The next evolution in email click bots: exploitive bots pretending to be engaged subscribers

May 14, 2019 | 5 minute read
Chad S. White
Head of Research, Oracle Digital Experience Agency

Bots are having a profound effect on how the internet functions and may even outnumber people on some platforms like Twitter. Email marketing is not immune to click bots, with the newest activity being from bots that mimic human subscribers in order to collect information to power data service businesses.

“We’ve been seeing more email click bot activity with some of our clients,” says Heather Goff, strategic director of deliverability services at Oracle Marketing Cloud Consulting. “In one case, we had a retailer with transactional email behavior from 7,000 recipients that could not have been organic human behavior. It’s likely that lots of brands have no idea it’s going on if they aren’t looking closely enough.”

The problem with these kinds of email click bots is that they create activity that inflates performance numbers and causes false positives that trigger automated campaigns and muddy targeting efforts. All in all, they simply make it more difficult to see how subscribers are truly responding. That can cause brands to make tactical or strategic changes that serve bots rather than actual subscribers.

We’ll explore these bots in more detail, but let’s do so in the broader context of all email click bots. We think of these bots as falling into three categories, with each one requiring its own potential remedies:

1. Beneficial email click bots

These bots are helpful and positive contributors. For example, some email click bots scan every link for malware before passing the email along to the intended recipient.

“Most beneficial bots clearly announce themselves,” says Kent McGovern, senior strategic consultant of deliverability services at Oracle Marketing Cloud Consulting. “That makes these the easiest to address.”

“The vast majority of email service providers—including Oracle Responsys, Oracle Eloqua, and Oracle Bronto—have some processes in place to filter bot-related clicks,” he says, “so brands don’t need to take additional action. ESPs can filter by IP after doing a WHOIS lookup to determine the IP network owner and they can also filter by user-agent string.

“What makes things hard is that not all bots identify themselves,” says Kent. “The rDNS for the signup IP may not point to an obvious filtering company like Barracuda or McAfee. Instead, it may point to a network provider like Microsoft or a security company like Palo Alto Networks.”

Most of the bots that don’t identify themselves fall into one of the two remaining email click bot categories.

2. Malicious email click bots

These bots are harmful by design. They are created to explore, discover, and exploit vulnerabilities.

During the second half of 2016, Spamhaus blocklisted many well-known, popular brands because malicious bots entered the email addresses of tons of unwilling people into the brands’ open email signup forms. As a result, brands flooded those people’s inboxes with emails.

In the wake of those bot attacks, Dan Deneweth, head of deliverability services at Oracle Marketing Cloud Consulting, advised brands to protect themselves by...

  1. Adding CAPTCHA to all web-based email signup forms.
  2. Adopting a confirmed opt-in (COI) permission standard.
  3. Adding a hidden form field to all web-based signup forms.
  4. Tracking the source of signups closely.
  5. Creating a “new registrant, non-responder” rule.
  6. Implementing an alert system for spikes in the number of email registrations.
  6. Implementing an alert system for spikes in the number of email registrations.
  7. Applying segmentation criteria to limit the volume of email you send to unengaged subscribers.

For a full discussion of each of those, read Spamhaus Risk and the Future of Email Acquisition.
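To make items 3, 4, and 6 of that list concrete, here is an added example (not code from Oracle or from the original post) that rejects signups whose hidden field was filled in and raises a per-source alert when hourly registrations jump far above their recent baseline. The field name `website`, the source names, the thresholds, and all sample data are assumptions constructed for illustration.

```python
from statistics import median

HONEYPOT_FIELD = "website"  # hypothetical hidden field; hidden with CSS so people never fill it

def honeypot_hit(form):
    """True when the hidden field came back non-empty, i.e. a script filled every input."""
    return bool(form.get(HONEYPOT_FIELD, "").strip())

def spike_alerts(series, window=6, k=5.0, floor=20):
    """Flag hours whose signup count exceeds median + k*MAD of the trailing window.

    Median/MAD keeps one attack hour from inflating the baseline used for the
    hours that follow it. Returns [(hour_index, count, baseline_median), ...].
    """
    alerts = []
    for i in range(window, len(series)):
        base = series[i - window:i]
        med = median(base)
        mad = median(abs(x - med) for x in base) or 1.0  # avoid a zero-width band
        if series[i] >= floor and series[i] > med + k * mad:
            alerts.append((i, series[i], med))
    return alerts

# Constructed hourly signup counts, kept per acquisition source (item 4).
HOURLY_SIGNUPS = {
    "footer_form": [12, 9, 11, 14, 10, 13, 12, 240, 11, 260],
    "checkout_optin": [30, 28, 33, 31, 29, 35, 32, 34, 30, 31],
}

# Constructed form submissions; the second one filled the hidden field.
FORMS = [
    {"email": "person@example.com", "website": ""},
    {"email": "listed@example.net", "website": "http://example.org"},
]

def review(hourly=HOURLY_SIGNUPS, forms=FORMS):
    """Return (addresses rejected by the honeypot, spike alerts per source)."""
    rejected = [f["email"] for f in forms if honeypot_hit(f)]
    alerts = {src: spike_alerts(counts) for src, counts in hourly.items()}
    return rejected, alerts

if __name__ == "__main__":
    print(review())
```

Because the baseline is a median rather than a mean, the second burst at hour 9 is still flagged even though the first burst at hour 7 sits inside its trailing window.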

The newest email click bots fall into a category that lies between beneficial and malicious.

3. Exploitive email click bots

These bots can be unintentionally harmful. These email click bots are created by competitive intelligence services, ‘smart seeds’ from inbox monitoring services, and similar services that use the bots to collect data that is then sold.

As mentioned earlier, the biggest problem caused by exploitive email click bots is that they mess up your email performance data and targeting. They can make it difficult to see what your subscribers are actually doing, which makes it difficult to determine how to respond.

“One of our consumer packaged goods clients had issues with this last year,” says Wade Hobbs, senior consultant of strategic services at Oracle Marketing Cloud Consulting. “Since their model is content discovery and recipe curation rather than direct-to-consumer retail, they were most worried about the impact on content measurement and reporting. We rebuilt their reporting to use unique opens and clicks to reduce the bots’ ability to materially impact content performance metrics. When the click bots represent a small percentage of total contacts, this can be a simple and effective fix.”

In other cases, when bot activity affects unique metrics more strongly, that hasn’t been enough.

Bradford Johnson, senior director of strategic services at Oracle Marketing Cloud Consulting, says, “We recently identified several hundred potential email click bots for a client when leveraging a highly predictive machine learning model we built for targeting. Digging in to explore our click-bot suspicions, we looked at non-human activity related to frequency, timing, sequence, source, and more.”

When Oracle Marketing Cloud Consulting’s Strategic Services team works with clients to address email click bot activity, we typically pass these suspect records and suspicious patterns to the client for their IT and security teams to vet and address.
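As an added illustration of the frequency, timing, sequence, and source signals mentioned above, the following sketch scores each recipient's clicks on one campaign and lists those that trip at least two signals. It is example code written for this page, not the machine learning model the team describes; the thresholds, the scanner network range, and the click log are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

LINKS_IN_EMAIL = 6                           # links in the constructed campaign
SCANNER_NETS = [ip_network("192.0.2.0/24")]  # assumed range (RFC 5737 documentation block)

# Constructed click log: (recipient, seconds after delivery, link position, source IP)
CLICKS = [("r-1001", 2 + i // 2, i + 1, "192.0.2.15") for i in range(6)] + [
    ("r-1002", 9730, 3, "198.51.100.7"),
    ("r-1002", 9835, 1, "198.51.100.7"),
    ("r-1003", 6, 2, "203.0.113.9"),
]

def score_recipients(clicks, links_in_email=LINKS_IN_EMAIL):
    """Return {recipient: [signal, ...]} for one campaign's click events."""
    by_rcpt = defaultdict(list)
    for rcpt, delay, link, ip in clicks:
        by_rcpt[rcpt].append((delay, link, ip))
    report = {}
    for rcpt, rows in by_rcpt.items():
        rows.sort()  # chronological, ties broken by link position
        delays = [r[0] for r in rows]
        links = [r[1] for r in rows]
        gaps = [b - a for a, b in zip(delays, delays[1:])]
        signals = []
        if delays[0] < 10:                       # first click within seconds of delivery
            signals.append("timing")
        if len(set(links)) == links_in_email:    # every link in the email was clicked
            signals.append("frequency")
        if len(links) >= 3 and max(gaps) <= 1 and links == sorted(links):
            signals.append("sequence")           # top-to-bottom, at most 1 s apart
        if any(ip_address(r[2]) in net for r in rows for net in SCANNER_NETS):
            signals.append("source")             # click came from a listed network
        report[rcpt] = signals
    return report

def suspects(report, min_signals=2):
    """Recipients with enough independent signals to hand over for vetting."""
    return sorted(r for r, s in report.items() if len(s) >= min_signals)

if __name__ == "__main__":
    result = score_recipients(CLICKS)
    print(result, suspects(result))
```

Requiring two or more signals keeps a person who simply opens the email quickly (r-1003 in the sample) out of the suspect list.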

“For the ones that the client is concerned about, we remove them from performance reporting,” says Bradford. “We also recommend removing them from their active mailing list, either by unsubscribing or suppressing them. If a client does unsubscribe them, we recommend applying a distinct reason code that identifies them as click bots.”

Along with periodic checks to address email click bot activity, we also recommend some structural and operational changes to deter bots. To augment the CAPTCHA placed on email signup forms, brands should consider adding reCAPTCHA v3 across their sites’ pages and using it to trigger security confirmation emails to accounts that are suspected of being bots.

Brands should also consider moving to unique coupon codes that are tied to individual subscribers. This helps reduce coupon abuse and discourages bots since coupon codes are a favorite target of bots.

In the years ahead, bots will help people become more productive and help businesses serve customers better. But bots will also be used nefariously and for exploitive purposes. If you’ve never examined your email list for bots before—especially if you still have open email signup forms that aren’t protected by CAPTCHA or a confirmed opt-in process—it’s likely time to do so. You might find that some of your most active subscribers are actually unwanted bots.


Need help with your email deliverability? Oracle Marketing Cloud Consulting has more than 500 of the leading marketing minds ready to help you to achieve more with the leading marketing cloud, including a dedicated email deliverability practice within our Strategic Services Group.


Chad S. White is the Head of Research at Oracle Digital Experience Agency and the author of four editions of Email Marketing Rules and nearly 4,000 posts about digital and email marketing. A former journalist, he’s been featured in more than 100 publications, including The New York Times, The Wall Street Journal, and Advertising Age. Chad was named the ANA's 2018 Email Marketer Thought Leader of the Year. Follow him on LinkedIn, Twitter, and Mastodon.
