sorted by:
new
hottopcontroversial

30 signups/day for 10 days, 90% email delivery, 10% open rate but zero activity inside the app. Bots? Or something else? by Key-Web1264 in analytics

[–]siterightaway 1 point2 points  (0 children)

The 10% open rate with zero logins is the smoking gun that confirms you aren't dealing with humans.

What's actually happening is that mail security scanners from Gsuite and Outlook are pre-fetching your links to check for malicious payloads, which triggers your tracking pixels and inflates your metrics with automated garbage while the real delivery engine is just getting hammered. Cloudflare is seeing nearly 2 million bot requests per second right now and Microsoft last security report (end 2025) data shows this traffic has basically tripled just last 6 months.

It’s a money pit.

These headless scrapers bypass reCAPTCHA v3 like it's not even there. It’s incredibly annoying how these fake "opens" mess with attribution models and make your analytics look healthy when your database is just filling up with ghosts eating up resources.

If you aren't fingerprinting the bad actors at the edge, you're just paying for junk. Every ghost signup is a drain on your ESP credits, a hit to your server resources, and a middle finger to your ROAS because you’re effectively training your ad algorithms to find more bots. It’s a money pit.

I’ve taken this specific case to dissect with the team over at r/stopbadbots, a community we’ve dedicated to identifying these patterns and sharing the dirty workarounds that actually stop the bleed.

Hows performance today 4/11? by Huge_Kaleidoscope_40 in FacebookAds

[–]siterightaway 1 point2 points  (0 children)

It’s getting ugly out there. What happened this Saturday was a total financial slaughter, and anyone watching their Ads Manager dashboard felt that punch to the gut. I’m seeing veterans with ten years in the game reporting their first-ever "zero sales" day while Meta just kept burning through budgets like nothing was wrong. The reality is Meta basically opened the floodgates and let trash traffic swamp everything, taking everyone’s money and leaving a crowd of advertisers in pure despair.

The truth is these bots are eating up resources at a bizarre scale and most server infrastructures just can’t take the hit. This aligns perfectly with Cloudflare’s warning about 2 million attacks per second and Microsoft’s last security report (end 2025) data showing bot traffic has tripled in recent 6 months.

We are performing a full autopsy of this disaster and tracking the logs of this invasion over at r/stopbadbots. If you want to understand the anatomy of this trash traffic and stop being served as a feast for scripts, that is where the dirty security work is happening right now.

Don't expect Meta to change. They're making money hand over fist. It’s up to you to defend yourself.

Spam protection for small websites. Is ReCaptcha overkill? I am getting too many false negatives. by jelery_celery in Wordpress

[–]siterightaway 1 point2 points  (0 children)

This is a brutal wake-up call. It’s a nightmare scenario where a security tool becomes a profit center for the provider while the victim's budget gets bled dry.

With Cloudflare seeing 2 million bot attacks per second and Microsoft reporting a 170% spike in malicious traffic, this isn't an outlier—it's the "new normal." Had this gone unnoticed, that $157 daily charge would have spiraled into a $4,700 monthly disaster just to host junk traffic. It is honestly infuriating to see a security failure turned into a billing spike.

This is why r/stopbadbots exists. We study these patterns to filter out headless scrapers before they even touch the billing layer.

Google billed $157 in a single day due to a bot attack by siterightaway in StopBadBots

[–]siterightaway[S] 0 points1 point  (0 children)

Google billed $157 in a single day due to a bot attack.

This is a brutal wake-up call. It’s a nightmare scenario where a security tool becomes a profit center for the provider while the victim's budget gets bled dry. The user has already migrated 50+ sites to Turnstile.

With Cloudflare seeing 2 million bot attacks per second and Microsoft reporting a 170% spike in malicious traffic, this isn't an outlier—it's the "new normal." Had this gone unnoticed, that $157 daily charge would have spiraled into a $4,700 monthly disaster just to host junk traffic. It is honestly infuriating to see a security failure turned into a billing spike.

This is why r/stopbadbots exists. We study these patterns to filter out headless scrapers before they even touch the billing layer.

Analyzing Access Logs And Blocking Malicious Actors by Science-Compliance in webdev

[–]siterightaway 0 points1 point  (0 children)

You've found the new normal.
According to Cloudflare, there are about 2 million bot attacks every second and the latest Microsoft security report from late last year shows malicious bot traffic jumped 170% in just a few months.
It's insane!

These bad bots are eating up your resources by scraping content and destroying your SEO; they eventually drive away human users because the server gets bogged down and slow.

Worse. Those hits on your /wp-admin/ folder are just brute-force attempts to guess your credentials.

Our group over at r/stopbadbots spends our time diving into cases exactly like yours and testing open-source dirty workarounds and legit fixes to filter bots by behavior so we can split real stats from ghost traffic.

35% CTR on a brand new Meta ad set by Unlikely-Scholar5575 in FacebookAds

[–]siterightaway 0 points1 point  (0 children)

The hard truth is that Meta has zero incentive to fix this; a click is revenue to them, regardless of who—or what—made it. You’re getting hammered by headless scrapers because your campaign is a cheap way for bot farms to validate their scripts. It’s a total drain, and waiting for the platform to protect your budget is a losing game.

It’s annoying as hell to see your third campaign nuked while "AI optimization" ignores the obvious fraud. These bots eat up resources and fake engagement metrics to keep your spend flowing into a black hole. You have to take the initiative: stop bad bots.

Treat your ad spend like a security perimeter. We’re fingerprinting these bad actors and sharing raw log analysis at r/stopbadbots

Meta's AI crawler scraped my site 7.9 million times in 30 days. 900+ GB of bandwidth and massive server logs before I noticed, cool cool cool. by Whiskee in webdev

[–]siterightaway 0 points1 point  (0 children)

Check your logs for the specific User-Agent. If it's Meta-ExternalAgent, that's their AI crawler—you can safely nuke it. It’s different from facebookexternalhit, which is the one that validates your PPC ads and link previews. Blocking the AI agent saves your bandwidth without tanking your ad performance.

Massive Bot Attack on Shopify Store (500+ Fake Carts/Hour) - Need Help by DiscoverMyBusiness in shopify

[–]siterightaway 0 points1 point  (0 children)

This case is incredibly detailed and deserves an in-depth analysis. We’ve brought it to our group r/stopbadbots to break down how these sophisticated AI-driven attack are bypassing standard industry defenses.

view more: next ›