Earlier this week I released nobot, my detection system for low-effort bots:
nobot has been running on this site for a few months, so, if you are a human visitor reading this post, thank you! You help make nobot better by being an unwitting tester for false positives. (Sorry!)
A few things to know about nobot, to help you understand if it could be for you:
- nobot is original work based on original research
- nobot is open-source, released under the CC BY-SA 4.0 license
- nobot is for the Apache HTTP Server (tested on v2.4.65 and v2.4.66)
- nobot does not block or allow based on the User-Agent string alone
- nobot does not block or allow based on an allowlist
- nobot tries to be efficient:
- Even though it recognizes thousands of User-Agent strings that belong to web browsers, and also has over 300 detection rules in all its modules combined, it only needs to evaluate 10 to 20 regular expressions for a typical request by a modern browser used by a real human.
- nobot is fully modular: You can use as much or as little of it as you want
- nobot has opinions but its opinionated modules are clearly marked as such
- nobot has been very effective for my low-traffic personal sites
- nobot has limits to what it can do: Read about them in the README
- nobot will likely block you if you spoof your User-Agent string!
If any of that sounds interesting to you, please have a look at the repo!
If you have comments or questions, mention me on Bluesky, @op111.net, or send a message using the contact form.
Thank you for reading!
— Demetris, 2026-02-15