Why targeting "All Clickers" is a trap

Your CTR looks great—but is it real?

July 15, 2025

Click Integrity Sprint — Cloudflare vs. Security Scanners (Safe Links, URL Defense, URL Protect)
Help My Newsletter
Tuesday, July 15, 2025 • Cloudflare • Azure • Bot Clicks vs Real Humans
Case Brief

Security Scanners Are “Clicking” Your Links

Microsoft Defender’s Safe Links, Proofpoint’s URL Defense, Mimecast’s URL Protect, and Barracuda’s Link Protection all rewrite newsletter URLs and often perform time-of-click checks. Those automated checks frequently originate from cloud IPs (often Azure) and can inflate your clicker segments if you treat every redirect as a human.

Today’s orders: detect & bucket scanner clicks, verify humans with Cloudflare Bot scores/Challenges, and sanitize “clicker” segments so automations don’t chase bots.

Symptoms We’re Seeing
Bursts of clicks seconds after sendReferrers like safelinks.protection.outlook.comLinks rewritten to urldefense.com (Proofpoint)HEAD/GET with no page assets loadedMany “clicks” from a handful of Azure IPs
(Proofpoint rewrites to urldefense.com; Microsoft Safe Links performs time-of-click checks.)
Primary Diagnosis

Security-Scanner Clicks Inflating “Clickers”

Enterprise gateways rewrite and auto-visit links to pre-check destinations (Safe Links, URL Defense, URL Protect). These requests often come from cloud networks (frequently Microsoft 365/Azure ranges). If you promote raw “clickers” into high-touch automations, you’ll chase bots.

  • Identify scanners by rewritten hosts (safelinks…, urldefense.com, protect.mimecast.com) and by burst timing.
  • Leverage Cloudflare Bot scores (cf.bot_management.score) < 30 to bucket likely bots; don’t count them as humans.
  • Use challenges sparingly (Cloudflare Managed Challenge/Turnstile) when traffic looks automated; minimize friction for real readers.
Secondary Factors

Azure/AAD orgs may enable Safe Links with stricter settings; Proofpoint/Mimecast policies can prefetch at click-time repeatedly. Your site logs will show concentrated IPs and uniform user-agents around send time.

Risk gauge: [■■■■■□□□] Click inflation risk at ~60% until scanner traffic is bucketed
Treatment Plan (Ship in 7 Days)
1) Bucket Scanner Clicks
  1. Tag referrers/hosts: safelinks.protection.outlook.com, urldefense.com, protect.mimecast.com, Barracuda Link Protect.
  2. Flag HEAD/rapid GETs < 2s after send with no assets fetched.
  3. Store UA + ASN; create an exclude list for Azure/M365 scanner ranges as needed.
2) Verify Humans (Light Touch)

Gate only the conversion page (not the first click): use Cloudflare Bot score + Managed Challenge or Turnstile if score < 30 or patterns look automated.

3) Azure WAF Option

Hosting on Azure? Enable Front Door bot protection rules to allow good bots and log/block bad ones; export logs to verify patterns before excluding from metrics.

4) Clean Your “Clickers”

In beehiiv, create a Human Clickers segment that excludes scanner hosts and low bot-score hits; keep a separate Scanner Clicks segment for reference so you can monitor policy shifts (Safe Links/Proofpoint/Mimecast updates).

Vitals (Next 30 Days)
HVCR ≥ 70% (Human-Verified Click Rate) • Scanner share ≤ 20% • Bot-score <30 bucketed 100% • Azure/M365 ranges tagged in logs
Observed Outcome
“After bucketing scanner traffic and gating our signup page with a Managed Challenge only for low bot scores, our ‘clicker’ automation list shrank 22%—but trial starts rose 11%.”
— Growth Ops, 90K-sub B2B newsletter
Grab the Click Integrity Playbook (free)
Cloudflare rules • scanner allow/deny patterns • beehiiv segments

Copy the exact filters and segments we deploy on client accounts.

Download the Click Integrity Playbook (PDF) →
Free · No pitch · Updated often

Feel free to try using this one, instead.

Click Integrity Playbook.pdf506.47 KB • PDF File