@technomancy I'll have to wait for the blog post 🤔
@technomancy I thought lock files were also supposed to act as TOFU for dependencies so the file contents behind a version tag can't be modified after the fact
@notplants I almost did this...
But I eventually kind of realized why they did what they did.
The problem is that SMTP submission (as it's implemented today) does not support Delivery Failures. The protocol simply doesn't have any place for them. So, if your email message gets rejected by an email server, then you will not be able to know that it happened.
That's why everyone started using a different protocol for submitting transactional email.
Especially for interactive systems like logins, it's crucial that the user can receive a warning when their email provider bounces the email.
For capsul we ended up implementing our own super janky version of this which was based on tailing the logs from SMTPD. https://git.cyberia.club/cyberia/smtpd-delivery-monitor
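The log-tailing approach mentioned above, shown as an added example (not the smtpd-delivery-monitor project's own code): the application records the Message-ID of each transactional mail it submits, then watches the MTA's delivery log for a result line carrying that Message-ID and maps it back to the user who must be warned. The log lines and their key=value layout are constructed for this example, loosely modelled on OpenSMTPD's style but not its exact format; all function names are assumptions.

```python
"""Correlate submitted mail with delivery results tailed from an MTA log.

Added example; the log format below is constructed, not real server output.
"""
import re

# key="quoted value" or key=bareword tokens (assumed layout for the sample log)
TOKEN_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample log lines, not captured from a real server.
SAMPLE_LOG = """\
2024-05-01T12:00:01Z smtpd[811]: mta delivery evpid=1a2b3c msgid=<login-41@app.example> from=<noreply@app.example> to=<alice@example.org> result="Ok" stat="250 2.0.0 OK"
2024-05-01T12:00:02Z smtpd[811]: smtp-in: session connected from 198.51.100.7
2024-05-01T12:00:05Z smtpd[811]: mta delivery evpid=4d5e6f msgid=<login-42@app.example> from=<noreply@app.example> to=<bob@example.net> result="PermFail" stat="550 5.1.1 User unknown"
2024-05-01T12:00:09Z smtpd[811]: mta delivery evpid=7a8b9c msgid=<login-43@app.example> from=<noreply@app.example> to=<carol@example.com> result="TempFail" stat="451 4.7.1 Greylisted, try later"
"""

# MTA result words mapped to what the application cares about (assumed mapping)
STATUS = {"Ok": "delivered", "PermFail": "bounced", "TempFail": "deferred"}


def parse_delivery_line(line):
    """Return a delivery event dict for an 'mta delivery' line, else None."""
    if " mta delivery " not in line:
        return None
    # findall yields (key, quoted, bare); exactly one of quoted/bare is set
    fields = {k: (q or v) for k, q, v in TOKEN_RE.findall(line)}
    if "msgid" not in fields or "result" not in fields:
        return None
    return {
        "msgid": fields["msgid"],
        "to": fields.get("to"),
        "status": STATUS.get(fields["result"], "unknown"),
        "detail": fields.get("stat", ""),
    }


def monitor(log_text, pending):
    """Match delivery events against messages the app is waiting on.

    pending maps Message-ID -> opaque application context (here, a user name).
    Returns the events for those messages, each tagged with its context, so the
    caller can surface a bounce to the right user instead of silently losing it.
    """
    events = []
    for line in log_text.splitlines():
        event = parse_delivery_line(line)
        if event and event["msgid"] in pending:
            event["context"] = pending[event["msgid"]]
            events.append(event)
    return events


def users_to_warn(events):
    """Contexts whose mail permanently failed: the login flow should tell them."""
    return [e["context"] for e in events if e["status"] == "bounced"]


if __name__ == "__main__":
    waiting = {"<login-42@app.example>": "bob", "<login-43@app.example>": "carol"}
    for e in monitor(SAMPLE_LOG, waiting):
        print(e["context"], e["status"], e["detail"])
```

Deferred results are worth keeping separate from bounces: a greylisted message usually goes through on retry, so only a permanent failure should trigger the warning, and the monitor needs to keep watching the log for the later result line of the same Message-ID.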
This is just another lump on the "email is fucking terrible and impossible to work with" ball of mud. It's no surprise to me that a lot of companies have sprung up around trying to solve these issues and reduce the pain, damn the consequences and burn the old way of doing things.
It's also no surprise to me that the open source community generally has no interest in doing that.
In my opinion, we really should be talking about better email server software and better protocols for email submission. I think that's a prerequisite to software like Ghost supporting non-commercial email providers.
@decentral1se Jes is on here!! @j3s
this is the correct attitude for open source projects. free software is political.
https://forum.yunohost.org/t/am-i-hacked-or-is-this-something-new/36203/14
@Tak Yeah in the config, there's a bunch of rules that allow certain things thru, git clients being one of them.
Hello, world! We are Bunk Computer Cooperative -- a worker-owned technology #coop in Western North Carolina. We're building local computing infrastructure that's of and for Western #northcarolina
We're still getting off the ground, but we've been hard at work the last eight months and we're ready to introduce ourselves. We wrote an #introduction blog post that you can read at the link in our bio, and we'd be thrilled if you did! Boosts Appreciated!
Yours in bits and bytes,
Bunk Cooperators
Right now, I think that these bot deterrents are mostly just functioning similar to a "security thru obscurity" javascript blob.
I don't think the difficulty actually matters at all, you might as well set it to one because if scrapers ever try to solve the proof of work in the future, I think sha256 is categorically not going to work anymore since it's so easy to accelerate and so many accelerators for it already exist (bitcoin).
I actually created a proof of work bot deterrent before the LLM hype even existed. Back then I chose Scrypt as a memory-hard hash function because I wanted it to be as easy as possible for normal website visitors to solve, but as painful as possible for scrapers, even after they perceive it and react to it.
I don't have mine triggering on browser user agents. I just have it trigger all the time by default except for some tools that I allow list like git, npm, go, etc. I also explicitly allow home pages and repository home pages so that search indexers can still find things and display them.
You can see a demo of it here as well as the source code:
@gitea lol jesus christ, people's deployments of their forges are being ddosed constantly by llms nicking their shit, and you're leaning into ai?? read the room
today I set all the git repositories on my personal forgejo server to private because llm crawlers were thrashing my server
when you ask chatgpt a silly question to see the silly answer, or prompt midjourney or whatever for a funny image, or use copilot or claude to vibe code, you are complicit in this
@Tak I run gitea/forgejo as well and I made my own, it works pretty well. The config isn't perfect yet but on the off chance you are using docker I do have a docker compose config example on there.
https://git.sequentialread.com/forest/pow-bot-deterrent-rp
Yeah, it's very cringe how the LLM scraper bots will try to download both zip and tarball of the repo at every single commit.
@dumpsterqueer I think this is what happened to cyberia's old server when it crashed hard, except it was all / most processes. I never really understood it at the time. I believe ZFS was involved, and it was running out of memory.
so the kernel is refusing to kill these nodeular processes because they made a syscall (probably io...?) that never returned? Or something? TIL
I've heard of a lot of different ones of these. Some of them are more black hat than others. But yeah, there's definitely a market for it. It's pretty big.
I am a web technologist who is interested in supporting and building enjoyable ways for individuals, organizations, and communities to set up and maintain their own server infrastructure, including the hardware part.
I am currently working full time as an SRE 😫, but I am also heavily involved with Cyberia Computer Club and Layer Zero