Aller au contenu

How Many of Your Short Link Clicks Are Bots? We Flagged Every Click for 11 Days

We flagged every click on MiniLy short links for 11 days. 56% were bots, and that number is a floor, not a ceiling. Here is the raw data and what it means for your stats.

July 6, 2026
9 min read
12 views

TL;DR: We flagged every click on MiniLy short links in real time for 11 days (21 June to 1 July 2026) and got 5,247 clicks, of which 2,942 (56.1%) were bots. Daily bot share swung between 45.8% and 76.9%. That 56% is a floor, not a ceiling: user-agent detection misses email security scanners like Microsoft Safe Links and Proofpoint URL Defense, which click links using real browser user-agents. If you read raw click totals as people, you are overcounting by a lot.

Every marketer who has ever shared a short link has had the same quiet doubt: is that click number real? You post a link, the counter jumps, and you have no way to tell a human from a script. So we stopped guessing and measured it on our own production data. We tag every incoming click as human or bot at the moment it happens, keep both in the database, and here we are opening the raw numbers.

How many of your short link clicks are actually bots?

On our data, 56.1% of short link clicks were bots. Over 11 full days (21 June to 1 July 2026) we recorded 5,247 total clicks and flagged 2,942 of them as automated. That leaves 2,393 clicks that came from something we could identify as a real browser. So more than half of the raw counter was machines, not people.

This lines up with the wider web. In its 2024 Bad Bot Report, based on 2023 traffic, Imperva found that bad bots alone made up 32% of all internet traffic, with automated traffic overall accounting for nearly half of the web. Short links are an especially juicy target because they get pasted into emails, chat apps, and social feeds where automated scanners live. The result is a click counter that reflects the internet's real composition: a lot of it is not human.

What did the daily bot share look like?

It was volatile. Across the 11 days, the bot share of clicks ranged from a low of 45.8% to a high of 76.9%. On the worst day, more than three of every four clicks were automated. There is no single "bot rate" you can memorize, because it depends on where and when a link gets shared and which scanners happen to reach it.

This is why a single average hides the real risk. If you launched a campaign on a high-bot day and read the raw counter, you could have concluded that a link was three times more popular than it truly was. The swing between 45.8% and 76.9% means the correction you need to apply to any given day's numbers is not stable, which is exactly why filtering has to happen automatically at the click level rather than as a rough after-the-fact discount.

What does a bot click actually look like?

They rarely hide. Looking at the full pool of 3,148 bot clicks we captured since 20 June, 91% had no identifiable browser anywhere in their user-agent string. These are scripts, HTTP libraries, and headless tools that never pretend to be Chrome or Safari. The remaining slice announces itself as a named crawler. In other words, the bulk of bot traffic is not sophisticated, it is just automated.

The geography was concentrated too. Of those bot clicks, 69% came from IP addresses in the United States and 25% came from South Korea. That is a signature of cloud data centers and hosting providers, not of a spread-out human audience. When a quarter of your "traffic" resolves to a single foreign country you were not targeting, that is a strong tell that you are looking at infrastructure, not readers.

Why do click counts overstate the number of real people?

Because one person can click more than once. Even after we strip out bots, the human clicks still inflate the headcount. Our 2,393 human clicks came from 1,960 unique visitors. That means counting clicks overstates the number of real people by roughly 22%. Someone opens your link on their phone, then again on a laptop, and the counter reads two even though it is one reader.

So there are two layers of inflation stacked on top of each other. First, bots roughly double the raw number. Then, among the humans who remain, repeat clicks add another fifth. A raw click counter showing 5,247 on our data corresponds to fewer than 2,000 actual people. If your reporting treats clicks as an audience size, you are working with a number that can be off by more than half.

What do bot clicks do to your other metrics?

They quietly poison every number that has clicks in the denominator. Bots do not just inflate a raw counter, they distort click-through rate, cost per click, conversion rate, and any A/B test you run on links. If half your clicks are automated and never convert, your conversion rate looks half as good as it really is, and the campaign that actually reached people can look like the loser.

The distortion is worst wherever bots concentrate. Because our daily bot share swung from 45.8% to 76.9%, two links shared a day apart can carry very different amounts of noise, so comparing their raw click counts is close to meaningless. The same applies to time-of-day and channel comparisons: an email blast that gets hammered by security scanners will show more clicks than a social post that reached more humans. Unless bots are removed before the math happens, you are optimizing toward whatever attracts the most machines, which is the opposite of what you want.

