> where I had an agent karma Was this a browser using agent? What did you use?

carlgreene · 2026-05-07T20:04:25 1778184265

It used the browser agent to grab user cookies after signing in, then made API calls iirc.

Using just a browser is way too token intensive and slow. It would look for 401 errors then run the browser automation to login with the credentials and grab the token.

echelon · 2026-05-07T20:26:46 1778185606

I'm surprised these platforms don't have advanced heuristics to detect API calls and inauthentic traffic.

Did you clone the Reddit API from browser traffic and then turn it into a 100% API driven thing?

I'd imagine they'd be sniffing browser agents, plugins, cookies, etc. to fingerprint. Using JavaScript scroll position, browsing rate and patterns, etc.

Maybe their protections just aren't that sophisticated.

tardedmeme · 2026-05-07T20:51:28 1778187088

Reddit is known to fingerprint TLS and quickly shadowban accounts that don't have the fingerprints of browsers.

echelon · 2026-05-07T21:15:14 1778188514

TLS fingerprinting and Cloudflare are easy to bypass. There are lots of libraries that do so.

The application-layer stuff is harder. Each application can develop its own heuristics, and that's difficult to automate in a cross-cutting fashion.

Reddit doesn't do anything about that? That seems stupid.

81AB24FB · 2026-05-08T18:34:22 1778265262

> TLS fingerprinting and Cloudflare are easy to bypass. There are lots of libraries that do so.

Easy for you does not mean easy for everyone. My experience is that TLS fingerprinting paired with blocking specific user agents gets a variety of majority of bot traffic.

It's the same a basic online security: You can protect against script kiddies with basic hygiene. If the threat analysis is Mossad, then yeah, you're fucked.