I also pull-requested a user agent anonymisation setting (pleroma.http.user_agent) to make this better

I'm no longer on keybase, deleted it a few days ago - but I'm more than happy to share what I found if you want

pretty sure it's nothing groundbreaking though

other contact methods are listed on my profile

(edit: by OP I mean article author)

it's right at the end of the article - the attacker was abusing the "create a preview card of any posted URL" feature - he'd post a link, wait for pleroma to go and grab the url to preview it, then narrow down which one was mine based on user agent

i added an upstream proxy and anonymised the user agent, so even if he were to do that, the most he'd find was my proxy box

which is what led me to block all other IPs - it's not the hardest thing to just make an openssl req and get the common names of the certificate returned

especially if you know the hosting provider, which narrows down the ip space significantly

really... surprised it got submitted here

incidentally i'm running pleroma, not mastodon. minor detail but you know