Email bot clicks are a problem for all marketing automation platforms. People complain about them on the /Pardot subreddit and the Marketo forums, and Eloqua only recently (2022) started dealing with “Auto Opens”. These clicks come from corporate email security systems (like Microsoft Defender for Office), which follow every link in an email and check whether the destination page has malicious code running on it.

Many marketing automation systems let you define your own set of “bot” IP ranges so they can filter them out. You will get more accurate clickthrough reporting by adding more bot IP/domain ranges to your system.

Below is a list of known email click bots. It includes the default list from Pardot, and also extra ranges from my own personal investigations into this. Feel free to use these ranges and domains in your system. Do you have your own IP ranges, or know of extra ranges that are not here? If so, please write me a note in the comments!

(Caveat: these IPs are North America-centric. If you need to eliminate bot clicks from Europe/Asia, follow the referenced URLs and copy down these organizations’ European ranges.)

| Name | IP/Domain | Updated | Notes |
| --- | --- | --- | --- |
| Jacob Barracuda domain | *.barracuda.com | 1/20/2022 15:42 | https://campus.barracuda.com/product/essentials/doc/73702190/barracuda-email-security-service-ip-ranges/ |
| Jacob Barracuda Australia | 3.24.133.128 – 3.24.133.255 | 9/27/2021 16:42 | ditto |
| Jacob Barracuda Canada | 15.222.16.128 – 15.222.16.255 | 9/27/2021 16:42 | ditto |
| Jacob Barracuda Germany | 35.157.190.224 – 35.157.190.255 | 9/27/2021 16:42 | ditto |
| Jacob Microsoft Office 1 | 40.92.0.0 – 40.93.255.255 | 11/5/2021 17:15 | https://docs.microsoft.com/en-us/defender-for-identity/prerequisites ; https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide ; Microsoft Office 365 ; Microsoft Defender for Office |
| Jacob Microsoft Office 2 | 52.100.0.0 – 52.103.255.255 | 11/5/2021 17:15 | ditto |
| Jacob Microsoft Office 3 | 104.47.0.0 – 104.47.127.255 | 11/5/2021 17:15 | ditto |
| Jacob Microsoft Office 4 | 52.238.78.88 | 11/5/2021 17:16 | ditto |
| Jacob Microsoft Defender Azure | *.atp.azure.com | 9/27/2021 16:43 | ditto |
| Jacob Mimecast 1 | 207.211.30.1 – 207.211.30.255 | 9/27/2021 16:41 | https://support.excelmicro.com/index.php?/Knowledgebase/Article/View/mimecast-data-centers-and-urls—north-american ; and an additional ASN search for Mimecast reveals more ranges: https://bgp.he.net/search?search%5Bsearch%5D=mimecast&commit=Search |
| Jacob Mimecast 2 | 216.205.24.1 – 216.205.24.255 | 9/27/2021 16:41 | ditto |
| Jacob Mimecast 3 | 63.128.21.1 – 63.128.21.255 | 9/27/2021 16:41 | ditto |
| Jacob PaloAltoNetworks 1 | 154.59.123.106 | 9/27/2021 16:43 | (Wildfire appliance) ; https://live.paloaltonetworks.com/t5/general-topics/traffic-from-pan-ip-adresses/td-p/119774 ; https://ipinfo.io/AS54538 |
| Jacob PaloAltoNetworks 2 | 154.59.126.106 | 9/27/2021 16:44 | ditto |
| Jacob PaloAltoNetworks 3 | 64.74.215.0 – 64.74.215.255 | 9/27/2021 16:44 | ditto |
| Jacob Proofpoint 1 | 185.183.28.0 – 185.183.31.255 | 9/27/2021 16:40 | https://help.proofpoint.com/Proofpoint_Essentials/Email_Security/Administrator_Topics/000_gettingstarted/020_connectiondetails |
| Jacob Proofpoint 2 | 185.132.180.0 – 185.132.183.255 | 9/27/2021 16:40 | ditto |
| Jacob Proofpoint 3 | 67.231.144.0 – 67.231.149.255 | 9/27/2021 16:40 | ditto |
| MSN Keyword Spam Bots | 65.55.109.* | 5/1/2018 0:00 | https://social.microsoft.com/forums/en-US/33a5cd11-5ecf-4e1e-a4bc-2fd30d473002/spoofed-useragents-coming-from-msn-ip-ranges |
| MSN Keyword Spam Bots 2 | 65.55.110.* | 5/1/2018 0:00 | ditto |
| MSN Keyword Spam Bots 3 | 65.55.232.* | 5/1/2018 0:00 | ditto |
| Pardot Support Suggested… | 40.107.* | 9/27/2021 16:35 | (this turned out to be one of the outlook ranges under *.mail.protection.outlook.com listed at https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide) |
| Your internal traffic/VPN | Don’t forget to put your own traffic on the filter list… | 11/11/2019 8:59 | |
| [PD SYS] Barracuda UK 1 | 64.235.158.* | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Barracuda UK 2 | 35.176.92.96 – 35.176.92.127 | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Barracuda US 1 | 64.235.144.0 – 64.235.159.255 | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Barracuda US 2 | 209.222.80.0 – 209.222.87.255 | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Microsoft Office 365 | 40.107.194.0 – 40.107.248.255 | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Mimecast EU 1 | 195.130.217.* | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Mimecast EU 2 | 91.220.42.* | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Mimecast EU 3 | 185.58.84.0 – 185.58.87.255 | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Mimecast Offshore 1 | 213.167.75.* | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Mimecast Offshore 2 | 213.167.81.* | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Mimecast South Africa 1 | 41.74.192.0 – 41.74.207.255 | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Mimecast South Africa 2 | 103.13.69.* | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Mimecast South Africa 3 | 124.47.150.* | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Mimecast US 1 | 207.211.31.0 – 207.211.31.127 | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Mimecast US 2 | 207.211.30.* | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Mimecast US 3 | 205.139.110.0 – 205.139.111.255 | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Palo Alto Networks 1 | 65.154.226.109 | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Palo Alto Networks 2 | 74.217.90.250 | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Palo Alto Networks 3 | 70.42.131.170 | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Palo Alto Networks 4 | 70.42.131.106 | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Palo Alto Networks 5 | 65.154.226.101 | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Palo Alto Networks 6 | 74.217.90.10 | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Proofpoint EU 1 | 91.209.104.* | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Proofpoint EU 2 | 91.207.212.0 – 91.207.213.255 | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Proofpoint EU 3 | 62.209.50.0 – 62.209.51.255 | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Proofpoint EU 4 | 185.132.180.* | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Proofpoint EU 5 | 185.183.28.255 | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Proofpoint US 1 | 67.231.152.0 – 67.231.156.255 | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Proofpoint US 2 | 67.231.144.0 – 67.231.148.255 | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Proofpoint US 3 | 148.163.128.0 – 148.163.159.255 | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |

Note: I am aware of bot activity coming from a particular organization that had a security appliance running on OVH / OVH Cloud – which is a massive hosting provider (like Amazon AWS) in France. They have a lot of different IP ranges, and I saw the bot traffic always coming from different IP blocks under OVH control. Blocking / listing their IPs was too time-consuming for me.
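
The following Python is an added example, not code from this post or from Pardot. It converts the three IP notations used in the list above (inclusive ranges, trailing wildcards, single addresses) into CIDR blocks and checks click source IPs against them; the click log and the function names are constructed for illustration.

```python
import ipaddress
import re

# Entries copied from the list above, in the notations it uses.
FILTERS = {
    "Jacob Microsoft Office 1": "40.92.0.0 – 40.93.255.255",
    "Jacob Mimecast 1": "207.211.30.1 – 207.211.30.255",
    "MSN Keyword Spam Bots": "65.55.109.*",
    "Pardot Support Suggested": "40.107.*",
    "[PD SYS] Palo Alto Networks 1": "65.154.226.109",
}

def to_networks(spec):
    """Convert 'a – b', a trailing wildcard or a single IPv4 address to CIDR blocks."""
    spec = spec.strip()
    if "*" in spec:
        octets = spec.split(".")
        fixed = [o for o in octets if o != "*"]
        if not fixed or octets[:len(fixed)] != fixed:
            # Domain entries such as *.atp.azure.com are hostnames, not IP ranges.
            raise ValueError(f"not a trailing IPv4 wildcard: {spec!r}")
        base = ".".join(fixed + ["0"] * (4 - len(fixed)))
        return [ipaddress.ip_network(f"{base}/{8 * len(fixed)}")]
    ends = re.split(r"\s*[–-]\s*", spec)
    if len(ends) > 2:
        raise ValueError(f"malformed range: {spec!r}")
    first, last = ipaddress.IPv4Address(ends[0]), ipaddress.IPv4Address(ends[-1])
    return list(ipaddress.summarize_address_range(first, last))

def compile_filters(filters):
    return [(name, net) for name, spec in filters.items() for net in to_networks(spec)]

def classify(ip, compiled):
    """Name of the first filter whose range contains ip, or None if unlisted."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in compiled if addr in net), None)

# Constructed click log: (prospect, source IP of the click).
CLICKS = [
    ("a@example.com", "40.93.12.8"),      # inside Microsoft Office 1
    ("b@example.com", "207.211.30.0"),    # one address below the Mimecast 1 range
    ("c@example.com", "65.55.109.200"),   # inside the 65.55.109.* wildcard
    ("d@example.com", "198.51.100.7"),    # documentation address, unlisted
]

if __name__ == "__main__":
    compiled = compile_filters(FILTERS)
    for who, ip in CLICKS:
        print(f"{who:15} {ip:15} {classify(ip, compiled) or 'keep (not on list)'}")
```

Range boundaries are inclusive and exact, so 207.211.30.0 is not matched by the "Jacob Mimecast 1" entry alone; in the full list it is covered by the `207.211.30.*` entry from the Pardot defaults.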

Want to discover potential bots uniquely affecting your system? You can use the hidden redirect link trick from Carl Mortimer.