/operate/ - Endchan Operations

Let us know what's up

Posting mode: Reply

Check to confirm you're not a robot
Drawing x size canvas

Board Rules

Max file size: 350.00 MB

Max files: 5

Max message length: 4096

Manage Board | Moderate Thread

Return | Magrathea | Catalog | Bottom

Expand All Images

PSA: Block bypass has been enabled for some IPs Balrog Board volunteer 05/17/2016 (Tue) 14:23 [Preview] No. 4154
I found where that spam full of random garbage is coming from. It doesn't have any discernable pattern so we can't use the autoban addon to remove it, but it's all coming from the same /24 range of IPs in Russia so we can just rangeban it. The problem is that Lynxchan currently only does /16 rangebans, which would result in substantial collateral damage. To counter this I'm enabling the block bypass function.

If you are rangebanned, you can use the block bypass function to solve a CAPTCHA and bypass the rangeban. This requires your browser to store a "bypass" cookie. No CAPTCHA will be required to post if your IP has not been subject to a rangeban. Block bypasses last for 24 hours or 50 posts.

I've already asked StephenLynx about adding a second, smaller rangeban level.

Anonymous 06/05/2016 (Sun) 04:38:41 [Preview] No. 4445 del
Why can't I post replys to /tech/ or /pol/ ?

odilitime Board owner 06/05/2016 (Sun) 11:25:18 [Preview] No. 4453 del
I dunno, what is it telling you?

Anonymous 06/30/2016 (Thu) 22:39:14 [Preview] No. 4713 del
this is the best workaround at this point. thanks!

Anonymous 10/06/2016 (Thu) 14:54:52 [Preview] No. 5044 del
Can't you just ban all the IPs in the /24 individually?

Anonymous 12/02/2016 (Fri) 22:19:29 [Preview] No. 5417 del
Please help, /librejp/ is getting wiped.

odilitime Board owner 12/06/2016 (Tue) 01:31:07 [Preview] No. 5427 del
globals can only help delete spam. It's really up to your BO manage the settings and choose what risks he wants to accept. We recommend using higher (less risky) settings when under attack, such as CAPTCHAs. But all boards should have a thread creation limit.

Maybe someone can type up a guide to the settings better than:

Anonymous 01/21/2017 (Sat) 13:35:37 [Preview] No. 5615 del
I can't post anywhere without javascript, no matter how many times I filled the captcha.
http://endchan5doxvprs5.onion/blockBypass.js says 'You have a valid block bypass.' but Trying to post without js opens http://endchan5doxvprs5.onion/replyThread.js which 302 redirects to http://endchan5doxvprs5.onion/login.html Please fix it!

Anonymous 01/21/2017 (Sat) 17:47:45 [Preview] No. 5616 del

can confirm this.

I'm using Tor browser with js disabled and after filling in CAPTCHA I'm not redirected to my post (actually my post does not get posted either).

Workaround for now is to fill in the CAPTCHA, redirect to board manually and then write a post, which is kind of annoying.

Can you look into it somehow?

Anonymous 01/21/2017 (Sat) 18:04:22 [Preview] No. 5617 del
3rd to confirm this. I brought this up on tech and while I am grateful for the tor support. After the block bypass was implemented I have not been able to post without enabling some sort of cookies or javascript. It may have to do with the redirection. You can not post in a lightweight browser or a heavily about:configured firefox fork without being redirected to the login page.

odilitime Board owner 01/22/2017 (Sun) 23:04:08 [Preview] No. 5619 del
I can't reproduce. I'm logged out, go to /test/ (Tor Browser, JS off, cookies on), create post, either takes to the block bypass page if I don't have one, or just creates the post.

>I have not been able to post without enabling some sort of cookies or javascript
Cookies have to be enabled

I can post fine with torbrowser with JS off and cookies on. And I can't fix anything I can't reproduce since I can't dig into to get the details. So anything more you can provide would be really helpful, settings, version numbers (OS, browser), net capture, etc.

Anonymous 01/23/2017 (Mon) 04:01:41 [Preview] No. 5620 del
Alright. Lets use the links2 modified for tor use with the settings in /os/. That is one example of this. I do not know why it does this in firefox so maybe that can help deduce the issue.

Anonymous 01/23/2017 (Mon) 08:31:11 [Preview] No. 5622 del


Are you sure redirection happens automatically after typing CAPTCHA in block bypass page?

I'm using Tor browser in gentoo 64bit multilib with js disabled (cookies on) but I have to manually navigate to other page after finishing CAPTCHA to have block bypass effect.

Can you show us your about:config?

