/operate/ - Endchan Operations

Let us know what's up

Posting mode: Reply

Drawing x size canvas

Remember to follow the rules

Max file size: 350.00 MB

Max files: 5

Max message length: 4096

Manage Board | Moderate Thread

Return | Catalog | Bottom

Expand All Images

PSA: Block bypass has been enabled for some IPs Balrog Board volunteer 05/17/2016 (Tue) 14:23:15 [Preview] No. 4154
I found where that spam full of random garbage is coming from. It doesn't have any discernable pattern so we can't use the autoban addon to remove it, but it's all coming from the same /24 range of IPs in Russia so we can just rangeban it. The problem is that Lynxchan currently only does /16 rangebans, which would result in substantial collateral damage. To counter this I'm enabling the block bypass function.

If you are rangebanned, you can use the block bypass function to solve a CAPTCHA and bypass the rangeban. This requires your browser to store a "bypass" cookie. No CAPTCHA will be required to post if your IP has not been subject to a rangeban. Block bypasses last for 24 hours or 50 posts.

I've already asked StephenLynx about adding a second, smaller rangeban level.

Anonymous 06/05/2016 (Sun) 04:38:41 [Preview] No. 4445 del
Why can't I post replys to /tech/ or /pol/ ?

odilitime Board owner 06/05/2016 (Sun) 11:25:18 [Preview] No. 4453 del
I dunno, what is it telling you?

Anonymous 06/30/2016 (Thu) 22:39:14 [Preview] No. 4713 del
this is the best workaround at this point. thanks!

Anonymous 10/06/2016 (Thu) 14:54:52 [Preview] No. 5044 del
Can't you just ban all the IPs in the /24 individually?

Anonymous 12/02/2016 (Fri) 22:19:29 [Preview] No. 5417 del
Please help, /librejp/ is getting wiped.

odilitime Board owner 12/06/2016 (Tue) 01:31:07 [Preview] No. 5427 del
globals can only help delete spam. It's really up to your BO manage the settings and choose what risks he wants to accept. We recommend using higher (less risky) settings when under attack, such as CAPTCHAs. But all boards should have a thread creation limit.

Maybe someone can type up a guide to the settings better than:

Anonymous 01/21/2017 (Sat) 13:35:37 [Preview] No. 5615 del
I can't post anywhere without javascript, no matter how many times I filled the captcha.
http://endchan5doxvprs5.onion/blockBypass.js says 'You have a valid block bypass.' but Trying to post without js opens http://endchan5doxvprs5.onion/replyThread.js which 302 redirects to http://endchan5doxvprs5.onion/login.html Please fix it!

Anonymous 01/21/2017 (Sat) 17:47:45 [Preview] No. 5616 del

can confirm this.

I'm using Tor browser with js disabled and after filling in CAPTCHA I'm not redirected to my post (actually my post does not get posted either).

Workaround for now is to fill in the CAPTCHA, redirect to board manually and then write a post, which is kind of annoying.

Can you look into it somehow?

Anonymous 01/21/2017 (Sat) 18:04:22 [Preview] No. 5617 del
3rd to confirm this. I brought this up on tech and while I am grateful for the tor support. After the block bypass was implemented I have not been able to post without enabling some sort of cookies or javascript. It may have to do with the redirection. You can not post in a lightweight browser or a heavily about:configured firefox fork without being redirected to the login page.

odilitime Board owner 01/22/2017 (Sun) 23:04:08 [Preview] No. 5619 del
I can't reproduce. I'm logged out, go to /test/ (Tor Browser, JS off, cookies on), create post, either takes to the block bypass page if I don't have one, or just creates the post.

>I have not been able to post without enabling some sort of cookies or javascript
Cookies have to be enabled

I can post fine with torbrowser with JS off and cookies on. And I can't fix anything I can't reproduce since I can't dig into to get the details. So anything more you can provide would be really helpful, settings, version numbers (OS, browser), net capture, etc.

Anonymous 01/23/2017 (Mon) 04:01:41 [Preview] No. 5620 del
Alright. Lets use the links2 modified for tor use with the settings in /os/. That is one example of this. I do not know why it does this in firefox so maybe that can help deduce the issue.

Anonymous 01/23/2017 (Mon) 08:31:11 [Preview] No. 5622 del


Are you sure redirection happens automatically after typing CAPTCHA in block bypass page?

I'm using Tor browser in gentoo 64bit multilib with js disabled (cookies on) but I have to manually navigate to other page after finishing CAPTCHA to have block bypass effect.

Can you show us your about:config?

