Contact sales@omnivery.com. Access requires domain enablement and brief technical review of tracking data pipeline.

Bot Detection API: Identify Non-Human Email Interactions at Scale

Q: What does the API actually return?

A boolean is_bot field per event — true if non-human, false if likely human. Response also returns all originally submitted fields so you can match by event_id.

Q: Does it work with tracking data from other ESPs?

Yes, provided raw tracking events are available with source IP and user agent per interaction. If your ESP aggregates, proxies, or omits these fields, integration is not technically possible.

Q: How does the honeypot work and is it required?

Optional but improves detection. Hidden link only bots follow. IP and UA cached for 30 minutes. Any subsequent matching event within the window is flagged immediately. One line of HTML to implement.

Q: Can it detect Apple MPP opens?

Yes. Apple MPP routes opens through Apple's proxy infrastructure with a known IP range and user agent pattern. These are identified and flagged.

Q: Is the batch endpoint truly asynchronous?

Yes. POST events with webhook_url, receive 202 Accepted with batch_id, results pushed to webhook when complete. Can also retrieve individual results by request_id.

Q: Why is the single-interaction endpoint slow by design?

Minimum response time of over one second, rate limited. Prevents use as real-time classifier which would expose detection model to enumeration attacks. For volume use, use the batch endpoint.

Q: Does processing event data through the API create GDPR exposure?

Designed with privacy in mind. recipient_id is recommended hashed. IPs and UAs not permanently stored associated with identifiable individuals. EU headquarters, GDPR-native architecture. DPA available at omnivery.com/legal/dpa.

Your open rates and click rates are lying to you. Security scanners pre-click every link. Apple MPP pre-loads every pixel. Botnets inflate clicks for ad fraud. Omnivery's Bot Detection API returns a simple verdict per event: is_bot: true or is_bot: false.

Used by Beehiiv to prevent $2M+/month in ad fraud

Beehiiv Case Study Documentation

The Problem

Security Scanners Click Every Link

Proofpoint, Mimecast, Barracuda, Microsoft Defender follow every link before recipient sees email. Zero human intent.

Apple MPP Pre-Loads Every Pixel

iOS 15+, routes opens through Apple proxy, pre-loads all pixels regardless of whether recipient reads. 50% open rate may be much lower in reality.

Botnets Inflate Clicks for Ad Revenue

Newsletter ad networks targeted by botnets: diverse IPs, legitimate user agents, realistic intervals. Invisible to simple rules.

What the API Detects

Security scanner clicks — Proofpoint, Mimecast, Barracuda, Microsoft Defender, and others
Apple MPP automated opens — proxy-loaded pixel requests from Apple's infrastructure. Note: 99% of NHI opens come from Apple MPP. Because Apple publicly documents its proxy IP ranges, suppressing these opens is straightforward and should be standard practice at any competent ESP. The harder and more commercially significant NHI problem is clicks.
Inbox tracking tools — automated tools for email research, competitive intelligence, deliverability testing
Malicious botnets — coordinated automated click campaigns targeting ad network monetisation
Other non-human interaction patterns — identified through 20+ proprietary datasets developed over 8+ years

The detection engine combines IP reputation, user agent analysis, behavioural pattern matching, and honeypot data to provide unparalleled accuracy in identifying automated interactions across the full spectrum of non-human sources.

How It Works

Two Integration Modes

Batch mode: Up to 500 events, async webhook delivery for high-volume processing.

Single interaction mode: Synchronous, 1s+ min response time, rate limited — not for real-time inline filtering.

Authentication

ov-token header. Access requires explicit enablement per domain. Contact sales@omnivery.com.

Minimal Integration Requirements

Each event requires only three fields: ip, uas, event_id. More fields = higher accuracy.

{
  "events": [
    {
      "ip": "156.17.201.170",
      "uas": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 ...)",
      "event_id": "unique-event-identifier-123",
      "action": "click",
      "domain": "example.com",
      "recipient_id": "hashed-recipient-id",
      "message_id": "message-identifier",
      "ts": 1721474736
    }
  ],
  "webhook_url": "https://your-endpoint.com/bot-results"
}

The Response

is_bot: true or is_bot: false. Clean, unambiguous, actionable.

