Barracuda filters clicking all links

Earlier this month I mentioned that a number of people were seeing issues with multiple links in emails being clicked by Barracuda filters. I invited readers to contact me and provide me with any information or evidence they had. Not only did a number of senders contact me, but one of the support reps at Barracuda also contacted me.
At issue is a part of the Barracuda email filter call the intent filter. There are 3 different modules to this filter.

  • Intent analysis – Markers of intent, such as URLs, are extracted and compared against a database maintained by Barracuda Central.
  • Real-Time Intent Analysis – For new domain names that may come into use, Real-Time Intent Analysis involves performing DNS lookups against known URL blocklists.
  • Multilevel intent analysis – Use of free websites to redirect to known spammer websites is a growing practice used by spammers to hide or obfuscate their identity from mail scanning techniques such as Intent Analysis. Multilevel Intent Analysis involves inspecting the results of Web queries to URLs of well-known free websites for redirections to known spammer sites.

According to Barracuda support it is the multilevel intent analsysis module responsible for clicks on links. From the behavior descriptions I’ve seen from different people, it appears at least some ESP click tracking domains are included in the “redirectors” category.
Barracuda recommends users keep both settings on, and each setting is defaulted to on. Barracuda users can access the configuration panel through  Basic -> Spam checking -> Intent.
There are a couple things that senders should remember when considering the impact on their email marketing programs.

  1. This behaviour is not going to change engagement rates as calculated at ISPs. Barracuda is a filter that’s used primarily at businesses and unlike ISPs, businesses (and the filters directed at that market) don’t include engagement in their delivery decision making process.
  2. This behaviour may affect one-click unsubscribe links. If clicking the link in an email automatically processes the unsubscribe, then Barracuda may unsubscribe users without their knowledge.
  3. This behaviour may affect opt-in confirmation links.

Marketers can prevent accidental unsubscribes by adding a confirm button on the visited web page and requiring a second click before processing the unsubscribe.
Confirmations are a little more difficult, as senders really do want to keep the transaction as low friction as possible. Adding a confirm button may result in people abandoning the confirmation process.
Auto clicks may be identifiable because all or most of the links in an email are clicked. Many marketers track how active a link is and links that are not often clicked may be markers for auto clicks. Another suggestion some senders are trying is to set up a “stealth” link, that human readers won’t see or click on but that parsing software might. Clicks on that link are a sign that the click was not done by the recipient.
While right now this appears to be limited to Barracuda filters, I expect more filters will adopt this behaviour over time. Some ISPs may even start following links to some URLs. This is one of those cases where the anti-virus technique is actually not a bad practice, even when it creates issues for senders. I recommend senders put some thought into how to identify auto-clicks and compensate for them in statistics and engagement measures.

Related Posts

Unsubscribe rates as a measure of engagement.

Over at Spamtacular Mickey talks about the email marketers’ syllogism.

  1. Anyone who doesn’t want our mail will opt-out.
  2. Most people don’t opt-out.
  3. Therefore, most people want our mail.

This clearly fallacious reasoning is something I deal with frequently with my clients, particularly those who come to me for reputation repair. They can’t understand why people are calling them spammers, because their unsubscribe rates and complaint rates are very low. The low complaints and unsubscribes must mean their mail is wanted. Unfortunately, the email marketers’ syllogism leads them to faulty conclusions.
There are many reasons people don’t opt-out of mail they don’t want. Some of it may be practical, the mail never hits their inbox, either due to ISP level filters or their own personal filters. Some people take a stance that they do not opt out of mail they did not opt-in to and if they don’t recognize the company, they won’t opt-out.
In any case, low levels of opt-outs or even this-is-spam hits does not mean that recipients want that mail. The sooner marketers figure this out, the better for them and their delivery.

Read More

Yahoo changes

Thanks to tips by a couple blog readers and some clients, I have been looking into Yahoo disabling links in the bulk folder. It does appear Yahoo is no longer allowing users to click on links in emails that Yahoo places in the bulk folder.
In fact, some of the spam in my Yahoo mailbox even has a notice about this.

Read More

Bad unsubscribe processes

We recently renewed our support contract with VMWare. It’s a weirdly complicated system, in that we can’t buy directly from VMWare, but have to buy through one of their resellers. In this case, we purchased the original hardware from Dell, so we renewed our contract through Dell.
Dell sends my email address over to VMWare as part of the transaction.
My only role in this is as CFO. I approve the purchase and pay the bill. I don’t do anything technical with the license.
The email failures start when VMWare decides that I need to receive mail about some user group meetings they’re holding all over the US. First off, I’m not the right person to be sending this mail to inside our company. I’m the billing contact, not the user contact. Then, they send me mail about meetings all over the US, when they know exactly where I’m located. Would it be so hard to do a semi-personalized version that highlighted the meetings in my local area then pointing out the other locations? Apparently, yes, it is so hard.
The biggest failures, though are in the unsubscribe process.
unsubscribe option
The unsubscribe page is no big deal. I get to unsub from all VMWare communications, and submit that request without having to figure out what my VMWare password is or anything.
After I hit submit, I’m taken to this page.
VMWareThank you
Wait? What?
“Thank you for registering?” I didn’t register! I don’t want you to contact me. Plus, this is a HP co-branded page when I’m not a customer of HP. VMWare knows this, they know they got my address from Dell.
The biggest problem is that I’m not sure that my address was actually unsubscribed. I suspect that someone copied a form from elsewhere on the site to use as an unsubscribe form. This person forgot to change the link after the “submit” button was clicked. But what else did they forget to change? Is the unsubscribe actually registered in the database?
I suppose only time will tell if VMWare actually processed my unsubscribe. If they didn’t they’re technically in violation of CAN SPAM.
The lesson, though, is someone should check unsubscribe forms. Someone in marketing should own the unsubscribe process, and that includes confirming that unsubscribe pages work well enough.

Read More