Anonymous 01/23/2017 (Mon) 11:53:50 [Preview] No. 5623 del
>I have to manually navigate to other page after finishing CAPTCHA to have block bypass effect.
That is the expected behaviour.
What is not expected behaviour is being directed to the login page and not being able to post.

Anonymous 01/23/2017 (Mon) 22:28:52 [Preview] No. 5630 del
I found the problem, it requires sending HTTP-referers ('network.http.sendRefererHeader' value at least 1). 8chan has this sh*t too. Referers are the 2nd worst privacy invaders after third-party cookies. I don't understand why should we need it. It has 0 benefits. I don't want to copy every outside url manually to open them.

odilitime 01/23/2017 (Mon) 22:46:23 [Preview] No. 5631 del
Good research. Yes, that's an antispam measure, so it has benefits.

I've found the section in the lynxchan code that causes this. Maybe we can find compromise but StephenLynx needs to explain the anti-spam side better.

exports.checkReferer = function(req) {

if (!req.headers.referer) {
return false;

var parsedReferer = url.parse(req.headers.referer);

var finalReferer = parsedReferer.hostname;
finalReferer += (parsedReferer.port ? ':' + parsedReferer.port : '');

return finalReferer === req.headers.host;


exports.getAuthenticatedPost = function(req, res, getParameters, callback,
optionalAuth, exceptionalMimes) {

if (!exports.checkReferer(req)) {

if (getParameters) {

exports.getPostData(req, res, function(auth, parameters) {

accountOps.validate(auth, function validated(error, newAuth, userData) {
if (error && !optionalAuth) {
} else {
callback(newAuth, userData, parameters);

}, exceptionalMimes);
} else {

accountOps.validate(exports.getCookies(req), function validated(error,
newAuth, userData) {

if (error && !optionalAuth) {
} else {
callback(newAuth, userData);


Anonymous 01/23/2017 (Mon) 23:55:23 [Preview] No. 5632 del

The issue was that I forgot to include the check for the authentication being optional when it failed the check for the referrer.

So when your authentication failed due to your referrer mismatch, it sent you to the login screen, even though you didn't had to authenticate to begin with.

With this fix your referrer won't impact anything at all when you post, unless you expect to post using role signatures.

Anonymous 01/24/2017 (Tue) 00:00:33 [Preview] No. 5633 del
As to why the referrer is required:
It is only required when you are not using js and you are authenticating your request, as logged in.

The issue is that if someone puts a form to any other site, your browser will still perform whatever the form does using the cookies the destination site set on your browser.

But if I require these requests to come from the same site that is being requested, this is nullified.

tl,dr; its a CSRF protection that is used minimally.

Anonymous 01/24/2017 (Tue) 00:35:45 [Preview] No. 5634 del
Still not working for me in links2 browser. You can modify how you receive and send headers and referrers though so I am willing to change some settings to get it working.

odilitime 01/24/2017 (Tue) 00:50:27 [Preview] No. 5635 del
I haven't applied the fix to EndChan yet

Anonymous 01/24/2017 (Tue) 00:53:45 [Preview] No. 5636 del
I figured it was the same error that you get on 8ch when it says "invalid referrer". Thanks for looking into it though this is wonderful.

Anonymous 01/25/2017 (Wed) 18:12:29 [Preview] No. 5642 del
>I don't want to copy every outside url manually to open them.
The latest Tor browser update is for you:
>Tor Browser 6.5 -- January 24 2017
> * Bug 17334: Spoof referrer when leaving a .onion domain
Allowing referrers on per-site basis is a bit harder to do. You still need to use about:config and manually set it, post somewhere and set it back when you are done.

>Yes, that's an antispam measure, so it has benefits.
Well, it worth just as much as relying on the browser's user-agent for anti-spam. Nothing. Even the most simple spambots include referrer spoofing. And when referrers are used for "security purpose" (like at Webfaction), I become so confused: I don't know whether I should cry or laugh.

odilitime 01/28/2017 (Sat) 02:02:48 [Preview] No. 5643 del
fix has been applied

>it worth just as much as relying on the browser's user-agent
it's more like, if it stops one piece of spam, it's worth implementing

Czwarty 02/21/2017 (Tue) 19:34:56 [Preview] No. 5713 del
there's more spam incoming lately. I don't know if it's just some bored scamdude (only one post appearing in latest thread on my board in random time with big intervals) or shitty spambot. Leaving the post for you and the link he gave (added xxx among numbers there, if you remove it you will get actual link) - don't know if it will be of any use for you but whatever


odilitime Board volunteer 05/02/2017 (Tue) 04:23:46 [Preview] No. 6242 del
#1 we don't use them
#2 I don't see any problem