Anonymous 01/23/2017 (Mon) 11:53:50 [Preview] No. 5623 del
>I have to manually navigate to other page after finishing CAPTCHA to have block bypass effect.
That is the expected behaviour.
What is not expected behaviour is being directed to the login page and not being able to post.

Anonymous 01/23/2017 (Mon) 22:28:52 [Preview] No. 5630 del
I found the problem, it requires sending HTTP-referers ('network.http.sendRefererHeader' value at least 1). 8chan has this sh*t too. Referers are the 2nd worst privacy invaders after third-party cookies. I don't understand why should we need it. It has 0 benefits. I don't want to copy every outside url manually to open them.

odilitime 01/23/2017 (Mon) 22:46:23 [Preview] No. 5631 del
Good research. Yes, that's an antispam measure, so it has benefits.

I've found the section in the lynxchan code that causes this. Maybe we can find compromise but StephenLynx needs to explain the anti-spam side better.

exports.checkReferer = function(req) {

if (!req.headers.referer) {
return false;

var parsedReferer = url.parse(req.headers.referer);

var finalReferer = parsedReferer.hostname;
finalReferer += (parsedReferer.port ? ':' + parsedReferer.port : '');

return finalReferer === req.headers.host;


exports.getAuthenticatedPost = function(req, res, getParameters, callback,
optionalAuth, exceptionalMimes) {

if (!exports.checkReferer(req)) {

if (getParameters) {

exports.getPostData(req, res, function(auth, parameters) {

accountOps.validate(auth, function validated(error, newAuth, userData) {
if (error && !optionalAuth) {
} else {
callback(newAuth, userData, parameters);

}, exceptionalMimes);
} else {

accountOps.validate(exports.getCookies(req), function validated(error,
newAuth, userData) {

if (error && !optionalAuth) {
} else {
callback(newAuth, userData);


Anonymous 01/23/2017 (Mon) 23:55:23 [Preview] No. 5632 del

The issue was that I forgot to include the check for the authentication being optional when it failed the check for the referrer.

So when your authentication failed due to your referrer mismatch, it sent you to the login screen, even though you didn't had to authenticate to begin with.

With this fix your referrer won't impact anything at all when you post, unless you expect to post using role signatures.

Anonymous 01/24/2017 (Tue) 00:00:33 [Preview] No. 5633 del
As to why the referrer is required:
It is only required when you are not using js and you are authenticating your request, as logged in.

The issue is that if someone puts a form to any other site, your browser will still perform whatever the form does using the cookies the destination site set on your browser.

But if I require these requests to come from the same site that is being requested, this is nullified.

tl,dr; its a CSRF protection that is used minimally.

Anonymous 01/24/2017 (Tue) 00:35:45 [Preview] No. 5634 del
Still not working for me in links2 browser. You can modify how you receive and send headers and referrers though so I am willing to change some settings to get it working.

odilitime 01/24/2017 (Tue) 00:50:27 [Preview] No. 5635 del
I haven't applied the fix to EndChan yet

Anonymous 01/24/2017 (Tue) 00:53:45 [Preview] No. 5636 del
I figured it was the same error that you get on 8ch when it says "invalid referrer". Thanks for looking into it though this is wonderful.

Anonymous 01/25/2017 (Wed) 18:12:29 [Preview] No. 5642 del
>I don't want to copy every outside url manually to open them.
The latest Tor browser update is for you:
>Tor Browser 6.5 -- January 24 2017
> * Bug 17334: Spoof referrer when leaving a .onion domain
Allowing referrers on per-site basis is a bit harder to do. You still need to use about:config and manually set it, post somewhere and set it back when you are done.

>Yes, that's an antispam measure, so it has benefits.
Well, it worth just as much as relying on the browser's user-agent for anti-spam. Nothing. Even the most simple spambots include referrer spoofing. And when referrers are used for "security purpose" (like at Webfaction), I become so confused: I don't know whether I should cry or laugh.

odilitime 01/28/2017 (Sat) 02:02:48 [Preview] No. 5643 del
fix has been applied

>it worth just as much as relying on the browser's user-agent
it's more like, if it stops one piece of spam, it's worth implementing

Czwarty 02/21/2017 (Tue) 19:34:56 [Preview] No. 5713 del
there's more spam incoming lately. I don't know if it's just some bored scamdude (only one post appearing in latest thread on my board in random time with big intervals) or shitty spambot. Leaving the post for you and the link he gave (added xxx among numbers there, if you remove it you will get actual link) - don't know if it will be of any use for you but whatever


Top | Return | Catalog | Post a reply