![PrimaryLogo_Trans-2.png]](https://help.instant.one/hs-fs/hubfs/PrimaryLogo_Trans-2.png?height=40&name=PrimaryLogo_Trans-2.png){kind=small}
How does Instant AI handle bot activity?
Bots are automated programs that simulate human behaviour online. In the context of ecommerce, bots can create fake transactions, run fraudulent credit card activity, inflate customer lists, and trigger automated email flows with invalid or fabricated contact details.
No single tool or platform can eliminate bot activity entirely. Effective bot management is a shared responsibility across your ecommerce stack, your store platform, your email tools, and you as the merchant all play a role. This article explains how Instant AI fits into that picture: what we do automatically, what you can configure, and where the limits of our control are.
How It Happens
Bot activity originates at the store level. When a bot completes a checkout or abandons a cart on your Shopify store, it creates a customer record and triggers downstream tools like Instant AI to respond. By the time Instant AI sees that shopper, the bot has already entered your system.
Sophisticated bots are particularly difficult to catch because they are designed to look like real customers. They rotate IP addresses to avoid being blocked by location, mask their geographic origin to appear as legitimate shoppers, and often use realistic-looking names and email addresses that pass standard validation checks. Some are even capable of completing real transactions with stolen payment details, which makes them indistinguishable from a genuine customer at the point of checkout.
Shopify is the first line of defence. It is where transactions originate and customer records are created. Shopify provides native fraud scoring on orders and flags high-risk transactions, but it does not automatically block all bot activity, particularly from sophisticated bots that pass checkout validation. Merchants can extend Shopify's capabilities with third-party fraud detection apps available in the Shopify App Store, and this is often the most impactful place to intervene.
What You Can Do About It with Instant AI
The following protections are applied to all Instant AI customers without any configuration required.
Email Address Validation Before any email is sent, Instant AI runs every address through two industry-standard authentication services — NeverBounce and ZeroBounce. These services check whether an address is real and deliverable, likely to bounce, or associated with known bot or spam activity. If an address fails validation, Instant AI will not send to it and will stop processing that contact's details. This catches a large proportion of bot-generated addresses, which are often randomised, invalid, or tied to known spam infrastructure.
Bounce & Retry Logic Instant AI uses SendGrid for email delivery. If an email is sent and bounces, Instant AI applies delayed retry logic — skipping the next send attempt for that address. This protects your sender reputation if a bot is cycling through the same invalid address repeatedly.
What You Can Configure
Domain Exclusions If you have identified specific domains that are consistently associated with bot activity, you can add them to Instant AI's domain exclusion settings. Any shopper whose email matches an excluded domain will be skipped from flow enrollment entirely. This list can be updated at any time as new patterns emerge.
Examples of domains you might exclude:
- A domain appearing repeatedly in fraudulent orders (e.g.
nyvexis.com) - A foreign institutional domain being exploited (e.g.
edu.tr) - A known test or placeholder domain (e.g.
example.com)
See: How to Exclude Certain Shoppers from Receiving Instant AI Emails
What Is Outside of Our Control
Some bot behaviours fall outside of what Instant AI — or any email tool — can reliably detect or prevent.
Order name or customer name patterns — Instant AI does not filter flow enrollment based on customer names. Name-based detection is unreliable and risks excluding legitimate customers.
Low-value order amounts — Instant AI does not filter based on order or product value. This is better handled upstream at the Shopify or checkout level using fraud scoring.
IP address and location masking — Sophisticated bots rotate IP addresses and spoof their location. Instant AI does not have access to IP-level data and cannot use this as a filtering signal.
Bots using valid email addresses — If a bot uses a real, deliverable address that passes NeverBounce and ZeroBounce validation, Instant AI has no way to automatically identify it as a bot. In these cases, manual identification and domain exclusion is the only available option.