One of our customers recently contacted us to report a strange issue whereby booking requests made through their MIDAS scheduling system were seemingly vanishing from their system.

The “Booking Request” features of MIDAS, allow people to submit booking “requests” which then require approval by an administrator before becoming a “confirmed” booking.

There are a number of reasons why a booking request may legitimately appear to “vanish” from the system; first of all, another administrative user may have already rejected the original booking request, or the original requestor may have changed their mind and canceled their own request.

When a person makes a booking request, MIDAS automatically send them an email notification containing details of the request they’ve submitted. These email notifications also contain a “booking request cancellation link” allowing them to cancel their request if for whatever reason they’ve changed their mind before their request is approved.

Inspecting the provided “Recent Activity Log” for the customer’s MIDAS system, there was no evidence to suggest that another user had simply rejected the missing booking requests.

There was however evidence that the booking request cancellation links, contained within the notification emails sent to original requestors had been clicked.

The customer was confident that no-one had clicked these cancellation links in their emails.

Now, the “Recent Activity Log” within MIDAS is very useful – not only does it record actions performed within a MIDAS system, it also records the user who performed the action (where applicable), the time/date the action occurred, and the IP address of the device which performed the action.

This allowed us to correlate booking request cancellation link clicks with the IP addresses from which each originated.

Interestingly, the IP addresses could all be traced back to Barracuda Networks, Inc, a company offering security products, including email security and spam filters.

So what was going on?

Once upon a time spam filters could easily detect spam email messages, as spammers tended to the same domains in their spam. As a result, spam filtering software could simply scan the content of an email message, and cross-reference any links contained within against a list of known spamming domains (known as a “blacklist”).

Many spam filters still behave in this way, however, in an attempt to stay one step ahead of the spammers, some spam filtering software/services – such as those provide by Barracuda Networks, Inc, go one step further and actively “click” EVERY link in every email they scan. The purpose behind this is to analyze the content and domain every link points to.

Whilst this will most likely help reduce spam further for the recipient, it can have a number of undesired consequences for users!

For example, if the recipient subscribes to any newsletters/mailing lists which contain a one-click unsubscribe link at the bottom, they will be automatically unsubscribed simply by receiving the email itself, before they even open it – let alone click the unsubscribe link!

The same thing was happening for our customer’s booking request notification emails – the booking request cancellation links were being automatically “clicked” by the spam filtering software/services which were scanning the recipient’s email.

Balancing user convenience vs aggressive mail scanners

We’ve always believed in making things as easy as possible for users – which is why we originally made canceling booking requests as simple as a “one-click” link – click once, and your request is canceled.

However, in light of these recent issues, we’re making a small change for MIDAS v4.12. Canceling a booking request will now unfortunately be a two-step process. Clicking a booking request cancellation link in a notification email will take the requestor to a web page where they will need to then click a confirm button in order to cancel their request.

The introduction of this second confirmation step, whilst less convenient for the end-user, will at least prevent aggressive mail filtering software/services which automatically “click” every link in every email, from automatically canceling booking requests without any human interaction.

The same “two-step” behavior will also be applied for links in booking/invoice reminder emails to suppress future reminders from a MIDAS system.

In the meantime, if you’re running an earlier version of MIDAS, and notice your booking requests being automatically canceled without any intervention, please check and adjust the settings in your mail scanning/filtering software to “whitelist” email from your MIDAS system or prevent the automatic following of links within email.

« »