Email clicks from the firewall

When we shared our study on email marketing practices of 6,000 US ecommerce companies with several thousand digital marketing experts in 2016, we discovered surprising results after an in-depth examination of the click response: Almost half of the clicks were measured in the first few seconds after the technical send out. And those clicks often appeared “in bulk”: They concentrated on a small number of companies. Apparently within those companies every single recipient had shown click activity (our target list contained up to five contacts per company). This response behaviour didn’t appear realistic to us. We decided to get to the bottom of the phenomenon.

Our research revealed that in the last few years, organisations with their own mail server have not only enhanced their spam defence systems regarding the precision of the filter algorithms, but also upgraded their methods. Traditionally, most security modules on the server side only make use of powerful anti-spam rule engines and blacklists in the cloud that are fed with new patterns and rules for detecting phishing mails by security experts from around the world day and night. For database queries you only need the URL in the email – so you definitely do not have to click the links automatically.

For spammers, a phishing domain unmasked like that is already problematic for a trivial reason: The development of a spam or phishing offer simply requires time and effort. Therefore, when spammers and phishers realize that their URL has been unmasked, they don’t start all over but rather disguise the URL. The easiest way to do that is using a shortening service like Bitly or TinyURL. Sometimes they also use a new, unspoiled domain. In both cases, you can’t find any content under the new URL but are rather forwarded to another address via HTTP 301 or HTTP 302. In order to get to the address with the content, the security module has to act like a browser: it opens the link and tracks all forwards. That is how the automatic click is generated.

In the arms race between phishers and security experts, whole forwarding networks have been created on one side, and on the other sophisticated defence algorithms like the patented “multilevel intent analysis” developed by the security company Barracuda. According to the patent, at least one link per mail is opened.

B2B mailings particularly affected

The patented algorithm matches the observation described at the beginning: Numerous company servers clicked the first link in every email. If the email delivery takes place via B2B platforms like Marketo, Eloqua, Salesforce Pardot or Hubspot, where every response signal influences the scoring, this can lead to distortions of lead scores and result in the wrong conclusions for lead nurturing. In the end, sales representatives are surprised at “marketing qualified leads” that, in spite of high lead scores and the alleged buying interest related to them, turn out not to be interested during the personal conversation.

Image: yapanda / 123rf.com

Why click rates are distorted in B2B delivery scenarios but not with B2C mailings can be easily explained. For large ISPs like Gmail, Yahoo and co., there is no “internal” phishing risk. Phishing mails end up in the private mail client and can “only” potentially damage smartphones, PCs or bank accounts of the users. The direct damage caused by careless clicking in B2B mails is significantly higher, because here, the phisher acts in the company network that normally is sealed off. If he can make employees open compromising links, he can potentially smuggle in malware and steal valuable data. Drastic examples like the theft of the RSA secret key by spear phishers or the attacks on the White House show the potential that targeted spear phishing attacks bear. Motivated by the higher profit, spear phishers act even more cleverly than classical mass phishers. They deliberately spy on employees and draw up detailed social engineering strategies.

Self-help for email marketers: Minimize and filter automated clicks

Even today, email service providers (ESPs) are reluctant to install filter mechanisms for automated “fake” clicks in the reporting modules of their platforms. But with a few measures, email marketers can help themselves:

Filter click rates

Not every highly responsive recipient is really interested. Automated clicks can be recognized by the following correlative characteristics:

Opens and clicks occur only a few seconds after the physical send out of the mail
For all recipients of the same mail server, one open and click indicator is disclosed

Wait

If after the first automated click, further click events follow, the latter probably are real interactions. The information about real opens is not lost. In the email campaign mentioned in the beginning, recipients opened 16% of the checked emails once more. In the system, this is detectable as a second opening.

Avoid link shorteners

Not every email scanner is strictly configured. Some only open links of known link shorteners or give an alert when the title of the link does not correspond to the linked URL. Ideally, you should avoid everything that could be interpreted as a spoofing measure. The domain or subdomain defined for link tracking should be trustworthy, that is, its name should have a clear connection to the sending company and it should ideally belong to the sender.

Consider a multi-step unsubscribe process

A negative side effect of automated clicks is the danger of accidental unsubscribes from the mailing list when a “one click” opt-out process is implemented. Even list-unsubscribe headers can be affected by automated clicks. This side effect incited Gmail and Optivo to start the initiative Hercula-Oneclick. The method described in an RFC includes an additional parameter that can only be set by the mail client. An opt-out is only valid in combination with the parameter. Involuntary unsubscribes would be easily identifiable like that. Regular unsubscribe processes should never be implemented as “one click” processes, but require an “okay” on a landing page.

Is more pressure on the email service providers helpful?

Even though there have been reports on automated clicks for ten years, ESPs are reluctant to implement explicit configuration methods for cleaning up the click rate. We are wondering whether it would be helpful to put more pressure on email service providers, e.g. by sending more requests or posting reports in blogs of the sector. Which experience do you have with automated clicks? How do you handle them? Which solutions does your ESP offer?