{
  "is_bot": false,
  "request": {
    "action": "click",
    "event_id": "57d476d4-d8db-4757-b4da-5f2b8d6bf5f5",
    "ip": "156.17.201.170",
    "uas": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 ...)",
    "message_id": "17690841631",
    "recipient_id": "randomhash",
    "ts": 1721474736
  }
}

The Honeypot Feature

A hidden link embedded in email body, followed only by bots. 30-minute cache window. No false positives for humans.

Recommended HTML implementation:

<a href="https://email.{domain}/{message_id}/hclick"><!-- tracking pixel --></a>

For Email Service Providers

Building bot detection in-house requires significant ongoing investment in data science, engineering, and infrastructure. The Omnivery Bot Detection API provides enterprise-grade accuracy from day one.

Criteria	Build in-house	Integrate Omnivery Bot Detection API
Time to first detection	6–18 months	Days
Detection accuracy at launch	Low (obvious signals only)	High (8+ years of data)
Bot infrastructure coverage	Limited and degrading	Continuously updated
Engineering cost	Ongoing	Integration only
Data science requirement	Yes — ongoing	No
PII handling overhead	Yes	No — hashed identifiers
Compliance exposure	Higher	Lower (EU infrastructure, GDPR-native)
Revenue model	Custom	Volume-based, margin-friendly

Contact sales@omnivery.com to discuss ESP partnership arrangements, white-label options, and volume pricing.

Who Needs This

Newsletter Publishers and Media Businesses

Revenue depends on engagement metrics. Beehiiv prevents $2M+/month in fraudulent claims.

Email Service Providers

Clean data as differentiator. Included automatically for Omnivery tracking customers. Third-party ESPs supported subject to vetting.

Marketing Teams on High-Volume Transactional Programs

2FA, order confirmations pass through enterprise gateways. Contaminated data degrades ML models over time.

Ad Networks and Monetisation Platforms

Botnets target click-based payouts with diverse IPs, realistic UAs, and plausible timing.

Access and Integration Requirements

1
Domain enablement

API returns 402 Payment Required if not enabled. Configured per domain after approval.
2
Technical vetting

Must be able to surface raw event data: source IP and user agent string per interaction. Platforms that obfuscate this cannot integrate.
3
Implementation review

For third-party ESP integrations, Omnivery reviews before enabling access.

Documentation

At a Glance

Omnivery's Bot Detection API identifies non-human email interactions using 20+ proprietary datasets developed over 8+ years.

Detection categories include: security scanner clicks (Proofpoint, Mimecast, Barracuda, Microsoft Defender), Apple MPP automated opens, inbox tracking tools, and malicious botnets.

The API accepts up to 500 events per batch request and returns is_bot: true/false per event via webhook.

Minimum required fields per event: source IP (ip), user agent string (uas), unique event ID (event_id). Additional fields increase detection accuracy.

The honeypot endpoint captures IP and user agent of automated scanners before they reach real links, feeding a 30-minute detection cache.

Access requires domain enablement and technical vetting — the API returns 402 Payment Required if Bot Detection is not enabled for the requesting domain.

For Omnivery customers using Omnivery's own open and click tracking, bot detection is included automatically at no additional charge.

Third-party ESP and platform integrations are supported, subject to the technical requirement that raw event data (source IP and user agent per interaction) is available.

Beehiiv uses the Omnivery Bot Detection API to prevent over $2 million per month in fraudulent ad network claims.

No other major transactional email provider offers an equivalent bot detection capability.

For ESPs, the Bot Detection API eliminates the build cost — 8+ years of proprietary data, continuous infrastructure updates, no PII sharing, no cross-customer data mixing — and can be deployed as a premium product feature in days rather than months.

Authentication: ov-token header. Base URL: https://zap-api.omnivery.net.

Ready to Clean Your Engagement Data?

Contact the team to discuss access and confirm your tracking pipeline meets the API's technical requirements.

Inboxing, Security, Compliance

Are you ready for the next level in security, privacy and deliverability?

Get started Contact us