{"id":34610,"date":"2021-01-11T03:59:19","date_gmt":"2021-01-11T10:59:19","guid":{"rendered":"https:\/\/bamf.com\/?p=34610"},"modified":"2021-01-19T05:24:02","modified_gmt":"2021-01-19T12:24:02","slug":"bamf-expert-guest-post-linkedin-automation-safety","status":"publish","type":"post","link":"https:\/\/bamf.com\/bamf-expert-guest-post-linkedin-automation-safety\/","title":{"rendered":"BAMF Expert Guest Post: LinkedIn Automation Safety (Insights from the Developer of an Automation Tool That Was Detected)"},"content":{"rendered":"\n
This contributing article does not reflect the views and opinions of BAMF Media, its subsidiaries, employees or its management. Its feature on the BAMF platform is to educate, inform, and help our users and clients.<\/p>BAMF Media Management<\/cite><\/blockquote>\n\n\n\n
Who am I?<\/strong><\/h2>\n\n\n\n
My name is Alexander Erin. I founded Linked Helper in October 2016 and was the sole developer and CEO of Linked Helper 1, a Chrome extension that I made completely on my own. More recently, I co-developed Linked Helper 2 with 7 other guys; it is a standalone app that is a new web browser and not an extension.<\/p>\n\n\n\n
I not only saw the early algorithm LinkedIn used to catch the Meet Alfred Chrome extension (one of our main rivals back then) but, a year later, over a few weeks in August 2019, I also successfully coped with the new LinkedIn detection algorithm. This was when some of the users of Linked Helper 1 reported getting warning messages from LinkedIn.<\/p>\n\n\n\n
The article covers a lot of technical aspects of LinkedIn automation, which many of the readers may find somewhat complicated.<\/p>\n\n\n
\nTable of Contents<\/div><\/div><\/div>
- Who am I?<\/a><\/li>
- The TL;DR<\/a><\/li>
- Behavioral and technical detections<\/a>
- Behavioral approach<\/a><\/li>
- How many actions of some kind do you usually make?<\/a><\/li>
- How exactly do you do these actions?<\/a><\/li>
- How do your prospects react to your actions?<\/a><\/li>
- Parallel access to your LinkedIn account<\/a><\/li><\/ul><\/li>
- Technical approach<\/a>
- Chrome or browser extensions<\/a><\/li>
- 1st extensions detection algorithm<\/a><\/li>
- 2nd extensions detection algorithm<\/a><\/li>
- Cloud solutions that work via LinkedIn API<\/a><\/li>
- Browser-based solutions (cloud or desktop apps)<\/a><\/li>
- Which one is safer: Cloud browser-based or Desktop browser-based solutions?<\/a><\/li><\/ul><\/li><\/ul><\/div><\/div><\/div>\n\n\n
The TL;DR<\/h2>\n\n\n\n
To make things a bit easier, and before we go into the ins-and-outs of it, I\u2019ll begin by unveiling our key findings:<\/p>\n\n\n\n
- Even if you work manually on LinkedIn, this isn\u2019t a guarantee by any means that your account won\u2019t be restricted or banned, or that you won\u2019t receive a warning message from LinkedIn one day, saying you might be using an automation tool<\/strong>.<\/li>
- If you trust an assistant or a cloud-based solution to manage your LinkedIn account on your behalf, you should know that LinkedIn analyzes the IP and location of your machine. If it finds that you access your account from different countries, it may restrict the account, and you\u2019d need to explain how come one entry was registered from the Philippines and the second one from the United States on the same day.<\/li>
- Even if you stick to very low activity limits but are using a sloppy LinkedIn automation tool, you are still at risk of getting restricted or banned on LinkedIn.<\/li>
- Chrome or browser extension tools can never be 100% safe due to extensions\u2019 technical limitations.<\/li>
- Cloud API based solutions are as safe as extensions (hint: they aren\u2019t safe)<\/li>
- Browser-based or cloud browser-based solutions are the safest on the market so far. Having said that, only LinkedIn developers or developers of a given tool can attest to the security of that tool.<\/li>
