Post B2fFldAaK80VYHlMMy by phnt@fluffytail.org
(DIR) More posts by phnt@fluffytail.org
(DIR) Post #B2eVltRxCNgI9W4fL6 by phnt@fluffytail.org
2026-01-25T10:10:13.101258Z
1 likes, 1 repeats
@p @graf @sun A very rare good fediblock. Scraper with a non-existent repo in UA.EDIT: Other IPs: 81.27.102.249; 2a04:3544:8000:1000:f8c8:92ff:fec1:7d06 (see thread)RT: https://social.grautier.eu/users/sandfrog/statuses/01KFS8VAWH4QR4FEQS3REZECWA
(DIR) Post #B2eVluShR5s7I7Qm8m by graf@poa.st
2026-01-25T10:15:28.542603Z
2 likes, 0 repeats
@phnt @p @sun @sandfrog >122103 requests since Jan 24 6am UTC funny. blackholed the whole /24 just in case
(DIR) Post #B2eVlv9arcBPR9V200 by phnt@fluffytail.org
2026-01-25T10:18:03.831325Z
1 likes, 1 repeats
@graf @p @sun @sandfrog On my end it is mostly the v6 address I posted above and 81.27.102.249
(DIR) Post #B2eVlw5jNSggLShScK by graf@poa.st
2026-01-25T10:36:07.842427Z
3 likes, 0 repeats
@phnt @p @sun @sandfrog check for this too 110.172.148.110110.172.148.110 - - [10/Jan/2026:01:55:44 +0000] "GET /users/boseph HTTP/2.0" 200 1015 "-" "Go-http-client/2.0" "Langenzersdorf" "3" "AT" "-"110.172.148.110 - - [10/Jan/2026:01:55:44 +0000] "GET /users/boseph/followers?page=1 HTTP/2.0" 200 293 "-" "Go-http-client/2.0" "Langenzersdorf" "3" "AT" "-"110.172.148.110 - - [10/Jan/2026:01:55:44 +0000] "GET /users/boseph/followers HTTP/2.0" 200 307 "-" "Go-http-client/2.0" "Langenzersdorf" "3" "AT" "-"110.172.148.110 - - [10/Jan/2026:01:55:44 +0000] "GET /users/Auti HTTP/2.0" 200 1287 "-" "Go-http-client/2.0" "Langenzersdorf" "3" "AT" "-"110.172.148.110 - - [10/Jan/2026:01:55:44 +0000] "GET /users/boseph/following HTTP/2.0" 200 333 "-" "Go-http-client/2.0" "Langenzersdorf" "3" "AT" "-"110.172.148.110 - - [10/Jan/2026:01:55:44 +0000] "GET /users/BD HTTP/2.0" 200 1203 "-" "Go-http-client/2.0" "Langenzersdorf" "3" "AT" "-"110.172.148.110 - - [10/Jan/2026:01:55:44 +0000] "GET /users/Ozzy HTTP/2.0" 200 1209 "-" "Go-http-client/2.0" "Langenzersdorf" "3" "AT" "-"110.172.148.110 - - [10/Jan/2026:01:55:44 +0000] "GET /users/Rapist1488 HTTP/2.0" 200 1099 "-" "Go-http-client/2.0" "Langenzersdorf" "3" "AT" "-"110.172.148.110 - - [10/Jan/2026:01:55:45 +0000] "GET /users/Dale HTTP/2.0" 200 1101 "-" "Go-http-client/2.0" "Langenzersdorf" "3" "AT" "-"110.172.148.110 - - [10/Jan/2026:01:55:45 +0000] "GET /users/lol HTTP/2.0" 200 970 "-" "Go-http-client/2.0" "Langenzersdorf" "3" "AT" "-"110.172.148.110 - - [10/Jan/2026:01:55:45 +0000] "GET /users/Cammy HTTP/2.0" 200 1444 "-" "Go-http-client/2.0" "Langenzersdorf" "3" "AT" "-"
(DIR) Post #B2eVlx0Rya3dBNEl1c by graf@poa.st
2026-01-25T10:38:25.039675Z
2 likes, 0 repeats
@phnt @p @sun @sandfrog also 87.157.142.217, same user agent and same behavior
(DIR) Post #B2eVlyHVEfIB8YDtFA by graf@poa.st
2026-01-25T10:41:09.165043Z
2 likes, 0 repeats
@phnt @p @sun @sandfrog 128.0.64.11
(DIR) Post #B2eVlzlfhz1DkPLUuG by graf@poa.st
2026-01-25T10:43:28.956141Z
2 likes, 0 repeats
@phnt @p @sun @sandfrog 82.64.8.238
(DIR) Post #B2eVm1UjHwef6RQzmC by phnt@fluffytail.org
2026-01-25T10:47:36.005187Z
1 likes, 1 repeats
@graf @p @sun @sandfrog This on has RDNS to mapper dot space hosted on yunohost, interesting.
