Bot Filtering in Email and Website Activity
Bots have become pervasive across the web and in the world of email marketing.
Email bot activity is commonly benign: organizations leverage bots to pre-scan emails and "click" links in an attempt to ensure landing pages are free of viruses, malware, phishing, or other malicious tactics.
Paminga uses multiple techniques to identify and invalidate email clicks and web page views originating from bot activity. Millions of such interactions are invalidated every month.
How Paminga Identifies Bot Activity
Paminga leverages multiple techniques to identify bot activity in relation to emails and website page views.
Behavioral Patterns
It's fairly common for bots to "act like bots". For example, they will "click" every link in an email in 3 seconds.
Paminga uses time-series analysis to invalidate clicks that occur in a short duration or in rapid succession.
Unfortunately, some bots do not exhibit this behavior. They insert random delays between clicks, mimicking human behavior.
User Agents
Every device that visits a web page or clicks a link in an email identifies itself with some text that's known as the "User Agent".
Using a search engine, you can type "what's my user agent" to see your User Agent. Here is an example:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Some bots identify themselves directly in the User Agent – they literally have the word "bot" in that text somewhere.
For example, the bot Google uses to "crawl" the web identifies itself as "GoogleBot".
Paminga watches for a large number of known bots, and that list is updated regularly. Email clicks and web page views are invalidated automatically.
IP Addresses
It's fairly common for bots to be hosted using cloud infrastructure. This allows many bots to be identified via their IP addresses.
Paminga maintains a list of thousands of IP addresses associated with bot activity. Email clicks and web page views originating from these IP addresses are invalidated automatically.
But invalidating clicks from every IP address where we detect bot activity would not be wise.
Many organizations install antivirus/anti-malware tools inside their own networks, in which case the IP address of the bot is the same as the IP address of the legitimate human working from that location.
The Honeypot Link
Every email Paminga sends includes a 1×1 invisible link embedded in the message body. The link points to a Paminga-controlled URL that no human can see and no human would intentionally click. Real recipients never interact with it.
When something does interact with it, Paminga records that as confirmed bot activity tied to a specific IP and User Agent on a specific send. The honeypot link is on for every account — there's nothing to configure.
Enhanced Bot Click Filtering
Enhanced Bot Click Filtering is opt-in. Turn it on under Account Settings → Automation. The other bot-filtering layers above run on every account regardless.
Enhanced Bot Click Filtering decides what Paminga does with subsequent clicks from anything it has already flagged on a given send.
When enabled, the rule works like this: if Paminga has filtered a click on this send for any reason — honeypot interaction, known-bot User Agent, IP blocklist match, or behavioral pattern — and another click arrives within the next 15 minutes from the same IP or the same User Agent, Paminga discards that click too. Each new filtered click extends the window.
The practical effect: a security scanner that walks every link in a delivered email will hit the honeypot on the way through. From that moment, the rest of its clicks on this send are filtered for the next 15 minutes — and so are any other clicks that share its IP or User Agent.
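A minimal sketch of the correlation rule described above, added here as an illustration and not Paminga's own code. The honeypot URL, IP addresses, User Agent strings and the simplified first-layer check are constructed, and the sketch assumes every filtered click restarts the 15-minute window for both its IP and its User Agent.

```python
from dataclasses import dataclass

WINDOW = 15 * 60                       # seconds: the 15-minute window in the rule
HONEYPOT = "https://track.example/hp"  # constructed placeholder URL
BLOCKLIST = {"203.0.113.9"}            # constructed sample entry

@dataclass
class Click:
    ts: int   # seconds since the send
    ip: str
    ua: str
    url: str

def first_layer(c):
    """Simplified stand-in for the always-on layers."""
    if c.url == HONEYPOT:
        return "honeypot"
    if "bot" in c.ua.lower():
        return "known-bot-ua"
    return "ip-blocklist" if c.ip in BLOCKLIST else None

def filter_send(clicks, enhanced=True):
    """Return [(click, reason)] for one send; reason None means the click counts."""
    expires = {}  # ("ip" | "ua", value) -> time the window closes
    out = []
    for c in sorted(clicks, key=lambda c: c.ts):
        keys = [("ip", c.ip), ("ua", c.ua)]
        reason = first_layer(c)
        if reason is None and enhanced and any(expires.get(k, -1) >= c.ts for k in keys):
            reason = "correlated"
        if reason and enhanced:
            for k in keys:  # assumption: every filtered click extends the window
                expires[k] = c.ts + WINDOW
        out.append((c, reason))
    return out

SCANNER, BROWSER = "constructed-scanner-ua", "constructed-browser-ua"
SAMPLE = [  # constructed clicks on one send
    Click(0, "198.51.100.7", SCANNER, "https://example.com/a"),     # before the honeypot hit
    Click(2, "198.51.100.7", SCANNER, HONEYPOT),
    Click(4, "198.51.100.7", SCANNER, "https://example.com/b"),
    Click(600, "198.51.100.7", BROWSER, "https://example.com/a"),   # human on the shared IP
    Click(1400, "198.51.100.7", BROWSER, "https://example.com/b"),  # inside the extended window
    Click(5000, "198.51.100.7", BROWSER, "https://example.com/a"),  # window has closed
]

def reasons(enhanced=True):
    return [reason for _, reason in filter_send(SAMPLE, enhanced)]
```

With the setting on, `reasons(True)` filters the honeypot hit and the three clicks that follow it, including the human's clicks from the shared IP; with it off, `reasons(False)` filters only the honeypot hit.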
When Off vs. When On
| | Off | On |
|---|---|---|
| Honeypot link in your emails | Yes | Yes |
| Filter clicks from known-bot User Agents | Yes | Yes |
| Filter clicks from blocklisted IPs | Yes | Yes |
| Filter clicks based on behavioral patterns | Yes | Yes |
| Filter follow-up clicks from a session that already tripped a filter | No | Yes |
Why You Might Turn It Off
The honeypot correlation is aggressive by design. In rare cases — a legitimate recipient sharing an IP with a security appliance that scanned the same email moments earlier — a real click could be filtered alongside the bot's. If that's an active concern for your audience, turn the setting off and rely on the other layers.
Where the Filtered Clicks Go
Filtered clicks don't appear in standard reports or contact activity streams as engagement. They are recorded internally so support can audit what was filtered and why if a question ever comes up.
The Challenge In Identifying Bot Activity
The obvious challenge is the massive and ever-growing number of bots, and the variability among them. There is no technology that can identify every bot. It is an ongoing game of cat and mouse.
In addition to variability, bot creators commonly employ tactics to avoid being detected and blocked:
- Bots commonly "spoof" the User Agent to appear to be a human using a web browser. Doing so is trivial.
- IP Addresses can be changed at will, and even changed automatically via scripts
- Click timing and patterns can be and commonly are randomized
- Antivirus and anti-malware bots are commonly installed within an organization's own network – the same network (and IP address) that gets associated with your email recipients
Continuous Improvement
Paminga's approach to bot detection and blocking is one of iterative improvement.
Current techniques are reviewed and adjusted multiple times per year.


