Email clicks from the firewall

When, in the middle of last year, we promoted our study on the email marketing of 6,000 US e-commerce companies with an email campaign to several thousand digital marketing professionals, a close look at the click response revealed something astonishing: almost half of the clicks were made within seconds of the technical dispatch. And these clicks often appeared "clustered": they were concentrated on a small number of companies. In these companies, apparently all recipients had shown click activity (our mailing list contained up to five contacts per company). This response behavior did not seem realistic to us. We decided to get to the bottom of the phenomenon.

On the trail of phishers

Our research revealed that, in recent years, organizations with their own mail server have upgraded their spam prevention systems not only in the precision of the filter algorithms but also in method. Traditionally, most server-side security modules rely only on powerful anti-spam rule engines and blacklists in the cloud, which security experts from all over the world feed around the clock with new patterns and rules for detecting phishing emails. Querying such a database requires only the URL from the email, so the link does not have to be laboriously clicked by machine.

A phishing domain unmasked in this way is a problem for spam senders, if only for a trivial reason: developing a spam or phishing offer takes work and time. If spammers and phishers discover that their URL has been unmasked, they do not redo everything from scratch but obscure the URL instead. The easiest way is to obfuscate it with a shortening service such as Bitly or TinyURL. Sometimes a new, unencumbered domain is used as well. In both cases, there is no content under the URL. Instead, it redirects to another address via HTTP 301 or HTTP 302. To reach the content address, the security module must act like a browser: it opens the link and follows all redirects. This is how the automatic click is created.

In the course of the arms race between phishers and security experts, entire forwarding networks were created on the one hand and sophisticated defense algorithms on the other hand, such as the patented “multi-level intent analysis” by security company Barracuda. According to the patent, at least one link from every email is opened.

B2B mailings particularly affected

The patented algorithm is consistent with the observation described above: various company servers clicked on the first link in every email. If emails are sent via B2B platforms such as Marketo, Eloqua, Salesforce Pardot and Hubspot, where every response signal is included in the scoring, this can lead to falsified lead scores and corresponding lead nurturing errors. In the end, sales staff are surprised by “marketing qualified leads” who, despite high lead scores and thus purported buying interest, turn out to be uninterested in a personal conversation.

There is a simple reason why click rates are falsified in B2B delivery scenarios, but not in B2C mailings. There is no “internal” phishing risk for major ISPs such as Gmail, Yahoo and Co. The phishing emails end up in the private email client and potentially “only” damage users' smartphones, PCs and bank accounts. The direct damage caused by careless clicks in B2B emails is disproportionately greater, because this is where the phisher operates inside the otherwise isolated corporate network. If he manages to persuade employees to open compromising links, he may be able to inject malware and steal valuable data. Drastic examples such as the theft of the RSA secret key by spear phishers or attacks on the White House show the potential of targeted spear phishing attacks. Motivated by higher loot, spear phishers are trickier than classic mass phishers. They specifically spy on employees and develop detailed social engineering strategies.

Self-help for email marketers: Minimize and filter machine clicks

To this day, email service providers (ESPs) have been reluctant to incorporate filtering mechanisms for machine “fake” clicks into their platforms' reporting modules. However, email marketing managers can help themselves with a few steps:

1. Filter click rates

Not every recipient who appears responsive is actually interested. Machine clicks can be identified by the following characteristics occurring together:

  • Opens and clicks occurred within a few seconds after the respective email was physically sent
  • An open and/or click indicator is shown for all recipients of the same mail server

2. Wait

If further click events follow the first automatic click, those later events are likely to be real interactions. This is because information about real accesses is not lost. In our email campaign mentioned above, recipients themselves opened 16% of the checked emails again. In the system, this can be read as a second open.
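
The two characteristics from step 1 and the "later events are real" rule from step 2, as an added example that is not part of the original article. The 10-second window, the minimum of two recipients per domain, the function names and the sample data are assumptions made for illustration; the mail domain stands in for "same mail server".

```python
from collections import defaultdict
from datetime import datetime, timedelta

def classify_events(sends, events, window=timedelta(seconds=10), min_rcpts=2):
    """Label each (recipient, time) event as 'machine' or 'human'.

    sends:  {recipient: send time}; events: [(recipient, event time), ...]
    window and min_rcpts are assumed thresholds, not values from the article.
    """
    # Group the mailed recipients by mail domain (proxy for "same mail server").
    by_domain = defaultdict(set)
    for rcpt in sends:
        by_domain[rcpt.rsplit("@", 1)[1].lower()].add(rcpt)

    # Recipients whose earliest event fell within `window` of their send time.
    first = {}
    for rcpt, ts in sorted(events, key=lambda e: e[1]):
        first.setdefault(rcpt, ts)
    fast = {r for r, ts in first.items() if ts - sends[r] <= window}

    # Both characteristics must hold: every recipient of the domain reacted fast.
    scanned = {d for d, rcpts in by_domain.items()
               if len(rcpts) >= min_rcpts and rcpts <= fast}

    labelled = []
    for rcpt, ts in events:
        domain = rcpt.rsplit("@", 1)[1].lower()
        in_window = ts - sends[rcpt] <= window
        label = "machine" if domain in scanned and in_window else "human"
        labelled.append((rcpt, ts, label))
    return labelled

def human_clickers(labelled):
    """Recipients with at least one event not attributed to a scanner."""
    return {rcpt for rcpt, _, label in labelled if label == "human"}

# Constructed sample data: one send at 09:00, four recipients on two domains.
SENT = datetime(2024, 1, 1, 9, 0, 0)
SENDS = {r: SENT for r in ("a@corp.example", "b@corp.example",
                           "c@shop.example", "d@shop.example")}
EVENTS = [
    ("a@corp.example", SENT + timedelta(seconds=2)),   # scanner
    ("b@corp.example", SENT + timedelta(seconds=3)),   # scanner
    ("a@corp.example", SENT + timedelta(hours=2)),     # later, real click
    ("c@shop.example", SENT + timedelta(seconds=4)),   # fast, but d never clicked
]

if __name__ == "__main__":
    for row in classify_events(SENDS, EVENTS):
        print(*row)
```

A fast click alone is not enough to discard an event: `c@shop.example` stays "human" because the domain-wide pattern is missing.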

3. Avoid link shorteners

Not every email scanner is strictly configured. Some simply open links from known link shorteners, or raise an alarm when the title of the link does not match the linked URL. It is best to avoid anything that can be interpreted as a concealment measure. The domain or subdomain defined for link tracking should be trustworthy, i.e. have a clear conceptual connection to the sending company and ideally belong to the sender.

4. Consider a multi-stage unsubscription process

An unpleasant side effect of automated clicks is the risk of unintentional unsubscriptions from the mailing list when a “one-click” opt-out process is implemented. Even list-unsubscribe headers could be affected by automatic clicks. This side effect is one reason for Hercula-Oneclick, an initiative by Gmail and Optivo. The method, described in an RFC, provides an additional parameter that can only be set by the mail client. A deregistration is only valid in combination with the parameter. Accidental cancellations would thus be easily identified. Regular unsubscription processes should never be implemented as a “one-click” process, but should require an “okay” on a landing page.
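
A sketch of an unsubscribe endpoint that follows both rules above, as an added example that is not part of the original article. It assumes the RFC meant is RFC 8058, where the mail client sends an HTTP POST whose body is `List-Unsubscribe=One-Click`; the function names, the HMAC token scheme, the demo key and the `confirm=okay` form field are hypothetical.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

SECRET = b"constructed-demo-key"  # placeholder; a real deployment loads its own key

def make_token(rcpt):
    """Opaque per-recipient token placed in the unsubscribe URL (assumed design)."""
    return hmac.new(SECRET, rcpt.encode(), hashlib.sha256).hexdigest()

def handle_unsubscribe(subscribers, method, rcpt, token, body=""):
    """Return (status, action); mutate `subscribers` only on a valid opt-out."""
    if not hmac.compare_digest(token.encode(), make_token(rcpt).encode()):
        return 403, "rejected"
    if method == "GET":
        # Link scanners fetch URLs with GET: serve the landing page, change nothing.
        return 200, "show-confirm-page"
    if method == "POST":
        form = parse_qs(body)
        one_click = form.get("List-Unsubscribe") == ["One-Click"]  # set by mail client
        confirmed = form.get("confirm") == ["okay"]                # landing-page button
        if one_click or confirmed:
            subscribers.discard(rcpt)
            return 200, "unsubscribed"
        return 400, "missing-parameter"
    return 405, "method-not-allowed"

def demo():
    """Constructed walk-through: scanner GET, bare POST, then mail-client POST."""
    subs = {"a@corp.example"}
    tok = make_token("a@corp.example")
    results = [
        handle_unsubscribe(subs, "GET", "a@corp.example", tok),
        handle_unsubscribe(subs, "POST", "a@corp.example", tok),
    ]
    still_subscribed = "a@corp.example" in subs
    results.append(handle_unsubscribe(subs, "POST", "a@corp.example", tok,
                                      "List-Unsubscribe=One-Click"))
    return results, still_subscribed, subs

if __name__ == "__main__":
    print(demo())
```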

Does more pressure on email service providers help?

Although machine clicks have been reported time and again for ten years, ESPs are reluctant to implement explicit configuration options to clean up the click rate. We ask ourselves whether it helps to increase pressure on email service providers, for example in the form of increased inquiries or reports in industry blogs. What is your experience with machine clicks? How do you deal with that? What solutions does your ESP offer?