(DIR) Post #B2eWExpfz1NE8v23Um by graf@poa.st
2026-01-25T10:48:24.660343Z
1 likes, 0 repeats
@phnt @p @sun @sandfrog 5.1.64.146
(DIR) Post #B2eWEz9Z4YsQEtLS8O by graf@poa.st
2026-01-25T10:51:30.714597Z
2 likes, 0 repeats
@phnt @p @sun @sandfrog wait a minute, is some software misrepresenting itself? These are all the same Go-http-client UAs and most are all datacenters (contabo, hetzner, etc)
(DIR) Post #B2eWEzqSV5BiNvPhzc by phnt@fluffytail.org
2026-01-25T10:52:16.069568Z
1 likes, 1 repeats
@graf @p @sun @sandfrog It's a default UA for Go's http library. I have that UA on my nginx 444 list, because I kept getting retarded vuln scanners with it.
(DIR) Post #B2eWF0To8mfCLxp8KG by mint@ryona.agency
2026-01-25T10:54:51.409841Z
3 likes, 2 repeats
@phnt @p @graf @sun @sandfrog Congratulations, you've blocked the bloat client.
(DIR) Post #B2eWM1QJ1zKdJ4WylE by phnt@fluffytail.org
2026-01-25T10:56:37.438579Z
1 likes, 1 repeats
@graf @p @sandfrog @sun I think it's some pwned sites doing scraping or proxying. According to shodan:110.172.148.110 -> devol.it (newsletter and slop blog powered by ghost)5.1.64.146 -> adventure.knubbel.me (some travel planning service)
(DIR) Post #B2eWMuCjMA9XCtbPjk by phnt@fluffytail.org
2026-01-25T10:57:13.801142Z
0 likes, 1 repeats
@mint Don't care, I don't use it.
(DIR) Post #B2eWm333bzkHsM4CbQ by mint@ryona.agency
2026-01-25T10:58:37.155716Z
3 likes, 1 repeats
@phnt You should.
(DIR) Post #B2fFldAaK80VYHlMMy by phnt@fluffytail.org
2026-01-25T10:16:13.270535Z
1 likes, 1 repeats
@graf @p @sun Yep this can go in the kys bucket. IPv6 is: 2a04:3544:8000:1000:f8c8:92ff:fec1:7d06Also tried scraping a bunch of profiles on my end.
(DIR) Post #B2fH2hVJYtGts7A8FU by phnt@fluffytail.org
2026-01-25T10:33:04.494381Z
0 likes, 1 repeats
cc @grips
(DIR) Post #B2fH4gQyVjsv8H4u3s by mint@ryona.agency
2026-01-25T10:31:53.746532Z
2 likes, 1 repeats
@phnt @p @graf @sun @sandfrog Nothing here, /api/v1/directory was only accessed by a few random Friendica instances and 149.165.152.252 with default curl useragent.
(DIR) Post #B2fHovQP6jwuwjrQi8 by mint@ryona.agency
2026-01-25T10:39:23.252899Z
1 likes, 2 repeats
@phnt @graf @p @sandfrog @sun I don't think anything legitimate even uses this endpoint so why not put a 402 on it.
(DIR) Post #B2io0sjKjSYw4UL82i by p
2026-01-27T20:44:57.724739Z
3 likes, 0 repeats
@phnt @graf @sun > (see thread)It's some shithead Pokemon Go To The Social instance and thus their post has not federated and clicking shows me unappealing corporate art ( https://social.grautier.eu/fileserver/01NHPQJ0NHAG9PZEMDRDV5XWXX/attachment/small/01J648EZB770A51JJW2YXDJNGD.webp ) along with some terrible German words that I cannot read.
(DIR) Post #B2io8aOGnpjVVaA3Zg by p
2026-01-27T20:46:21.265000Z
1 likes, 0 repeats
@graf @phnt @sun @sandfrog FSE ices generic UAs like that one.
