AI Assistants Fetched One of Our Posts 990 Times. It Had No Door.
We sell an audit that tells businesses what machines can read on their site. Then I looked at our own server logs and found the machines had been talking to us for months, and we had never once answered.
TL;DR
In fourteen days, roughly 1,490 fetches of our pages came from AI assistants acting on someone’s question. Google Analytics recorded none of them, because crawlers do not run JavaScript. Three of the 1,490 reached a page where they could buy anything.
On Sunday night I pointed a coding agent at our own nginx access log. Not the analytics dashboard. The raw log, on the droplet, 122,865 lines of it, going back fourteen days.
I did this because we sell a service called a JSON-LD Schema Audit. It tells a business what machines can and cannot read on their website. It is a good product and I believe in it. It occurred to me, somewhere around midnight, that I had never run the equivalent check on us.
Here is what came back.
The channel we could not see
Twelve thousand of those log lines were AI crawlers. That number by itself means very little, and I want to be careful about it, because it is the kind of number that looks like traffic and is not.
Most of it is training. GPTBot, ClaudeBot, Amazonbot, Bytespider — these are hoovering the web. They would fetch us if we sold nothing. They tell you that you are ingestible. They do not tell you that anyone wants what you have.
The interesting number is smaller and completely different in kind. Some of those user agents are not training crawlers at all. ChatGPT-User, Claude-User, Perplexity-User, OAI-SearchBot — these show up when a human being has just asked a model a question and the model has gone out to fetch a page in order to answer it. That is not a robot browsing. That is a person, with a question, in the middle of trying to solve something.
We had about 1,490 of those in fourteen days. Roughly 750 a week.
That number took some work to earn, and I want to show you how, because my first answer was wrong by about twenty percent and the way it was wrong is instructive.
How I got the number wrong, and then less wrong
My first count was 1,849. It was too high, for three reasons, and I only found them because someone asked me the obvious question: how do you actually know a human was behind any of this?
The honest answer was that I did not know. I had inferred it. A web server does not see a person. It sees a request with a User-Agent header, which is a string the requester chooses for itself. Mine said ChatGPT-User, OpenAI’s documentation says that agent fires when someone asks ChatGPT a question and it goes to fetch a page, and I took the two together as proof. That is not proof. That is a plausible chain with an unchecked link in the middle.
First correction: the user agent can lie. OpenAI publishes the IP ranges its crawlers use, so this is checkable, and I should have checked it before saying anything. Of the 1,463 requests claiming to be ChatGPT-User, 1,395 came from IP addresses OpenAI actually owns. Sixty-eight did not. Something out there is wearing OpenAI’s name to scrape us, and I had been counting it as demand.
Second correction: not every AI agent means a person asked. I had lumped OAI-SearchBot in with the human-driven traffic. But OpenAI describes it as the crawler that builds ChatGPT’s search index — it is a librarian, not a customer. It fetches you whether or not anyone has asked about you. That is 291 requests I had put in the wrong column, and it is the same mistake I had just spent a paragraph warning about: counting a robot that would visit us if we sold nothing.
Third correction, and this one does not go away: a fetch is not a person. One question can send a model after several pages, and it may fetch the same page more than once. So even the corrected 1,490 is a count of fetches, not of people. The real number of humans is smaller, and I cannot tell you by how much, because the server log does not contain that information and no amount of staring at it will make it appear.
So the defensible claim is narrower than the one I started with: roughly 1,490 fetches, of which 1,395 are IP-verified as OpenAI’s user-triggered agent, and the rest are Claude and Perplexity agents I am trusting on their word alone. Behind those fetches is some unknown, smaller number of actual people.
Here is the part I did not expect. Tightening the number made the finding worse, not better. On the inflated count, 55% of the traffic went to one page. On the honest count, it is 66%. Four had reached a page where they could buy something; on the honest count it is three. Every correction I made moved the conclusion in the same direction.
I am telling you all of this because a number you cannot interrogate is not evidence, it is decoration. If I am going to argue that our analytics were lying to us, the least I can do is show you where mine were.
For comparison: Google Analytics shows us roughly 40 relevant human sessions a week.
I want to be precise rather than dramatic here, because the comparison is not exactly like-for-like — a model fetching a page on someone’s behalf is not the same event as a person landing on it. But the order of magnitude is not in doubt, and the direction is not in doubt either. The channel we cannot see is much larger than the channel we have been watching. It has been that way for months. I had no idea.
Google Analytics is JavaScript. Crawlers do not run JavaScript. Every one of those fetches was invisible to the tool I had been using to decide what to work on.
Where they landed
This is the part that stung.
Of those 1,490 fetches, 990 of them — sixty-six percent — went to a single page. It was Your Google Business Profile Is Floating in Space, a post I wrote in February about connecting a Google Business Profile to your website’s structured data.
That is a good outcome, in one sense. People are asking AI systems how to make their business legible to machines, and the AI systems are sending them to us. That is exactly the audience we want. It is, in fact, precisely the person who should buy a JSON-LD audit.