How do we tell a bot from a human?

We use two independent methods that run at the moment of the click. For bot detection we match the user-agent string against the open source isbot library (currently at version 5), and we additionally count any request with an empty user-agent as a bot. isbot maintains a regularly updated list of known crawler and library signatures and turns it into a single regular expression.

For counting real people without tracking them, we use a cookieless daily hash: a non-reversible SHA-256 fingerprint with a salt that rotates every day. The same visitor is counted once per day, the hash cannot be turned back into an identity, and nothing persists across days. That keeps unique-visitor counts meaningful while staying GDPR-friendly, with no cross-site cookie and no personal identifier stored. You can read more about the free tracking approach in our guide on how to track link clicks for free.

Why 56% is a floor, not a ceiling

Here is the uncomfortable part. Our 56% is almost certainly an undercount, because user-agent matching cannot catch the scanners that click links using a genuine browser user-agent. Corporate email security is the biggest blind spot. These tools fetch and open your links the instant an email is delivered or clicked, and they look like a normal desktop browser while doing it.

Microsoft's own documentation is explicit: Safe Links performs "time-of-click verification of URLs" and, when rewriting is enabled, "links are scanned on click" before the user is sent to the page (page updated 22 May 2026). Proofpoint's URL Defense works the same way: as Stanford's IT service describes, it rewrites links in email and checks the destination when they are clicked. Every one of those security checks can land in your click counter as a "human" visit. So the true bot share is higher than 56%. We would rather show you a scary number we can defend than a scarier one we cannot.

How to filter bot clicks from your own stats

Do not delete bot clicks, exclude them. The right move is to keep every click in the database for audit and security, then remove automated traffic from every chart and total by default. On MiniLy we do exactly that: bots are recorded but stripped out of your analytics, and each link shows a small note like "X clicks, Y bots filtered" so you can see how much noise was removed rather than pretending it never existed.

If you are running your own setup, the practical checklist is short: match user-agents against a maintained library like isbot, treat empty user-agents as bots, count unique visitors with a cookieless daily hash instead of raw clicks, and watch for geographic concentration in data-center countries. If you would rather not build any of that, our analytics does bot filtering and unique-visitor counting out of the box, and it is included from the free plan up. Full per-link and per-tag breakdowns come with Pro at 5 EUR per month.

Frequently asked questions

Are my short link clicks real?

Some are, but on our production data only about 44% of raw clicks came from something identifiable as a real browser, and that share swung daily between 23% and 54% humans. Treat any unfiltered click counter as an upper bound on interest, not a headcount. To know how many are real, you need bot filtering applied at the click level.

How many link clicks are bots on average?

On MiniLy over 11 days we measured 56.1% of clicks as bots, with a daily range of 45.8% to 76.9%. Your own rate depends on where you share links, but expecting roughly half your raw clicks to be automated is a reasonable starting assumption, and the real figure is likely higher because email scanners are hard to detect.

Do email security scanners count as clicks?

Yes, and they are the hardest bots to filter. Tools like Microsoft Safe Links and Proofpoint URL Defense open your link to check it for threats, and they use real browser user-agents while doing so. That means they slip past user-agent-based detection and inflate your "human" clicks, which is why any measured bot rate is a floor.

Why is my click count higher than my number of visitors?

Because one person can generate several clicks. Even after removing bots, our data showed 2,393 human clicks from 1,960 unique people, so clicks overstated real people by about 22%. Opening the same link on two devices, or clicking it twice, both add to the counter while the visitor count stays at one.

How does MiniLy detect bots?

We match every click's user-agent against the open source isbot library and flag any empty user-agent as a bot, both at the moment of the click. Unique human visitors are counted with a cookieless, non-reversible daily SHA-256 hash using a salt that rotates every day, so counts stay accurate without tracking anyone.

Should I delete bot clicks from my database?

No. Keep them for security and auditing, but exclude them from your reporting by default. Deleting them destroys the record you need to spot abuse or attacks, while showing them in your headline stats misleads you about real interest. The best practice is to store everything and filter automatically, showing how many bots were removed.


Found this article helpful?

Join MiniLy to create your own short links and QR codes with detailed analytics.

Unlimited Links
Custom QR Codes
Real-time Analytics

No credit card required