I made Anubis, a lightweight, open-source Web Application Firewall designed to block automated bot attacks without frustrating real users. Anubis uses techniques like TLS fingerprinting and JavaScript proof of work to keep your site safe while staying flexible, fast, and easy to deploy.
Why does the default config check Mozilla specifically?
{ "name": "generic-browser", "user_agent_regex": "Mozilla", "action": "CHALLENGE" }
Guess that’s why I’ve seen Anubis check screen quite a few times.
Afaik, almost every browser uses “Mozilla/5.0” as part of the user agent; Mozilla mentions it as well in its developer docs about user agents. It’s a historical compatibility thing, apparently.
Interesting, thanks!
Guess it’s the same kinda thing as amd64 on Intel lol
The creator of Anubis did an interview on the Selfhosted Show podcast a little while back and explains this in detail, and it’s worth a listen.
Here’s a time-stamped link to the interview
Great interview! The whole proof-of-work approach is fascinating, and reminds me of a very old email concept he mentions in passing, where an email server would only accept a msg if the sender agreed to pay like a dollar. Then the user would accept the msg, which would refund the dollar. So this would end up costing legitimate senders nothing but would require spammers to front way too much money to make email spamming affordable. In his version the sender must do a processor-intensive computation, which is fine at the volume legitimate senders use but prohibitive for spammers.
Thanks!