this post was submitted on 07 Jul 2025

570 points (98.3% liked)

Open Source

38724 readers

527 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Posts must be relevant to the open source ideology
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago

MODERATORS

[email protected]

570

The Open-Source Software Saving the Internet From AI Bot Scrapers (www.404media.co)

submitted 1 day ago by [email protected] to c/[email protected]

106 comments fedilink hide all child comments

(page 2) 50 comments

sorted by: hot top controversial new old

[–] [email protected] 18 points 1 day ago* (last edited 1 day ago) (4 children)

I don't understand how/why this got so popular out of nowhere... the same solution has already existed for years in the form of haproxy-protection and a couple others... but nobody seems to care about those.

load more comments (4 replies)

[–] [email protected] 37 points 1 day ago

Everytime I see anubis I get happy because I know the website has some quality information.

[–] [email protected] 2 points 1 day ago

it wont protect more then one subdomain i think

[–] [email protected] 120 points 1 day ago* (last edited 1 day ago) (3 children)

Non paywalled link https://archive.is/VcoE1

It basically boils down to making the browser do some cpu heavy calculations before allowing access. This is no problem for a single user, but for a bot farm this would increase the amount of compute power they need 100x or more.

[–] [email protected] 7 points 1 day ago

Thank you for the link. Good read

[–] [email protected] 71 points 1 day ago (6 children)

Exactly. It's called proof-of-work and was originally invented to reduce spam emails but was later used by Bitcoin to control its growth speed

load more comments (6 replies)

load more comments (1 replies)

[–] [email protected] 48 points 1 day ago

My archive's server uses Anubis and after initial configuration it's been pain-free. Also, I'm no longer getting multiple automated emails a day about how the server's timing out. It's great.

We went from about 3000 unique "pinky swear I'm not a bot" visitors per (iirc) half a day to 20 such visitors. Twenty is much more in-line with expectations.

[–] [email protected] 12 points 1 day ago (1 children)

Just recently there was a guy on the NANOG List ranting about Anubis being the wrong approach and people should just cache properly then their servers would handle thousands of users and the bots wouldn't matter. Anyone who puts git online has no-one to blame but themselves, e-commerce should just be made cacheable etc. Seemed a bit idealistic, a bit detached from the current reality.

Ah found it, here

[–] [email protected] 14 points 1 day ago (3 children)

Someone making an argument like that clearly does not understand the situation. Just 4 years ago, a robots.txt was enough to keep most bots away, and hosting personal git on the web required very little resources. With AI companies actively profiting off stealing everything, a robots.txt doesn't mean anything. Now, even a relatively small git web host takes an insane amount of resources. I'd know - I host a Forgejo instance. Caching doesn't matter, because diffs berween two random commits are likely unique. Ratelimiting doesn't matter, they will use different IP (ranges) and user agents. It would also heavily impact actual users "because the site is busy".

A proof-of-work solution like Anubis is the best we have currently. The least possible impact to end users, while keeping most (if not all) AI scrapers off the site.

load more comments (3 replies)

[–] [email protected] 27 points 1 day ago (9 children)

Ooh can this work with Lemmy without affecting federation?

[–] [email protected] 10 points 1 day ago (1 children)

"Yes", for any bits the user sees. The frontend UI can be behind Anubis without issues. The API, including both user and federation, cannot. We expect "bots" to use an API, so you can't put human verification in front of it. These "bots* also include applications that aren't aware of Anubis, or unable to pass it, like all third party Lemmy apps.

That does stop almost all generic AI scraping, though it does not prevent targeted abuse.

load more comments (1 replies)

[–] [email protected] 29 points 1 day ago (1 children)

Yes.

Source: I use it on my instance and federation works fine

[–] [email protected] 15 points 1 day ago (1 children)

Thanks. Anything special configuring it?

[–] [email protected] 18 points 1 day ago* (last edited 1 day ago)

I keep my server config in a public git repo, but I don't think you have to do anything really special to make it work with lemmy. Since I use Traefik I followed the guide for setting up Anubis with Traefik.

I don't expect to run into issues as Anubis specifically looks for user-agent strings that appear like human users (i.e. they contain the word "Mozilla" as most graphical web browsers do) any request clearly coming from a bot that identifies itself is left alone, and lemmy identifies itself as "Lemmy/{version} +{hostname}" in requests.

[–] [email protected] 4 points 1 day ago

As long as its not configured improperly. When forgejo devs added it it broke downloading images with Kubernetes for a moment. Basically would need to make sure user agent header for federation is allowed.

[–] [email protected] 5 points 1 day ago

Yeah, it's already deployed on slrpnk.net. I see it momentarily every time I load the site.

load more comments (5 replies)

[–] [email protected] 21 points 1 day ago (7 children)

What advantage does this software provide over simply banning bots via robots.txt?

[–] [email protected] 28 points 1 day ago

TL;DR: You should have both due to the explicit breaking of the robots.txt contract by AI companies.

AI generally doesn't obey robots.txt. That file is just notifying scrapers what they shouldn't scrape, but relies on good faith of the scrapers. Many AI companies have explicitly chosen not no to comply with robots.txt, thus breaking the contract, so this is a system that causes those scrapers that are not willing to comply to get stuck in a black hole of junk and waste their time. This is a countermeasure, but not a solution. It's just way less complex than other options that just block these connections, but then make you get pounded with retries. This way the scraper bot gets stuck for a while and doesn't waste as many of your resources blocking them over and over again.

[–] [email protected] 14 points 1 day ago

The difference is:

robots.txt is a promise without a door
Anubis is a physical closed door, that opens up after some time

[–] [email protected] -5 points 1 day ago

I mean, you could have read the article before asking, it's literally in there...

[–] [email protected] 45 points 1 day ago

Well, now that y'all put it that way, I think it was pretty naive from me to think that these companies, whose business model is basically theft, would honour a lousy robots.txt file...

[–] [email protected] 8 points 1 day ago

The problem is Ai doesn't follow robots.txt,so Cloudflare are Anubis developed a solution.

[–] [email protected] 84 points 1 day ago

Robots.txt expects that the client is respecting the rules, for instance, marking that they are a scraper.

AI scrapers don't respect this trust, and thus robots.txt is meaningless.

[–] [email protected] 32 points 1 day ago

the scrapers ignore robots.txt. It doesn't really ban them - it just asks them not to access things, but they are programmed by assholes.

load more comments