LiquidFiles Documentation
LiquidFiles Documentation

Unexpected Download Activity from Email Security Scanners

Automated security tools frequently access LiquidFiles links without any human involvement. This can manifest in two ways: unexpected FileLink downloads appearing in logs before the sender has shared the link with anyone, or "Session Expired" log entries for message validation links. Both are caused by the same underlying mechanism.

If you see a FileLink accessed or downloaded from one or more unexpected IP addresses — particularly shortly after the link was created and before it was shared — this is almost always an automated security scanner, not a compromise of your server or the link.

Modern endpoint security products, browser extensions, and email clients scan URLs the moment they appear on a user's device: when a link is copied to the clipboard, typed into a compose window, or pasted into a chat application. Cloud-based scanning infrastructure often operates from multiple geographically distributed nodes, which is why you may see two or more download events from different countries within seconds of each other.

Common sources include:

  • Microsoft Defender for Office 365 Safe Links (scans links as they are composed, not just when received)
  • Proofpoint, Mimecast, Barracuda, and similar email security gateways
  • Browser-based Safe Browsing services (Google Chrome Enhanced Protection, etc.)
  • Endpoint DLP or antivirus products that monitor clipboard and browser activity
  • Slack, Teams, and other messaging platforms that generate link previews

To confirm, check the User-Agent string in the download log entry. Automated scanners typically identify themselves with non-browser strings such as python-requests, curl, Mimecast, Microsoft Office, or similar — rather than a standard browser User-Agent.

Session Expired errors from message validation links

When LiquidFiles sends a notification email to an external recipient, the email contains a validation link the recipient must click to authenticate. If you see log entries like:

Session Expired, please enter your email address again to continue

this is almost always caused by an email security scanning tool, not by the recipient themselves. The scanner fetches the validation URL automatically, has no browser session, and LiquidFiles responds with a "Session Expired" error.

The IP address in the log entry will typically belong to the email security vendor's infrastructure — a cloud data centre IP, often in a different city or country from the recipient.

This is harmless. The validation token is bound to both the recipient's email address and the token value, so a scanner fetching the link does not consume or invalidate it. The actual recipient can click the same link at any time and will be prompted to enter their email address as normal.

Is my server compromised?

Unexpected download events from automated scanners are not an indicator of a server compromise. If you want to rule out a compromise independently, you can review the following:

  • Check Admin → Logs for any admin-level configuration changes you did not make.
  • Check Admin → Users for any unknown accounts.
  • Review the System Console login history (last command via SSH) for unexpected logins.

If any of those checks reveal unexpected activity, please contact support immediately.

What you can do

No action is required for scanner activity. These log entries can safely be ignored. If your organisation's email security product supports URL rewriting or link-click auditing, you may also see the scanner's IP address in logs for subsequent authenticated sessions — this is also expected behaviour.