Identifying False Positives in Email Clicks
Introduction
Email servers use a variety of tools to prevent delivery of spam messages. Some of these tools will result in inflated, atypical, or suspicious clickthrough data on your Sent Message reports. For example, if your customers use Barracuda Email Security Suite (ESS), it will scan incoming emails and click the first link in each message you send to them. ESS does not identify itself as an email security system (most similar products do), so Act-On does not automatically exclude these clicks.
Typical spam appliance clickthrough activities:
- High number of clickthroughs on a sent message, often for contacts on the same email domain
- Clicks occurring all at the same time, often just after the message was sent
- Clicks all on the same link (the first link in your message, often the "View in Browser" link)
- Clearly incorrect click data
Investigate MX Records
If you have the Data Studio add-on feature, you can pull a report that shows the IP addresses recorded for your email clicks. Follow the steps below to use this report to confirm whether these clicks are coming from a security provider.
- Use Nslookup in your command line/terminal (Windows steps here) to verify the MX record information
- When prompted, add the IP address and domain name of the customer responsible for the clicks (available from a Data Studio export on the Email Messages data set)
- Check the data that comes back - it should include the name and information for the security provider
- For example, clicks from Barracuda include .ess.barracudanetworks.com
Ignore Scanner's IP Addresses
To exclude the false clicks from your email reports, go to Settings > Other Settings > Internal IP Addresses and add the security system's IP addresses. This setting will result in the Sent Message report ignoring clicks associated with these IPs moving forward.
Making this change will not remove the email clicks from existing reports. It only affects reports moving forward.
Common IP Addresses to Ignore
Barracuda ESS
Barracuda US instance - ignore both of the following IP address ranges:
- 64.235.144.0-64.235.159.255
- 209.222.80.0-209.222.87.255
The range 64.235.144.0-64.235.159.255 is automatically ignored for all accounts created after May 2017.
Barracuda UK instance
- 35.176.92.96-35.176.92.127
Barracuda DE (Germany) instance
- 35.157.190.224-35.157.190.255
Palo Alto Networks
- 65.154.226.100
- 65.154.226.101
- 65.154.226.109
- 65.154.226.159
- 65.154.226.220
Others
These IP addresses have been associated with abnormal click activities in the past:
- 196.16.0.0-196.19.255.255
- 34.192.0.0-34.255.255.255
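The following Python sketch is an added example, not Act-On code. It checks click records against the ranges listed above and flags the burst pattern described under "Typical spam appliance clickthrough activities". The record field names, the 60-second window and the three-click threshold are assumptions, and the sample rows are constructed.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

# Ranges copied from the lists on this page, kept in the page's start-end form.
SCANNER_RANGES = {
    "Barracuda ESS (US)": ["64.235.144.0-64.235.159.255", "209.222.80.0-209.222.87.255"],
    "Barracuda ESS (UK)": ["35.176.92.96-35.176.92.127"],
    "Barracuda ESS (DE)": ["35.157.190.224-35.157.190.255"],
    "Palo Alto Networks": ["65.154.226.100", "65.154.226.101", "65.154.226.109",
                           "65.154.226.159", "65.154.226.220"],
    "Others": ["196.16.0.0-196.19.255.255", "34.192.0.0-34.255.255.255"],
}

def to_networks(spec):
    """Turn 'a.b.c.d' or 'start-end' into a list of CIDR networks."""
    first, _, last = spec.partition("-")
    start = ipaddress.ip_address(first.strip())
    end = ipaddress.ip_address(last.strip()) if last else start
    return list(ipaddress.summarize_address_range(start, end))

NETWORKS = [(name, net) for name, specs in SCANNER_RANGES.items()
            for spec in specs for net in to_networks(spec)]

def scanner_for(ip):
    """Return the label of the listed range that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in NETWORKS if addr in net), None)

def burst_domains(clicks, sent_at, window=timedelta(seconds=60), min_clicks=3):
    """Recipient domains with >= min_clicks on one link within window of the send."""
    counts = Counter()
    for c in clicks:
        if timedelta(0) <= c["time"] - sent_at <= window:
            counts[(c["email"].rsplit("@", 1)[-1].lower(), c["link"])] += 1
    return sorted({domain for (domain, _), n in counts.items() if n >= min_clicks})

# Constructed sample rows; field names are assumptions, not the Data Studio schema.
SENT_AT = datetime(2024, 1, 10, 9, 0, 0)
def _row(email, ip, link, secs):
    return {"email": email, "ip": ip, "link": link, "time": SENT_AT + timedelta(seconds=secs)}

SAMPLE = [
    _row("a@example.com", "64.235.150.7", "view-in-browser", 4),
    _row("b@example.com", "64.235.150.9", "view-in-browser", 5),
    _row("c@example.com", "209.222.82.14", "view-in-browser", 6),
    _row("d@example.org", "203.0.113.25", "pricing", 7200),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r["email"], r["ip"], scanner_for(r["ip"]) or "no listed range")
    print("burst domains:", burst_domains(SAMPLE, SENT_AT))
```

A match against a listed range is a reason to run the MX check described earlier, not proof that the click came from a scanner.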
Comments
Note: We added a feature to allow you to stop recording "view in a browser" links as clicks.
https://connect.act-on.com/hc/en-us/community/posts/360035928313-Recent-product-updates-re-cap-from-September-26-Webinar
Why wouldn't you have these IP addresses automatically suppressed in the tool for everyone? Is there anyone who would actually WANT to see these clicks show up in their reports?
Hi Tami, thanks for asking. In short, these IP addresses are suggested to suppress because we've seen a pattern of bot-like behavior, but it's ultimately a guessing game. Most of these email filter companies change IPs and do not publish the ranges that they use, so there's always a chance these are not all associated with bots. So it's something we encourage but want to be sure we're flexible to allow you to add or remove as you wish.