Shared feed
Community-sourced bot reports — CAPTCHA-only enforcement, opt-in everywhere.
unmask installs can opt in to share their BAN button decisions with the community feed. Other installs can opt in to pull the feed and force CAPTCHA on matching IP / JA4 / IP+JA4 pairs. Nothing is ever blocked outright — the worst that happens is a human gets a CAPTCHA.
📤 Submit (opt-in per BAN)
In admin → settings → Shared feed, agree to the terms once.
The BAN button on the hunt page then includes a Share checkbox
and a 280-char comment field.
Submissions are authenticated with an anonymous token. No PII is collected. You can revoke consent any time, and entries rotate out of the public feed on a relevance-driven window (see the privacy policy).
📥 Subscribe (no consent needed)
Flip subscribe_enabled ON and unmask pulls the feed every hour.
Matches force CAPTCHA — search bots and bypass IPs are still always exempt.
Browse what you’re currently pulling at /admin/shared-feed/.
How a report becomes a feed entry
- An admin presses BAN on the hunt page with
Sharechecked. - The IP / JA4 / reason / comment travel to the hub over TLS.
- The hub aggregates by (IP, JA4) and runs heuristic + (planned) AI judgment.
- If enough independent installs report the same target, the hub publishes a feed entry with one of three match kinds —
ip_ja4,ja4_only, orip_only. - Subscriber installs see it next pull cycle and force CAPTCHA on hits.
unmask.sh. Self-hosted hubs are planned but not shipped — if you
need a private feed, point your install at your own mirror and run
unmask feed-build on a cron.
Raw feed JSON: https://unmask.sh/api/feed/list.json
(= all aggregated entries, including reports-only rows; 30s cache).
Subscribers pick the score threshold locally via AutoBanMinScore.