Replace RDAP/ipwhois signup-IP classifier with ipapi.is
Flags datacenter, vpn, proxy, tor, and independently-scored abuser signals instead of regex-matching RDAP org names; anonymous tier covers 1000 req/day, well above signup volume.
This commit is contained in:
+9
-11
@@ -80,11 +80,16 @@ ABUSE_USER_DM=Hi @{acct} — your yttrx account has been temporarily limited whi
|
||||
|
||||
# --- IP-based signup scrutiny -----------------------------------------------
|
||||
# Classifies each new signup's IP (Admin::Account.ip, delivered free on the
|
||||
# account.created webhook) via RDAP org lookup, and treats non-residential/
|
||||
# non-mobile ("datacenter"/hosting/VPN) signups with more scrutiny. Master
|
||||
# switch:
|
||||
# account.created webhook) via ipapi.is, and flags it if ipapi.is reports it
|
||||
# as any of datacenter, vpn, proxy, tor, or an independently-scored abuser.
|
||||
# Master switch:
|
||||
IP_SCRUTINY_ENABLED=true
|
||||
|
||||
# Optional ipapi.is API key for higher rate limits. Anonymous (blank) is
|
||||
# capped at 1,000 req/day, which comfortably covers yttrx's signup volume;
|
||||
# get a key at https://ipapi.is/ only if you expect to exceed that.
|
||||
IP_SCRUTINY_IPAPI_KEY=
|
||||
|
||||
# Rollout safety: when true, classify + DM a moderator but take NO action
|
||||
# (no held welcome, no ip_blocks write). Recommended for the first days in
|
||||
# production; flip to false once you've reviewed the false-positive rate.
|
||||
@@ -97,7 +102,7 @@ IP_SCRUTINY_HOLD_WELCOME=true
|
||||
|
||||
# Distinct-reporter threshold used instead of the tier's usual
|
||||
# ABUSE_SOURCES_* threshold (whichever is lower) when the reported account's
|
||||
# signup IP was flagged as datacenter/hosting.
|
||||
# signup IP was flagged.
|
||||
IP_SCRUTINY_ABUSE_THRESHOLD=1
|
||||
|
||||
# Auto-register a flagged IP into Mastodon's native Admin::IpBlock. Requires
|
||||
@@ -111,13 +116,6 @@ IP_SCRUTINY_AUTO_IPBLOCK=true
|
||||
# or no_access (blocks all access, not just signups).
|
||||
IP_SCRUTINY_IPBLOCK_SEVERITY=sign_up_requires_approval
|
||||
|
||||
# Case-insensitive regexes matched against the RDAP org/ASN description.
|
||||
# Anything matching neither is treated as "residential" (never flagged).
|
||||
# Only IP_SCRUTINY_HOSTING_RE matches are flagged; IP_SCRUTINY_MOBILE_RE is
|
||||
# informational only (mobile carriers are never scrutinized).
|
||||
IP_SCRUTINY_HOSTING_RE=amazon|aws|google|microsoft|azure|digitalocean|ovh|hetzner|linode|vultr|contabo|choopa|m247|scaleway|leaseweb|hostinger|namecheap|godaddy|cloudflare|oracle|alibaba|tencent|akamai|fastly|packet|vpn|proxy|hosting|datacenter|data center|colo(?:cation)?|server
|
||||
IP_SCRUTINY_MOBILE_RE=mobile|wireless|cellular|verizon|t-mobile|tmobile|at&t|att mobility|vodafone|telstra|sprint|three\b|orange mobile|deutsche telekom|o2\b
|
||||
|
||||
# check-mail.org disposable/high-risk email domain scrutiny (roadmap item B,
|
||||
# anti-abuse.md). Domain-only query (never the full email) against
|
||||
# POST https://api.check-mail.org/v2/, Authorization: Bearer <key>.
|
||||
|
||||
Reference in New Issue
Block a user