unmask

Shared feed

Community-sourced bot reports — CAPTCHA-only enforcement, opt-in everywhere.

unmask installs can opt in to share their BAN button decisions with the community feed. Other installs can opt in to pull the feed and force CAPTCHA on matching IP / JA4 / IP+JA4 pairs. Nothing is ever blocked outright — the worst that happens is a human gets a CAPTCHA.

📤 Submit (opt-in per BAN)

In admin → settings → Shared feed, agree to the terms once. The BAN button on the hunt page then includes a Share checkbox and a 280-char comment field.

Submissions are authenticated with an anonymous token. No PII is collected. You can revoke consent any time, and entries rotate out of the public feed on a relevance-driven window (see the privacy policy).

📥 Subscribe (no consent needed)

Flip subscribe_enabled ON and unmask pulls the feed every hour. Matches force CAPTCHA — search bots and bypass IPs are still always exempt.

Browse what you’re currently pulling at /admin/shared-feed/.

How a report becomes a feed entry

  1. An admin presses BAN on the hunt page with Share checked.
  2. The IP / JA4 / reason / comment travel to the hub over TLS.
  3. The hub aggregates by (IP, JA4) and runs heuristic + (planned) AI judgment.
  4. If enough independent installs report the same target, the hub publishes a feed entry with one of three match kinds — ip_ja4, ja4_only, or ip_only.
  5. Subscriber installs see it next pull cycle and force CAPTCHA on hits.
Why CAPTCHA-only? Because a community feed will inevitably get false positives — a shared IP, a hosting provider, your friend on a VPN. Blocking with 403 would punish real humans for someone else’s report. CAPTCHA lets humans through with one click, while keeping the cost high enough that crawlers move on.
No private feeds yet. There is currently a single public hub at unmask.sh. Self-hosted hubs are planned but not shipped — if you need a private feed, point your install at your own mirror and run unmask feed-build on a cron.