There are software engineers whose career it is to beat sneaker bots.
So we’d better find out what they’re up to.
“It’s said that if you know thy enemy and know yourself, you need not fear the result of a hundred battles.” (Sun Tzu, The Art of War)
You know what’s a real pain in the ass?
And they exist because bots, too, are pains in the ass.
Both contribute to this sort of automation arms race with each other, endlessly one-upping the other’s proficiency – for being a pain in the ass.
If you understand your adversary, you can position yourself to avoid captchas, and other bot mitigation efforts.
Let’s see what measures are taken to beat sneaker bots, and the best ways to deal with them.
- How to beat sneaker bots #1: Captchas
- How to beat sneaker bots #2: Queue Lines
- How to beat sneaker bots #3: Browser Fingerprinting
- How to beat a sneaker bot #4: Shock Drops and Scavenger Hunts
How to beat sneaker bots #1: Captchas
Captchas are meant to filter out bots.
Earlier versions prompt you with a puzzle that (should be) simple for humans, and nearly impossible for bots to solve.
The more contemporary captchas (like Google reCAPTCHA version 3) assess website traffic and assign risk-scores to visitors.
Risk-scores essentially range from 1 to 10, or definitely a bot to definitely human. As a result, website administrators can set custom thresholds that block users or launch additional puzzles to prove their human core.
The most common bot behaviors that trigger captchas are:
- Surpassing the number of requests possible for human activity. Websites monitor traffic and assume the limits of human activity. If your bot exceeds those limits, it will be tested by captcha.
- The use of direct links to check-out. Bots get a huge head-start on other buyers if they use a direct link to go to the check-out page. But many websites have caught on and prompt captchas for anyone who doesn’t follow the normal buyer’s journey.
- Botting on older versions of browsers. Some bots stop working after browser updates and a lazy, yet surprisingly common solution is to just not update. That in itself won’t encourage a website to ban you, but you can expect more captchas.
- Leaving browser fingerprints. The more unique your fingerprint, the easier it is to single you out. You can’t help leaving a trace on the internet, but you can make your fingerprint look pretty generic.
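The first three triggers in the list above, seen from the site's side, as an added example that is not from the original article: a scorer that walks a constructed request log and reports which signal would raise a captcha for each client. The thresholds, paths and client ids are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Constructed policy values (assumptions, not taken from any real site).
MAX_REQS_PER_WINDOW = 5          # requests allowed per client inside the window
WINDOW_SECONDS = 10
MIN_BROWSER_MAJOR = 120          # hypothetical oldest browser treated as current
JOURNEY = ("/product", "/cart")  # pages a buyer normally visits before /checkout

# Constructed sample log: (unix_time, client_id, browser_major, path)
SAMPLE_LOG = [
    (100, "a", 126, "/product/42"), (130, "a", 126, "/cart"), (160, "a", 126, "/checkout"),
    (100, "b", 126, "/checkout"),
    (100, "c", 98, "/product/42"), (140, "c", 98, "/cart"),
] + [(200 + i, "d", 126, "/product/42") for i in range(8)]


def captcha_signals(log):
    """Return {client_id: set of signal names} for clients that get a challenge."""
    recent = defaultdict(deque)  # client -> timestamps inside the sliding window
    seen = defaultdict(set)      # client -> journey pages already visited
    signals = defaultdict(set)
    for ts, client, major, path in sorted(log):
        # Signal 1: more requests in the window than the assumed human limit.
        window = recent[client]
        window.append(ts)
        while ts - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if len(window) > MAX_REQS_PER_WINDOW:
            signals[client].add("rate")
        # Signal 2: checkout reached without the normal buyer's journey.
        if path.startswith("/checkout") and not all(p in seen[client] for p in JOURNEY):
            signals[client].add("direct_checkout")
        for prefix in JOURNEY:
            if path.startswith(prefix):
                seen[client].add(prefix)
        # Signal 3: outdated browser. This adds a challenge, it is not a ban.
        if major < MIN_BROWSER_MAJOR:
            signals[client].add("old_browser")
    return dict(signals)
```

Client `a` follows the product, cart, checkout path at a human pace and is never challenged; the other three each trip exactly one signal.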
Counter-measure: Play human
In short, if you raise enough suspicion, you’ll trigger a captcha. So you have to convince websites that you’re a ‘safe’ visitor.
- Mask your IP with a proxy. The best proxies to mask your IP address are rotating residential proxies. Not only do residential proxies make you look like any other real human user, they rotate and change your IP address very often. That way, you appear as a different human user each time you send a request.
- One-click captchas. If you have a low-risk score with Google, you’ll only have to solve one-click captchas most of the time. You can cultivate risk-scores by farming Gmail accounts. We’ll get deeper into it another time, but for now check out some farming and automation tools like AYCD or Kodai Essentials.
- Choose your bots wisely. A good bot will imitate human browsing as closely as possible – enough to assure website surveillance that there’s nothing automatic about your activity. Remember that some bots require manual adjustment to delay requests and modify automation to match human capacities.
Sometimes, captchas are a standard greeting for all visitors, without exception. In this case, there are some bots that allow you to solve captcha puzzles directly through their interface. An example is Nike shoe bots.
If you manage captchas well enough, they won’t be much of an obstacle. In spite of their intention to beat sneaker bots, captchas can actually work to your advantage because they slow everyone else down.
How to beat sneaker bots #2: Queue Lines
Queue lines stagger traffic to prevent websites from overload. They’re like virtual waiting rooms – and for sneaker bots – they’re a little tough to work around.
Bot intervention applications like Queue-it will direct website visitors to a virtual waiting room. After some time passes, occupants can then continue to shop.
Some of these waiting rooms have additional screening protocols, and some may even select occupants at random to continue through to purchase. This eliminates many advantages that bots – or anyone else for that matter – may have.
Needless to say, it’s another pain in the butt.
Counter-measure: VIP passes
- Bypass queue. Bots are still faster to cop once they do leave the queue line, but there isn’t much else you can do. However, some bots have queue bypasses built into them, or acquire bypasses for a limited number of sneaker drops.
For example, Cybersole bot can exclusively bypass queues for Footlocker in Europe. So depending on where you want to cop, you’ll need to find out whether there’s a queue, and if there is – what bot can bypass it.
- Pose as Googlebot. Long story short, queue lines won’t send Google bots (aka Google spiders) to a waiting room. Websites depend on them to catalogue their new content, including their product listings. So to avoid offending the spiders, websites treat them like VIPs and let them pass through. I found this article about bypassing queues to try out for yourself.
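From the site operator's side, the Googlebot exemption described above is only safe if the crawler claim is verified instead of read from the User-Agent header. The block below is an added example, not from the original article or any queue vendor: it applies the reverse-then-forward DNS check that Google documents for verifying Googlebot, using constructed DNS tables (documentation-range IPs, hypothetical hostnames) so it runs offline.

```python
import socket

GOOGLE_CRAWLER_SUFFIXES = (".googlebot.com", ".google.com")
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# Constructed DNS data for the example; none of these records are real.
PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",   # consistent PTR and A records
    "198.51.100.7": "host7.isp.example",              # ordinary client address
    "203.0.113.5": "crawl-203-0-113-5.googlebot.com", # PTR set by the IP's owner
}
A = {
    "crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
    "crawl-203-0-113-5.googlebot.com": ["192.0.2.99"],  # does not point back
}


def _lookup(table):
    """Build an offline resolver that fails like the socket module does."""
    def resolve(key):
        if key not in table:
            raise OSError("no record")
        return table[key]
    return resolve


def is_verified_googlebot(ip, user_agent, reverse=None, forward=None):
    """True only if the UA claims Googlebot and DNS confirms it in both directions."""
    if "googlebot" not in user_agent.lower():
        return False
    # Default to live DNS; the example passes constructed resolvers instead.
    reverse = reverse or (lambda addr: socket.gethostbyaddr(addr)[0])
    forward = forward or (lambda host: socket.gethostbyname_ex(host)[2])
    try:
        host = reverse(ip).rstrip(".").lower()
        if not host.endswith(GOOGLE_CRAWLER_SUFFIXES):
            return False
        # PTR records are controlled by whoever owns the IP, so the name
        # must also resolve forward to the same address.
        return ip in forward(host)
    except OSError:
        return False  # no PTR or no A record: treat as an ordinary visitor
```

A request that fails the check is handled like any other visitor and goes to the waiting room.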
How to beat sneaker bots #3: Browser Fingerprinting
Simply put, browser fingerprinting is data collection. But instead of collecting personal information, it gathers data about your:
- Browser and operating system
- Screen resolution and color depth
- Language, time zone, and fonts
- Plugins and any applications like ad-blockers
- And other behavioral trends
The interesting thing is what can be done with this data. Digital fingerprints compile over time to create user profiles similar to buyer profiles that are used for ad-targeting. That way, websites can show different pages or products to different user profiles.
Online retailers have been known to direct bots to alternate prices, limit their inventory selection, or even set traps.
Counter-measure: Blend in and use proxies
A completely hidden fingerprint is not possible, but a boring fingerprint is. Your main objective is to appear to be like the average user with no qualities to write home about. The best way to do this is to use residential proxies and blend in.
Okay, proxies are simple – but how to blend in?
The easy way. Control your browser fingerprint with a virtual browser management system like Multilogin. It allows you to store and load different digital fingerprints when you need to. For example, when using a sneaker bot.
How to beat a sneaker bot #4: Shock Drops and Scavenger Hunts
Sneaker retailers have come up with some pretty creative ways to close the gap between bots and human buyers.
A shock drop is where little to no notice is given for a sneaker release, or when sneaker inventory is restocked weeks to months after the official release date – while no one’s looking. Some sneaker enthusiasts eyeball their SNKRS app in hopes that they’re one of the first to be shocked. Tip-offs do float around cook groups as well.
The best way to beat a sneaker bot is to take them out of the equation entirely. Sneaker retailers like Nike and Adidas have had success experimenting with in-person drops and scavenger hunt-type releases.
Counter-measure: Well Played, Sir
Will anti-bots ever bury sneaker bots for good?
If humans can make it, then humans can break it – as long as there’s $ufficient incentive to do so.
In other words – if it’s profitable for bot developers to keep being a pain in the ass, they will be.
So hold onto your butts.