Inboxb0t
Inboxb0t is a generic scraper with no publicly identified operator. Intent varies case-by-case, some scrapers are legitimate research, some power useful aggregators, some are abusive.
Look at the request pattern before deciding what to do. A polite scraper crawls slowly, respects robots.txt, and identifies itself. An abusive one ignores all three.
If you are not sure, the safest move is to rate-limit rather than block outright. That keeps the legitimate use cases working while neutralizing the abusive ones.
See Inboxb0t on your own site
Match the User-Agent header on incoming requests against the pattern below.
regex
For higher confidence, also verify the source IP against the operator's published ranges. UA strings can be spoofed; IP ownership is harder to fake.
Renders JavaScript
No
IP verification
User-Agent only
Crawl frequency
Variable
Honors robots.txt
Often ignored
Honors Crawl-delay
No
Should I let Inboxb0t through?
Watch your logs for a week first. Behavior varies wildly. Observe the request pattern before allow/block decisions.
Does blocking Inboxb0t affect my Google rankings?
No. Inboxb0t is not a search-engine crawler. Your ranking on Google or Bing is unaffected by what you do here.
How do I confirm a request is really from Inboxb0t?
Look at the User-Agent header in your access logs and match it against the strings listed above. Worth knowing that the User-Agent is easy to fake, so this check tells you "the traffic claims to be Inboxb0t", not "the traffic is genuinely Inboxb0t". If you need stronger guarantees, look for a reverse-DNS check or wait for the operator to publish IP ranges.
What's the best way to understand what Inboxb0t is doing on my site?
Look at which URLs it hits, how often, and what time of day. The request pattern usually tells you whether it's building an index, watching for a specific change, or trying to pull data in bulk. The User-Agent name alone rarely tells the full story.
Why can't I tell who operates Inboxb0t?
Some bots run under generic User-Agent strings or are operated by smaller, less-documented companies. The pragmatic default is to treat unverified operators as untrusted traffic. If volume climbs, log the source IPs and check whether they cluster around a single network or ASN. That'll usually surface who's actually behind it.
What's the cleanest way to control Inboxb0t?
Two layers. Robots.txt for the polite crawlers that read it, and rules at your CDN or edge for the ones that don't. Rankly's Agent Experience handles both from a single config, so you can allow, block, rate-limit, or serve a stripped-down version per bot. Agent Analytics handles the observation half so you know which bots are actually worth a rule.