Discussion Regarding False Positives

[akh7177]

Owing to Comment Section being locked and limited to collaborators for Issue #2547 , I decided it would be a good idea to open up a discussion to exchange ideas as I could see multiple PR's flowing in trying to fix these issues.

Below are a few of my observations regarding the sites that were listed in the issue

• BoardGameGeek seems to get user info from the following API request . https://api.geekdo.com/api/users?username=**_username_** But the challenge is, it returns just [] for invalid usernames and for valid usernames, there might be some [] present in fields that are not entered by the user in their profile. So a simple sub string search will likely fail.

• Pepper IT shutdown in August 2025

• Reddit, Top Coder, Opennet and DeviantArt seem to be working on the expected lines without any inconsistency

• Spotify doesn’t use usernames as profile URLs anymore. Each account gets an internal opaque user ID and I'm not sure of how this mapping is exactly done

• Kaskus exposes user profile API at https://m.kaskus.co.id/api/users?username=**_username_** But when added to data.json the test seems to be inconsistent. When verified with --dump-response flag, I noticed that the response is not received at all many a times. But when accessed through browser, it seems to fetch the values consistently.

• svidbook seems to redirect /user/profile back to the homepage with status code 301 Moved Permanently (from disk cache)

• LessWrong, Weblate, YandexMusic, Gnome VCS have security layers like Vercel security layer and other Bot-Prevention mechanisms and we need to modify Sherlock such that it bypasses them

Any pointers/discussions on this would be greatly appreciated!

@BUZZ1592003 @dollaransh17 @shreyasNaik0101

[ppfeister]

BGG only returning an empty list at that endpoint might actually work...... will take a look at that one.

[akh7177]

Great! BGG seems to have been fixed in PR #2582

Any idea on how we can make sherlock bypass the anti bot checks?
Also, if time permits, please let me know if the sites I mentioned points 2 and 3 are on the expected lines.

Thanks!

[ppfeister]

Any idea on how we can make sherlock bypass the anti bot checks?

If time ever permits, I may refactor and build in some block page handling - but that would require a pretty large rewrite of some sections to do so. On radar, but not happening right this second

Also, if time permits, please let me know if the sites I mentioned points 2 and 3 are on the expected lines.

What do you mean by "if they are on the expected lines"?

[akh7177]

Any idea on how we can make sherlock bypass the anti bot checks?

If time ever permits, I may refactor and build in some block page handling - but that would require a pretty large rewrite of some sections to do so. On radar, but not happening right this second

Right, could you point where exactly in the repo the changes need to be made. I'll give it a try if time permits!

Also, if time permits, please let me know if the sites I mentioned points 2 and 3 are on the expected lines.

What do you mean by "if they are on the expected lines"?

I meant the validity of the 2nd and 3rd points. Certain sites , I feel seem to be working fine but still are mentioned as having F+.

[ppfeister]

Oh no, it would be part of a substantial rewrite - and it would probably coincide with a bump to 1.0.0 and proper adoption of semver. Not really a "rewrite this function" situation in my mind, unless we want to make the project harder to maintain. Once I have the bandwidth to to so, it'll likely be fast-tracked, but that'll be down the line a bit.

I'm following several projects that address this for use as possible dependencies, but even they have trouble keeping up sometimes.

As to the 2nd and 3rd points --- if a site is defunct, it can be removed. If a site is not returning F+s but is labeled as such, it's possible that we may need to tweak some testing methodology to improve consistency.

[akh7177]

Oh no, it would be part of a substantial rewrite - and it would probably coincide with a bump to 1.0.0 and proper adoption of semver. Not really a "rewrite this function" situation in my mind, unless we want to make the project harder to maintain. Once I have the bandwidth to to so, it'll likely be fast-tracked, but that'll be down the line a bit.

I'm following several projects that address this for use as possible dependencies, but even they have trouble keeping up sometimes.

Cool...sounds amazing 🤩 Then I'll look into some other issues in this repo that I can help with!

As to the 2nd and 3rd points --- if a site is defunct, it can be removed. If a site is not returning F+s but is labeled as such, it's possible that we may need to tweak some testing methodology to improve consistency.

Yes, we need to bring about some improvement in the F+ tests in GitHub Actions.

[BUZZ1592003]

Owing to Comment Section being locked and limited to collaborators for Issue #2547 , I decided it would be a good idea to open up a discussion to exchange ideas as I could see multiple PR's flowing in trying to fix these issues.

