
By: Casey Grimes on February 27th, 2018

I Want to Believe, but: You Can’t Coast on What You Did for Anti-Spam Measures a Year Ago

Over the past week, we’ve noticed a new pattern “in the wild” in emails sent by two of our clients: anti-spam checkers that fully load pages, JavaScript included. This puts a wrinkle in our previous post about combining the “Email is Delivered” and “Visited Web Page” filters to get more accurate clicks.

This first came to our attention when we saw companies such as eBay and Johns Hopkins showing up as having clicked several links in every email, with pages being visited across multiple records. You’d see patterns such as six people from Johns Hopkins clicking eight links each and visiting every page. Because of this odd behavior, we looked across several different Marketo instances for patterns.

Symantec Connect is one anti-spam provider that appears to have implemented this in the past few weeks. However, it is not always possible to determine from outside traffic what anti-spam measures are being used. When looking at the IP addresses of items that have clicked or visited web pages, though, one pattern stands out: Microsoft Azure, Microsoft’s cloud computing platform, is being used by one or more of these services to check web pages before sending information back to the anti-spam provider. Because real humans would not normally go through Azure, this is a reliable signal that the page is not being visited by a person and should be screened out of activity.

Additionally, when looking into this issue, DemandLab noticed a related trend for companies that host their email through Outlook.com: when an email is clicked and a page is visited, Microsoft Azure will also record a second email click and visit to its own IP.

In this case, the first two activities (46080180 and 46079137) are accurate activities logged to the record’s corporate office, but the next two are directly from Microsoft Azure. Similar behavior, where Outlook.com specifically clicks and visits an email’s Unsubscribe Page, has been recorded regardless of whether the person has clicked on Unsubscribe. However, it’s important to stress that Azure does not fill out any unsubscribe forms; it simply records a visit to the page.

As a result, DemandLab now recommends that any activity from Microsoft Azure servers be screened out from web page visits. Although Azure cannot currently be screened out of other activities (namely “Click Email”), we have an Idea in the Marketo community to address this limitation.

How do I make sure I’m getting accurate Marketo activity?

One of the first steps to take is to ensure that any data being recorded on your website is coming from real traffic rather than a third-party server like Microsoft Azure. If you are using a piece of software such as Google Tag Manager or Tealium to manage where your Marketo tags are deployed, the single easiest thing to do is to simply block Munchkin from loading when a Microsoft Azure IP is detected. This can be done with either Google’s dataLayer or Tealium’s UDO. If you are administering your Munchkin tags more traditionally, you should take a look at using a service such as ipify to check your user’s IP before loading scripts.

Microsoft has a publicly-available list of all IP ranges that are used by Microsoft Azure on their website, but so far we’ve only noticed incorrect Marketo traffic from some IPs starting with 40. If you work with records outside of the United States regularly, you may want to use this entire list of IPs instead.

Note: Do not block all of 40.*.*.*, as this also contains legitimate traffic from other companies and ISPs.

In addition to blocking on the web server side, we recommend blocking on the Marketo side as well. Whenever you need to measure web page activity (whether for clicking on an email or any other purpose), we recommend using “Visited Web Page” and then adding the Client IP Address constraint with “Client IP Address does not start with” set to the following values:

40.64, 40.65, 40.66, 40.67, 40.68, 40.69, 40.70, 40.71, 40.74, 40.75, 40.76, 40.77, 40.78, 40.79, 40.80, 40.81, 40.82, 40.83, 40.84, 40.85, 40.86, 40.87, 40.88, 40.89, 40.90, 40.91, 40.92, 40.93, 40.94, 40.95, 40.96, 40.97, 40.98, 40.99, 40.100, 40.101, 40.102, 40.103, 40.104, 40.105, 40.106, 40.107, 40.108, 40.109, 40.110, 40.111, 40.112, 40.113, 40.114, 40.115, 40.116, 40.117, 40.118, 40.119, 40.120, 40.121, 40.122, 40.123, 40.124, 40.125, 40.126

These are the IP address prefixes that we’ve seen for US-based companies having anti-spam measures via Microsoft Azure. Again, if you handle international records, you may want to add all two-level IP blocks listed on Microsoft’s site.
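One way to apply the same prefix list on the web side before loading Munchkin, as an added example that is not DemandLab's or Marketo's code. The visitor IP is assumed to come from a lookup such as ipify, `loadTag` is a hypothetical callback that injects the Munchkin script, and octets are compared numerically so that 40.72, 40.73 and the rest of 40.* stay unblocked.

```javascript
// Second octets of the 40.x prefixes listed above: 64-71 and 74-126.
// 40.72 and 40.73 are absent from that list, so they are not screened.
const SCREENED_SECOND_OCTETS = [[64, 71], [74, 126]];

// Parse a dotted-quad IPv4 string into four numeric octets, or return null.
function parseIpv4(ip) {
  if (typeof ip !== "string") return null;
  const parts = ip.trim().split(".");
  if (parts.length !== 4) return null;
  const octets = [];
  for (const part of parts) {
    if (!/^\d{1,3}$/.test(part)) return null;
    const n = Number(part);
    if (n > 255) return null;
    octets.push(n);
  }
  return octets;
}

// True when the address falls under one of the screened 40.x prefixes.
// Numeric comparison means "40.7.1.1" can never match the "40.70" prefix.
function isScreenedAzureIp(ip) {
  const o = parseIpv4(ip);
  if (!o || o[0] !== 40) return false;
  return SCREENED_SECOND_OCTETS.some(([lo, hi]) => o[1] >= lo && o[1] <= hi);
}

// Gate for the tag: run loadTag only when the address is not screened.
// Assumption: unparseable input (IPv6, failed lookup) still loads the tag,
// leaving the Marketo-side Client IP Address constraint as the second layer.
function loadMunchkinUnlessScreened(ip, loadTag) {
  if (isScreenedAzureIp(ip)) return false;
  loadTag();
  return true;
}

// Constructed sample addresses (not taken from real traffic).
const SAMPLE_IPS = ["40.77.0.10", "40.72.5.5", "40.7.1.1", "40.127.0.1", "203.0.113.9"];

// Returns only the sample addresses that would be screened out.
function screenSamples() {
  return SAMPLE_IPS.filter(isScreenedAzureIp);
}
```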

As a secondary preventative measure, we also recommend setting up a wait step and listener in your measurement campaign whenever you are recording email link clicks to prevent false positives. Setting a wait step on a “Visited Web Page + Email is Delivered” trigger combination will allow any odd behavior to be caught and subsequently removed:

  1. Wait 30 minutes
  2. If “Member of Smart List” is “Clicked on this email four or more times in past hour”, remove from flow.
  3. Change Program Status to Program -> Clicked Email
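The listener rule in step 2, applied to an exported activity list, as an added example (not DemandLab's or Marketo's code). The record field names, type labels and sample rows are constructed for illustration, and the rule is read as four or more clicks on one email by one lead within any 60-minute window.

```javascript
const WINDOW_MS = 60 * 60 * 1000; // "in past hour"
const CLICK_THRESHOLD = 4;        // "four or more times"

// activities: [{ leadId, emailId, type, at }], with `at` an ISO-8601 timestamp.
// Returns the sorted lead ids whose clicks on a single email reach the threshold
// inside one window; those leads would be removed from the flow.
function flagBurstClickers(activities) {
  const clicks = new Map(); // "leadId|emailId" -> { leadId, times }
  for (const a of activities) {
    if (a.type !== "Click Email") continue; // page visits are not counted here
    const key = `${a.leadId}|${a.emailId}`;
    if (!clicks.has(key)) clicks.set(key, { leadId: a.leadId, times: [] });
    clicks.get(key).times.push(Date.parse(a.at));
  }
  const flagged = new Set();
  for (const { leadId, times } of clicks.values()) {
    times.sort((x, y) => x - y);
    // Sliding window over sorted times: compare click i with click i+3.
    for (let i = 0; i + CLICK_THRESHOLD <= times.length; i++) {
      if (times[i + CLICK_THRESHOLD - 1] - times[i] <= WINDOW_MS) {
        flagged.add(leadId);
        break;
      }
    }
  }
  return [...flagged].sort((a, b) => a - b);
}

// Constructed sample rows: lead 101 is a scanner-style burst, 102 a single
// human click, 103 four clicks spread across an afternoon.
const click = (leadId, at) => ({ leadId, emailId: 9001, type: "Click Email", at });
const SAMPLE_ACTIVITIES = [
  click(101, "2018-02-20T14:00:01Z"), click(101, "2018-02-20T14:00:01Z"),
  click(101, "2018-02-20T14:00:02Z"), click(101, "2018-02-20T14:00:03Z"),
  click(102, "2018-02-20T15:12:40Z"),
  click(103, "2018-02-20T09:00:00Z"), click(103, "2018-02-20T10:30:00Z"),
  click(103, "2018-02-20T12:00:00Z"), click(103, "2018-02-20T13:30:00Z"),
  { leadId: 102, emailId: 9001, type: "Visit Web Page", at: "2018-02-20T15:12:45Z" },
];
```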

As we continue to monitor this not only for our clients but the larger Marketo community, we will provide updates.