The Next Evolution in Email Click Bots: Exploitive Bots Pretending to Be Engaged Subscribers
Bots are having a profound effect on how the internet functions and may even outnumber people on some platforms like Twitter. Email marketing is not immune to click bots, with the newest activity being from bots that mimic human subscribers in order to collect information to power data service businesses.
“We’ve been seeing more email click bot activity with some of our clients,” says Heather Goff, Strategic Director of Deliverability Services at Oracle Marketing Cloud Consulting. “In one case, we had a retailer with transactional email behavior from 7,000 recipients that could not have been organic human behavior. It’s likely that lots of brands have no idea it’s going on if they aren’t looking closely enough.”
The problem with these kinds of email click bots is that they create activity that inflates performance numbers and causes false positives that trigger automated campaigns and muddy targeting efforts. All in all, they simply make it more difficult to see how subscribers are truly responding. That can cause brands to make tactical or strategic changes that serve bots rather than actual subscribers.
We’ll explore these bots in more detail, but let’s do so in the broader context of all email click bots. We think of these bots as falling into three categories, with each one requiring its own potential remedies:
1. Beneficial Email Click Bots
These bots are helpful and positive contributors. For example, some email click bots scan every link for malware before passing the email along to the intended recipient.
“Most beneficial bots clearly announce themselves,” says Kent McGovern, Senior Strategic Consultant of Deliverability Services at Oracle Marketing Cloud Consulting. “That makes these the easiest to address.”
“The vast majority of email service providers—including Oracle Responsys, Eloqua, and Bronto—have some processes in place to filter bot-related clicks,” he says, “so brands don’t need to take additional action. ESPs can filter by IP after doing a WHOIS lookup to determine the IP network owner and they can also filter by user-agent string.
“What makes things hard is that not all bots identify themselves,” says McGovern. “The rDNS for the signup IP may not point to an obvious filtering company like Barracuda or McAfee. Instead, it may point to a network provider like Microsoft or a security company like Palo Alto Networks.”
Most of the bots that don’t identify themselves fall into one of the two remaining email click bot categories.
2. Malicious Email Click Bots
These bots are harmful by design. They are created to explore, discover, and exploit vulnerabilities.
During the second half of 2016, Spamhaus blacklisted many well-known, popular brands because malicious bots entered the email addresses of tons of unwilling people into the brands’ open email signup forms. As a result, brands flooded those people’s inboxes with emails.
In the wake of those bot attacks, Dan Deneweth, Head of Deliverability Services at Oracle Marketing Cloud Consulting, advised brands to protect themselves by…
- Adding CAPTCHA to all web-based email signup forms.
- Adopting a confirmed opt-in (COI) permission standard.
- Adding a hidden form field to all web-based signup forms.
- Tracking the source of signups closely.
- Creating a “new registant, non-responder” rule.
- Implementing an alert system for spikes in the number of email registrations.
- Applying segmentation criteria to limit the volume of email you send to unengaged subscribers.
For a full discussion of each of those, read Spamhaus Risk and the Future of Email Acquisition.
The newest email click bots fall into a category that lies between beneficial and malicious.