What are email click bots? Is your click data in danger?

It seems simple: you put together an email campaign, send it out, and watch the click data pour in.

You can count on the fact that the click data you are watching and analyzing (aggregate counts, percentages, WHO is clicking, heatmaps, etc.) is representative of a real person that is interacting with your super well thought out email marketing campaign, right?

Wrong. 

When I first started managing email campaigns, I was fixated on one thing: the click-through rate. I’d pore over the numbers, interpreting every rise as a victory and every dip as a sign that something needed fixing. I assumed these clicks were a direct reflection of my audience’s engagement. But as I dove deeper into the world of email marketing, I learned something that turned my understanding on its head: not all clicks are created equal. In fact, some of them aren’t even human.

So what is this additional force at work?

In short, it’s email bots clicking links in emails as a security measure.

What is an email click bot?

An email click bot is a program that automatically clicks on links within emails to determine if they are safe or not, preventing spam from reaching the recipient’s inbox. However, this can affect metrics such as email clicks, as it may appear that recipients are interacting with the email when it is actually the anti-spam filter doing the clicking.

“A bot-click is just that: a click generated by a bot. A bot can be any type of computer program that performs automatic operations on behalf of another user or system. In an email ecosystem, these robots read email to assess the validity and trustworthiness of the content. Part of this process may be following the links. As these robots do their work, they generate “clicks” on the links in your email. Those clicks show up in your overall metric reporting.  Depending on how the robots are configured and installed, the severity of this can range from negligible to “oh my gosh, what on earth happened here?!?!?”

– Paul Christmann, Chief Innovations Officer of rasa.io

What is the difference between an email spam bot vs an email click bot?

Email spam bots and email click bots are two different types of bots that can affect your email marketing metrics.

Email spam bots are designed to send spam emails to a large number of email addresses. They can be used to spread malware, phishing scams, or other types of malicious content. Email spam bots can also be used to inflate email marketing metrics such as open rates and click-through rates by artificially generating clicks on links in emails. This is also also known as ad fraud. 

On the other hand, email click bots are designed to click on links in emails as a way to explore, find, and exploit potential vulnerabilities, as mentioned previously. 

What are email security gateways?

Email security gateways, or email security systems, or email spam filters, are just a few of the common terms for the services that organizations employ in order to scan their inbound email content for viruses and other IT security threats.

These solutions typically consist of several technologies working together to enforce a set of rules around inbound email. 

One of these ways for these software technologies to “scan” incoming emails is by clicking on the links within the emails with these email security bots.

And in some cases, these click bots can do a lot of clicking.

So much so that each link in an email to one user could be clicked, for example, five times within just a minute of receipt of that email, that’s a lot of fake clicks.

What types of emails do these spam filters impact?

The short answer is all of them.

Bot activity affects the big players in the email space like Mailchimp and Sendgrid all the way down to mom-and-pop email service providers. Mailchimp says this about users who notice sky-rocketing click rates: “Unfortunately, there’s no way for us to see if a link has been clicked by a spam filter or your intended recipient, but if you see an unusually high number of clicks from a single domain, it’s likely to be a spam filter.” 

And this is not a data and analytics problem that will disappear soon.

These software providers are gaining popularity as they become less expensive and easier to implement. Of course, these services are ultimately performing essential and much-needed functions to eliminate IT threats, but they give email senders far and wide quite the headache. 

What does this mean for interpreting my click data?

Keep in mind that even though it might be tempting, filtering out what you think are from suspect IP addresses and/or domains entirely from your email analytics reports could cause you to be throwing the baby out with the bathwater, so to speak. 

That is, you might be ignoring some real, natural click data as a result.

Furthermore, any IP address associated with these spam filter clicks will constantly be in flux and never published for certain. These providers want their services to continue to perform as under the radar as possible. 

Case Study: The Bot Menace

A client recently changed their sending domain to a brand-new, never been warmed up but fully authenticated domain.  Here is a graph representing just their bot-generated clicks over the course of 4 sends.

At steady state, they generally average around 10,000 bot clicks per send.  On the 2 sends after they sent with a brand-new domain, the bot clicks skyrocketed to a peak of 90,000, before returning to steady state levels. 

The rapid return to steady state levels along with steady “non-bot” clicks suggest that after 2 weeks of sends, the Microsoft detection services reached a conclusion that the email from this new sending domain could be trusted, and no longer needed the same level of evaluation.

This case illustrates two important points about the volume of bot clicks that might exist in your data:

  1. Know your “steady state”: This client normally receives around 5,000 “valid” clicks a day.  At steady state, their bot-click traffic represented a doubling of their “real clicks”.  That is their norm, and what they expected to see.  Consider this in your email metrics – even when everything appears steady and normal, are you seeing what you expect to see?
  2. Isolating bot clicks in analytics: The impact of a change in the email ecosystem can be massive.  In 2 weeks, the click volume rose by an order of magnitude and then disappeared.  This leads to the “What on earth did we do right?  Or wrong?”  By isolating these clicks in analytics, we could observe a normal volume of clicks, indicating that overall deliverability and engagement remained the same.

We have found the timing of click traffic to be a clear indicator of whether a click originated from a human or a bot. Many bot providers will scan emails and generate clicks on all of the links within a split second.

– Paul Christmann, CIO of rasa.io

This chart below shows the inbound click count by second for the client referenced above. Within 30 seconds after the send of the email, inbound clicks were arriving at a rate of approximately 1000 per second. This spike tailed off rapidly, and within 4 minutes of the delivery clicks were back to “normal”.  That rapid pace of traffic is a clue that something is generating traffic (even though we would all LOVE to believe that our readers respond that quickly to our emails, the reality is they aren’t THAT quick!)

How rasa.io tackle bot clicks

With rasa.io’s Suspect Click feature, the bot clicks that muddy the waters of your email newsletter are filtered out. Using artificial intelligence to handle bot activity in email campaigns. Our AI system expertly sifts through email interactions, separating genuine human engagement from automated bot activity. This feature is already enabled across their entire account for consistent filtering.

All in all?

At rasa.io, we recommend a few things to any email sender in order to get a better grasp of what their reports are telling them:

  • Observe your marketing email metrics: pay more attention to unique click rates over total click rates, as the validity of the total rates is the greatest victim of a security spam filter
  • Validate the click data: validate the click data on links to your own website content by looking at Google Analytics and other website analytics reports. Google Analytics likely will not register any corresponding bot traffic from these artificial clicks. However, you do need to be wary of discrepancies between analytics tools and email tool dashboard data: whereas your email service might have higher than normal numbers because of email security gateways, tools like Google Analytics often underreport data due to a few factors, including analytics opt-out tools, and their inability to thoroughly track traffic from all email browsers.
  • Ask the right questions: Your email service providers will likely have some insight as to how they identify and treat bot activity.

If you’ve got any questions about email data or sending a more successful email newsletter, schedule a demo with us today.

Our users love to brag about the growth of their businesses.

Start seeing better results by sending better emails.

Read more from the Pushing Send Blog!

The Impact of AI Email Marketing

When I first dipped my toes into email newsletters, I thought they were just a fancy way to send out promotions and updates. But, oh, how wrong I was! As someone who’s navigated the ups and downs of digital marketing, I’ve come to appreciate newsletters as much...

Read More