- If you work on LinkedIn manually or use the safest automation tool, don\u2019t ignore the safety rules: stick to the daily activity limits (send only 50-70 invites), cancel pending unaccepted invites every 3 weeks, and keep an eye on your invites\u2019 conversion rate.\u00a0<\/li><\/ol>\n\n\n\n
Behavioral and technical detections<\/strong><\/h2>\n\n\n\n
LinkedIn is known to use two main approaches to catch the use of automation tools:<\/p>\n\n\n\n
- behavioral<\/li>
- technical<\/li><\/ul>\n\n\n\n
Behavioral approach<\/strong><\/h3>\n\n\n\n
This kind of analytics is looking at:<\/p>\n\n\n\n
- How many actions of some kind do you usually make?<\/li>
- How exactly do you make these actions?<\/li>
- How do your prospects react to your actions?<\/li>
- Parallel access to your account<\/li><\/ol>\n\n\n\n
How many actions of some kind do you usually make?<\/strong><\/h3>\n\n\n\n
It is a common fallacy among many LinkedIn users, fueled by not-so-knowledgeable LinkedIn coaches, that if you work on LinkedIn manually, you will never get banned.<\/p>\n\n\n\n
We ran our own tests and, just like many other LinkedIn users who shared their experience on Facebook and forums, found that it wasn\u2019t true.<\/p>\n\n\n\n
If you want some proof, see for yourself:<\/p>\n\n\n\n
1. Try sending 500 connection requests every day for a month, and you will soon \u2013 probably in 2 weeks\u2019 time \u2013 find out that LinkedIn has restricted your profile and you must now enter a valid email address of every person you are trying to connect with.<\/p>\n\n\n\n
2. Go to the LinkedIn search page, select the 2nd<\/sup> relationship level, then go through every page of the search results and keep adding people by clicking the \u201cconnect\u201d button every 5 seconds. What happens next is LinkedIn kicks you out of the platform. Log in again, repeat what you did 3-4 times, and you will eventually get restricted on LinkedIn.<\/p>\n\n\n\n
How exactly do you do these actions?<\/strong><\/h3>\n\n\n\n
It is not only the number of actions a user performs that helps LinkedIn track the use of automation, but also how they perform them. Pressing Ctrl+Shift+I in Chrome opens the DevTools panel, which shows the API requests the LinkedIn page sends to its servers.<\/p>\n\n\n\n
Here\u2019s an example.<\/p>\n\n\n\n
There are two ways to open a profile on LinkedIn:<\/p>\n\n\n\n
- Paste the profile\u2019s URL link into the browser address bar and hit Enter<\/li>
- Type the name of the person you are looking for on LinkedIn and select the right contact among options that start to appear.<\/li><\/ol>\n\n\n\n
On the surface of it, there\u2019s no difference.<\/p>\n\n\n\n
But LinkedIn has been looking at many automation tools and found that all of them were using the URL method. Clearly, you can\u2019t block users after just a couple of profile openings via URL: this isn\u2019t good evidence that they are using an automation tool.<\/p>\n\n\n\n
But opening 50 profiles via URL within 12 hours is a good indicator, they think.<\/p>\n\n\n\n
So, LinkedIn has now introduced this limitation, except for the Sales Navigator and Recruiter platforms.<\/p>\n\n\n\n
Try opening every profile from the search result in a new tab, and you will likely get logged out before you reach the seventh page.<\/p>\n\n\n\n
After you log back in, go on with this practice until you see a warning message from LinkedIn saying that they suspect you of using an automation tool.<\/p>\n\n\n\n
At Linked Helper 2 we chose the second, name-search method of opening profiles, as it is naturally used by many people when they browse LinkedIn without any automation tools.<\/p>\n\n\n\n
How do your prospects react to your actions?<\/strong><\/h3>\n\n\n\n
The main metric you should care about is your acceptance rate \u2013 what percent of your sent invitations get accepted.<\/p>\n\n\n\n
Given that for many users LinkedIn limits how many invitations they can send per week, you would benefit if you focus on the quality of your connection requests and learn how to write highly-converting ones.<\/p>\n\n\n\n
