
How to deal with clicks from endpoint protection bots?

pripley
Enthusiast

This isn't strictly a question about Sender Certification but I'm asking here because I understand the Sender Certification includes an integration with Vade and Proofpoint and expect the community here might have some of their usual good insight to share.

We have noticed a big uptick in clicks in emails this year. We have some evidence that a good part of these are coming from endpoint protection systems installed on the recipient ESPs. For example we can see in the MX records that some are configured to point to Barracuda, we believe other bots are from Proofpoint and Checkpoint. We believe these bots are "clicking" the links in the emails, following our clicktracking redirects and landing on the destination site and scanning it for threats. We understand why someone would want to do this but from our point of view it is quite undesirable as it throws off engagement reporting.

Some questions:

1.  Any ideas on how to detect these robotic clicks in order to exclude them from engagement reports?  Our CDN has a bot score function so we are considering acting on that, it would be a bit experimental on our part.

2. Assuming we could identify them would it be wise to either block them or to present a captcha?   We have some fear that blocking them would make us look more suspicious as they would not be able to verify that our landing pages were free from threats.  Perhaps a captcha would also face this risk.

3. Does the participation in the Sender Certification program offer any signal via Vade or any other partner that robotic probes are not necessary?

1 ACCEPTED SOLUTION

JulieS_Validity
Validity Team Member

Hi Pripley,

Excellent questions! You're right to be thinking about experimenting since there isn't one perfect solution to these types of clicks. Most commonly we see companies employ a time-based logic that relies on the speed of the click. A human can't click a link within a few seconds of an email being delivered, so if you see the link(s) are clicked immediately (within 1-5 seconds of delivery), it's safe to assume it's likely not human. To implement this we recommend excluding any click events where the time difference between the "delivered" timestamp and the "click" timestamp is that very small window of time. I recommend starting with the CDN's bot score functionality to see if that has an impact. 

Regarding blocking or adding captcha, I agree, blocking would be risky. If the security system can't verify the links or landing pages, there's a higher risk that they would mark the mail as spam or malicious. Captcha can add a layer of friction that may also result in the security bot failing. That failure could result in marking the email as suspicious as well, ultimately hurting overall deliverability. I strongly support Captcha for humans, but since we know that most large companies utilize things like Proofpoint or Mimecast, it's best left off for that audience. I suggest you focus efforts on removing those clicks from reporting by using the method outlined above or through the CDN's functionality.

Yes, participation in Sender Certification can help reduce bot clicks (may not eliminate them completely) because you're vetted as a qualified sender. By being in the Sender Certification program, you're sending a strong signal that robotic probes are less necessary. 

Hope this helps! 

Julie

 


3 REPLIES

Manuel_Validity
Administrator

Hello @pripley , we've sent your question to one of our SMEs and soon you will receive an answer. Thank you for being a part of this Community!

pripley
Enthusiast

thanks so much!

We do already use some timing measures to filter bot clicks but we do also see a pattern of masses of clicks coming on the top, bottom and quarter hours. We suspect these are scheduled probes, not fired on delivery so harder to spot with an open -> click/click/click filter.
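
An added example, not code from anyone in this thread: a reporting filter that combines the delivered-to-click window from the accepted answer with a check for the quarter-hour bursts described in the last reply. The event field names, the 30-second tolerance around each mark, the three-click burst threshold and the sample log are all assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

FAST_CLICK = timedelta(seconds=5)  # upper end of the 1-5 s window from the accepted answer
MARK_TOLERANCE_S = 30              # assumed: how close to :00/:15/:30/:45 counts as "on the mark"
BURST_MIN = 3                      # assumed: clicks per recipient per mark that suggest a scheduled probe

def on_mark(ts):
    """True when ts is within MARK_TOLERANCE_S of a quarter-hour mark."""
    secs = (ts.minute % 15) * 60 + ts.second
    return min(secs, 900 - secs) <= MARK_TOLERANCE_S

def mark_bucket(ts):
    """Nearest quarter hour, so clicks just before and just after a mark share one key."""
    base = ts.replace(minute=0, second=0, microsecond=0)
    return base + timedelta(minutes=15 * round((ts.minute * 60 + ts.second) / 900))

def classify(events):
    """Label each click event 'bot:fast-click', 'bot:scheduled-burst' or 'human'."""
    bursts = Counter((e["recipient"], mark_bucket(e["clicked"]))
                     for e in events if on_mark(e["clicked"]))
    labels = []
    for e in events:
        delta = e["clicked"] - e["delivered"]
        key = (e["recipient"], mark_bucket(e["clicked"]))
        if timedelta(0) <= delta <= FAST_CLICK:
            labels.append("bot:fast-click")
        elif on_mark(e["clicked"]) and bursts[key] >= BURST_MIN:
            labels.append("bot:scheduled-burst")
        else:
            labels.append("human")  # includes a lone click that happens to land on a mark
    return labels

def t(hms):
    """Constructed sample timestamps, all on one made-up day."""
    return datetime.strptime("2024-01-15 " + hms, "%Y-%m-%d %H:%M:%S")

DELIVERED = t("09:02:10")
SAMPLE = [  # constructed click log, not real data
    {"recipient": "a@example.com", "delivered": DELIVERED, "clicked": t("09:02:12")},
    {"recipient": "b@example.com", "delivered": DELIVERED, "clicked": t("10:14:58")},
    {"recipient": "b@example.com", "delivered": DELIVERED, "clicked": t("10:15:01")},
    {"recipient": "b@example.com", "delivered": DELIVERED, "clicked": t("10:15:03")},
    {"recipient": "c@example.com", "delivered": DELIVERED, "clicked": t("11:30:10")},
    {"recipient": "d@example.com", "delivered": DELIVERED, "clicked": t("13:07:41")},
]

if __name__ == "__main__":
    for event, label in zip(SAMPLE, classify(SAMPLE)):
        print(event["recipient"], event["clicked"].time(), label)
```

The burst rule only fires when several clicks from one recipient straddle the same mark, so a single human click at 11:30 stays in the engagement numbers.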