Dear Nostr client developers, relay automation software developers, protocol extension software developers, please add proper User-Agent headers to your HTTP clients and WebSocket clients, and if necessary declare the client's characteristics and IP range in both directions.
Last night, I blocked some massive resource abusers for my community relay. They all had one thing in common: without a User-Agent, I had no way of knowing who was behind the IP. I recommend that all client developers include the full and correct User-Agent header for both HTTP clients and WebSocket clients, especially for unsolicited messages, and preferably with contact information. I realize that this header can be easily tampered with, but as long as the administrator of a particular dedicated facility declares the IP range and User-Agent characteristics of their client in both directions, this is still valid, as is the case with Googlebot crawlers.
Since I had no way of knowing who was who, I made the mistake of blocking the bot used by Mostr.pub to check the validity of NIP-05 identity in user profiles for a few days, which led to a few minor problems. It was only after a targeted check of the server logs that I realized it was hiding in a visitor with the User-Agent "Deno". cc: Alex Gleason (npub1q3s…d26p)
CXPLAY
npub1gd…ch58h
2025-05-10 05:24:36
Author Public Key
npub1gd8e0xfkylc7v8c5a6hkpj4gelwwcy99jt90lqjseqjj2t253s2s6ch58hPublished at
2025-05-10 05:24:36Event JSON
{
"id": "d3fd5e0f5aaa70f620eee6ecd14b2d0e40593b45a8c4338bbd058f4260988cfd",
"pubkey": "434f97993627f1e61f14eeaf60caa8cfdcec10a592caff8250c825252d548c15",
"created_at": 1746854676,
"kind": 1,
"tags": [
[
"p",
"0461fcbecc4c3374439932d6b8f11269ccdb7cc973ad7a50ae362db135a474dd"
],
[
"client",
"Nostr.moe",
"31990:266815e0c9210dfa324c6cba3573b14bee49da4209a9456f9484e5106cd408a5:1743748820"
]
],
"content": "Dear Nostr client developers, relay automation software developers, protocol extension software developers, please add proper User-Agent headers to your HTTP clients and WebSocket clients, and if necessary declare the client's characteristics and IP range in both directions.\n\nLast night, I blocked some massive resource abusers for my community relay. They all had one thing in common: without a User-Agent, I had no way of knowing who was behind the IP. I recommend that all client developers include the full and correct User-Agent header for both HTTP clients and WebSocket clients, especially for unsolicited messages, and preferably with contact information. I realize that this header can be easily tampered with, but as long as the administrator of a particular dedicated facility declares the IP range and User-Agent characteristics of their client in both directions, this is still valid, as is the case with Googlebot crawlers.\n\nSince I had no way of knowing who was who, I made the mistake of blocking the bot used by Mostr.pub to check the validity of NIP-05 identity in user profiles for a few days, which led to a few minor problems. It was only after a targeted check of the server logs that I realized it was hiding in a visitor with the User-Agent \"Deno\". cc: nostr:npub1q3sle0kvfsehgsuexttt3ugjd8xdklxfwwkh559wxckmzddywnws6cd26p",
"sig": "e566aac0b576f972a19e9cadd3a794a59a9eedcb8a0a8de4e09eb7dd9a0b3a8b1257caf4c5ef0e1a339a924c404a70955990841e3746f272e5b87a8a805792b3"
}