We have been having an issue where we receive multiple Open Events via SNS. These events happen withing a split second of each other, and all come from cloud watch ip addresses. This doesn't appear to happen for every recipient, but it loooks to be around 50%.
Below are events we have received (with sensitive data removed) to give you an idea of what we're seeing.
- Why are there multiples happening?
- Why are they in such quick succession?
- Why are they reporting cloudfront IP addresses?
Additional Info
- We are sending from a domain setup in cloudfront
- WE only receive a single Sent and Delivered Event.
- Click events can exhibit this behaviour as well
Event 1
{"eventType":"Open","mail":{"timestamp":"2022-01-31T21:00:01.769Z","source":"xxxxx","sendingAccountId":"xxxxx","messageId":"0108017eb1effb69-5ce6a9ca-e8f4-4d57-9aa8-1d6d55e89433-000000","destination":["xxxxx"],"headersTruncated":false,"headers":[{"name":"From","value":"xxxxx"},{"name":"Date","value":"Tue, 01 Feb 2022 08:00:01 +1100"},{"name":"Subject","value":"xxxxx"},{"name":"Message-Id","value":"<YNOLANVQYFU4.CDP4G8YK0B121@xxxxx>"},{"name":"To","value":"xxxxx"},{"name":"MIME-Version","value":"1.0"},{"name":"Content-Type","value":"multipart/mixed; boundary=\"=-bSeeSpdqGZ87P9P4desJPg==\""}],"commonHeaders":{"from":["xxxxx"],"date":"Tue, 01 Feb 2022 08:00:01 +1100","to":["xxxxxx"],"messageId":"0108017eb1effb69-5ce6a9ca-e8f4-4d57-9aa8-1d6d55e89433-000000","subject":"xxxxxx"},"tags":{"ses:operation":["SendRawEmail"],"ses:configuration-set":["xxxxxx"],"ses:source-ip":["203.55.35.200"],"ses:from-domain":["xxxxxx"],"ses:caller-identity":["xxxxx"]}},"open":{"timestamp":"2022-01-31T21:14:02.524Z","userAgent":"Mozilla/4.0 (compatible; ms-office; MSOffice 16)","ipAddress":"64.252.184.86"}}
Event 2
{"eventType":"Open","mail":{"timestamp":"2022-01-31T21:00:01.769Z","source":"xxxxx,"sendingAccountId":"xxxxx","messageId":"0108017eb1effb69-5ce6a9ca-e8f4-4d57-9aa8-1d6d55e89433-000000","destination":["xxxxx"],"headersTruncated":false,"headers":[{"name":"From","value":"xxxxx"},{"name":"Date","value":"Tue, 01 Feb 2022 08:00:01 +1100"},{"name":"Subject","value":"xxxxx"},{"name":"Message-Id","value":"<YNOLANVQYFU4.CDP4G8YK0B121@xxxxxx>"},{"name":"To","value":"xxxxxx"},{"name":"MIME-Version","value":"1.0"},{"name":"Content-Type","value":"multipart/mixed; boundary=\"=-bSeeSpdqGZ87P9P4desJPg==\""}],"commonHeaders":{"from":["xxxxxx"],"date":"Tue, 01 Feb 2022 08:00:01 +1100","to":["xxxxxx"],"messageId":"0108017eb1effb69-5ce6a9ca-e8f4-4d57-9aa8-1d6d55e89433-000000","subject":"xxxxx"},"tags":{"ses:operation":["SendRawEmail"],"ses:configuration-set":["xxxxx],"ses:source-ip":["203.55.35.200"],"ses:from-domain":["xxxxx"],"ses:caller-identity":["xxxxx"]}},"open":{"timestamp":"2022-01-31T21:14:02.601Z","userAgent":"Mozilla/4.0 (compatible; ms-office; MSOffice 16)","ipAddress":"64.252.184.77"}}
```~~~~
Event 3
Much the same, but with
timestamp: 2022-01-31T21:14:05.990Z
ipaddress: 64.252.184.74
useragent: Mozilla/4.0 (compatible; ms-office; MSOffice rmj)
This is still occurring, any ideas out there? I'm getting flooded with click and open events. In some scenarios a single recipient has 97 opened events, and they all come from cloudfront ip addresses. So I am curious to know what's causing this.
did you figure out why this is happening? have the same issue...