Below are a few of my observations regarding the sites that were listed in the issue

• BoardGameGeek seems to get user info from the following API request . https://api.geekdo.com/api/users?username=**_username_** But the challenge is, it returns just [] for invalid usernames and for valid usernames, there might be some [] present in fields that are not entered by the user in their profile. So a simple sub string search will likely fail.
• Pepper IT shutdown in August 2025
• Reddit and Top Coder seems to be working on the expected lines without any inconsistency
• Spotify doesn’t use usernames as profile URLs anymore. Each account gets an internal opaque user ID and I'm not sure of how this mapping is exactly done
• Kaskus exposes user profile API at https://m.kaskus.co.id/api/users?username=**_username_** But when added to data.json the test seems to be inconsistent. When verified with --dump-response flag, I noticed that the response is not received at all many a times. But when accessed through browser, it seems to fetch the values consistently.
• LessWrong, Weblate, YandexMusic have security layers like Vercel security layer and other Bot-Prevention mechanisms and we need to modify Sherlock such that it bypasses them

Any pointers/discussions on this would be greatly appreciated!

@BUZZ1592003 @dollaransh17 @shreyasNaik0101

Can confirm LessWrong empty responses and Coders Rank returning fake profiles with HTTP 200.

Happy to help test User-Agent rotation or other bypass methods!

[dollaransh17]

Could me mention me those 2 and 3 points

…

On Sun, 5 Oct, 2025, 10:07 pm Abhyuday K Hegde, ***@***.***> wrote: Great! BGG seems to have been fixed in PR #2582 <#2582> Any idea on how we can made sherlock bypass the anti bot checks? Also, if time permits, please let me know if the sites I mentioned points 2 and 3? Thanks! — Reply to this email directly, view it on GitHub <#2592 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BMO5JD7OHDOPZPU5JMHSMTL3WFCMDAVCNFSM6AAAAACIJIORPCVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTINJZG44TEMY> . You are receiving this because you were mentioned.Message ID: ***@***.*** com>

[akh7177]

Sure, it's mentioned in the discussion above

• Pepper IT shutdown in August 2025

• Reddit, Top Coder, Opennet and DeviantArt seem to be working on the expected lines without any inconsistency

[dollaransh17]

Plz mention what exactly is the err and I will try from my side.

…

On Sun, 5 Oct, 2025, 10:30 pm Abhyuday K Hegde, ***@***.***> wrote: Sure, it's mentioned in the discussion above - Pepper IT shutdown in August 2025 - Reddit, Top Coder, Opennet and DeviantArt seem to be working on the expected lines without any inconsistency — Reply to this email directly, view it on GitHub <#2592 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BMO5JD22N7PS5XHANJLVINL3WFFCBAVCNFSM6AAAAACIJIORPCVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTINJZHAYDGNY> . You are receiving this because you were mentioned.Message ID: ***@***.*** com>

[akh7177]

Reddit, Top Coder, Opennet and DeviantArt are suspected of returning False positives but as per my observation, it isn't returning any F+ or F-. It would be helpful if you can check the same

[ppfeister]

Just a thought --

If you're referring to the automatic exclusions list, it's very possible that these are being treated differently when pulled from non-residential IPs, as well. In which case the F+ may be very real for checks out of DCs (people running sherlock on a VPS, for instance). Worth some looking into at some point.

[akh7177]

Oh... Hadn't thought about it from that point of view 🤔. (More precisely, this was the file I was referring to false_positive_exclusions.txt)

[dollaransh17]

So I have tested on my local env , there all r working fine

…

On Sun, 5 Oct, 2025, 10:55 pm Abhyuday K Hegde, ***@***.***> wrote: Reddit, Top Coder, Opennet and DeviantArt are suspected of returning False positives but as per my observation, it isn't returning any F+ or F-. It would be helpful if you can check the same — Reply to this email directly, view it on GitHub <#2592 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BMO5JDY7TOSH2VZ7LHXOJL33WFIBRAVCNFSM6AAAAACIJIORPCVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTINJZHAYTMMA> . You are receiving this because you were mentioned.Message ID: ***@***.*** com>

[akh7177]

Thanks for the confirmation. On a side note, it would be helpful if you reply to the same message rather creating a new answer everytime. Helps the discussion remain clean :)