This was for querying package delivery status. I finally got one right after many attempts. The layout, layers, colors change after every attempt so good luck on figuring out which letters count.
Looks pretty obvious to me.
I’m more infuriated by the “abnormal activity from your IP”. It seems pretty much everything is abnormal to these CDNs, including using Firefox on Linux. On the stack/exchange/ask networks I get that shit every fucking time. And no, I’m not using a VPN/Tor.
I deal with this a lot since I do most of my browsing through a VPN.
As great as VPNs are, there probably are a lot of bad actors using them and sometimes I’m the next person using that IP.
Especially when it’s a website that requires an account but they want to use SMS-based or Google Authenticator style 2FA in 2025. “Magic links” are stupid as hell too if you’re not a moron and use a decent password manager — I have no clue what random email address I generated for you since I can’t trust any company not to sell off my PII.
How hard is it to implement FIDO2 then let valid users make requests from whatever IP address they want? IP-based blocking is pretty fucking stupid if you’re already doing secure account-based authorization.
Saying all this as a heavily privacy-conscious web developer. All my traffic looks “suspicious” because how dare I not want your shit hole website to put its grubby little hands all over my IP address.
OK, that last sentence made me laugh!
With browser extensions and other programs becoming tunnels for AI scrapers, consumer IPs are becoming less and less trustworthy. I receive bots from just about every Brazilian consumer ISP. All it takes is one person on your network with a shitty app/extension installed and your home becomes indistinguishable from a bot farm. It’s extra bad if you’re behind CGNAT so you can’t even influence your IP’s reputation.
Nobody wants these CAPTCHAs, but they’re still pretty effective, even with AI image interpretation. Plus, it still beats remote attestation in terms of Linux friendliness, and that’s the inevitable next step in the war against scrapers.
Considering the amount of traffic from LLM bots nowadays, all human/“natural” traffic seems to be abnormal, as it doesn’t behave like the majority of requests.