Newsletrix runs one small automated agent. It signs up to a newsletter on your behalf when you ask to track a domain - nothing more. This page documents exactly what it sends, what it fetches, the limits it respects, and how to identify or block it. No surprises.
By default, every automated request the bot makes carries an honest, contactable User-Agent that points back to this page. If you see this string, that's us.
Newsletrix-Subscriber/1.0 (+https://newsletrix.com/bot)
This is our good-faith posture: a clear name, a version, and a link back here so anyone reviewing their logs can find out who we are and how to reach us.
Some WAFs answer the honest bot User-Agent above with an HTTP 403. When that happens, the request is retried once with a realistic desktop-Chrome header set so a legitimate, user-requested signup can still complete - the same request a person using a browser would make. We are transparent about this rather than hide it.
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
When a Newsletrix user asks to track a domain, the bot tries to complete that site's own newsletter signup using the user's dedicated tracking address. That's the whole purpose.
It fetches the homepage and a few common signup paths (/newsletter, /subscribe, /signup, /join), and follows same-site "subscribe" links, looking for a real form with an email field.
It fills the email field with the user's tracking address, carries hidden fields (CSRF tokens, list ids) through verbatim, leaves honeypot fields empty, and submits the form - exactly as a human visitor would.
Your normal confirmation email lands in the user's tracking inbox and the opt-in is confirmed there. If a form is CAPTCHA-protected or JavaScript-only, the bot stops and the user is asked to subscribe manually.
We keep the scope deliberately narrow. The bot is not a crawler, a scraper, or a training-data collector.
It does not spider your site, build an index, or follow links beyond the small set of pages needed to locate a signup form. Each attempt is capped at a handful of pages on one domain.
It does not collect your pages, articles, or images for AI training or any dataset. It reads just enough HTML to find and submit a form, then stops.
No port scans, no vulnerability probing, no attempts to reach anything other than your public website over standard HTTP/HTTPS.
The bot refuses to connect to private, loopback, or link-local addresses and re-validates every redirect, so it cannot be tricked into reaching internal infrastructure.
Every outbound request goes through one audited, SSRF-hardened path with the same fixed limits.
| Constraint | Value |
|---|---|
| Protocols | HTTP and HTTPS only (ports 80 and 443) |
| Requests per domain | Bounded - at most a dozen pages per subscribe attempt |
| Redirects | Followed manually, re-validated each hop, capped at 3 |
| Timeouts | 5s to connect, 15s to read |
| Response size | Capped at 2 MB; oversized bodies are aborted |
| Rate | Single-process and serial; runs only when a user requests tracking |
| JavaScript | Not executed - no headless browser; JS-only forms are skipped |
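
The protocol, port, address and redirect limits from the table, written out as an added Python sketch (this is not Newsletrix's own code). The function names, the injected `resolve` callback, and the sample hostnames, addresses and redirects are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 3                           # "capped at 3"
DEFAULT_PORT = {"http": 80, "https": 443}   # HTTP and HTTPS only

def check_url(url, resolve):
    """Return None if allowed, else the refusal reason. `resolve` maps a hostname to IP strings."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORT:
        return "scheme not allowed"
    try:
        port = parts.port if parts.port is not None else DEFAULT_PORT[parts.scheme]
    except ValueError:                      # non-numeric or out-of-range port
        return "bad port"
    if port not in (80, 443):
        return "port not allowed"
    host = parts.hostname or ""
    try:                                    # IP literal: nothing to resolve
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addrs:
        return "host does not resolve"
    for ip in addrs:                        # every answer must be public
        # is_global is False for private, loopback, link-local and reserved ranges
        if not ip.is_global:
            return f"non-public address {ip}"
    return None

def follow(start, redirects, resolve):
    """Validate every hop before it would be fetched. `redirects` maps URL -> Location value."""
    url = start
    for hop in range(MAX_REDIRECTS + 1):
        reason = check_url(url, resolve)
        if reason:
            return None, f"hop {hop}: {reason}"
        location = redirects.get(url)
        if location is None:
            return url, None                # final page reached
        url = urljoin(url, location)        # Location may be relative
    return None, "too many redirects"

# Constructed sample data: names, addresses and redirects are made up.
DNS = {"news.example": ["93.184.216.34"], "mirror.example": ["10.0.0.5"]}
REDIRECTS = {"http://news.example/subscribe": "https://news.example/subscribe",
             "https://news.example/join": "http://mirror.example/form",
             "https://news.example/signup": "http://169.254.10.10/form"}
resolve = lambda host: DNS.get(host, [])
```

A real client must also connect to the exact address it validated; resolving the name a second time at connect time can return a different answer than the one that passed the check.
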
That's completely fine. You have two easy options.
Block or rate-limit the User-Agent substring Newsletrix-Subscriber at your WAF, CDN, or edge. The default request always carries it.
Prefer we never attempt a signup on your domain at all? Email [email protected] with the domain and we'll add it to our exclusion list.
The questions site owners ask when they spot us in their logs.
A Newsletrix user asked to track your newsletter. The bot tried to complete your own signup form using their dedicated tracking email, so your confirmation email reaches them. It's a genuine, user-initiated subscription.
No. The bot does not crawl, index, or copy your content. It reads only enough HTML to find a signup form, submits it, and stops. There is no dataset and no training use.
If your WAF returned HTTP 403 to our honest bot User-Agent, the request was retried once with a realistic browser header set so a legitimate signup could still go through. The SSRF and scope limits are identical either way.
Only when a user requests tracking for your domain, and a subscribe attempt is bounded to a handful of pages. It is not a recurring crawler.
No. It refuses private, loopback, and link-local addresses, allows only HTTP/HTTPS on ports 80 and 443, and re-validates every redirect hop. It only talks to public websites.
Email [email protected]. We read these and will exclude your domain or fix behaviour promptly.