>8leaks must feel retarded by now

Anonymous 05/02/2017 (Tue) 06:14:38 [Preview] No. 6243 del
>#1 we don't use them
Stop bullshitting me: https://gitgud.io/search?utf8=%E2%9C%93&search=TorIps&group_id=&project_id=660&search_code=true&repository_ref=master
>#2 I don't see any problem
replied to you the exact problem on overchan: tl;dr why record at all?
Read the first thread >>>/8leaks/1

odilitime 05/03/2017 (Wed) 00:35:34 [Preview] No. 6244 del
>Stop bullshitting me
Well, you see that's called the "Master" branch, it contains the latest source code for LynxChan (1.8/1.9?). We don't use vanilla LynxChan, we use InfinityNow which is currently based on 1.7.5. 1.7.5 uses the database to store the list of tor exit nodes, it does not use the "binary TorIP lookup".

>replied to you the exact problem on overchan: tl;dr why record at all?
It's to make sure BOs don't ban tor exit nodes. And again we're not recording, we're download the publicly disclosed database from the tor site to speed the software up and reduce the load on the tor project's website.

Anonymous 05/03/2017 (Wed) 01:44:44 [Preview] No. 6245 del
>Showing 1 - 19 of 19 blobs for "TorIps" in project InfinityNow / LynxChan
>we use InfinityNow which is currently based on 1.7.5. 1.7.5 uses the database to store the list of tor exit nodes, it does not use the "binary TorIP lookup".

>to speed the software up and reduce the load on the tor project's website.
tis fine.

Anonymous 05/05/2017 (Fri) 00:06:05 [Preview] No. 6251 del
since this is about tor I wont make another thread

here's my experience of the endchan.onion links
>wake up monday morning
>go to the endchan.onion links
>1 open in each tab
>make coffee
>make breakfast
>go to work
>come back
>wednesday evening the tabs are fully loaded
>try to post
>takes about 2-3 days for the block bypass to load
>a few weeks later finally the pages loaded and I can post
>refresh the page, go to catalog, go to new threads, block bypass expires
>I die of old age

odilitime Board volunteer 05/05/2017 (Fri) 22:04:08 [Preview] No. 6253 del
if I know how to make the onion not shit, I would. I'm told restarting it too often isn't good either. There's not much I can do

Anonymous 06/07/2017 (Wed) 02:23:57 [Preview] No. 6406 del
The block bypass is incredibly annoying for certain vpns I just wanted to bitch about that. Also storing cookies pisses me off. K done bitching.

Anonymous 06/13/2017 (Tue) 08:29:16 [Preview] No. 6439 del
then come up with a better way to stop tor flooding

Anonymous 06/13/2017 (Tue) 20:09:19 [Preview] No. 6448 del

Anonymous 07/14/2017 (Fri) 03:11:19 [Preview] No. 6768 del
captcha every 5 posts

Anonymous 07/14/2017 (Fri) 03:13:28 [Preview] No. 6769 del
Oh, and just recount the bumps when a post is deleted. So let's say your threads were layed out like so:

Thread 1.
Thread 2.
Thread 3.
Thread 4.
Thread 5.

Thread 5 is bumped and is now Thread 1. The post that bumped Thread 5 is deleted. Thread 1 returns to Thread 5. This is basically "reverse bumping"

Make it an opt-out feature. It should be the default to prevent spam, imo.

To OdiliTime: Thoughts?

odilitime Board volunteer 08/12/2017 (Sat) 21:58:05 [Preview] No. 6919 del
Wouldn't do anything for spam. I'll bring it up to StephenLynx see if he can put it in 1.9

Anonymous 08/14/2017 (Mon) 19:18:52 [Preview] No. 6920 del
I've just gotten a block bypass on my VPN for the first time, does this affect all IPs or just some?

Anonymous 08/23/2017 (Wed) 01:52:01 [Preview] No. 6975 del
It's not to prevent spam itself, but moreso to prevent the damage caused by the spam.

odilitime Board volunteer 08/23/2017 (Wed) 23:15:02 [Preview] No. 7000 del
only IPs on the stopspam blocklist.

