Not necessarily - I don't know the details of these security providers, but they could use a proxy scraping service like BrightData, which proxies requests through real users mobile and residential IPs, thus making it look like real users are clicking.
I don't know this exact thing to be happening, but it could, so I don't think using IP location as the signal of "Human vs Not" is accurate.
Using time clustering of clicks vs send is a good one, also I've noticed that these security providers will click _every_ link in the email, all within a few minutes, so filtering out multiple clicks by one IP in a short time frame would work.
I don't know this exact thing to be happening, but it could, so I don't think using IP location as the signal of "Human vs Not" is accurate.
Using time clustering of clicks vs send is a good one, also I've noticed that these security providers will click _every_ link in the email, all within a few minutes, so filtering out multiple clicks by one IP in a short time frame would work.