Fresh profiles, manually started, still being blocked.
But here’s the Paul Harvey. Even after getting blocked, other machines in the same LAN do not appear to suffer. Yet, the blocked machine, with either the same, or a different profile, cannot connect to the target site, and the only difference is that the blocked machine may have recently and quite legitimately employed automation on some site (perhaps not even the target one).
One such is with our VoIP provider (not your customer so no turnstile ever appears there), from whom we download some 60 CSV’s every day. No way that’s going to happen by hand.
This means simply that your fingerprinting is, to be charitable, a tad overzealous. Putting aside your flagging a machine that has at some time in the near past used automation, a fresh, new profile, pristine and empty, manually connecting to the target site as its very first action without any form of automation employed, should not be able to trigger the endless turnstile; or, even if the captcha checkbox does come up, clicking it should allow connection to the target site.
Yet once blocked, it’s endless turnstile, until eventually we just don’t try to open the target site for awhile and whatever data you’re persisting on your side (a combination of UA strings, LAN IP’s, timestamps, whatever) goes stale, allowing us to connect again. Haven’t nailed down the timeframe, but it seems to be a day or so.
Not that it’s any of your business, but the target site - our ERP - became your customer about a year ago after they were hacked. We routinely download reports to sync data entered by staff via the ERP’s website to our local database. Customer, vendor, product updates, etc. Thanks to your apparent “all automation is evil” approach, these tasks have grown more difficult.
(That approach is of course just as naive as saying all guns are evil. The tool cannot “decide” to be evil. It’s always the user.)
We understand that since they’re your customer, and we aren’t, us asking for you to knock it off won’t be effective.
Having them get you to force allow one machine is also not the answer; we haven’t done anything wrong. It’s our data, and we shouldn’t need special permission to access it.
Another wrong answer would be to waste manpower and invite the certainty of error by having staff manually click on all the myriad checkboxes and datepickers it would take to get the various reports (some multiple times as they have to be run per physical location).
We also understand your company provides a great service in helping keep businesses safe from nefarious actors. Alas, in your zeal to keep out the bad guys, you’re discriminating against legitimate use of automation.
If there was some way to get vetted and set a cookie or whatever prior to connecting, maybe set you up in our 2FA site and pass along a token, that’d be fine. But this whack-a-mole with the endless turnstile when we haven’t done anything wrong is growing tiresome.