Bot Finder advanced configuration

After the initial Bot Finder setup, most senders can use the defaults and get accurate results. Advanced configuration lets you fine-tune detection behavior for your specific email program — especially useful if you are seeing false positives from specific privacy proxies or security scanners.

Bot score threshold

Bot Finder assigns a confidence score from 0 to 100 to every event. The bot threshold determines where the boundary between “suspicious” and “bot” is drawn.

Classification	Default score range	Description
Human	0–24	Low bot confidence
Suspicious	25–39	Moderate signals
Bot	40–100	High confidence — treat as bot

You can raise or lower the bot threshold (the boundary between suspicious and bot) in Integrations → AWS SES → Settings → Bot threshold.

Raising the threshold (e.g. to 60):

Fewer events are classified as bot
More events classified as suspicious instead
Reduces false positives; may allow some real bots through
Recommended if your program sends to corporate-heavy audiences with many security scanners

Lowering the threshold (e.g. to 30):

More events classified as bot
More aggressive filtering
May increase false positives for privacy proxies
Not recommended unless you have a very clean list and Bot Finder feedback data showing consistent patterns

Detection rule categories

Bot Finder’s 6-layer analysis engine applies 28 detection rules organized into categories. You can disable entire categories if they are causing false positives for your use case.

Rule categories

Category	Rules it contains	When to disable
Privacy proxy	Apple MPP, Gmail Image Proxy, Yahoo Mail proxy, Outlook prefetch	Almost never — these are the most important rules
Security scanner	Proofpoint, Barracuda, Mimecast, Microsoft Defender pre-click	If your audience is entirely consumer (no B2B recipients)
Timing	Sub-second opens, rapid sequential clicks, impossible open→click gap	If you have legitimate high-speed automation opening emails
IP intelligence	Cloud IPs (AWS/GCP/Azure), AbuseIPDB, DNSBL zones, IP fanout patterns	If many legitimate subscribers use corporate VPNs or cloud environments
User agent	Bot UAs, extinct browsers, missing UAs, repeated UA patterns	If your audience uses unusual or custom email clients
Trap detection	Honeypot clicks, typo domains, role accounts (abuse@, postmaster@), disposable emails	If you intentionally send to role-based or internal addresses

To disable a category:

Go to Integrations → AWS SES → Settings in the InboxEagle app
Under Detection rules, toggle off the category you want to disable
Click Save — changes apply to events processed after saving

How the scoring pipeline works

Understanding the pipeline helps you make informed decisions about threshold and rule adjustments.

The bot confidence score is computed in 6 sequential layers:

Layer A — Deterministic flags If a deterministic rule fires (e.g. honeypot click, known spam trap), the score is set to 100 immediately. No further layers run.

Layer B — Behavioral scoring The 28 behavioral rules run in parallel. Each rule that fires contributes a weighted score. The combined behavioral score is capped at 60.

Layer C — Confidence multiplier A confidence multiplier (0.7× to 1.15×) adjusts the score based on how many signals agree. Events with multiple corroborating signals get a small boost; events with a single weak signal get a small reduction.

Layer D — Historical deviation If the event deviates significantly from the per-recipient baseline (e.g. this recipient normally opens via Apple Mail but this event has a different user agent pattern), the score is adjusted.

Layer E — Cross-tenant reputation IP addresses and ASNs with consistent bot activity across multiple InboxEagle tenants receive a reputation bonus of up to +20 points. This is the cross-tenant shared intelligence layer.

Layer F — Recipient history Per-recipient history (false positive cap, false negative floor) from classification feedback is applied last, capping or flooring the score based on known human or bot recipients.

Final score: round((cappedLayerB × multiplier) + reputationBonus)

Sequence detection

Bot Finder detects machine-first / human-followup sequences — a common pattern where a bot opens an email (triggering the open pixel) before a human reads it and clicks a link.

When Bot Finder detects this sequence:

The bot open is classified as Bot
The human click that follows is classified as Human (not bot, even though it came after a bot open)
The sequence is marked with engagementStage: human_followup

This ensures that legitimate human clicks are not penalized because a privacy proxy or security scanner happened to open the email first.

Verbose payload mode

When verbose payload mode is enabled, Bot Finder’s delivery payload includes the full bot confidence vector (BCV) — a detailed breakdown of every rule that fired and its score contribution.

To enable verbose payloads:

Go to Integrations → AWS SES → Settings
Enable Verbose payload under Delivery settings
Save changes

The verbose payload is included in webhook deliveries, SNS messages, and S3 uploads. It adds approximately 2–5 KB per event.

Example verbose payload addition:

{
  "botConfidenceVector": {
    "applePrivacyProxy": { "fired": true, "score": 15, "suppressor": true },
    "cloudIp": { "fired": true, "score": 12 },
    "subSecondOpen": { "fired": false, "score": 0 },
    "abuseIp": { "fired": false, "score": 0 },
    "layerC_multiplier": 1.05,
    "layerE_reputation": 8,
    "finalScore": 35,
    "classification": "suspicious"
  }
}

Verbose payloads are useful for:

Building custom classification logic on top of Bot Finder’s output
Auditing specific events for false positive analysis
Integration with your own data warehouse for ML model training

Classification feedback

Classification feedback lets you correct Bot Finder’s classifications — teaching it about false positives (real humans classified as bots) and false negatives (real bots classified as humans) for your specific program.

Submitting feedback adjusts the per-recipient score cap and floor in Layer F of the scoring pipeline. After enough feedback on a recipient, Bot Finder learns that this person consistently triggers Apple MPP (for example) and stops classifying their events as bot even if the IP intelligence rules fire.

To submit feedback via the InboxEagle app:

Open the Recent detections table in the Bot Finder dashboard
Click any event you want to correct
Select Mark as human (false positive) or Mark as bot (false negative)
The feedback is applied immediately and affects future scoring for this recipient

To submit feedback programmatically (via API):

POST /feedback
Content-Type: application/json

{
  "eventId": "evt_abc123",
  "correction": "human",
  "note": "This is our CEO — he reads email on a corporate network"
}

correction: "human" for false positive, "bot" for false negative
note: optional; helps InboxEagle support understand the pattern

Honeypot links

For the highest-confidence bot detection on click events, add a honeypot link to your email templates. A honeypot is a hidden link that is invisible to human readers but often triggered by link-scanning bots.

Any click on a URL containing ?_ie=hp (or &_ie=hp for URLs with existing query parameters) is given a score of 90+ and classified as bot.

Example hidden link:

<a href="https://your-domain.com/track?_ie=hp" style="display:none;font-size:0">.</a>

Do not use _ie=hp on any visible, intentional links — this will cause real human clicks to be misclassified as bot.

Next steps

Bot Finder setup — Initial connection
Bot Finder dashboard — Monitor detection results
Bot Finder troubleshooting — Diagnose issues
Intelligence Agent — Ask questions about your bot data in natural language

Open Bot Finder settings →