Your software
My Mautic version is: 5.0.4
My PHP version is: 8.2+
Hi everyone,
I’m using Mautic 5.x and recently sent a campaign to about 1,000+ contacts. Immediately after sending, I noticed that open and click counts shot up within seconds — much faster than any realistic user engagement.
After checking the logs, I found that multiple actions came from IPs like:
136.227.178.3
118.194.228.7
and user-agents such as:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
According to IP lookup, these seem to belong to data center / hosting providers (for example, “The Constant Company, LLC”), which suggests these might be email security bots or link scanners opening the messages before they reach the recipient’s inbox.
My questions:
Why does Mautic register these as real opens/clicks — can it differentiate bots?
Is there a recommended way to filter or flag such bot activity in Mautic 5+?
Are there known best practices or plugins to minimize this (e.g., open tracking delay, unique tokens, header changes)?
These are typical sources of this behavior:
Apple Mail / Apple Mail Privacy Protection (MPP) — Apple preloads images through a proxy so tracking pixels fire even if a human never opened the message. This inflates “opens” dramatically for Apple Mail users who opted into MPP.
Gmail Image Proxy / image caching — Gmail routes images through Google’s proxy servers; this can result in automated pixel fetches or image caching behavior that looks like an open.
Microsoft Defender / Safe Links (and other Microsoft scanning features) — Microsoft’s link protection scans and time-of-click checks can cause immediate automated “click” activity or follow-throughs on rewritten links. These are commonly seen for Office 365 recipients.
Secure Email Gateways / Email Security Products (Proofpoint, Mimecast, Barracuda, Cisco, Trend Micro, etc.) — These services often (a) open images to inspect content and (b) follow links in mail bodies (or rewrite and re-check them) to protect users. That generates opens and clicks from their scanners.
There are different strategies that can be used to distinguish a bot from a real browser. One is using a list of user agents, which will normally be slightly different from those of real users. That list would need to be created empirically.
The second option would be using certain signals. Bots would react within seconds of sending an email, reside in a cloud IP address, with a limited IP pool, and open all links, which is different from a real user, who just opens the links that are relevant to them. Using some AI, it would surely be possible to spot those patterns.
The third option would be to include JavaScript that will be executed on the destination page of the link click. It is probably difficult to control all the landing pages, but it could be technically feasible to inject JavaScript when hitting the Mautic redirect link.
Currently we are finishing the full WABA plugin (to work in pair with a helpdesk/chatbot and auto-trigger answers via Mautic and multichannel) and the “rewrite all messages via AI” plugin. After we finish that, we will jump on this. It will be ready mid or end of December.
We introduced a honeypot tracking link mechanism and a 60-second correlation filter to identify and remove automated bot actions from email performance reports.
Honeypot Link Setup
We include a special invisible link in every outgoing email.
This link acts as a “trap” for automated email scanners that prefetch or click links before users open them.
Example patterns:
/trackable/...
or with a title:
"Trackable"
Real users never see or click this link — only bots or security scanners do. This link is automatically included by Mautic’s core email generation process, so there’s no need to add it manually for each campaign or email.
Bot Detection Logic
We log all page hits (page_hits) and email events (email_stats), then match:
page_hits.url LIKE '%/trackable%'
OR page_hits.url_title = 'Trackable'
If a lead clicked such a link, we classify it as a bot-like interaction.
Time-Based Correlation (60-Second Window)
To improve accuracy and reduce false positives, we only consider an event a bot action if it occurs within 60 seconds of a honeypot hit.
Applied in Our Custom Reports
We applied this filtering logic in both open and click calculations.
Open Statistics
Subtract honeypot-related opens
Count unique opens only if the remaining opens are greater than zero.
This is not a Mautic core functionality — it’s a custom modification that we implemented. It doesn’t come built-in with any version of Mautic, so we had to modify the code to achieve this behavior.
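The honeypot match and 60-second correlation described in the post above, as an added Python example that is not part of the original thread or of Mautic's code. The row fields, sample URLs and timestamps are constructed, and the window is assumed to apply on either side of a honeypot hit.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # correlation window from the post

def is_honeypot(hit):
    # Match rule from the post: URL contains /trackable or title is "Trackable".
    return "/trackable" in hit["url"] or hit.get("url_title") == "Trackable"

def classify(page_hits, opens):
    """Split events into human clicks, human opens and bot-flagged events."""
    traps = {}  # (lead_id, email_id) -> list of honeypot hit times
    for h in page_hits:
        if is_honeypot(h):
            traps.setdefault((h["lead_id"], h["email_id"]), []).append(h["ts"])

    def near_trap(ev):
        # Assumption: "within 60 seconds" is taken on either side of the hit.
        times = traps.get((ev["lead_id"], ev["email_id"]), [])
        return any(abs(ev["ts"] - t) <= WINDOW for t in times)

    clicks = [h for h in page_hits if not is_honeypot(h)]
    return {
        "human_clicks": [c for c in clicks if not near_trap(c)],
        "human_opens": [o for o in opens if not near_trap(o)],
        "bot_events": [e for e in clicks + opens if near_trap(e)],
    }

def unique_opens(result):
    # A lead counts once, and only if opens remain after the subtraction.
    return len({o["lead_id"] for o in result["human_opens"]})

def sample_event(lead, secs, url="", title=None):
    # Constructed sample row; field names are illustrative, not Mautic's schema.
    t0 = datetime(2025, 1, 1, 9, 0, 0)  # constructed send time
    return {"lead_id": lead, "email_id": 1, "ts": t0 + timedelta(seconds=secs),
            "url": url, "url_title": title}

SAMPLE_HITS = [
    sample_event(1, 3, "/trackable/abc", "Trackable"),  # scanner trips the trap
    sample_event(1, 4, "/r/offer"),                     # scanner follows a real link
    sample_event(2, 6, "/trackable/def", "Trackable"),
    sample_event(2, 7, "/r/offer"),
    sample_event(3, 1860, "/r/offer"),                  # human click after 31 minutes
]
# Lead 1 is scanned at send time and opened by a person two hours later.
SAMPLE_OPENS = [sample_event(1, 2), sample_event(1, 7200),
                sample_event(2, 5), sample_event(3, 1800)]

if __name__ == "__main__":
    r = classify(SAMPLE_HITS, SAMPLE_OPENS)
    print(len(r["human_clicks"]), unique_opens(r), len(r["bot_events"]))
```

Lead 1 shows why the window matters: the scanner's open is dropped, but the later human open still counts toward unique opens.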