Botid false positive, what now?

Hi @quuu :waving_hand:

We are now running with BotID in production, with the deep analysis enabled for our login route.

Works great for most users, but… today I talked with a customer, and she could not get in.

I traced our logs; here is what they say:

"verification": {
  "bypassed": false,
  "isBot": true,
  "isHuman": false,
  "isVerifiedBot": false
}

I also tracked this event in Sentry, where I have some more details:
User
  Geography: Dublin, Ireland (IE)

Browser
  Chrome 139

Runtime
  node v22.15.1

Operating System
  Kernel Version: 5.10.239-261.959.amzn2.x86_64
  Name: Linux

Client Operating System
  Name: Windows

What now? Why is she being detected as a bot? What are best practices in a case like this?

Hi @alexbjorlig, just confirming: is this for 21risk?

The most immediate thing, if a user has reached out about this, is to create a firewall bypass rule to let your user through: WAF System Bypass Rules

I’ve looked through the logs of botid from your project and I can see some sessions being flagged by our partner Kasada as bots. Can you give me a rough timestamp of when the classification happened? That will help narrow down the exact session and reason.

1 Like

Thanks for looking into this :+1:

Yes, it’s 21RISK. RequestId was lhr1::c4cck-1756987608330-fdfd3db13a58 at Sep 4, 2025 14:06:48 CEST.

Regarding the WAF rule, something like this?

Not hostname, because it’d bypass more than just that user. If that user only accesses your site from a certain IP, ASN or user agent, you should bypass that.

Otherwise in code you can add a feature flag like

    import { checkBotId } from "botid/server";

    const AFFECTED_USER_EMAIL = "…"; // the address elided in the post

    // Run the BotID check for everyone except the one user who was wrongly flagged
    if (user.email !== AFFECTED_USER_EMAIL) {
      const verification = await checkBotId();
      if (verification.isBot) {
        // treat as bot, e.g. reject the login attempt
      }
    }

Sorry for bad formatting, was on mobile :stuck_out_tongue:
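A fuller version of the per-user bypass described in this reply, as an added example that is not code from the thread or from the botid package. The verification fields (bypassed, isBot, isHuman, isVerifiedBot) follow the log excerpt quoted earlier in the thread; the request shape, the allowlist, the audit-record format and the sample request id are assumptions made for this example. It keeps the bypass narrow (one identity, not the hostname), records why each login was allowed or denied together with its request id so a support ticket can be matched to the provider-side session later, and adds a small summary over audit records that surfaces a single real user being denied repeatedly.

```javascript
// Added example, not code from the thread or from the botid package.
// The verification fields (bypassed, isBot, isHuman, isVerifiedBot) follow
// the log excerpt in the thread; the request shape, the allowlist and the
// audit-record format are assumptions made for this example.

// Constructed placeholder for the one identity confirmed as a false positive.
// In production this would come from a feature flag or config, not from code.
const FALSE_POSITIVE_ALLOWLIST = new Set(["affected.user@example.com"]);

// Decide whether a login attempt may proceed and return an audit record that
// keeps the request id, so a support ticket can later be matched to the
// provider-side session (as was done in the thread).
function decideLogin(request, allowlist = FALSE_POSITIVE_ALLOWLIST) {
  const { email, requestId, verification } = request;
  const audit = { requestId, email, verification };

  if (allowlist.has(email)) {
    // Narrow bypass: one identity, never the whole hostname.
    return { ...audit, decision: "allow", reason: "allowlisted-false-positive" };
  }
  if (verification.bypassed) {
    // A WAF bypass rule skipped the check; allow, but make that visible in logs.
    return { ...audit, decision: "allow", reason: "botid-bypassed" };
  }
  if (verification.isBot) {
    // Crawlers have no business on a login form, verified or not, but the
    // reason is recorded separately so the two cases are easy to tell apart.
    const reason = verification.isVerifiedBot ? "verified-bot" : "unverified-bot";
    return { ...audit, decision: "deny", reason };
  }
  return { ...audit, decision: "allow", reason: "human" };
}

// Group denied logins by email over a batch of audit records. One real user
// denied repeatedly as "unverified-bot" from an ordinary browser is exactly
// the pattern that turned out to be a proxy in front of the client.
function denialsByEmail(auditRecords) {
  const out = new Map();
  for (const rec of auditRecords) {
    if (rec.decision !== "deny") continue;
    const entry = out.get(rec.email) ?? { count: 0, requestIds: [] };
    entry.count += 1;
    entry.requestIds.push(rec.requestId);
    out.set(rec.email, entry);
  }
  return out;
}

// Constructed sample: the verification object quoted in the thread, with a
// placeholder request id (the real one belongs to the poster's project).
const SAMPLE_FLAGGED = {
  email: "affected.user@example.com",
  requestId: "placeholder-request-id-1",
  verification: { bypassed: false, isBot: true, isHuman: false, isVerifiedBot: false },
};

// Run the sample through both paths: with the allowlist (hotfix in place) and
// without it (how the request was originally treated).
function demo() {
  const hotfixed = decideLogin(SAMPLE_FLAGGED);
  const original = decideLogin(SAMPLE_FLAGGED, new Set());
  const summary = denialsByEmail([original, original, hotfixed]);
  return { hotfixed, original, summary };
}

if (typeof require !== "undefined" && require.main === module) {
  const { hotfixed, original, summary } = demo();
  console.log("hotfixed:", hotfixed.decision, hotfixed.reason);
  console.log("original:", original.decision, original.reason);
  console.log("denials:", Object.fromEntries(summary));
}
```

The allowlist check runs before the BotID result is consulted, which is the same ordering as the feature-flag snippet above: the affected user never reaches the bot check, everyone else does. Keeping the audit record around (rather than just a boolean) is what makes the later investigation possible, since the thread's root cause was only found by matching a request id and timestamp against the provider's session logs.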

Ok, we already deployed that as a hotfix.
But what is the underlying challenge - why was the user identified as a false positive?

Dug deeper and figured it out: that user is using Zscaler, and it’s acting like a reverse proxy and obscuring signals we rely on for bot protection.

I’m working with the security team to detect usage of VPNs and not block Zscaler users, but this is a problem with any reverse proxy or zero trust proxy in front.

1 Like

Thank you so much for sharing this insight with us, it’s great to know why. Not that we can do much about it, but you know :smiley:

Hopefully the strategies can be improved, so legit users are not detected as bots in the future.

2 Likes

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.