(DIR) Post #B2io9zm1ujQsWSwlBg by p
2026-01-27T20:46:36.552162Z
1 likes, 0 repeats
@phnt @graf @sandfrog @sun What is the UA that they're using?
(DIR) Post #B2ioFIXXZKKQAnhKmO by phnt@fluffytail.org
2026-01-27T20:47:29.999411Z
0 likes, 1 repeats
@p @graf @sun That was meant for other IPs since I realized you don't support edits. The only things worthwhile in the quost are:UA - FediBigDataIP - 81.27.105.14
(DIR) Post #B2ioFeejLH9SlTEO2a by p
2026-01-27T20:47:37.919479Z
0 likes, 0 repeats
@mint @phnt @graf @sandfrog @sun Ha, did he?
(DIR) Post #B2iozboUF8mXGkhuHw by phnt@fluffytail.org
2026-01-27T20:55:55.093772Z
1 likes, 1 repeats
@p @graf @sun Or to be more precise the full UA is: FediBigData/1.0 (research crawler; https://github.com/example/fedi-big-data)
(DIR) Post #B2irQaPfl04iea5lk8 by p
2026-01-27T21:23:13.360000Z
2 likes, 0 repeats
@phnt @graf @sun Well, what's the actual thing that is going on?Also imagine enabling IPv6.
(DIR) Post #B2irVtZzvKovXsSA0u by p
2026-01-27T21:24:10.927591Z
1 likes, 0 repeats
@mint @phnt @graf @sandfrog @sun Someone's hitting /api/v1/directory?
(DIR) Post #B2irbYpjyCyGwLWBma by phnt@fluffytail.org
2026-01-27T21:25:05.050001Z
1 likes, 1 repeats
@p @graf @mint @sun @sandfrog Yep, and also /api/v1/accounts/?acct=XYZ
(DIR) Post #B2irdveU6QJQI0Nm9A by phnt@fluffytail.org
2026-01-27T21:25:36.131240Z
1 likes, 1 repeats
@p @graf @mint @sandfrog @sun s/?acct=XYZ/:nickname/
(DIR) Post #B2ivSRi3UGGE3WpgaO by p
2026-01-27T22:08:22.728979Z
1 likes, 0 repeats
@phnt @graf @sun > FediBigData Well, the actual UA: "FediBigData/1.0 (research crawler; https://github.com/example/fedi-big-data)";Sorted::mycomputer: if ( $http_user_agent ~* research ) { return 402; }
(DIR) Post #B2iwaRvEgFYWzCNUfo by p
2026-01-27T22:21:01.809938Z
1 likes, 0 repeats
@phnt @graf @mint @sandfrog @sun Looks like they start by hitting nodeinfo:81.27.102.249 -[2026-01-20T09:41:12+00:00] "GET /.well-known/nodeinfo HTTP/1.1" 200 110 "-" "FediBigData/1.0 (research crawler; https://github.com/example/fedi-big-data)"; 0.000 -- -media.freespeechextremist.com ---81.27.102.249 -[2026-01-22T01:44:28+00:00] "GET /.well-known/nodeinfo HTTP/1.1" 200 110 "-" "FediBigData/1.0 (research crawler; https://github.com/example/fedi-big-data)"; 0.000 -- -media.freespeechextremist.com ---81.27.105.14 -[2026-01-23T15:04:16+00:00] "GET /.well-known/nodeinfo HTTP/1.1" 200 110 "-" "FediBigData/1.0 (research crawler; https://github.com/example/fedi-big-data)"; 0.000 -- -media.freespeechextremist.com ---
(DIR) Post #B2jZn7UfqAnfbazDxA by mint@ryona.agency
2026-01-28T05:40:15.664059Z
0 likes, 1 repeats
@p @phnt @graf @sun @sandfrog So it seems.Screenshot_20260128_083953.png
(DIR) Post #B2ja9zwM5fUeq4qLy4 by p
2026-01-28T05:44:27.037444Z
3 likes, 0 repeats
@mint @graf @phnt @sandfrog @sun :pressf:bloat should probably just use a real UA anyway. I think I looked into this at one point but most of the HTTP reqs go through the dang, like, Mastodon client library. I think bloat would actually be leaner if it ignored it. FediBBS just rolled its own client and it's fine. (The only dep is the HTML parser. I don't wanna write an HTML parser.)