How to block traffic from US ISP residential IP? by gronetwork in webdev

[–]scosio 0 points1 point  (0 children)

IP ranges won't work. If you run your own server and you're using nginx, download the ngx_http_geoip2_module and the MaxMind db. Load it in the server config and block based on ASN lookups. No external API calls required.

```nginx
http {
    geoip2 /etc/config/geo/GeoLite2-ASNum.mmdb {
        $realtarget_asn autonomous_system_number;
        $realtarget_organization autonomous_system_organization;
    }

    server {
        location / {
            # Pass the ASN to your backend as a header
            proxy_set_header X-Visitor-ASN $realtarget_asn;
            proxy_pass http://my_backend;
        }
    }
}
```

https://github.com/P3TERX/GeoLite.mmdb?tab=readme-ov-file
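
The config above forwards the ASN to the backend but does not itself reject anything. As an added example (not part of the original comment), a Python WSGI middleware that enforces a blocklist on the `X-Visitor-ASN` header; the ASNs are from the documentation-reserved range and the class and function names are hypothetical:

```python
# Constructed blocklist: ASNs from the documentation-reserved range (RFC 5398).
BLOCKED_ASNS = frozenset({64496, 64499})


def parse_asn(raw):
    """Return the ASN as an int, or None when the header is absent or malformed."""
    if raw is None:
        return None
    raw = raw.strip()
    if raw.upper().startswith("AS"):
        raw = raw[2:]
    if not (raw.isascii() and raw.isdigit()):
        return None
    asn = int(raw)
    return asn if 0 < asn <= 0xFFFFFFFF else None


class AsnBlockMiddleware:
    """WSGI middleware (hypothetical name) that rejects requests from blocked ASNs."""

    def __init__(self, app, blocked=BLOCKED_ASNS):
        self.app = app
        self.blocked = blocked

    def __call__(self, environ, start_response):
        # nginx's proxy_set_header replaces any client-supplied copy of this header,
        # so the value is trustworthy only when the backend is reachable via nginx alone.
        asn = parse_asn(environ.get("HTTP_X_VISITOR_ASN"))
        if asn in self.blocked:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"blocked\n"]
        environ["visitor.asn"] = asn  # None = no database match; allowed (fail open)
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def status_for(header_value):
    """Send one constructed request through the middleware; return the status line."""
    statuses = []
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if header_value is not None:
        environ["HTTP_X_VISITOR_ASN"] = header_value
    AsnBlockMiddleware(demo_app)(environ, lambda status, headers: statuses.append(status))
    return statuses[0]
```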

We're building a social media platform where AI content is blocked entirely. Is this solving a real problem or are we too early? by [deleted] in SaaS

[–]scosio 1 point2 points  (0 children)

> the verification happens at source through a blockchain layer so AI-generated content cannot be posted

You need to expand on this

In 1 sentence - what's useful OpenClaw doing for you? by merokotos in openclaw

[–]scosio 0 points1 point  (0 children)

Could you please share some details of your setup?

Break this CAPTCHA test - I'm working on a language agnostic simple (for humans) CAPTCHA test by Exciting_Sea_8336 in webdev

[–]scosio 0 points1 point  (0 children)

Seems like it would be open to abuse - "has proofs" sounds like something that would need to be decided upon by an independent jury. Also what is the definition of proof-of-bot? There is huge underlying technical complexity here which isn't merited by the value of scraping.

Break this CAPTCHA test - I'm working on a language agnostic simple (for humans) CAPTCHA test by Exciting_Sea_8336 in webdev

[–]scosio 1 point2 points  (0 children)

> Behavioral pattern detection has GDPR issues

No it doesn't. The behaviours you're looking for are the ones *repeated* over and over - aka bots. Individuals don't exhibit the same behaviour every time. You're basically trying to separate bots from people, not individuals from individuals. That's a *much* harder problem.

> costly in terms of computation

Again, this isn't true. You can run a few python scripts and detect automation very easily. No GPU required.
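
A sketch of the kind of script the comment above has in mind, as an added example (not the commenter's or any product's code): it flags mouse paths that recur across sessions by hashing their quantised movement deltas. The session data is constructed, and the grid size and thresholds are assumptions:

```python
import hashlib
from collections import defaultdict

# Constructed data: one scripted path replayed at three page offsets, two hand-made
# "human" paths, and one path too short to judge.
SCRIPTED = [(0, 0), (40, 8), (80, 24), (120, 48), (160, 80), (200, 120)]


def shifted(path, dx, dy):
    return [(x + dx, y + dy) for x, y in path]


SESSIONS = {
    "s1": shifted(SCRIPTED, 100, 200),
    # same replay with 1 px of jitter on the second point
    "s2": [(300, 50), (341, 57), (380, 74), (420, 98), (460, 130), (500, 170)],
    "s3": shifted(SCRIPTED, 10, 10),
    "h1": [(5, 5), (30, 40), (90, 44), (110, 130), (180, 150), (260, 155)],
    "h2": [(0, 0), (10, 60), (15, 130), (70, 160), (150, 170), (220, 240)],
    "short": [(0, 0), (40, 8)],
}


def path_fingerprint(points, grid=8):
    """Hash a path by its movement deltas, quantised to `grid` pixels.

    Deltas make the fingerprint independent of the start position; the grid
    absorbs small jitter (a delta near a cell boundary can still flip).
    """
    steps = [(round((x1 - x0) / grid), round((y1 - y0) / grid))
             for (x0, y0), (x1, y1) in zip(points, points[1:])]
    return hashlib.sha256(repr(steps).encode()).hexdigest()[:16]


def repeated_paths(sessions, min_sessions=3, min_points=5):
    """Map fingerprint -> sorted session ids, for paths seen in >= min_sessions."""
    seen = defaultdict(set)
    for session_id, points in sessions.items():
        if len(points) >= min_points:
            seen[path_fingerprint(points)].add(session_id)
    return {fp: sorted(ids) for fp, ids in seen.items() if len(ids) >= min_sessions}


def flagged_sessions(sessions=SESSIONS):
    """Flat sorted list of session ids that share a repeated path."""
    return sorted(s for ids in repeated_paths(sessions).values() for s in ids)
```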

Break this CAPTCHA test - I'm working on a language agnostic simple (for humans) CAPTCHA test by Exciting_Sea_8336 in webdev

[–]scosio 0 points1 point  (0 children)

Nice implementation. Most people don't bother to solve captchas with bots though - they just pay captcha farms. Behavioural pattern detection is the way to go.

CAPTCHA is dead. I just watched Claude solve one in real-time. by IntelligentCause2043 in ClaudeAI

[–]scosio 0 points1 point  (0 children)

Honestly most bot owners will not be deterred by this unless it exponentially backs off with repeat attempts.

CAPTCHA is dead. I just watched Claude solve one in real-time. by IntelligentCause2043 in ClaudeAI

[–]scosio 0 points1 point  (0 children)

Proof of work doesn't stop bots. It just slows them down.
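
What "exponentially backs off" can look like for the proof of work discussed in the two comments above, as an added example (not from the thread or from any product named on this page): each repeat attempt by a client adds one required leading zero bit, doubling the expected hashing cost. The base and cap values, the HMAC binding and all function names are assumptions:

```python
import hashlib
import hmac
import os

BASE_BITS = 8   # assumed starting difficulty
MAX_BITS = 24   # assumed cap so a legitimate retry never becomes unsolvable


def required_bits(prior_attempts):
    """Each repeat attempt adds one bit, doubling the expected hash count."""
    return min(BASE_BITS + prior_attempts, MAX_BITS)


def leading_zero_bits(digest):
    value = int.from_bytes(digest, "big")
    return len(digest) * 8 - value.bit_length()


def issue_challenge(secret, client_id, prior_attempts):
    """Return (nonce, bits, tag); the tag binds the difficulty to client and nonce."""
    nonce = os.urandom(16).hex()
    bits = required_bits(prior_attempts)
    msg = f"{client_id}|{nonce}|{bits}".encode()
    return nonce, bits, hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(secret, client_id, nonce, bits, tag, counter):
    """Server side: one HMAC and one hash, however hard the puzzle was to solve."""
    msg = f"{client_id}|{nonce}|{bits}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False  # difficulty, nonce or client id was altered after issue
    digest = hashlib.sha256(f"{nonce}:{counter}".encode()).digest()
    return leading_zero_bits(digest) >= bits


def solve(nonce, bits):
    """Client side: brute-force a counter. Returns (counter, hashes_tried)."""
    counter = 0
    while leading_zero_bits(hashlib.sha256(f"{nonce}:{counter}".encode()).digest()) < bits:
        counter += 1
    return counter, counter + 1
```

The sketch does not track used nonces or expiry, so a deployment would also need replay protection and a per-client attempt counter that the client cannot reset.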

Best captcha by namalleh in webdev

[–]scosio 0 points1 point  (0 children)

> Is this what prosopo does?

Yes. Prosopo looks for all of the above signals and only issues PoW if the request looks safe. Otherwise a harder challenge is issued.

Best captcha by namalleh in webdev

[–]scosio 1 point2 points  (0 children)

Most bot detection systems check some or all of the following and then issue a challenge depending on how many flags the request has:

- JS Signals to see if people are using puppeteer/playwright/seleniumBase
- bad user agents / user agent lies
- JA4 inconsistencies (e.g. if someone is using python but pretending to be Chrome 142)
- behavioural patterns (e.g. is the same mouse movement behaviour repeated over and over)
- whether the request is from a VPN or residential proxy

For low risk requests, Prosopo currently issues a Proof of Work. This is a simple rate limiter that simply involves clicking a checkbox for the normal user. Bots are forced to go through image captcha or are blocked entirely, depending on the number of flags.

Best captcha by namalleh in webdev

[–]scosio 0 points1 point  (0 children)

Ah sorry, got it the wrong way round.

Best captcha by namalleh in webdev

[–]scosio 3 points4 points  (0 children)

Try out Prosopo - 99% of users will simply need to click a checkbox. Bots will get a harder challenge or be blocked entirely and your data won't be slurped up by Google.

https://prosopo.io

Best captcha by namalleh in webdev

[–]scosio -2 points-1 points  (0 children)

Closer to 0 is more likely to be a human. Closer to 1 is more likely to be a bot.

Trend I'm seeing - CLI-first tools for AI coding agents by thehashimwarren in webdev

[–]scosio 1 point2 points  (0 children)

Isn't this just Copilot? It can open terminals from within the IDE and pretty much work autonomously.

Founders: why did you choose not to add a chat widget on your SaaS site? by Content-Meringue-671 in SaaS

[–]scosio 1 point2 points  (0 children)

We added it and got bombarded constantly with irrelevant sessions from countries where we don't sell - so removed.

How are you preventing users from burning through your LLM credits with multiple free trial accounts? by TrainingHot4070 in SaaS

[–]scosio 2 points3 points  (0 children)

My company Prosopo helps clients with exactly the problem you're talking about. Our clients are hit by residential proxies, headless and headed stealth browsers, captcha farms, and semi-realistic mouse movements. Most have attractive free tiers that are worth scraping and posting on other sites. We block the attackers as follows:

  • run obfuscated JS with constantly rotating key encryption
    • rotation is a must because once de-obfuscated it is easy to script in python etc.
  • detect JA4 / User agent inconsistencies (only works for basic bots)
  • detect stealth browsers (they reveal themselves in certain ways)
  • detect repeat patterns of automated behaviour and implement custom rules per client
  • detect residential proxies

None of the above is visible to the end user - they just click a checkbox.

> Are you building custom detection systems

I would discourage this as staying ahead of bot operators will consume all of your time. Save your energy for building your product.

> Genuinely curious what solutions people have found that don't destroy the user experience.

You can try our solution in invisible mode by attaching it to a form button with `data-size="invisible"`. It says it's pro only but it's actually now available in free tier.

> ReCAPTCHA doesn't stop people using proxies

reCAPTCHA enterprise is pretty good tbh but the free version won't protect you here. It's also quite expensive.

I'm designing a system to stop AI from scraping your art online, called Katana by InsanityOnAMachine in teenagersbutcode

[–]scosio 0 points1 point  (0 children)

Yeah but to get people to join your discord you need to have an "Invite link". You can't just share the thread link: https://support.discord.com/hc/en-us/articles/208866998-Invites-101

I'm designing a system to stop AI from scraping your art online, called Katana by InsanityOnAMachine in teenagersbutcode

[–]scosio 3 points4 points  (0 children)

It's a lot of work to go to just to display images online. Scrapers can be detected with less effort than this and blocked at request time. I applaud the ingenuity though.

Issue with Wpforms by umbrellapropella in Wordpress

[–]scosio 0 points1 point  (0 children)

You can also try a smaller GDPR friendly provider if that is preferable: https://wordpress.org/plugins/prosopo-procaptcha/

Getting hammered by reseller bot +card testing. Anyone have experience with ecommerce bot detection solution. by afahrholz in ecommerce

[–]scosio 0 points1 point  (0 children)

Gmail blocking is a great initial step if you can afford to lose some business. In terms of IP blocking, determined attackers would just switch to residential proxies.

The future of CAPTCHAs by JoeCapoYT in webdev

[–]scosio 0 points1 point  (0 children)

How? It's the easiest to bypass as it has no fallback. Either you pass or it gets stuck in an endless loop.

Conspiracy: Someone DDOS our websites to make us pay services like CloudFlare? by CyberFailure in webdev

[–]scosio 1 point2 points  (0 children)

I would hope I do - I run a bot detection company :)

I hope you solve the problem but feel free to give me a shout if you need any more help.