by pentium10 on 9/19/22, 4:47 PM with 3 comments
Turns out, after a quick investigation, that an unknown 3rd party scans the content and opens the links, which generate requests to our site.
It turns out all recipient domains that are involved in this traffic pattern are from the Education industry, as they have "school" and other similar words in the domains.
- Have you noticed unusual return traffic generated by auto scans?
- Especially/only for EDU industry recipients?
With the recent cyber attacks on EDU systems last week, could it be a spam filter/antivirus, or load balancing armor, that does this content analysis? All IPs that made this traffic pattern are from AWS, somebody pays the bills. Could be a module just turned on recently for the email industry either by antispam/antivirus, whatever?
What's your take on this?