Anonymous 08/27/2017 (Sun) 01:31:52 [Preview] No. 7005 del
Post linking seems broken and there's a redirect every time I post. Also, no captcha's showing up as it was before, so I have to click on the 'No cookies?'. (Didn't think this needed a separate thread)

Anonymous 08/27/2017 (Sun) 03:51:03 [Preview] No. 7006 del
Hey odil /sp/ is getting hit with spam right now, probly enough to effect the site

Anonymous 01/10/2018 (Wed) 18:53:12 [Preview] No.8094 del
/sp/ is always loaded with spam

Anonymous 02/02/2018 (Fri) 02:43:18 [Preview] No.8168 del
it was like thousand post botspam
not gud 'spam'

Anonymous 06/26/2018 (Tue) 01:51:17 [Preview] No.9411 del
why do some boards how more expansive block bypass than others?

odilitime#ZlQ6/c 06/27/2018 (Wed) 15:33:19 [Preview] No.9424 del
Diffrent boards use diffrent data mining to be more effective. I've been trying to work on neural links for all users so that all your thoughts can just be read. Its coming soon.

odilitime Board volunteer 07/02/2018 (Mon) 07:49:18 [Preview] No.9435 del
Board Operators have a lot of control and choice

Anonymous 07/02/2018 (Mon) 16:41:29 [Preview] No.9441 del
>when your attempt to imitate the site admin fails miserably

Anonymous 07/10/2018 (Tue) 01:10:52 [Preview] No.9460 del

Anonymous 07/27/2018 (Fri) 16:34:27 [Preview] No.9499 del
(389.48 KB 1160x743 Scripts Blocked.png)
I'll just post this here because I don't think this deserves its own thread: why are all these third party scripts trying to access my browser while on endchan? See pic. Are these datamining users?

Balrog Board owner 07/28/2018 (Sat) 00:18:47 [Preview] No.9501 del
Those are from your other browsing tabs. NoScript keeps a recent history of sites that it's blocked so you can unbreak the "dynamic" webshites that pull scripts in from approximately 2 gorillion third-party domains. We don't do any of that shit. The only third-party request you should see without clicking a YouTube embed link is a test file we try to pull in from https://end.chan/, an OpenNIC domain OdiliTime controls that shouldn't resolve to anything unless you get your DNS from an OpenNIC resolver. (Of course, if you do click on a YouTube embed, who knows what that fucker is going to pull in, so you do that at your own risk. That's why we cache the thumbnail from youtube.com and make the widget click-to-load, so you can choose whether or not to take that risk.)

Anonymous 07/28/2018 (Sat) 00:29:16 [Preview] No.9502 del
OK, thanks for the info. I do routinely wipe my browser cache/history, I guess I forgot to do that before I came back here. Likely could have been a news site or some video streaming site that had a bunch of scripts trying to follow me around.

Anonymous 07/29/2018 (Sun) 08:37:56 [Preview] No.9505 del
This is the 5th time I tried upload a huge ass file on TOR,
and the captcha expires before it can finish uploading.
Is there a fucking way it can verify the captcha first,
then attempt or fail&report to upload the file?!?
This isn't blockBypass.js cookie, this is board-post captcha.js/captchaImage.

This shouldn't even be a bloody problem: You want to upload a file?
First checkbox you want to upload a file,
write your message,
click take me to upload.js,
and copy and past this key.

If should instantly fail if it detects a banned file type by just the header,
e.g. .exe, .elf, .out, etc., and reply back such, and link you back to your
I prefer the open window/tab method.

Anonymous 07/29/2018 (Sun) 09:12:57 [Preview] No.9506 del
Just tried clearnet, same shit.

Anonymous 08/02/2018 (Thu) 18:33:07 [Preview] No.9516 del
They need to change the 30 second captcha refresh mandate to at least 2 or 3 minutes. I think this would help, usually when it starts uploading as long as its the same captcha it will successfully post. Sometimes big files take more than 30 seconds to begin uploading and thats when it refreshes and fucks up the post.

odilitime Board volunteer 08/06/2018 (Mon) 10:57:33 [Preview] No.9522 del
I'll talk to StephenLynx about this

StephenLynx 11/23/2018 (Fri) 16:02 [Preview] No.10092 del
1: the captcha expiration is configurable
2: the FE can pre-solve a captcha to make it last for one hour.
3: the FE can access the cookie that says when the captcha expires so users can have it to auto refresh or at least know when it expires.

Anonymous 12/21/2018 (Fri) 05:56 [Preview] No.10136 del
just use another file hosting service and post the link

Anonymous 02/18/2019 (Mon) 05:26 [Preview] No.10272 del
Can the block bypass link be added for each tor in the toolbar? It's getting annoying with the pop up windows not opening having to switch back and forth

Anonymous 03/02/2019 (Sat) 10:14 [Preview] No.10289 del
your capcha is more annoying than recapcha

Anonymous 05/20/2019 (Mon) 10:33 [Preview] No.10356 del
but not as annoying as on 8ch

Top | Catalog | Post a reply | Magrathea | Return