Three of the 1,490 ever reached a page where they could buy one. Three.
And no, none of the three bought anything. Nobody has, yet. I should be precise about what that does and does not mean, because the honest version is more interesting than either the flattering one or the self-flagellating one.
Common Sense Systems has been in business since 1996. We have sold plenty. What is new is the storefront — the part of the site where you can buy something with a card, without talking to me first. Stripe went into live mode on the eighth of July. Five days ago.
So the checkout works, and it has run end to end twenty-one times: money taken, report generated, delivered, receipt sent. Every one of those twenty-one was me or an automated test, because for almost all of the fourteen days I have been describing, there was no live card processing to buy through. The thousand people arrived before the shop had a till.
I am not going to dress that up, and I am also not going to pretend it is worse than it is. The machinery is real and it works. It is five days old. What it has not yet had is a customer.
The post ends with an honest offer. I wrote, “If you’re running a small business and want to check whether your Google Business Profile is actually connected to your website in a way that machines can read, I’m happy to take a look. Send me your URL and I’ll tell you what I find.”
That sentence describes our product almost word for word. It just points at my inbox instead of at the product. A thousand people arrived at a page that described the thing they wanted, and the page offered them an email address.
The audit costs $39.99 and runs in minutes. I had built it. I had shipped it. And then I had left the single largest source of qualified demand pointing somewhere else.
The part that is worse
While the agent was in the logs, it found something I would rather not write about, which is a decent sign that I should.
We had a DNS record for prod.common-sense.com. It was a leftover, from an older way of doing things, and it pointed at the same droplet as common-sense.com. I had stopped using it and forgotten it existed.
nginx, though, did not have a server block for that name. Requests to a hostname nginx does not recognize fall through to the default server, and our default server does what most hardened default servers do: it drops the connection without a response.
OpenAI’s search crawler found that hostname. It is public, after all — it was sitting in DNS where anything can see it. And when it went to fetch robots.txt, so that it could be a well-behaved crawler and honor our rules, we killed the connection.
I verified this rather than assuming it. The requests came from an IP inside OpenAI’s published crawler ranges, so it was genuinely them, and the response was genuinely a dropped connection.
We sell a service that helps businesses get found by machines. We were dropping the machines on the floor.
That record is deleted now. It took about a minute. It had been there for months.
What this actually is
In Theory of Constraints, the constraint is the one thing that most limits what the whole system can produce. Improve anything else and you get nothing. Improve the constraint and the whole system moves.
For a small business selling digital products, the thing you are producing is not content and it is not offers. It is offers that find buyers. That is the throughput. Everything else is inventory.
I had been assuming our constraint was demand. Not enough people know we exist, so make more things, write more posts, get in front of more people. That assumption is why I have written 58 posts.
The logs say the constraint was somewhere else entirely. The demand was already arriving. It was arriving in volume, it was qualified, it was asking exactly the right question, and it was hitting a page with no door. We were not short of buyers. We were short of a link.
That is a much cheaper problem than the one I thought I had. It is also a more embarrassing one, and I think those two things are related. The cheap problems are the ones you can look right at for months without seeing, because they do not feel like problems. They feel like nothing at all.
What we changed
The post now links to the audit. The stale hostname is gone. And the sensor that found all this is now a real part of our system rather than a thing an agent did once at midnight — it reads the rotated logs, it separates the crawlers that mean demand from the ones that mean nothing, and it tells us when a page is getting AI traffic and offering it no next step.
I also put a falsification test on the fix, before making it, because I did not want to be able to talk myself into success afterward. If thirty days from now that post has sent zero people to the audit page, then my explanation is wrong. The traffic is not qualified, these readers do not want to buy anything, and I should stop telling myself a story about it. I will report that here if it happens.
A note on how this was found
This post is analytical rather than experiential, and the guidelines I write under require me to say so plainly: the investigation was done by an AI coding agent working through our systems over several hours, and the prose here was drafted with AI assistance. The findings, the numbers, and the conclusions are mine, and I checked them.
I will say one more thing about that, since it is relevant to what we do. The agent found the missing link, and it found the hostname, and it also found that a monitoring script had been quietly lying to me for months about our sitemap. But it did not find any of that by being clever. It found it by looking at a log file that had been sitting on our own server the entire time, that I had never once opened.
That is usually how this goes. The evidence is rarely hidden. It is just unexamined.
If you are selling something on the internet and you have never looked at your raw server logs — not your analytics dashboard, the actual logs — I would encourage you to look. You are probably being visited by machines acting on behalf of real people with real questions, and your analytics almost certainly cannot see them.
If you want a hand working out what those logs are telling you, or you want to know what machines can currently read on your site, send me a note at john@common-sense.com. I am genuinely curious whether what we found is unusual or whether it is happening to everyone. Tell me what you see. I would like to know if I am wrong about this.