The Mautic community has shipped a series of improvements to how the platform identifies and filters out bot traffic. The result is cleaner analytics, more accurate contact data, and better compliance with privacy regulations. Here’s what changed.
The Problem
Out of the box, Mautic tracked everything: crawlers, monitoring tools, browsers preloading links on behalf of users. This inflated page view counts and email open rates, and it polluted your contact database with false touches. The numbers were accurate in the technical sense, but not meaningful.
The fix required a coordinated effort across multiple layers: IP/user-agent filtering, bot library integration, privacy signal handling, and multi-metric bot scoring. These PRs ship that work.
What Got Fixed
1. Bot Ratio Scoring with Smart Heuristics (#14593)
Instead of relying solely on blocklists, Mautic now calculates a “bot ratio” from several lightweight metrics that don’t require expensive database queries:
· Email timing: If a page is hit within 2 seconds of email send, it’s suspicious
· IP reputation: Known datacenter or bot IP ranges
· User agent: Matches against known bot signatures
The share of signals that fire is compared against a threshold ratio (default: 0.6); with three signals, a request is not tracked once two or more of them fire. Both the timespan (default: 2 seconds) and the threshold ratio are configurable, so you can tune detection for your environment.
This approach catches behaviors that blocklists miss: a bot with a spoofed browser user agent, for example, or an automated tool whose user agent appears on no blocklist but which still hits your page at inhuman speed.
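As an added illustration of the scoring idea, the following Python computes the three signals, the ratio, and the tracking decision with both knobs exposed. It is not Mautic’s PHP implementation; the IP ranges, user-agent patterns and sample requests are constructed for the example.

```python
"""Bot-ratio scoring over three lightweight signals.

Added illustration in Python; Mautic's own implementation is PHP and is not
reproduced here. The IP ranges, user-agent patterns and sample requests are
constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, Optional
import ipaddress
import re

# Constructed stand-in for a datacenter / bot IP reputation list (RFC 5737 test nets).
DATACENTER_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed stand-in for the bot user-agent database; a deployment would use
# the device-detector bot list rather than a hand-written regex.
BOT_UA_PATTERNS = re.compile(r"bot|crawler|spider|curl/|python-requests", re.IGNORECASE)


@dataclass
class TrackingRequest:
    ip: str
    user_agent: str
    hit_time: float                         # unix seconds of the page hit
    email_sent_at: Optional[float] = None   # None when the hit is not tied to an email send


def signals(req: TrackingRequest, timespan: float = 2.0) -> Dict[str, bool]:
    """Evaluate the three heuristics independently; each is cheap and needs no DB query."""
    timing = (
        req.email_sent_at is not None
        and 0.0 <= req.hit_time - req.email_sent_at <= timespan
    )
    try:
        reputation = any(ipaddress.ip_address(req.ip) in net for net in DATACENTER_RANGES)
    except ValueError:
        reputation = False  # unparsable address: fail open rather than inventing a signal
    user_agent = BOT_UA_PATTERNS.search(req.user_agent) is not None
    return {"timing": bool(timing), "ip_reputation": reputation, "user_agent": user_agent}


def bot_ratio(req: TrackingRequest, timespan: float = 2.0) -> float:
    """Fraction of signals that fired, in [0, 1]."""
    fired = signals(req, timespan)
    return sum(fired.values()) / len(fired)


def should_track(req: TrackingRequest, timespan: float = 2.0, threshold: float = 0.6) -> bool:
    """Track the hit only while the ratio stays below the threshold (2 of 3 signals trips the default)."""
    return bot_ratio(req, timespan) < threshold


# Constructed sample traffic.
SAMPLE_REQUESTS = [
    # Spoofed browser UA from a datacenter range, hitting the link 1 s after send: timing + IP fire.
    TrackingRequest("203.0.113.7", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0", 1000.0, email_sent_at=999.0),
    # Residential address, 40 s after send: nothing fires.
    TrackingRequest("192.0.2.10", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0", 1040.0, email_sent_at=1000.0),
    # Declared crawler UA, not tied to an email: only one signal, so the ratio alone does not drop it.
    TrackingRequest("192.0.2.11", "Googlebot/2.1 (+http://www.google.com/bot.html)", 1100.0),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req.ip:<14} ratio={bot_ratio(req):.2f} track={should_track(req)}")
```

The Googlebot sample shows the design choice worth knowing about: a single signal, even a declared bot user agent, does not reach the 0.6 threshold on its own, so the ratio is a complement to the device-detector bot list described in the next section rather than a replacement for it. Lowering the threshold to 0.3 drops that request on the user-agent match alone; tightening the timespan to 0.5 seconds lets the first request through, because only the IP signal remains.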
2. Matomo Device Detector Integration (#15870 & #12750)
Mautic has extended its use of the Matomo device-detector library. Where it previously used the library only to identify a contact’s browser and device, it now also uses the library’s bot database to recognize and filter out 500+ bots out of the box.
This means bot filtering is no longer a static list you have to curate yourself; it is applied automatically to every incoming tracking request. The detector catches the usual suspects:
· Google, Bing, and DuckDuckGo crawlers
· Security scanners and uptime monitoring tools
· Email client preview bots (Gmail, Outlook, etc.)
· Third-party link validators and SEO audit tools
Before, blocking actors like Codewisebot or a random security scanner required manual regex configuration in your system settings. Now it just works.
3. Privacy-aware tracking validation with bot detection and DNT support (#15844)
Mautic now respects explicit privacy signals from the browser and HTTP headers:
· HEAD Requests: Automated uptime monitors and security tools often send HEAD requests just to see if a page is live. Mautic no longer counts these as human page visits.
· Do Not Track (DNT): Reinforces existing privacy compliance; if a browser sends a DNT: 1 signal, Mautic drops the tracking request.
· Speculative Purpose Headers: Browsers frequently prefetch or prerender pages they think a user might click on next. Mautic now detects headers such as Purpose: prefetch and ignores those requests, so your analytics aren’t artificially inflated.
· Global Privacy Control (GPC): Mautic now honors the Sec-GPC header, a privacy signal recognized as a valid opt-out under frameworks such as California’s CCPA/CPRA, Colorado’s CPA, and Connecticut’s CTDPA.
This is especially relevant for teams operating under CCPA, GDPR, or other privacy frameworks. It’s also pragmatic: why count a page hit from a browser that’s just preloading a link the user might click?
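The header checks above as an added Python example (not Mautic’s code): it decides from the HTTP method and headers whether a hit may be recorded and names the blocking signal when it may not. Only DNT: 1 and Sec-GPC: 1 count as opt-outs, since DNT: 0 is an explicit opt-in. The Sec-Purpose and X-Moz variants of the prefetch header are included as an assumption; the text above names only Purpose.

```python
"""Privacy-signal gate for tracking requests.

Added illustration in Python, not Mautic's code. It decides from the HTTP
method and headers whether a hit may be recorded and names the reason when it
may not. Header lookup is case-insensitive because HTTP header names are.
The Sec-Purpose and X-Moz variants are an assumption beyond the Purpose
header named in the text.
"""
from typing import Mapping, Optional

SPECULATIVE_HEADERS = ("purpose", "sec-purpose", "x-moz")
SPECULATIVE_VALUES = ("prefetch", "prerender")


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; returns the stripped value or None."""
    for key, value in headers.items():
        if key.lower() == name:
            return value.strip()
    return None


def rejection_reason(method: str, headers: Mapping[str, str]) -> Optional[str]:
    """None when the hit may be tracked; otherwise a short label for the blocking signal."""
    if method.upper() == "HEAD":
        return "head-request"            # liveness probes, not page views
    # Only DNT: 1 is an opt-out. DNT: 0 is an explicit opt-in and must not be read as a refusal.
    if _header(headers, "dnt") == "1":
        return "dnt"
    # Global Privacy Control is likewise meaningful only with the value "1".
    if _header(headers, "sec-gpc") == "1":
        return "gpc"
    for name in SPECULATIVE_HEADERS:
        value = _header(headers, name)
        if value is None:
            continue
        purpose = value.lower().split(";")[0].strip()   # e.g. "prefetch;prerender" -> "prefetch"
        if purpose in SPECULATIVE_VALUES:
            return f"speculative:{name}={purpose}"
    return None


def passes_privacy_gate(method: str, headers: Mapping[str, str]) -> bool:
    """True when no privacy or liveness signal blocks tracking."""
    return rejection_reason(method, headers) is None


# Constructed sample requests as (method, headers).
SAMPLE_REQUESTS = [
    ("GET", {"User-Agent": "Mozilla/5.0", "DNT": "1"}),
    ("GET", {"User-Agent": "Mozilla/5.0", "DNT": "0"}),
    ("HEAD", {"User-Agent": "UptimeMonitor/1.0"}),
    ("GET", {"User-Agent": "Mozilla/5.0", "Sec-Purpose": "prefetch;prerender"}),
    ("GET", {"User-Agent": "Mozilla/5.0", "sec-gpc": "1"}),
    ("GET", {"User-Agent": "Mozilla/5.0"}),
]

if __name__ == "__main__":
    for method, headers in SAMPLE_REQUESTS:
        print(method, rejection_reason(method, headers) or "track")
```

Two details matter in practice: the gate runs before any bot scoring, because a request the user has asked you not to track should not even reach the heuristics, and a real server’s header container may carry repeated headers, in which case the values need joining before the comparison rather than taking only the first one.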
4. Privacy and Bot Filtering Unified
All of these mechanisms are now applied consistently across Mautic’s tracking surface:
· Page hits (landing pages, website pages)
· Email opens
· Asset downloads
· Contact tracking endpoints
There’s no configuration burden here either. Privacy filtering and bot detection run by default on every single request.
The Impact
When you upgrade, expect to see:
- Lower page view counts, but more honest ones. The drop is typically 15-20%, depending on your traffic mix and how much bot traffic you were getting
- Cleaner contact timelines with fewer false touches from scanners and crawlers
- Better email metrics, since Gmail image proxy requests no longer artificially inflate open rates
- Compliance built in, with DNT, GPC, and prefetch handling that respects user intent by default
What These Fixes Do Not Address
These changes filter bot traffic from your analytics. They do not prevent bots from:
· Submitting forms or filling out contact fields
· Clicking list unsubscribe links (which will still process as real unsubscribes)
· Interacting with your website in other ways
If you need to prevent bots from submitting forms or taking actions, you’ll need separate defenses: CAPTCHA, rate limiting on form endpoints, honeypot fields, or form-level validation. This work focuses on keeping your analytics honest, not on blocking bot interactions at the form layer.
Looking Forward
These PRs represent a shift in philosophy: instead of Mautic assuming you know which bots exist and manually listing them, the platform now understands bot behavior and privacy signals natively. That means fewer configuration headaches and better analytics accuracy without extra work.
If you’re running Mautic 7.1+, you already have these improvements. Further work is under way, for example on preventing unsubscribe clicks triggered by non-human interactions.
Thanks to everyone who worked on this: the bot detection work touches core tracking logic and required careful testing across multiple bundles. The community’s diligence in review and verification made it solid.