Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://poa.st/objects/3779a0df-93e1-4ddb-a5b6-213334c8e8c1">anime graf mays ?️? (graf@poa.st)'s status on Wednesday, 06-Dec-2023 20:10:26 JST</a><a href="https://poa.st/users/graf" title="graf@poa.st"><img src="https://gnusocial.jp/avatar/990-48-20220724152015.webp" width="48" height="48" alt="anime graf mays ?️?" style="position: absolute; left: 0; top: 0;">anime graf mays ?️?</a><div><ul><li><li><a href="https://gnusocial.jp/user/143897" title="drand@techhub.social">Dave Rand</a></li></ul></div></section><article>sharing this in the event some of you instance admins haven't seen it. i checked ours, he's using the user agent string "unshortenit 0.4.0" and has been hammering at the rate of 5r/s since 01/Dec/2023:00 :28:46 +0000<br><br>ive blocked the user agent string and blackholed the ip. apparently this guy <a href="https://techhub.social/@Drand">@Drand</a> was given grant money to do this and is conducting himself in a malicious manner. perhaps some of that grant money should be given to instance operators<br><br>RT: <a href="https://nya.social/notes/818c3d1bdb3e20788eb08e25">https://nya.social/notes/818c3d1bdb3e20788eb08e25</a></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/2419956#notice-4783113">In conversation</a><time datetime="2023-12-06T20:10:26+09:00" title="Wednesday, 06-Dec-2023 20:10:26 JST">Wednesday, 06-Dec-2023 20:10:26 JST</time> <span>from <span><a href="https://poa.st/objects/3779a0df-93e1-4ddb-a5b6-213334c8e8c1" rel="external" title="Sent from poa.st via ActivityPub">poa.st</a></span></span><a href="https://poa.st/objects/3779a0df-93e1-4ddb-a5b6-213334c8e8c1">permalink</a><h4>Attachments</h4><ol><li><article><header><div>Domain not in remote thumbnail source whitelist: nya.social</div><h5><a href="https://nya.social/notes/818c3d1bdb3e20788eb08e25">anatil e\x9f\xf0\xbc\xa5n lu\x00l (@natalie)</a></h5><div></div></header><div>there is currently a bot inside MIT IP space, address `18[.]4[.]38[.]176`, scanning fedi at large. i have confirmed this with 5+ unrelated instance admins, large and small instances, across mastodon/misskey/pleroma/akkoma.the bot is poorly behaved. i have observed it making repeated requests, multiple times per second, for the exact same paths (the paths being, generally: user profiles, specific posts, and sometimes following links in posts). returning 403s does not stop this activity. one of my domains received hundreds of additional requests despite replying with 403 to all of them. i have also seen it make requests for paths containing html tags - seems like a badly written parser. the purpose of these requests and what data is being gathered is unclear.PTR on the ip returns `sts-drand03.mit.edu`. a quick web search for "mit drand" brings back https://mitsloan.mit.edu/faculty/directory/david-g-rand and his personal website: https://davidrand-cooperation.com/ (note: other IPs in the /24 also have names in the PTR which match up with names of MIT faculty, but only the .176 IP appears to be involved in this activity).
seems he's doing research into "misinformation" and "fake news" on social media. he also appears to be on fedi! so @Drand@techhub.social, given this activity is sourced from an IP with your name on it, could you share the purpose of this traffic? what data is being collected and how is it being used? do you plan to respect robots.txt or identify yourself in your useragent? is there a process for instance admins to opt out of this activity other than blocking the source IP?</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
anime graf mays ?️? (graf@poa.st)'s status on Wednesday, 06-Dec-2023 20:10:26 JSTanime graf mays ?️?
- นาตาลี :bellsystem:
- Dave Rand
sharing this in the event some of you instance admins haven't seen it. i checked ours, he's using the user agent string "unshortenit 0.4.0" and has been hammering at the rate of 5r/s since 01/Dec/2023:00 :28:46 +0000

ive blocked the user agent string and blackholed the ip. apparently this guy @Drand was given grant money to do this and is conducting himself in a malicious manner. perhaps some of that grant money should be given to instance operators

RT: https://nya.social/notes/818c3d1bdb3e20788eb08e25
In conversationWednesday, 06-Dec-2023 20:10:26 JST from poa.stpermalink
Attachments
1. Domain not in remote thumbnail source whitelist: nya.social
  anatil e\x9f\xf0\xbc\xa5n lu\x00l (@natalie)
  there is currently a bot inside MIT IP space, address `18[.]4[.]38[.]176`, scanning fedi at large. i have confirmed this with 5+ unrelated instance admins, large and small instances, across mastodon/misskey/pleroma/akkoma. the bot is poorly behaved. i have observed it making repeated requests, multiple times per second, for the exact same paths (the paths being, generally: user profiles, specific posts, and sometimes following links in posts). returning 403s does not stop this activity. one of my domains received hundreds of additional requests despite replying with 403 to all of them. i have also seen it make requests for paths containing html tags - seems like a badly written parser. the purpose of these requests and what data is being gathered is unclear. PTR on the ip returns `sts-drand03.mit.edu`. a quick web search for "mit drand" brings back https://mitsloan.mit.edu/faculty/directory/david-g-rand and his personal website: https://davidrand-cooperation.com/ (note: other IPs in the /24 also have names in the PTR which match up with names of MIT faculty, but only the .176 IP appears to be involved in this activity). seems he's doing research into "misinformation" and "fake news" on social media. he also appears to be on fedi! so @Drand@techhub.social, given this activity is sourced from an IP with your name on it, could you share the purpose of this traffic? what data is being collected and how is it being used? do you plan to respect robots.txt or identify yourself in your useragent? is there a process for instance admins to opt out of this activity other than blocking the source IP?

Public

Embed Notice

HTML Code

Corresponding Notice