<\/figure>\n\n\n\nWe recommend the following strategy for increasing the acceptance rate for our users:<\/p>\n\n\n\n
- Visit a profile<\/li>
- Like 2-3 recent posts or articles (read how to automate https:\/\/linkedhelper.zendesk.com\/hc\/en-us\/articles\/360018627020-Like-posts-and-articles<\/a>)<\/li>
- Wait 24 hours and follow profiles (https:\/\/linkedhelper.zendesk.com\/hc\/en-us\/articles\/360016777979-Profiles-Auto-Follower<\/a>)<\/li>
- In another 24 hours\u2019 time send your connection requests with a personal message<\/li>
- Once your request is accepted, send several follow-up messages until the person writes back to you.<\/li><\/ol>\n\n\n\n
LinkedIn is also known to analyze how many people click \u201cDismiss\u201d when they receive your connection request.<\/p>\n\n\n\n
In other words, even if you can boast an 80 percent acceptance rate but send as many as 400 invitations every day, chances are that, because of the sheer volume, you\u2019ll end up with too many \u2018Dismiss\u2019 clicks in absolute numbers and, as a result, a restriction of your profile.<\/p>\n\n\n\n
Therefore, our general recommendation is to keep your pace at about 50-70 invites daily and don\u2019t forget to clear 3-weeks-old pending invitations. https:\/\/linkedhelper.zendesk.com\/hc\/en-us\/articles\/360015365379-How-to-cancel-sent-pending-invites-<\/a><\/p>\n\n\n\n
Parallel access to your LinkedIn account<\/strong><\/h3>\n\n\n\n
A less critical but real threat is parallel access to your LinkedIn account. LinkedIn knows the IP of your machine and its geolocation.<\/p>\n\n\n\n
No wonder that if you access your account from 2 countries at the same time, you\u2019ll raise suspicion.<\/p>\n\n\n\n
We\u2019ve seen examples when LinkedIn blocked accounts in such cases until they received an explanation of how this could have happened, claiming they did it to protect users\u2019 accounts.<\/p>\n\n\n\n
The scenario is possible when:<\/p>\n\n\n\n
- You handed over your account to an assistant or a lead generation expert.<\/li>
- You use a cloud-based automation tool, and it picked the wrong proxy.<\/li>
- You use a VPN on your machine.<\/li><\/ol>\n\n\n\n
We believe this is not a serious cause for concern anyway.<\/p>\n\n\n\n
In 4 years, we haven\u2019t heard of anyone losing their account because they gave control to their assistant. Most likely, you\u2019ll be reminded of the Terms of Use and, in particular, the part that prohibits handing your account over to third parties.<\/p>\n\n\n\n
That said, we recommend at least making sure your assistant enters your account from the same country as you do.<\/p>\n\n\n\n
By the way, it\u2019s quite difficult to find a reliable service that offers a proxy linked to a specific town. Next time, when you hear that another LinkedIn automation tool is safe because they promise unique proxies for your account, remember that in fact the access might be from a different city and LinkedIn can see it.<\/p>\n\n\n\n
To draw a line under this big section, we want to remind you that the behavioral tactics LinkedIn uses are not just a pain in the neck for automation tools, but something everyone who uses LinkedIn today, even manually, should be aware of.<\/p>\n\n\n\n
Technical approach<\/strong><\/h2>\n\n\n\n
As you may have guessed from the name, this approach does not deal with your manual work on LinkedIn. Here we will be looking at how the biggest social platform for business is trying to catch automation tools on a technical level.<\/p>\n\n\n\n
There are 3 types of automation tools out there:<\/p>\n\n\n\n
- Chrome or browser extensions. Those are plug-ins that you install in your browser.<\/li>
- Cloud solutions which work via LinkedIn API<\/li>
- Browser-based solutions (desktop apps or cloud)<\/li><\/ol>\n\n\n\n
Chrome or browser extensions<\/strong><\/h3>\n\n\n\n
Creating a Chrome extension is not a great deal of work. I spent 2 days creating the first version of Linked Helper 1, the Chrome extension, having zero experience in making extensions for Chrome and some initial knowledge of JavaScript.<\/p>\n\n\n\n
