Email bot clicks are a problem for all marketing automation platforms. People complain on the /Pardot subreddit, the Marketo forums. Eloqua only recently (2022) started dealing with “Auto Opens”… . These clicks come from corporate email security systems (like Microsoft Defender for Office). Security systems follow every link in an email and check whether the destination page has malicious code running on it.
Many marketing automation systems let you define your own set of “bot” IP ranges so they can filter them out. You will get more accurate clickthrough reporting by adding more bot IP/domain ranges to your system.
Below is a list of known email click bots. It includes the default list from Pardot, and also extra ranges from my own personal investigations into this. Feel free to use these ranges & domains in your system. Do you have your own IP ranges? Know of extra ranges that are not here? If so, please write me a note in the comments!
The list is below:
(Caveat – these IPs are North-America centric. If you need to eliminate bot clicks from Europe/Asia, follow the referenced URLs and copy down these organizations’ European ranges)
| Name | IP/Domain | Updated | Notes |
|---|---|---|---|
| Jacob Barracuda domain | *.barracuda.com | 1/20/2022 15:42 | https://campus.barracuda.com/product/essentials/doc/73702190/barracuda-email-security-service-ip-ranges/ |
| Jacob Barracuda Australia | 3.24.133.128 – 3.24.133.255 | 9/27/2021 16:42 | ditto |
| Jacob Barracuda Canada | 15.222.16.128 – 15.222.16.255 | 9/27/2021 16:42 | ditto |
| Jacob Barracuda Germany | 35.157.190.224 – 35.157.190.255 | 9/27/2021 16:42 | ditto |
| Jacob Microsoft Office 1 | 40.92.0.0 – 40.93.255.255 | 11/5/2021 17:15 | https://docs.microsoft.com/en-us/defender-for-identity/prerequisites https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide Microsoft Office 365 Microsoft Defender for Office |
| Jacob Microsoft Office 2 | 52.100.0.0 – 52.103.255.255 | 11/5/2021 17:15 | ditto |
| Jacob Microsoft Office 3 | 104.47.0.0 – 104.47.127.255 | 11/5/2021 17:15 | ditto |
| Jacob Microsoft Office 4 | 52.238.78.88 | 11/5/2021 17:16 | ditto |
| Jacob Microsoft Defender Azure | *.atp.azure.com | 9/27/2021 16:43 | ditto |
| Jacob Mimecast 1 | 207.211.30.1 – 207.211.30.255 | 9/27/2021 16:41 | https://support.excelmicro.com/index.php?/Knowledgebase/Article/View/mimecast-data-centers-and-urls—north-american and an additional ASN search for Mimecast reveals more ranges: https://bgp.he.net/search?search%5Bsearch%5D=mimecast&commit=Search |
| Jacob Mimecast 2 | 216.205.24.1 – 216.205.24.255 | 9/27/2021 16:41 | ditto |
| Jacob Mimecast 3 | 63.128.21.1 – 63.128.21.255 | 9/27/2021 16:41 | ditto |
| Jacob PaloAltoNetworks 1 | 154.59.123.106 | 9/27/2021 16:43 | (Wildfire appliance) https://live.paloaltonetworks.com/t5/general-topics/traffic-from-pan-ip-adresses/td-p/119774 https://ipinfo.io/AS54538 |
| Jacob PaloAltoNetworks 2 | 154.59.126.106 | 9/27/2021 16:44 | ditto |
| Jacob PaloAltoNetworks 3 | 64.74.215.0 – 64.74.215.255 | 9/27/2021 16:44 | ditto |
| Jacob Proofpoint 1 | 185.183.28.0 – 185.183.31.255 | 9/27/2021 16:40 | https://help.proofpoint.com/Proofpoint_Essentials/Email_Security/Administrator_Topics/000_gettingstarted/020_connectiondetails |
| Jacob Proofpoint 2 | 185.132.180.0 – 185.132.183.255 | 9/27/2021 16:40 | ditto |
| Jacob Proofpoint 3 | 67.231.144.0 – 67.231.149.255 | 9/27/2021 16:40 | ditto |
| MSN Keyword Spam Bots | 65.55.109.* | 5/1/2018 0:00 | https://social.microsoft.com/forums/en-US/33a5cd11-5ecf-4e1e-a4bc-2fd30d473002/spoofed-useragents-coming-from-msn-ip-ranges |
| MSN Keyword Spam Bots 2 | 65.55.110.* | 5/1/2018 0:00 | ditto |
| MSN Keyword Spam Bots 3 | 65.55.232.* | 5/1/2018 0:00 | ditto |
| Pardot Support Suggested… | 40.107.* | 9/27/2021 16:35 | (this turned out to be one of the outlook ranges under *.mail.protection.outlook.com listed at https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide) |
| Your internal traffic/VPN | Don’t forget to put your own traffic on the filter list… | 11/11/2019 8:59 | |
| [PD SYS] Barracuda UK 1 | 64.235.158.* | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Barracuda UK 2 | 35.176.92.96 – 35.176.92.127 | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Barracuda US 1 | 64.235.144.0 – 64.235.159.255 | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Barracuda US 2 | 209.222.80.0 – 209.222.87.255 | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Microsoft Office 365 | 40.107.194.0 – 40.107.248.255 | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Mimecast EU 1 | 195.130.217.* | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Mimecast EU 2 | 91.220.42.* | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Mimecast EU 3 | 185.58.84.0 – 185.58.87.255 | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Mimecast Offshore 1 | 213.167.75.* | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Mimecast Offshore 2 | 213.167.81.* | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Mimecast South Africa 1 | 41.74.192.0 – 41.74.207.255 | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Mimecast South Africa 2 | 103.13.69.* | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Mimecast South Africa 3 | 124.47.150.* | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Mimecast US 1 | 207.211.31.0 – 207.211.31.127 | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Mimecast US 2 | 207.211.30.* | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Mimecast US 3 | 205.139.110.0 – 205.139.111.255 | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Palo Alto Networks 1 | 65.154.226.109 | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Palo Alto Networks 2 | 74.217.90.250 | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Palo Alto Networks 3 | 70.42.131.170 | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Palo Alto Networks 4 | 70.42.131.106 | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Palo Alto Networks 5 | 65.154.226.101 | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Palo Alto Networks 6 | 74.217.90.10 | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Proofpoint EU 1 | 91.209.104.* | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Proofpoint EU 2 | 91.207.212.0 – 91.207.213.255 | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Proofpoint EU 3 | 62.209.50.0 – 62.209.51.255 | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Proofpoint EU 4 | 185.132.180.* | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Proofpoint EU 5 | 185.183.28.255 | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Proofpoint US 1 | 67.231.152.0 – 67.231.156.255 | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Proofpoint US 2 | 67.231.144.0 – 67.231.148.255 | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
| [PD SYS] Proofpoint US 3 | 148.163.128.0 – 148.163.159.255 | 11/12/2018 12:10 | Pardot default list from Nov. 2018 |
Note: I am aware of bot activity coming from a particular organization that had a security appliance running on OVH / OVH Cloud – which is a massive hosting provider (like Amazon AWS) in France. They have a lot of different IP ranges, and I saw the bot traffic always coming from different IP blocks under OVH control. Blocking / listing their IPs was too time consuming for me.
Leave a Reply