/operate/ - Endchan Operations

Let us know what's up


I found where that spam full of random garbage is coming from. It doesn't have any discernable pattern so we can't use the autoban addon to remove it, but it's all coming from the same /24 range of IPs in Russia so we can just rangeban it. The problem is that Lynxchan currently only does /16 rangebans, which would result in substantial collateral damage. To counter this I'm enabling the block bypass function.

If you are rangebanned, you can use the block bypass function to solve a CAPTCHA and bypass the rangeban. This requires your browser to store a "bypass" cookie. No CAPTCHA will be required to post if your IP has not been subject to a rangeban. Block bypasses last for 24 hours or 50 posts.

I've already asked StephenLynx about adding a second, smaller rangeban level.





 >>/5417/
globals can only help delete spam. It's really up to your BO to manage the settings and choose what risks he wants to accept. We recommend using higher (less risky) settings when under attack, such as CAPTCHAs. But all boards should have a thread creation limit.

Maybe someone can type up a guide to the settings better than:
http://endchan.xyz/.static/moderation.html

I can't post anywhere without javascript, no matter how many times I filled the captcha.
http://endchan5doxvprs5.onion/blockBypass.js says 'You have a valid block bypass.' but trying to post without js opens http://endchan5doxvprs5.onion/replyThread.js which 302 redirects to http://endchan5doxvprs5.onion/login.html Please fix it!

 >>/5615/

can confirm this.

I'm using Tor browser with js disabled and after filling in CAPTCHA I'm not redirected to my post (actually my post does not get posted either).

Workaround for now is to fill in the CAPTCHA, redirect to board manually and then write a post, which is kind of annoying.

Can you look into it somehow?

 >>/5615/ 
3rd to confirm this. I brought this up on tech and while I am grateful for the tor support. After the block bypass was implemented I have not been able to post without enabling some sort of cookies or javascript. It may have to do with the redirection. You can not post in a lightweight browser or a heavily about:configured firefox fork without being redirected to the login page.

 >>/5615/
I can't reproduce. I'm logged out, go to /test/ (Tor Browser, JS off, cookies on), create post, either takes to the block bypass page if I don't have one, or just creates the post.

 >>/5617/
> I have not been able to post without enabling some sort of cookies or javascript
Cookies have to be enabled

I can post fine with torbrowser with JS off and cookies on. And I can't fix anything I can't reproduce since I can't dig into it to get the details. So anything more you can provide would be really helpful, settings, version numbers (OS, browser), net capture, etc.


 >>/5619/

 >>/5619/

Are you sure redirection happens automatically after typing CAPTCHA in block bypass page?

I'm using Tor browser in gentoo 64bit multilib with js disabled (cookies on) but I have to manually navigate to other page after finishing CAPTCHA to have block bypass effect.

Can you show us your about:config?

 >>/5622/
> I have to manually navigate to other page after finishing CAPTCHA to have block bypass effect. 
That is the expected behaviour.
What is not expected behaviour is being directed to the login page and not being able to post.

I found the problem, it requires sending HTTP-referers ('network.http.sendRefererHeader' value at least 1). 8chan has this sh*t too. Referers are the 2nd worst privacy invaders after third-party cookies. I don't understand why we should need it. It has 0 benefits. I don't want to copy every outside url manually to open them.

 >>/5630/
Good research. Yes, that's an antispam measure, so it has benefits. 

I've found the section in the lynxchan code that causes this. Maybe we can find a compromise but StephenLynx needs to explain the anti-spam side better.


exports.checkReferer = function(req) {

  if (!req.headers.referer) {
    return false;
  }

  var parsedReferer = url.parse(req.headers.referer);

  var finalReferer = parsedReferer.hostname;
  finalReferer += (parsedReferer.port ? ':' + parsedReferer.port : '');

  return finalReferer === req.headers.host;

};

exports.getAuthenticatedPost = function(req, res, getParameters, callback,
    optionalAuth, exceptionalMimes) {

  if (!exports.checkReferer(req)) {
    exports.redirectToLogin(res);
    return;
  }

  if (getParameters) {

    exports.getPostData(req, res, function(auth, parameters) {

      accountOps.validate(auth, function validated(error, newAuth, userData) {
        if (error && !optionalAuth) {
          exports.redirectToLogin(res);
        } else {
          callback(newAuth, userData, parameters);
        }

      });
    }, exceptionalMimes);
  } else {

    accountOps.validate(exports.getCookies(req), function validated(error,
        newAuth, userData) {

      if (error && !optionalAuth) {
        exports.redirectToLogin(res);
      } else {
        callback(newAuth, userData);
      }
    });
  }

};

 >>/5630/
 >>/5631/
Fixed:
https://gitgud.io/LynxChan/LynxChan/commit/fa8003017057f9920caae8d493eff7b13933e28a

The issue was that I forgot to include the check for the authentication being optional when it failed the check for the referrer.

So when your authentication failed due to your referrer mismatch, it sent you to the login screen, even though you didn't have to authenticate to begin with.

With this fix your referrer won't impact anything at all when you post, unless you expect to post using role signatures.

As to why the referrer is required:
It is only required when you are not using js and you are authenticating your request, as logged in.

The issue is that if someone puts a form to any other site, your browser will still perform whatever the form does using the cookies the destination site set on your browser.

But if I require these requests to come from the same site that is being requested, this is nullified.

tl;dr: it's a CSRF protection that is used minimally.
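
The Referer-based CSRF check and the fix described in the post above, as an added example that is not part of the thread or of LynxChan's code. `routeBefore`, `routeAfter` and the `board.example` requests are hypothetical; `routeAfter` is an assumed shape of the fix based only on the description in the post.

```javascript
// Added illustration, not LynxChan code. routeBefore/routeAfter and the
// board.example requests are hypothetical, constructed for this example.

// Same-origin test on the Referer header, equivalent to the quoted
// checkReferer but using the WHATWG URL global.
function checkReferer(headers) {
  if (!headers.referer) return false;
  let ref;
  try {
    ref = new URL(headers.referer);
  } catch (e) {
    return false; // an unparseable Referer counts as a mismatch
  }
  // URL.host is "hostname[:port]" (default ports omitted), like the Host header
  return ref.host === String(headers.host).toLowerCase();
}

// Behaviour reported in the thread: a mismatch always ends at the login
// page, even on endpoints where authentication is optional.
function routeBefore(headers, optionalAuth, sessionValid) {
  if (!checkReferer(headers)) return 'login';
  if (!sessionValid && !optionalAuth) return 'login';
  return sessionValid ? 'post-as-user' : 'post-anonymous';
}

// Behaviour described for the fix (assumed shape): a mismatch only means the
// session cookie is not honoured; optional-auth endpoints go on anonymously.
function routeAfter(headers, optionalAuth, sessionValid) {
  const authenticated = sessionValid && checkReferer(headers);
  if (!authenticated && !optionalAuth) return 'login';
  return authenticated ? 'post-as-user' : 'post-anonymous';
}

// Constructed requests: Referer disabled, same-site form, form on another site.
const noReferer = { host: 'board.example' };
const sameSite = { host: 'board.example', referer: 'http://board.example/test/res/1.html' };
const crossSite = { host: 'board.example', referer: 'http://other.example/form.html' };

// Columns: before (optional auth), after (optional auth), after (auth required)
for (const [name, h] of Object.entries({ noReferer, sameSite, crossSite })) {
  console.log(name, routeBefore(h, true, true), routeAfter(h, true, true), routeAfter(h, false, true));
}
```

In the `crossSite` row the logged-in user's cookie is ignored, so a form hosted elsewhere can at most produce an anonymous post and never reaches an endpoint that requires authentication.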

Still not working for me in links2 browser. You can modify how you receive and send headers and referrers though so I am willing to change some settings to get it working.



 >>/5630/
> I don't want to copy every outside url manually to open them.

The latest Tor browser update is for you:
> Tor Browser 6.5 -- January 24 2017

>  * Bug 17334: Spoof referrer when leaving a .onion domain

Allowing referrers on per-site basis is a bit harder to do. You still need to use about:config and manually set it, post somewhere and set it back when you are done.

 >>/5631/
> Yes, that's an antispam measure, so it has benefits.

Well, it's worth just as much as relying on the browser's user-agent for anti-spam. Nothing. Even the most simple spambots include referrer spoofing. And when referrers are used for "security purpose" (like at Webfaction), I become so confused: I don't know whether I should cry or laugh.


there's more spam incoming lately. I don't know if it's just some bored scamdude (only one post appearing in latest thread on my board in random time with big intervals) or shitty spambot. Leaving the post for you and the link he gave (added xxx among numbers there, if you remove it you will get actual link) - don't know if it will be of any use for you but whatever

>  >/4/10531

Please fix binary TorIP lookup, k tks:
https://gitgud.io/LynxChan/LynxChan/commit/9f698d23654cbc34c65ac435477d183793322c36
https://gitgud.io/search?utf8=%E2%9C%93&search=TorIps&group_id=&project_id=610&search_code=true&repository_ref=master

8leaks must feel retarded by now


> #1 we don't use them

Stop bullshitting me: https://gitgud.io/search?utf8=%E2%9C%93&search=TorIps&group_id=&project_id=660&search_code=true&repository_ref=master
> #2 I don't see any problem

replied to you the exact problem on overchan: tl;dr why record at all?
> Wut?

Read the first thread  >>/8leaks/1/

 >>/6243/
> Stop bullshitting me
Well, you see that's called the "Master" branch, it contains the latest source code for LynxChan (1.8/1.9?). We don't use vanilla LynxChan, we use InfinityNow which is currently based on 1.7.5. 1.7.5 uses the database to store the list of tor exit nodes, it does not use the "binary TorIP lookup".

> replied to you the exact problem on overchan: tl;dr why record at all?
It's to make sure BOs don't ban tor exit nodes. And again we're not recording, we're downloading the publicly disclosed database from the tor site to speed the software up and reduce the load on the tor project's website.

 >>/6244/ 
/t/cfece09191990a45b0888942f8b1ac922d22dadf/#b142c609366435fbadafdfb84d83d6e47e321165
& 
> project_id=660

> Showing 1 - 19 of 19 blobs for "TorIps" in project InfinityNow / LynxChan 

> we use InfinityNow which is currently based on 1.7.5. 1.7.5 uses the database to store the list of tor exit nodes, it does not use the "binary TorIP lookup".


> to speed the software up and reduce the load on the tor project's website.

tis fine.

since this is about tor I wont make another thread

here's my experience of the endchan.onion links
> wake up monday morning

> go to the endchan.onion links

> 1 open in each tab

> make coffee

> make breakfast

> eat

> shower

> go to work

> come back

> wednesday evening the tabs are fully loaded

> try to post

> takes about 2-3 days for the block bypass to load

> a few weeks later finally the pages loaded and I can post

> refresh the page, go to catalog, go to new threads, block bypass expires

> I die of old age






Oh, and just recount the bumps when a post is deleted. So let's say your threads were laid out like so:

Thread 1.
Thread 2.
Thread 3.
Thread 4.
Thread 5.

Thread 5 is bumped and is now Thread 1. The post that bumped Thread 5 is deleted. Thread 1 returns to Thread 5. This is basically "reverse bumping"

Make it an opt-out feature. It should be the default to prevent spam, imo.

To OdiliTime: Thoughts?





Post linking seems broken and there's a redirect every time I post. Also, no captcha's showing up as it was before, so I have to click on the 'No cookies?'. (Didn't think this needed a separate thread)










 >>/9499/
Those are from your other browsing tabs. NoScript keeps a recent history of sites that it's blocked so you can unbreak the "dynamic" webshites that pull scripts in from approximately 2 gorillion third-party domains. We don't do any of that shit. The only third-party request you should see without clicking a YouTube embed link is a test file we try to pull in from https://end.chan/, an OpenNIC domain OdiliTime controls that shouldn't resolve to anything unless you get your DNS from an OpenNIC resolver. (Of course, if you do click on a YouTube embed, who knows what that fucker is going to pull in, so you do that at your own risk. That's why we cache the thumbnail from youtube.com and make the widget click-to-load, so you can choose whether or not to take that risk.)

 >>/9501/
OK, thanks for the info. I do routinely wipe my browser cache/history, I guess I forgot to do that before I came back here. Likely could have been a news site or some video streaming site that had a bunch of scripts trying to follow me around.

This is the 5th time I tried to upload a huge ass file on TOR,
and the captcha expires before it can finish uploading.
Is there a fucking way it can verify the captcha first, 
then attempt or fail&report to upload the file?!?
This isn't blockBypass.js cookie, this is board-post captcha.js/captchaImage.

This shouldn't even be a bloody problem: You want to upload a file? 
First checkbox you want to upload a file, 
write your message, 
click take me to upload.js, 
and copy and paste this key.

It should instantly fail if it detects a banned file type by just the header,
e.g. .exe, .elf, .out, etc., and reply back such, and link you back to your
thread. 
I prefer the open window/tab method.


 >>/9505/
They need to change the 30 second captcha refresh mandate to at least 2 or 3 minutes. I think this would help, usually when it starts uploading as long as it's the same captcha it will successfully post. Sometimes big files take more than 30 seconds to begin uploading and that's when it refreshes and fucks up the post.


 >>/9516/
1: the captcha expiration is configurable
2: the FE can pre-solve a captcha to make it last for one hour.
3: the FE can access the cookie that says when the captcha expires so users can have it to auto refresh or at least know when it expires.





