Bot or Not? – Are you suffering from ‘bot clicks’?
                        Dan Stevens

                        Chris - the way we used to do this (until we saw false-positives with page visits) was to add a "Visited web page" choice to the "change program status" flow step.  You can't add it as a filter in the smart list since it can sometimes take several minutes for Marketo to register the page visit when it has already triggered off of the email click.  So we add a 15 minute wait step and then something like this:

                         

                         

                        But now that we're faced with a third variable - and since Marketo doesn't support conditional "choice" logic (where we would need a second level choice of "clicked link on specific web page") - we're kinda stuck. Heck, there's not even a choice that allows you to select the link constrained by a web page.  I believe Sanford has been toying with a custom activity that would identify when all three of these actions have occurred, but nothing's been published as of yet.

                         

                        Obviously, if the person has visited this page in the past - and not part of the email click session - then this too will result in a false-positive.

                        1 of 1 people found this helpful
                          • Re: Bot or Not? – Are you suffering from ‘bot clicks’?
                            Chris Wilcox

                            Ahhh yea this makes sense. Agreed on the previous visitors issue. Conditional choice logic would be amazing, the trouble I face is I really want to use the "Clicked Link" trigger, but want to wait for a period of time after that activity and wait for the 2nd or 3rd layer activity like you're describing here (page view, page click, form fill, etc.). I can watch page activity and use querystring filters to identify users who visit pages via email clicks, but that activity isn't associated with the email program and the trigger is now the "Visited Webpage," which doesn't help our sales team understand what content or marketing campaign is driving engagement.

                            • Re: Bot or Not? – Are you suffering from ‘bot clicks’?
                              Denise Greenberg

                              Hey Dan Stevens -

                              Re: "Heck, there's not even a choice that allows you to select the link constrained by a web page", I'm sure you know that there IS a constraint for web page for the trigger/filter clicks/clicked link on web page (see below) so I'm wondering what you meant by that.

                               

                              The limitations in the flow step choice logic have often frustrated me too. Have you considered using "Member of Smart List" as the Choice in Change Program Flow step and putting your multiple criteria in the Smart List?

                               

                              Denise

                              1 of 1 people found this helpful
                              • Re: Bot or Not? – Are you suffering from ‘bot clicks’?
                                Kai Crow

                                It's not a perfect solution, but maybe a way around a 'fake' page view being triggered is to use the forms 2.0 API - embed a hidden form in the page and check for the form submission in the campaign instead of a page view (include the URL of the page as a hidden field in the form and you can easily re-use). Then, depending where the page is hosted (either on your own server or a mkto landing page), you can also add a layer of checks to make sure it's a real browser before allowing that form script to run - eg check user agent header, maybe a delay of a second, assuming a bot's session is very short - of course, if a bot really wants to mimic a human, then it's going to be pretty hard to detect, but that should help weed out the most obvious ones.

                                 

                                Note: if the page is accessible publicly as well as from your email, then you'll also likely want to add some conditions around loading the form script so that it only runs for known users, otherwise, you'll end up with a whole lot of unidentified users that count towards your allocated users (because as soon as a form is submitted, it counts as an identified user, even if name and email are blank)

                                  • Re: Bot or Not? – Are you suffering from ‘bot clicks’?
                                    Sanford Whiteman

                                    of course, if a bot really wants to mimic a human, then it's going to be pretty hard to detect

                                    Right, and the inability to distinguish between the two is key to scanner technology working at all. You can't distinguish based on User-Agent because scanners purposely use real, headless browsers. If you could check based on the User-Agent, then so could the person running a malicious site, and the scanner would be rendered worthless.

                                     

                                    If you require form submission before registering the initial hit, then it's even easier than what you've described! Problem is that marketers want to know if someone clicked, even if they don't convert via form. That's the hard part.

                                  • Re: Bot or Not? – Are you suffering from ‘bot clicks’?
                                    Jay Jiang

                                    Wouldn't you just use request campaign and add the filters in the requested campaign's smart list?

                                     

                                    RE: detecting link clicks after clicking through from an email AND visiting a webpage, doable using munchkin API:

                                     

                                    if(location.search.indexOf('mkt_tok') != -1){
                                    $("a").addClass("tracklink");
                                    $("a.tracklink").click(function(){
                                        Munchkin.munchkinFunction('visitWebPage', {
                                            'url': '/email-visit-click'
                                        });
                                    });
                                    }
                                    

                                     

                                    Will add the class "tracklink" to all <a> tags if mkt_tok is present in the url search string. adds a listener to a.tracklink so when it's clicked it fires a munchkin visitwebpage to Marketo. You can then use the visited webpage filter for everyone who's visited "/email-visit-click"

                                      • Re: Bot or Not? – Are you suffering from ‘bot clicks’?
                                        Sanford Whiteman
                                        1. Visit Web Page uses async XHR by design, so you can't make this event finish before the person navigates away from the page.
                                        2. This requires an additional interaction with the page, which means it isn't tracking the page view only.
                                        3. Why even bother with this, as the click event is already going to be logged as a Clicked Link which can be constrained by Web Page?

                                         

                                        People seem to think this is easy to solve using only the tools available in the browser. It's not.

                                          • Re: Bot or Not? – Are you suffering from ‘bot clicks’?
                                            Jay Jiang

                                            Just replying to Dan's post..