That was the time necessary to architect 2 simple functions \u2013 auto-inviting and auto-messaging. Such low cost of market entry explains why very quickly about 100 similar extensions sprung up like mushrooms.<\/p>\n\n\n\n
Chrome Store\u2019s role was the distributor and payment processor. Few extensions out of that hundred, however, became a major success like Linked Helper.<\/p>\n\n\n\n
Back when we were a Chrome extension, if you typed \u201cLinkedIn\u201d in the Chrome Web Store, you\u2019d see us #1 in the search results with an audience of 80 thousand, followed by 2 official plug-ins from LinkedIn and Dux-Soup in the 4th<\/sup> place.<\/p>\n\n\n\n
Chrome extensions are very popular because by concept they are an add-on for this or that website, and they are easy to start with.<\/p>\n\n\n\n
Sadly, Chrome extensions aren\u2019t 100% safe, and below I will explain why. But first, let\u2019s turn to the algorithms that are currently used to detect extensions-based automation tools. <\/p>\n\n\n\n
1<\/strong>st<\/sup><\/strong> extensions detection algorithm<\/strong><\/h3>\n\n\n\n
The earliest detection algorithm was 100% client-based. This means it worked inside your browser, looked for traces of extensions and sent to LinkedIn\u2019s server the list of extensions it caught.<\/p>\n\n\n\n
It searched for interface elements that were specific to a given extension, though it was a rather superficial check. The algorithm also sent local HTTP requests for resources unique to each extension, since the files each extension used and its ID in the Chrome store were known. Linked Helper 1 had already been partly protected by that time: we used random HTML tags and got rid of unique resources.<\/p>\n\n\n\n
Instead, the biggest part of the code was loaded from the cloud. Another thing we did to bypass those earliest detection efforts was to block the part of LinkedIn\u2019s API that ran the search for extensions and reported it to LinkedIn.<\/p>\n\n\n\n
This algorithm very quickly caught the use of Meet Leonard, a fast-growing new tool at the time, just in the middle of their promo campaign on App Sumo. We can\u2019t say with confidence that it killed the product, but I know for a fact that their work was then paralyzed.<\/p>\n\n\n\n
Martin Martinez, the founder of Meet Leonard, made the right decision and built Meet Alfred as a standalone app. As I understand, it is a decent browser-based solution. Though I haven\u2019t checked how good it is from the safety point of view. <\/p>\n\n\n\n
2<\/strong>nd<\/sup><\/strong> extensions detection algorithm<\/strong><\/h3>\n\n\n\n
After a while, LinkedIn came up with a more sophisticated algorithm for detecting extensions. At random times, a so-called Web Worker (JS code that runs in the background, separately from the main program code of the page) would launch.<\/p>\n\n\n\n
It scanned for tags without text-like content, pulled script and style tags and their content, then encrypted whatever was found and sent it to LinkedIn\u2019s server, where it was inspected for traces of extensions.<\/p>\n\n\n\n
That second algorithm succeeded in breaking through Linked Helper 1 protection shield in early August of 2019, when users started to report they were caught using Linked Helper 1.<\/p>\n\n\n\n
This happened in large part because my team\u2019s and my efforts were fully focused on developing the Linked Helper 2 app at the time, rather than on defending our extension.<\/p>\n\n\n\n
To me, it was already clear that no chrome extension for LinkedIn can be 100% safe. Although this was a serious punch from LinkedIn, in 3 days we managed to somehow cope with that hole in our security.<\/p>\n\n\n\n
Then it took us another 2 weeks to duly test and release the improved version, but by then we had lost 30% of clients. After the changes I made, every user of Linked Helper 1 had a unique extension.<\/p>\n\n\n\n
