The Great Spam Click Bot War
Over the past year, we’ve all seen erratic click activity on our emails, caused apparently by Email Security Servers like Barracuda clicking on one or more links. The link test is to verify that a link or visible URL, is in fact, safe to click for a human to prevent phishing scams.
This spam bot scanner protects many of us at home and work, so it’s not going away anytime soon. If anything, we should expect a bot to attempt to verify links are safe for people.
Except that for us marketers, we can no longer trust Open and Click data at all. One day it’s 3.5% and the next it’s .4%. How is a marketer to know if a real person engaged with our email or not? Click scoring is broken and we have a false sense that our emails are working.
There are methods to attempt to combat this, however, none of them are satisfactory to us. Here is our 5-Step Solution to solve this in Marketo:
Summary
- Reducing Clicks Link Scoring: Change your scoring to once per hour or once per day.
- The Stealth Bait Link: Embed a hidden “fake link” that if clicked, you’ll know it was the work of a bot.
- Smart List Exclusions: Create a list to exclude the people who clicked on the fake link.
- External Data Tool: Leverage a tool that can track the timing of the clicks – something that is not as easy to accomplish with a Smart List.
- Reporting: Email Performance reports aren’t reliable, so you’ll need to add smart lists to filter out those bot clicks to evaluate your email metrics.
Identifying the Problem
Kiersti Esparaza of Marketo summarized how Spam Bots work. There are also a few threads you should review:
One of the issues MAP users have is that we want to wrap our links in trackable redirects. And so do phishers – they use bit.ly or other fake links to make you think it’s ok to click. What you’ll see in Marketo when you investigate lists of people who clicked on your Stealth Bait Link or have Opened+Delivered at the same time. But Marketo won’t let you use that header info and it’s not consistent enough.
Essentially what you see in Marketo and most MAPs is an Email Delivered+Opened (or Clicked) at the same time stamp in the log. You will also see bots click unusual links like “Legal” “TOS” or all social links. In some cases, the bot clicks every single link.
The challenge, however, is there isn’t a functional tool to say “Show me people who clicked every single link in this email, or recent emails.” You can try with Clicked Link in Email, but you will only capture a small portion of total spam bots.
And then what happens if the Spam Bot clicks on links, then passes the email to a Human, who does click it too? Combing through log entries is very time consuming!
5 Potential Solutions for False Click Links in Email
1. Reducing Clicks Link Scoring
If you haven’t already, I recommend reducing your Clicks Link in Email scoring flow to Once per Hour or Once per Day. This should prevent most spam bots from causing more than a few false MQLs. You can also add a Smart List (below) like “Exclude clicks on the Bait Link” to further reduce the problem.
This won’t be perfect. It’s a start.
2. The Stealth Bait Link
The most common solution is to embed a “fake link” that is hidden except to a bot that scans the HTML. If the link is clicked, then we know the subsequent clicks from that email address are fake today. There are a few caveats:
- Marketo installed this at the bottom of every email automatically. They say they exclude some clicks after this link is clicked, however, we haven’t seen much improvement with this alone.
- Text Emails – you can’t have this fake link in a text-only version because it will be weird to the person or placed poorly. We recommend removing it to avoid someone actually using it.
- Where does the link go to? We set up a special page and form in case a real person clicked. What we saw is that sometimes a bot will actually fill out the prefill form, so best to use not pre-fill. It’s rare, but it happens.
- The Hidden URL may be viewed as a Scam by some spam filters since that was a common way to fool spam scanners and then later show a malware link if the person downloaded the right colors. I personally haven’t seen this happen or affect deliverability. Certainly a risk.
3. Smart List Exclusions
It is challenging to do this without serious data tools that aren’t in any MAP. Some options:
- Exclude people who click on your Bait Link
- Exclude people who click on the Legal or Social Links (who does anyway?)
- Include only Clicks with Opens.
- Exclude Delivered+Opened (or Clicked) in the same minute. (This is a strong candidate but requires external tools).
Email Was Delivered + Visited Page
This one is questionable in our book. Here’s why it should work, but doesn’t:
Most spam bots will click the link, registering in Marketo. But they rarely create a Visited Web Page activity because they won’t load the page fully (or the Munchkin).
Except that I’ve seen a lot of bots fully load the page, creating such a Visited Web Page log entry.
Instead, we came up with a method where the Human visits that page and now has to Click a Download Button on the Page to cause a Clicked Link in Web Page and get the PDF. Of course, this creates a long click path, deterring many humans. So this isn’t an ideal path either.
4. External Data Tool: The Openprise Method
This is a variation on what Marketo should do on the backend – figure out click timing and common data points and exclude clicks that fit a pattern. Instead, we have to rely on data extraction methods with tools like Openprise to achieve this.
Essentially, you want to identify the situation where someone clicks on specific links, all the links, or clicks at the same time as Delivered. That’s not easy to do with a Smart List. It is easy for other types of data tools. Once identified, Openprise can pass back to Marketo a value such as “Known Spam Bot User” which you can then use to exclude those people from Reports.
The caveat here is that spam bots may not be active for an email box 100% of the time and may not always click in the same way. You may find as your reputation improves, spam bots don’t click as often. Thus, you should consider refreshing this data periodically.
5. Reporting
For lack of tools, your Email Performance reports are now not so trustworthy. You can add some of the smart lists above to filter out the CTR, however, it will never be 100% accurate again. Email Insights also lacks tools to filter out potential bot clicks. And if you exclude spam bots, you are also throwing off your other metrics like Delivered, Opened, and Unsubscribed since you aren’t including those people in the report.
Best Solution
The single best solution I can think of is to ask people to reply to the email for the whitepaper or registration. Instead of relying on a human, use a tool like Siftrock or Conversica to manage replies automatically and send requested content back automatically. The risk here is many people will not want to reply, lest they become enmeshed in a sales conversation before they are ready. But those that do–those are real people!
The Bot War Continues
The war against the bots is ongoing. Tackling takes time and money. If you are uncertain what is your best option. Etumos can help you determine what is the best fit and help with integration.
Rolf says
We received complains from newsletter readers “I don’t get the weekly newsletter since a while. What’s wrong?” We dug into the case and learned that his employer installed an e-mail-security-bot. This bot clicked all links in the newsletter, also the “unsubscribe” link. How would you handle such cases?
Josh Hill says
Oh that’s really interesting. If your unsub link is “click to unsubscribe” where no form fill is required, that would be difficult. You should force a form fill.
I have seen some bots press the form submit, but that’s rare.
sue says
Using captcha on your unsub link will solve this problem.