tante
Does anyone know if a Mastodon server can block client applications based on their name?
Mar 25 at 1:34pmWeb
Show threadJanik Besendorf2d ago
@tante of course it can or are you asking if this is already implemented in the code?
Show threadtante2d ago
@besendorf I wonder if that is already available in the configuration UI
Show threadStefan2d ago

@tante

I haven't found a setting, but may have missed it.

@besendorf

Show threadelsa sloth-ringen 🔜🚫GPN :(2d ago
@tante for your own users yes (can be easily done with a web server rule), for someone else's instance's users no
Show threadDaniël Franke 2d ago
@tante Asking for a certain seldo creation?
Show threadtante2d ago
@ainmosni yeah. Since it runs in people's browser's IP blocking or headers don't work, but it registers as a specific Application name with a mastodon server which could be blocked.
Show threadDaniël Franke 2d ago
@tante the problem there is that from another instance you could potentially only block posts that were made by that instance, afaik, you can't see if an app is registered in an account at all.
Show threadtante2d ago
@ainmosni nope all you can do is stop users of your instance from using the tool.
Show threadDaniël Franke 2d ago
@tante That's what I figured, luckily, I doubt my raccoon posting bot will ever run that.
Show threadMx. Eddie R2d ago
@tante
Doesn't currently exist, and might not be possible -- it would require the bad actor's instance to cooperate as well as your own. People like Seldo (this week's LLM bro) just wouldn't play nice.
Show threadtante2d ago
@silvermoon82 tha code uses "Zetgeist" as application name which one could filter. If they start messing around with that thats a whole different story, then he can no longer claim to be a decent citizen
Show threadPreslav Rachev2d ago
@tante @silvermoon82 phew, I thought you meant @murmel_social and got scared 😅
Show threadUriel Fanelli2d ago

@tante

gTs can block based on user-agent. Otherwise, you need some nginx in front, to process headers.

Show threadThomas Cloer2d ago

@tante ChatGPT sez:

"Blocking purely by name is inherently weak because:

* Client names and User-Agents are self-declared and easily spoofed
* A malicious client can just rename itself"

(taken from a much longer answer)

Show threadLars Marowsky-Brée 😷2d ago

@teezeh Did you just reply-person-from-GenAI to * @tante *?

That's ... bold. Very bold. :)

Show threadThomas Cloer2d ago

@larsmb Daredevil me …

@tante

Show threadtante2d ago
@teezeh Sure but when people start messing with their user agents you can consider them explicitly malicious actors.
(you could maybe have come up with that simple fact without using a fascist slop machine)
Show threadThomas Cloer2d ago
@tante Sorry, no offense.
Show threadTekniquelly correct2d ago

@tante Sure, you can block them at the webserver layer like: https://www.xmodulo.com/block-specific-user-agents-nginx-web-server.html

However, if their scraper lies about the user-agent, there's not much you can do.

How to block specific user agents on Nginx web server

This post explains how to block certain user-agent on nginx web server as a way to block malicious bots from accessing your website.

Show threadtante2d ago
@tek the user agent is the user's browser. You need to look into the request
Show threadTekniquelly correct2d ago
@tante There's only so much you can see there, though. And a malicious client could change their agent to be something like "Mastodon/4.5.7 (http.rb/5.3.1 +https://mastodon.soc/)" and they'd look just like another Mastodon server talking to you.
Show threadC.Suthorn 1d ago
@[email protected] I don't know, but it wouldn't make much sense? Only on servers with local-only posts—for example, Mastodon Glitch servers, but not regular Mastodon servers. And on servers that aren't federated. On all other servers, a post could simply be shared via federation to another server and then read on that other server using any client.