                                            But now that we're faced with a third variable - and since Marketo doesn't support conditional "choice" logic (where we would need a second level choice of "clicked link on specific web page") - we're kinda stuck. Heck, there's not even a choice that allows you to select the link constrained by a web page.  I believe Sanford has been toying with a custom activity that would identify when all three of these actions have occurred, but nothing's been published as of yet.

                                            1. Checking the network traffic in chrome, the custom munchkin event does fire and the made up page is also pre-populating in visited webpage dropdowns in Marketo

                                            2. This is just a suggestion to which the goal was to track 1. Email click -> 2. Visited webpage -> 3. Clicked link on webpage. But all in one session starting with the email click.

                                            3. Again, this would let you track 1, 2, and 3 above without worrying about historical click activities. Plus I suppose it'd make things easier because you can just listen for a single visited webpage activity

                                              • Re: Bot or Not? – Are you suffering from ‘bot clicks’?
                                                Sanford Whiteman

                                                1. Checking the network traffic in chrome, the custom munchkin event does fire and the made up page is also pre-populating in visited webpage dropdowns in Marketo

                                                You haven't tested this sufficiently. The definition of an async XHR is that it cannot be guaranteed to finish before the page unloads. Sometimes an XHR will complete, sometimes not. Network conditions, the speed of the subsequent page's TTFB, and browser heuristics are all involved. That uncertainty is not up for debate, it's been understood for like 15 years now, and it's the reason that the alternative Beacon API exists (in some browsers, unfortunately not all). Munchkin doesn't use beacons unless you use my adapter but even so will never work in Safari and IE.

                                                 

                                                2. This is just a suggestion to which the goal was to track 1. Email click -> 2. Visited webpage -> 3. Clicked link on webpage. But all in one session starting with the email click.

                                                If you change the goal to "There must be a deliberate human interaction after the pageview" that's a new goal, and you don't need to do a fake Visit Web Page for for that. But we can't keep moving the goalposts of what a Click Email represents, or used to represent!

                                                 

                                                3. Again, this would let you track 1, 2, and 3 above without worrying about historical click activities. Plus I suppose it'd make things easier because you can just listen for a single visited webpage activity

                                                You can already listen for a single Click Link activity constrained by the web page, which will always be logged for the same click event you're adding a second event listener for. I'm not understanding what else you get from a fake Visit Web Page, even if it were made reliable.

                                          • Re: Bot or Not? – Are you suffering from ‘bot clicks’?
                                            Grégoire Michel

                                            Hi Dan,

                                             

                                            You can use smart list and "member of smart list" in your choices if you need some advanced logic.

                                             

                                            -Greg

                                      • Re: Bot or Not? – Are you suffering from ‘bot clicks’?
                                        Frank Elley

                                        Here's another place where this can bite you: reports. We email a daily "known visitors" and a weekly "anonymous visitors" report for specific geos/segments to the relevant sales teams. After a nurture or promotional email drops, the sales team sees a "too good to be true" surge of visitors from some accounts. So many things are wrong at this point. First, the sales team wastes time getting excited about a sudden spike in interest from an account that turns out to be a waste of time. This in turn damages the credibility of these reports (and thus of Marketo and Marketing Ops in general). And worse, as you can imagine, the sales teams who really embrace these reports are of course the most effective and good partners for marketers; so it's doubly a shame when these reports send false positives. Would also love to see some schematics or smart list/flow screenshots that give us a head start. These metrics are still useful, so we haven't discontintinued the reports; but you really just can't tell your sales team "don't believe them under XX conditions until we have time to re-rationalize them."

                                        • Re: Bot or Not? – Are you suffering from ‘bot clicks’?
                                          Danielle Chan
                                          The test was using a Smart Campaign that was listening to page visits and email delivery.

                                           

                                          how exactly did you set this test up?

                                          • Re: Bot or Not? – Are you suffering from ‘bot clicks’?
                                            Dezie Okpoebo

                                            I have also experienced this, and while I can't speak to the percentage of clicks that were "false" as I haven't run that full research, it has caused us many issues; Sales reps following up on false leads, bad & misleading reporting, etc. The solution highlighted above is a good one, but as some have noted, bots can also "view webpages." We were also having a hard time when we simply sent people to a pdf from an email. You can't see webpage visits to a pdf, unfortunately.


                                            So we implemented a honeypot to our emails. A honeypot is also seen as bait for a bot that humans cannot see or click. We added a 1x1 pixel image that blended into either the header or the footer of our emails and hyperlinked it to a specific page. Now a human cannot see that link and therefore will not click the link, but bots will click every link within an email (as far as I know). We then created a smart list of clicks to that honeypot link, and used that to suppress the bots from reporting, Salesforce, interesting moments, lead scoring, you name it. I've heard back from Sales reps that the leads they are seeing have all improved significantly since we implemented the honeypot.

                                            4 of 4 people found this helpful
                                            • Re: Bot or Not? – Are you suffering from ‘bot clicks’?
                                              Rafael Santoni

                                              What did you do when you say at the end...

                                               

                                              "Now all was left for us to do is to add a few Smart Campaigns to neutralize the Bots and stop them from disrupting the scoring system, the interesting moments and all reporting.

                                              We now have a Bot system running in the background making sure all our numbers are correct and not just making us look good."

                                               

                                              Did you manage to make the Marketo native reports be accurate by excluding the bots, or are you now reporting using a different system/method?

                                              • Re: Bot or Not? – Are you suffering from ‘bot clicks’?
                                                Raj Jain

                                                Yes we were recently affected by bot activity that hijacked our Marketo form. Fortunately, the bot was using the same IP each time so I set a flow step to block the activity based on IP.