If you’re a B2B marketer, then email marketing must be one of your main channels, which means you use one kind of ESP or MAP system like Marketo or another to execute on it. In that case, you may have heard about an emerging, fearsome enemy: email security bots. These bots form parts of security systems used by increasingly more companies to secure their email transport against various threats. Such bots click each link in emails sent to the domain they protect in order to verify them before marking them as either safe for internal delivery or flagging them as spam.

In case the full meaning hasn’t sunk in, I’ll repeat, in capital letters:


At this point, you’re supposed to go like:


The implications are quite significant, but first, let’s isolate the issue and make sure we fully understand it.

What are email security bots

Email security bots are a feature of email security software or online services, like Barracuda. They are automated scripts that, much like search engine spiders, crawl through each inbound email and ‘click’ each link in the email to ensure it does not constitue a threat.

It is unclear how widely spread is the use of such bots. While researching for this  post (because we’re serious publishers, yessir we are) we ran extensive searches and found very few direct references to the issue, which may be indicative of its novelty. Phrases like ’email security bot clicks’ and ’email click bots’ yielded almost no helpful results.

What are the implications of email click bots

For marketing automation experts, this is quite a headache. Bot clicks:

  1. Mess up your metrics, obviously. Especially if your database includes multiple recipients from the same organization.
  2. Create false positive triggers for action-based marketing programs. For example, let’s say you send a series of emails, and you either stop or enable the next step based on the recipient’s interaction. Fake bot clicks will mess it up.
  3. Fu** up your phased lead nurture program. Some marketers like to deploy sophisticated lead nurture programs, where leads are promoted from one stage to the other based on email engagement.
  4. Will make you look really good, until the questions start.

How to tell your campaigns are being affected by email click bots

This issue has been reported by marketers who noticed a surge in email click metrics. After the initial giddiness with the results, these marketers also noticed one or more of the following behaviors (hat tip Idan Hershkovich for sharing a few of these from his valuable experience):

  • in the activity log timeline of the recipient, within Marketo for instance, a click event will be registered prior to a delivery event
  • many clicks by email addresses from the same company or domain
  • very rapid consecutive clicks reported by the system for the same recipient
  • high volume of clicks occuring within the first minute of an email going out

The best method we’ve heard of so far, which we were tipped off on by marketing sorceress Yifat Danieli, is to ‘listen’ to clicks on a dummy link, e.g. a link colored in white which the user isn’t expected to see, or otherwise on a real link that she expects no clicks on (like the G+ social button, because who ever clicks it, sorry Google), which she includes in her emails. Once a click is recorded on this link, she immediately knows a bot is implicated.

How to minimize click bot damage

Here’s a few measures you can take to reduce the effect of email click bots, should you feel it. Note that some of the tips refer to Marketo, so if you’re using another system, then shame on you, and we trust you’ll be able to make the necessary adaptations.

1. Don’t rely on plain email stat reports

Seriously, don’t. First of all, they mean little, because what you should care about is the real goal of the program: to drive sign-ups; to increase registrations; to bump cold leads for inside sales treatment, or otherwise any other meaningful, lead-lifecycle-changing eventuality. But if you do need to use email stats, and begin to notice exceptional metrics in your programs, dig in a little bit and look for the signs we noted above for email click bot activity.

Note that cleaning out your reports from suspicious clicks may or may not be possible, depending on the system you use and its reporting features.

2. Use smart lists in your reaction workflows

When analyzing campaign effects or otherwise setting up triggerss for secondary campaigns that rely on email click triggers, make sure to filter out suspicious bot activity. Leverage the indicative bot patterns we mentioned about. Below is a Marketo filter example you might use:

Filter 1: selects recipients of the specific emails.
Filter 2: selects those who did not click the email 5 times or more
Filter 3: selects those who did not click the specific “link bait”
Logic between the filters: 1 and (2 or 3)


Example of a Marketo smart list to filter out false positive email engagements

3. Use triggers to populate program statuses, filtering out suspect recipients

Marketo has super useful mechanisms for reporting on program results, and they can be easily filtered to remove records potentially ‘smeared’ by bot activity. Design your channel tags and program steps to reflect your program’s funnel, and apply filters like the above when triggering them.

4. Minimize your use of email clicks as a trigger for meaningful program decisions

Many marketeres use lead nurture flows that take into account specific clicks on contents linked in emails to trigger actions such as: sending the person to another stream; applying a score increase, removing them from the program; sending internal alerts, and so forth.

Since bot clicks are in essence false positives, ignoring them puts your programs at risk of causing completely wrong flows to take place. For example, let’s say you have a flow that responds to a click by alerting your inside sales team that the lead is now actively reading his email and therefore should be approached more directly, e.g. via a personal email or, if your organization is that aggressive, a phone call. You can imagine the result of sending such alerts based on false alarms…


Have you noticed bot activity in your reports or logs? let us know in the comments, and include any additional useful tips and strategies for dealing with this rather phenomenon.

Top photo credit: peace6x @flickr

Join the conversation! 10 Comments

  1. Very interesting article since I was just searching the web for “Mysterious Clicks in Emails”. I think we may be encountering this issue so thank you for the insight!

  2. We are seeing this and are having a few issues with using the above solutions. Instead of every link being clicked like we have seen in the past, only one link will be clicked. A bunch of clicks will come in from one company and every from that company will only click our logo, they are not clicking at the same exact time but there is a few minutes in between.

    We’ve tried using the hidden link in our testing with a few companies that were known to use bots and no one clicked the hidden link. Scratching our heads over here, any other tips/ tricks would be great!

    • That’s a head scratcher alright. seems like very sophisticated bot activity. I’m still waiting for ESP and MA vendors to pay more attention to this issue.

  3. Thank you for this article! I asked Marketo about this but their response contained no solution or suggestion for how to solve it. Your suggestion of a hidden link sounds like the way to go – thanks again!

  4. This is a GREAT post, thanks. We’ve been struggling with this for at least a year now, and so far haven’t gotten anywhere (other than sending separate emails to domains where we suspect there are these kinds of bots, so we can exclude those sends from our results). Hopefully a real solution soon…

  5. Hello, we saw better results that seemed less bot like when we used two filters (vs. triggers) to look for both Click Activity and a Registered Web Page Visit to the page clicked.

  6. We are currently experiencing this problem with HubSpot. There has been a surge in false positives recently which is impacting on our workflows. We rely on the clicks as you said to take people down the funnel.

  7. It’s a relief to finally see someone really talking about this problem. It’s been an issue for me for years, across multiple platforms. I currently use the hidden link method to catch the bots, but find that it’s not really reliable. Sometimes the bot click surge just hits another link instead of the hidden one. I’ve also dived deeper into specific users’ logs and found many instances of people bot-clicking the hidden link, but then showing real activity later on. It’s really wrecking our reporting abilities and the ability to do action-based behavioral campaigns. Total bummer.

  8. Has anyone found anything relevant in google analytics? I found when the bots were clicking from one particular company all clicks started registering from Oslo Norway. I stop tracking clicks from this city.

    This is specific to just one company. Has anyone seen any similar patterns?


Leave a Reply

Your email address will not be published. Required fields are marked *

About Idan Carmeli

A B2B marketing veteran with a penchant for the written word and a geeky fascination with technology. Through Converto, a marketing services agency he's founded, Idan combines his professional passions to deliver the benefits of marketing automation to B2B organizations large and small, especially through intelligent, well crafted lead nurturing programs.


Lead-Nurturing, Marketing Automation, Useful