Suped

What could cause unusual click activity concentrated on a single link in an email campaign, primarily from Amazon EC2 IPs?

Summary

Unusual click activity concentrated on a single link, predominantly from Amazon EC2 IPs, likely stems from a combination of automated security measures, bot activity, and email client behavior. Security solutions, including those from email providers like Gmail and Microsoft Safe Links, actively scan and rewrite URLs for malicious content, often utilizing AWS infrastructure. These scans, along with bot management tools (Cloudflare, Akamai) and evolving bot mitigation efforts, contribute to artificial clicks. Bot traffic itself can skew metrics, especially if targeting specific vulnerabilities. Additionally, prefetch clicks and changes in email client security protocols play a role. Analyzing IP addresses, MX records, and the link's attributes helps pinpoint the source and nature of the activity.

Key findings

  • Automated Security Scans: Email providers and third-party security solutions actively scan links for malicious content, generating artificial clicks concentrated from Amazon EC2 IPs.
  • Bot Traffic and Mitigation: Bot activity can inflate click-through rates, and evolving bot mitigation efforts can lead to increased interactions from identified bots.
  • Prefetch Clicks: Email clients may pre-emptively load links in the background, resulting in multiple clicks.
  • Infrastructure Origin: Amazon EC2 provides virtual servers used by various services to scan links in emails.
  • URL Rewriting: Email security solutions rewrite URLs as part of their validation process, routing them through their servers for analysis.

Key considerations

  • IP Address Analysis: Investigate the IP addresses associated with the clicks to determine the source of the activity.
  • MX Record Evaluation: Check MX records to identify if the issue is related to specific email providers.
  • Link Attribute Review: Examine the specific link being clicked for suspicious attributes.
  • Security Protocol Changes: Consider recent changes in email client security protocols or bot mitigation efforts.
  • Vulnerability Assessment: Assess whether the specific link is being targeted due to a perceived vulnerability.
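The IP address analysis described above can be run directly over an export of click events. The following is an added example, not code from Suped or any vendor named on this page: the click log, the field layout and the CIDR ranges are constructed (documentation prefixes arranged in the layout of AWS's published ip-ranges.json), and the thresholds are assumptions to tune.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample in the layout of AWS's published ip-ranges.json;
# the prefixes are documentation ranges, not real AWS allocations.
AWS_RANGES = {"prefixes": [
    {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "203.0.113.0/25", "region": "eu-west-1", "service": "EC2"},
    {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "S3"},
]}

# Constructed click log: (source IP, recipient address, clicked link).
CLICKS = [
    ("198.51.100.14", "ann@corp-a.example", "https://news.example/offer"),
    ("198.51.100.77", "bob@corp-a.example", "https://news.example/offer"),
    ("203.0.113.9", "cy@corp-a.example", "https://news.example/offer"),
    ("198.51.100.201", "dee@corp-b.example", "https://news.example/offer"),
    ("203.0.113.200", "eve@mail.example", "https://news.example/offer"),
    ("192.0.2.10", "fay@mail.example", "https://news.example/blog"),
    ("203.0.113.130", "gus@mail.example", "https://news.example/blog"),
]

def ec2_networks(ranges):
    """Keep only the prefixes tagged with the EC2 service."""
    return [ipaddress.ip_network(p["ip_prefix"])
            for p in ranges["prefixes"] if p["service"] == "EC2"]

def is_ec2(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def summarize(clicks, ranges):
    """Count EC2 vs other clicks per link, and EC2 clicks per recipient domain."""
    nets = ec2_networks(ranges)
    per_link = defaultdict(lambda: {"ec2": 0, "other": 0})
    ec2_domains = Counter()
    for ip, rcpt, link in clicks:
        if is_ec2(ip, nets):
            per_link[link]["ec2"] += 1
            ec2_domains[rcpt.rsplit("@", 1)[1].lower()] += 1
        else:
            per_link[link]["other"] += 1
    return dict(per_link), ec2_domains

def suspect_links(per_link, min_clicks=3, min_ec2_share=0.8):
    """Links whose clicks come mostly from EC2 (thresholds are assumptions)."""
    return sorted(link for link, c in per_link.items()
                  if c["ec2"] + c["other"] >= min_clicks
                  and c["ec2"] / (c["ec2"] + c["other"]) >= min_ec2_share)

if __name__ == "__main__":
    links, domains = summarize(CLICKS, AWS_RANGES)
    print(suspect_links(links), domains.most_common())
```

The recipient domains with the most EC2-sourced clicks are the ones whose MX records are worth checking, since a shared mail filtering provider would explain the concentration.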

What email marketers say

7 marketer opinions

Unusual click activity concentrated on a single link, originating primarily from Amazon EC2 IPs, can be attributed to several factors related to automated security measures, bot traffic, and email client behavior. Security protocols, such as automated click protection and link scanning by email providers and security services, generate artificial clicks while assessing URLs for malicious content. Furthermore, bot traffic, actively targeting vulnerabilities, and prefetch clicks, where email clients load links preemptively, can inflate click counts. Evolving bot mitigation efforts and aggressive email verification also contribute to this phenomenon.

Key opinions

  • Automated Security Scans: Email providers and security services actively scan links for malicious content, creating artificial clicks concentrated from specific IP ranges like Amazon EC2.
  • Bot Traffic: Bot activity can significantly inflate click-through rates, particularly if bots are targeting specific URLs or if bot mitigation efforts have evolved.
  • Prefetch Clicks: Email clients loading links in the background for faster browsing can result in multiple, potentially misleading, clicks.
  • Evolving Mitigation: Email providers are getting better and more aggressive at scanning and verifying emails.

Key considerations

  • Security Protocol Changes: Changes in email client security protocols or the introduction of new security features may trigger increased link scanning.
  • Vulnerability Exploitation: The single link experiencing high click activity may be targeted due to a perceived vulnerability.
  • Bot Detection: Implementing robust bot detection and mitigation strategies is crucial to accurately interpret email campaign performance.
  • Internal Filtering: Internal security policies and scanners may pre-emptively click links.

Marketer view

Email marketer JohnS, a Marketing Forum user, suggests that email providers are actively scanning links for malicious content. A surge in clicks from AWS IPs could be a new security feature that is scanning and validating links.

28 Mar 2023 - Marketing Forum

Marketer view

Email marketer from Litmus shares that automated click protection mechanisms used by email providers can generate artificial clicks. Security protocols sometimes prefetch or scan URLs, which may manifest as concentrated click activity from particular IP ranges.

10 Oct 2023 - Litmus

What the experts say

5 expert opinions

Unusual click activity concentrated on a single link, primarily originating from Amazon EC2 IPs, points towards automated security measures and potential third-party involvement. Analyzing the IPs reveals the source of activity, which is likely security software or third-party threat monitoring services rewriting URLs for scanning and validation. Examining MX records and the specific link's attributes can help pinpoint if the issue is related to specific email providers or a suspicious link. The activity indicates aggressive link scanning by security tools.

Key opinions

  • IP Analysis: Checking IP addresses associated with the clicks is essential for identifying the source.
  • Third-Party Threat Monitoring: The use of Amazon EC2 IPs suggests a potential third-party threat monitoring or filtering service.
  • Aggressive Link Scanning: Security software and automated tools rewrite and scan URLs, leading to concentrated click activity.
  • URL Rewriting: URLs are rewritten as part of the email security solutions' validation process.

Key considerations

  • MX Record Analysis: Checking MX records can determine if the issue is specific to certain email providers.
  • Link Attribute Examination: Examining the specific link being clicked for suspicious attributes is crucial.
  • Security Software Configuration: Check if security software configurations are causing the unusual click activity.

Expert view

Expert from Email Geeks suggests that, based on the Amazon (EC2) IPs, a potential third-party threat monitoring or filtering service is involved.

6 Jul 2023 - Email Geeks

Expert view

Expert from Email Geeks suggests checking the IP addresses associated with the clicks to identify the source of the activity.

2 Sep 2021 - Email Geeks

What the documentation says

5 technical articles

Unusual click activity concentrated on a single link in an email campaign, originating primarily from Amazon EC2 IPs, is likely due to automated security scans and bot management tools. Amazon EC2 provides the infrastructure for running security tools and custom scripts, including those used by email providers like Gmail and Microsoft (Safe Links) to scan links for malicious content. Security solutions such as Cloudflare's bot management and Akamai's web application firewall also prefetch and analyze URLs, generating clicks as part of their security process.

Key findings

  • EC2 as Infrastructure: Amazon EC2 provides virtual servers used to run security tools and custom scripts that automatically interact with links in emails.
  • Email Provider Security: Email providers like Gmail and Microsoft (Safe Links) scan links for phishing and malicious content as a standard security measure. These scans may originate from their servers, utilizing cloud infrastructure like AWS.
  • Bot Management Tools: Bot management tools from vendors like Cloudflare and Akamai prefetch and analyze URLs, generating clicks as part of their automated security process. This includes web application firewalls (WAFs) with bot management features.
  • URL Rewriting: Microsoft Safe Links rewrites URLs to check their validity.

Key considerations

  • Security Implementation: Assess whether the click activity is due to legitimate security measures implemented by email providers or third-party security solutions.
  • False Positives: Consider the possibility of false positives, where legitimate links are flagged and repeatedly scanned by security tools.
  • Configuration: Review the configuration of security tools and settings.

Technical article

Documentation from Microsoft explains that the Safe Links feature in Microsoft Defender for Office 365 rewrites URLs in incoming email messages. When a user clicks a link in a message, the URL is checked before the site is opened. If the URL is found to lead to a malicious website, the user is taken to a warning page. This scan will register as a click.

25 Jan 2022 - Microsoft Documentation

Technical article

Documentation from Google Support shares that Gmail's built-in security features may scan links in emails to protect users from phishing or malicious content. These scans can originate from Google's servers, which sometimes utilize cloud infrastructure, potentially including AWS.

1 Feb 2022 - Google Support