Now if LinkedIn sent the footprint of the page to its servers, it wouldn\u2019t be able to find any common signs. It is challenging for extensions to respond to LinkedIn\u2019s detection measures, largely because the Chrome store\u2019s policies are becoming more and more strict. We were forced to leave the Chrome store and started to distribute our product through zip files.<\/p>\n\n\n\n
To date, Linked Helper 1 is still alive and working, though most of our users have switched to the Linked Helper 2 standalone app.<\/p>\n\n\n\n
We have survived two detection campaigns from LinkedIn. Why do we still think that Chrome or browser-based extensions aren\u2019t 100% safe?<\/p>\n\n\n\n
For two reasons. <\/p>\n\n\n\n
One<\/strong>. The screenshot below shows fragments of program code from one of the top Chrome extensions for LinkedIn automation. They block some of the LinkedIn API calls that take part in tracking extensions. The bad news is that Chrome continues to limit its API for Chrome extensions, and soon it is likely to force all extensions to use manifest v3. When that happens, the use of such code will be impossible:<\/p>\n\n\n\n
<\/figure>\n\n\n\nTwo<\/strong>. Even the older extension APIs of any browser do not allow an extension to fully imitate human-like actions. Moreover, in all modern browsers web pages have a technical means of establishing by whom or by what an event (click, input, mouse move) was triggered \u2013 by a human or by program code. Events and actions made by a human will have the \u2018isTrusted === true\u2019 attribute, while those originating from extensions will have \u2018isTrusted === false\u2019.<\/p>\n\n\n\n
Luckily for many extensions, LinkedIn isn\u2019t using this approach now, but clearly it is a matter of time. If you click on the \u2018Connect\u2019 button, let\u2019s say, they can track whether the click originates from a program and then flag that you are using an automation tool.<\/p>\n\n\n\n
Fairly simple.<\/p>\n\n\n\n
Cloud solutions that work via LinkedIn API<\/strong><\/h3>\n\n\n\n
Solutions of this type are easy to create. They automate work with certain LinkedIn API endpoints, such as retrieving profile data. This is used for tasks where you need to extract profiles from a list of URLs the user gives. Other API endpoints are used for sending messages and invites.<\/p>\n\n\n\n
There are plenty of solutions on the market that claim they are safe because they run in the cloud. It is super easy for LinkedIn to detect them, though they aren\u2019t doing it now. The thing is, such tools mimic only part of LinkedIn\u2019s processes, and reproducing everything is nearly impossible.<\/p>\n\n\n\n
Thus, LinkedIn can simply sign up for a trial and compare the API request map of a typical user with the one generated by a cloud solution. Even easier, it could introduce special detection requests to random API endpoints and destroy such tools with one shot.<\/p>\n\n\n\n
Browser-based solutions (cloud or desktop apps)<\/strong><\/h3>\n\n\n\n
Not every cloud solution for LinkedIn automation works with LinkedIn API. There are browser-based solutions, too.<\/p>\n\n\n\n
An example is Phantombuster. This is the only cloud tool I know of that admits publicly, and proves in its API documentation, that it is a browser-based tool built on Puppeteer (https:\/\/pptr.dev\/<\/a>) and headless Chrome.<\/p>\n\n\n\n
In other cases, unfortunately, only LinkedIn and the developers of the solution itself can know the exact type of this or that Cloud solution. We certainly expect that after reading this article, all other Cloud solutions will claim to be implemented on headless Chrome.<\/p>\n\n\n\n
Browser-based desktop apps are represented by Linked Helper 2 and Meet Alfred. Both solutions are built on the Chromium engine, which is used in Chrome itself.<\/p>\n\n\n\n
Unfortunately, even if you know for a fact that a certain tool is browser-based, you can\u2019t be fully confident it is safe to use. Here\u2019s why:<\/p>\n\n\n\n