ha, nice, the agent even picked out the nice common "three strikes" rule automatically even though i didn't specify it.
Discussion
it didn't think to extend it to the websocket message reader tho. this means the socket would remain open and they would be able to keep doing it without having to go through the websocket upgrade process.
adding this now so that the websocket protocol immediately drops the connection of an IP that has 3 times attempted event publish without authing when required.
for the HTTP API it will not block requests because they are one at a time, read events will not be blocked, only writing events for the 10 minute
processing events costs compute and database queries. this reduces that load, for auth disrespectoors.
because fuck them. they are braindead jerkwads.
i loved how quickly i was able to implement that. was driving me nuts looking at this shit.
i figured that probably underlying libraries being used by these jerks probably even recognise when the peer keeps dropping connections that they back off.
the log shows that this worked.
it is now deployed and the latest tag on https://orly.dev now has this functionality.
was driving me nuts for the last few weeks watching blastr type servers keep on doing it.
i'm gonna get the agent to escalate the ban time by double every time also.
that is now done, so the more insistent and persistent the pest is, the more vigorous the response.
note that this also will mean that users using clients that don't do auth with outbox will effectively be permabanned until they use a client that doesn't.
and so it should be.
i pay for my relay to run. i'm paying for their stupidity. not anymore.