2026-03-13T09:20:39  <matrix-o-o> <Lubos Kocman> Hello folks! one Q, I'd like to deploy a kudos matrix bot, but I kinda struggle with account creation because I'd like to use some bot email. I know that openSUSE bots are creating something like serviceName+bot@opensuse.org so it's not tied to my personal email or similar. How can I create one? I'll be setting gravatar etc for it, so I should somehow be able to access to its email inbox as well
2026-03-13T10:59:48  *** mdogg_ is now known as mdogg
2026-03-13T14:42:42  <mia> btw i don’t know to what extent the scraping/ddos botnet (kimwolf) has been a problem here, but because existing tools (i recommend go-away over anubis btw) aren’t enough for my use case, i’ve begun work on a new nginx module for part of the ja4+ fingerprinting suite to gain insight about suspicious traffic (the other ones have problems like requiring patched openssl, or a dozen forks that each have different bugs like null pointer derefs)
2026-03-13T14:43:44  <mia> i run a public anonymous file hoster/pastebin so i get lots of bot traffic to begin with and have a bit of experience dealing with such
2026-03-13T14:44:17  <mia> IP range blocks and DNSBLs have exhausted their usefulness
2026-03-13T14:44:55  <matrix-o-o> <bmwiedemann> Indeed, source IPs are usually spread over ISPs
2026-03-13T14:46:48  <mia> one simple thing you can do with just webserver config… if it’s an https conection: if the request has a web browser UA string but the tls clienthello has no ALPN extension, that is definitely not a browser
2026-03-13T14:47:35  <mia> or one that is more than 10 years old
2026-03-13T14:50:35  <matrix-o-o> <bmwiedemann> My nagios sends this type for monitoring.
2026-03-13T14:50:58  <matrix-o-o> <bmwiedemann> Except with a proper user agent
2026-03-13T14:52:35  <mia> boringssl has a callback API that allows rejecting such before completing the tls handshake, but nginx doesn’t expose it yet. i’m using it for fingerprinting because it lets me look at the unprocessed clienthello
2026-03-13T14:53:46  <mia> well, not with the UA string because at that point it’s not even http yet, but with other factors
2026-03-13T14:55:43  <mia> for now i have a daemon (not fail2ban because that is far too slow to handle peak times) monitoring the journal and adding temporary ipset entries to the firewall when a bot has been identified
2026-03-13T14:56:21  <mia> it also writes those to a database for later analysis
2026-03-13T15:01:22  <mia> mildly annoyed that there’s no structured logging support in nginx itself and the best you can do is use json for the log templates. which means you can choose between human-readable and machine-readable but you cannot have both, and even with lnav the former is awkward to handle and slow to query. people keep asking “how do i log to the journal” but get told to use the syslog facility every time :(
2026-03-13T15:02:09  <mia> s/the former/the json template approach/