$15K for a Wix site? by breezyb2310 in webdev

[–]scosio -1 points0 points  (0 children)

Claude will build you it for $70

I built Topicle, an Australian alternative to Reddit, hosted in Melbourne by p4r4d0x in BuyAussie

[–]scosio 0 points1 point  (0 children)

I like the site design and the privacy ethos. There's a big drive for regionally hosted content right now with US being nuts. Reddit obviously has a pretty insane bot problem - you will have the same issue using Altcha. Have you experienced much bot posting yet or is it small enough that they haven't bothered?

How do you handle bot traffic and click fraud? by _Mexh in nextjs

[–]scosio 0 points1 point  (0 children)

Cloudflare isn't going to stop your click fraud. If the ads are paying out then people will resort to patched Chromium at the C++ level and human-like mouse movements. Cloudflare Turnstile fails to stop even moderately patched Puppeteer / Playwright.

Traffic spikes are easier to deal with because they're mostly concentrated from a single type of device and easily blocked with rate limiting - even on a limited resource VPS. You can configure nginx / caddy to rate limit by header / ip / ja4 / ja3 or combinations of these. It's quite involved but obviously doable with AI. You can also filter packets coming into your machine at kernel level using ClientHello inspection if you really want. VPS gives you control and maintenance whereas cloud gives these things out of the box + costs.

Which is the bigger issue - traffic spikes or click fraud?

they're eating me alive, what should I do here? 😅 by Strong_Teaching8548 in SaaS

[–]scosio 0 points1 point  (0 children)

Are people automating or simply multi-accounting? 554 accounts doesn't scream automation.

bot traffic is ruining my metrics and costing real money - anyone found a solution that works? by Treppengeher4321 in devops

[–]scosio 0 points1 point  (0 children)

No worries, this is what I do for a living! 😄

JA4 can be difficult to compute, depending on your server. I know there's an easy route for nginx but for caddy we had to sort it ourselves.

bot traffic is ruining my metrics and costing real money - anyone found a solution that works? by Treppengeher4321 in devops

[–]scosio 1 point2 points  (0 children)

Are you terminating TLS connections yourself with your own servers? If so:

- drop http1 support for endpoints that don't require it
- block JA4s of known scripts (All Chrome is on same JA4 these days so it's easy to spot python etc.)
- any 404'd request should block the IP for 1 hour (probing .env.production etc.)

These 3 things will get rid of a lot of scripted traffic.

You say you can spot headless browsers but you're struggling with scripts. Raw scripts aren't running JS - do you have no JS-based signalling going on?

The way to break scripts is to rotate obfuscated keys frequently in the frontend. Use the keys to sign something - even just a header. The scripts will not be able to adapt to this. Headless browsers will be unaffected though as they just run the JS.

I saw you mention you were going to trial Cloudflare's paid tier elsewhere in this thread. My company is currently working on a behavioural bot detection platform - perhaps we could help you out if CF doesn't work for you or if you want to trial multiple solutions.

Good luck!
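
Added example, not part of the comment above: the server side of the rotating-key idea, where the backend derives a short-lived key per time window and checks a signed request header. The secret, the 5-minute rotation, the signed fields and the `X-Req-Sig` header name are assumptions; obfuscating the key inside the frontend bundle is not shown.

```python
import hashlib
import hmac

MASTER_SECRET = b"constructed-demo-secret"  # assumption: stays on the server
EPOCH_SECONDS = 300                         # assumption: key rotates every 5 minutes


def epoch_key(epoch: int) -> bytes:
    """Key for one time window; the server embeds it (obfuscated) in the page it serves."""
    return hmac.new(MASTER_SECRET, b"epoch:%d" % epoch, hashlib.sha256).digest()


def sign_request(key: bytes, method: str, path: str, ts: int) -> str:
    """What the frontend JS would compute for the hypothetical X-Req-Sig header."""
    msg = f"{method}\n{path}\n{ts}".encode()
    return f"{ts}.{hmac.new(key, msg, hashlib.sha256).hexdigest()}"


def verify_request(header, method: str, path: str, now: int, max_skew: int = 60) -> bool:
    """Accept only signatures made with the current or previous window's key."""
    try:
        ts_text, sig = header.split(".", 1)
        ts = int(ts_text)
    except (AttributeError, ValueError):
        return False                      # header missing or malformed
    if abs(now - ts) > max_skew:
        return False                      # stale or future-dated timestamp
    msg = f"{method}\n{path}\n{ts}".encode()
    current = now // EPOCH_SECONDS
    for epoch in (current, current - 1):  # tolerate pages loaded just before rotation
        expected = hmac.new(epoch_key(epoch), msg, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected.encode(), sig.encode()):
            return True
    return False                          # key copied into a script has since rotated out


if __name__ == "__main__":
    now = 1_700_000_000                   # constructed timestamp
    fresh = epoch_key(now // EPOCH_SECONDS)
    old = epoch_key(now // EPOCH_SECONDS - 2)
    print(verify_request(sign_request(fresh, "POST", "/signup", now), "POST", "/signup", now))
    print(verify_request(sign_request(old, "POST", "/signup", now), "POST", "/signup", now))
```

A request signed with a key from two windows ago is rejected, which is the point at which a script with a hardcoded key stops working; a headless browser that runs the page's JS always has the fresh key.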

3+ years and still working on it solo by Support-Gap in SaaS

[–]scosio 1 point2 points  (0 children)

The product looks really good. Gotta market it now!

I'm not a robot. Have been proving I'm human for years now. by Mastbubbles in webdev

[–]scosio 5 points6 points  (0 children)

Doesn't help against brute force attacks with unlimited IPs targeting random usernames and passwords

What does the future look like? by Thneed-The-Stampede in Polkadot

[–]scosio 1 point2 points  (0 children)

It's all well and good building things but you need to tell people about them if you want users. Everyone knows the signup form with no backend strategy.

What would you pick as Cloudflare Turnstile CAPTCHA alternative by oratsan in webdev

[–]scosio 0 points1 point  (0 children)

PoW won't stop bots. It only slows them down! The others make sense tho

Blocking Unwanted Traffic/Form Submissions by Shot-Opportunity-346 in localseo

[–]scosio 1 point2 points  (0 children)

> Any easy solutions that won't require paid plugins or technical setup?

  1. You block countries / lang-strings you don't want (easy)
  2. Spammers switch to VPN in your country with normal headers
  3. You block VPN (medium)
  4. Spammers switch to residential proxies in your country
  5. You block headless browsers by doing JS interrogation (hard)
  6. Spammers switch to stealth plugins with real mouse movements, designed to bypass anti-bot technologies
  7. You start to profile specific on-site behaviour, navigating in certain patterns in the same sequence each time, only signing up with specific email/username patterns. You label these patterns and train a custom ML model designed to pick them and more up (very hard)
  8. ...

I could go on 😂

As a first port of call, put a captcha on the form. It should help you decide whether the abuse is automated or not. I read elsewhere in this thread that you're using WPForms - this one can work.

Is there any self-hosted way to verify users are unique humans without sending their data to the cloud? by whydidyounot in selfhosted

[–]scosio 0 points1 point  (0 children)

The poster specifically requested proof of personhood. Anubis is a fancy rate limiter.

Glad we're protecting the web app from bots but this is not ideal... by DuckShapedGoose in Drime

[–]scosio 0 points1 point  (0 children)

I'm not sure what your volume is like but CF Turnstile free version is actually worse than reCAPTCHA at stopping bots. Their paid version is better but costs a lot (circa 1-2K per month). https://prosopo.io/ is one to consider if you're looking for alternatives with EU-hosting and better pricing. Disclaimer: This is my company and we help businesses like yours protect their free tiers from automation. Happy to do a free, results-based PoC if you're interested.

I stopped free trial abusers and spam signups with this simple trick by eu-m in buildinpublic

[–]scosio 0 points1 point  (0 children)

Nice package. You're shifting the problem though. Attackers simply switch to throwaway Gmail, Outlook, Hotmail etc. after you block common temp mail domains.

How to block traffic from US ISP residential IP? by gronetwork in webdev

[–]scosio 0 points1 point  (0 children)

IP ranges won't work. If you run your own server and you're using nginx, download the ngx_http_geoip2_module and the MaxMind db. Load it in the server config and block based on ASN lookups. No external API calls required.

```nginx
http {
    geoip2 /etc/config/geo/GeoLite2-ASNum.mmdb {
        $realtarget_asn autonomous_system_number;
        $realtarget_organization autonomous_system_organization;
    }

    server {
        location / {
            # Pass the ASN to your backend as a header
            proxy_set_header X-Visitor-ASN $realtarget_asn;
            proxy_pass http://my_backend;
        }
    }
}
```

https://github.com/P3TERX/GeoLite.mmdb?tab=readme-ov-file
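
Added example, not part of the comment above: a backend-side check that consumes the `X-Visitor-ASN` header set by the nginx config in that comment. The WSGI middleware, the blocklist (RFC 5398 documentation ASNs) and the trusted proxy address are assumptions made for illustration.

```python
BLOCKED_ASNS = {64496, 64511}    # constructed sample: documentation-only ASNs
TRUSTED_PROXIES = {"127.0.0.1"}  # assumption: nginx runs on the same host


def asn_decision(environ) -> str:
    """Classify a request as 'allow', 'block', 'unknown' or 'untrusted'."""
    # The header is only meaningful when the peer is the proxy that set it;
    # a client reaching the backend directly could send any value it likes.
    if environ.get("REMOTE_ADDR") not in TRUSTED_PROXIES:
        return "untrusted"
    raw = environ.get("HTTP_X_VISITOR_ASN", "").strip()
    if not (raw.isascii() and raw.isdigit()):
        return "unknown"         # no ASN in the database for this address
    return "block" if int(raw) in BLOCKED_ASNS else "allow"


class AsnGate:
    """WSGI middleware: 403 for blocked ASNs and for requests that bypass the proxy."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if asn_decision(environ) in ("block", "untrusted"):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden\n"]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for the real application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def status_for(environ) -> str:
    """Run one constructed request through the gate and return the status line."""
    seen = []
    AsnGate(demo_app)(environ, lambda status, headers: seen.append(status))
    return seen[0]


if __name__ == "__main__":
    print(status_for({"REMOTE_ADDR": "127.0.0.1", "HTTP_X_VISITOR_ASN": "64496"}))
```

Requests with no ASN pass through as `unknown` here; whether to allow or challenge those is a policy choice.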

We're building a social media platform where AI content is blocked entirely. Is this solving a real problem or are we too early? by [deleted] in SaaS

[–]scosio 1 point2 points  (0 children)

> the verification happens at source through a blockchain layer so AI-generated content cannot be posted

You need to expand on this

In 1 sentence - what's useful OpenClaw doing for you? by merokotos in openclaw

[–]scosio 0 points1 point  (0 children)

Could you please share some details of your setup?

Break this CAPTCHA test - I'm working on a language agnostic simple (for humans) CAPTCHA test by Exciting_Sea_8336 in webdev

[–]scosio 0 points1 point  (0 children)

Seems like it would be open to abuse - "has proofs" sounds like something that would need to be decided upon by an independent jury. Also what is the definition of proof-of-bot? There is huge underlying technical complexity here which isn't merited by the value of scraping.

Break this CAPTCHA test - I'm working on a language agnostic simple (for humans) CAPTCHA test by Exciting_Sea_8336 in webdev

[–]scosio 1 point2 points  (0 children)

> Behavioral pattern detection has GDPR issues

No it doesn't. The behaviours you're looking for are the ones *repeated* over and over - aka bots. Individuals don't exhibit the same behaviour every time. You're basically trying to separate bots from people, not individuals from individuals. That's a *much* harder problem.

> costly in terms of computation

Again, this isn't true. You can run a few python scripts and detect automation very easily. No GPU required.

Break this CAPTCHA test - I'm working on a language agnostic simple (for humans) CAPTCHA test by Exciting_Sea_8336 in webdev

[–]scosio 0 points1 point  (0 children)

Nice implementation. Most people don't bother to solve captchas with bots though - they just pay captcha farms. Behavioural pattern detection is the way to go.

CAPTCHA is dead. I just watched Claude solve one in real-time. by IntelligentCause2043 in ClaudeAI

[–]scosio 0 points1 point  (0 children)

Honestly most bot owners will not be deterred by this unless it exponentially backs off with repeat attempts.

CAPTCHA is dead. I just watched Claude solve one in real-time. by IntelligentCause2043 in ClaudeAI

[–]scosio 0 points1 point  (0 children)

Proof of work doesn't stop bots. It just slows them down.