OP
Welcome back, Operator
Loading…
–
Active Tokens
–
Sessions
–
Emails Sent
–
Gate Visits
–
Human Visits
–
Bots Blocked
–
Gates / Cloakers
Recent Captures
Loading captures…
Active Campaign
No active jobs running
Antibot Gates
Loading…
Tokens
| ★ | ID | Account & Roles | Captured | Expiry | Ref | State | Actions | 📝 |
|---|
—
Page 1
Device Code Sessions
Filter:
| # | Session | Status | Code | Authorized as | Token | Time left | Source | Proxy | Started |
|---|
—
Page 1
Graph operations
Load a folder to view messages
Select a message to read it
Landing pages & templates
Deploy & host
Profile
—
Change password
Updates the password required for this console. It is stored encrypted in the lab database when changed (overrides DASHBOARD_PASS from .env).
Two-factor authentication
Google Authenticator (TOTP): scan the QR code, then enter a 6-digit code to confirm. When enabled, you sign in with username, password, and a code; API access uses a session token instead of raw Basic auth.
Microsoft OAuth (device code)
Proxy Manager (Device Code API)
Telegram alerts (new tokens)
Cloudflare Worker (workers.dev)
Published Worker URL
—
ip-api.com Pro Key (Cloaker IP detection)
Google Safe Browsing API Key
Developer / Debug Mode
Mail Sweep
Deep keyword search across all captured mailboxes — click any result to preview
Presets:
Filters
| # | Mailbox | From | Subject / Preview | Date | 📎 |
|---|
Loading email…
Updates & Changelog
All changes made to your system — most recent first. Re-deploy PHP cloakers after any cloaker-related update.
⬇
System Update
Click "Check for Updates" to compare your version with the latest release.
14
Features
15
Bug Fixes
6
Security
8
Performance
43
Total Changes
No updates match this filter.
Apr 12 2026 — Today
Updates & Changelog page (this page)
Feature
UX
- New Updates section under Config in the sidebar — tracks all system changes in one place
- Filterable by category: Feature, Fix, Security, Performance, UX
- Summary stats, date grouping, and re-deploy indicators
Cloaker PHP — per-cloaker High-traffic mode (ip-api.com Pro)
Feature
Perf
⚠ Re-deploy PHP
- New High-traffic mode toggle in editor Protection tab — switches IP reputation checks to ip-api.com Pro endpoint (unlimited) for mass campaigns
- Free tier (off) stays at 45 req/min — fine for campaigns up to ~2k unique recipients/day
- ip-api.com Pro API key field added to Settings page (one-time setup)
- Newly deployed PHP automatically uses Pro endpoint when the toggle is ON and key is saved
Cloaker PHP — APCu + file caching for IP reputation & status checks
Perf
⚠ Re-deploy PHP
- IP reputation cached per unique IP for 30 minutes — cuts ip-api.com calls from 1/visitor to 1/unique-IP/30min
- Backend status check (active/inactive) cached for 30 seconds — 10k simultaneous visitors now generate ~2 backend calls/min instead of 10k
- Uses APCu shared memory when available; file-based cache in
/tmpas fallback — works on all cPanel setups - Effective capacity raised from ~500 visits/day to 10k–30k visits/day on shared cPanel hosting
Cloaker PHP — visit recording reliability (
Fix
Perf
⚠ Re-deploy PHP
fastcgi_finish_request)- Page now sent to visitor's browser first —
fire_visitwebhook runs entirely in the background with zero impact on load time - Webhook timeout raised from 200ms → 3 seconds — prevents dropped visits on cross-continental hosting pairs
- Bot redirect fix: bots receive their 302 instantly before the webhook fires (was blocked for up to 3 seconds)
- Root cause of visit under-counting on remote server pairs
Cloaker PHP —
Fix
⚠ Re-deploy PHP
got npm library added to bot UA blocklistgot/,got (,superagent,undici,request/patterns added to PHP — were already in CF Worker but missing from PHP- URL scanners triggered when sharing campaign links (Slack, email clients, browser sync) now correctly show as Bot instead of Human
Cloaker — FP cookie salt persisted across server restarts (visit counting fix)
Fix
- FP HMAC salt now saved to the database on first boot and reloaded on every restart — no re-deploy needed
- Previously every restart invalidated all visitor FP cookies → challenge page re-served → challenge loads are not counted as visits, causing severe under-counting
- Visitors who already passed the challenge keep their cookie valid indefinitely across restarts
Cloaker visits analytics — Block IP button
Feature
- Each row in the visits analytics drawer now has a ✕ Block button
- One click → confirmation → IP added to global hard-block list across all cloakers immediately (no re-deploy)
Cloaker — Active toggle in Actions column
Feature
- Visual toggle switch added directly to the Actions column in the cloaker table
- Toggle pauses/resumes any cloaker in one click without opening the editor
- Status column already had a text button — this adds a proper toggle UI alongside Edit/Deploy/Delete
Cloaker — Inactive Redirect URL
Feature
⚠ Re-deploy PHP
- New field in editor Protection tab — when the cloaker is disabled, visitors get a 302 redirect to your decoy URL instead of a bare 404
- PHP/CF Worker deployed cloakers check backend status in real time (cached 30s) — disabling from the dashboard takes effect within 30 seconds without re-deploying
- Real-time status endpoint
/api/cloaker/{id}/statusadded to backend
Apr 11 2026
Security — Sub-operator TOTP bypass fixed
Security
- When admin had 2FA enabled, sub-operators could log in with only a password — TOTP was never checked in their auth path
- Sub-operators now go through the same TOTP validation as the admin account
Security — Cloaker bot_score was fully client-controlled
Security
- Anyone could POST
bot_score=100directly to/checkand receive a valid human cookie — bypassing the fingerprint challenge entirely - Server now generates a signed HMAC challenge nonce embedded in the challenge page — the POST is rejected without it
Security — DOM XSS fixed in cloaker.html
Security
- Toast function used
innerHTMLwith unescaped message — replaced withtextContent - Cloudflare deploy URL was injected into
<a href>without escaping — now runs throughescHtml()
Security — postMessage origin not checked in debounce.html & listener.html
Security
- Any opener window or iframe could overwrite
localStorageauth credentials by sending adevice_code_lab_authmessage - Added
if (e.origin !== location.origin) return;check — mirrors the correct pattern already in mailbox.html
Sender — shared counter race conditions with asyncio.Lock
Fix
- When
thread_count > 1, multiple coroutines mutatedsender_idx, subject/letter/QR rotation indices concurrently without locks - Wrapped the index read+pick+increment block in
asyncio.Lock()— round-robin is now atomic
Performance — Session GC, DB index, httpx pooling, N+1 listener query
Perf
Fix
- Session GC moved from every authenticated request to a 5-minute background task
- Missing DB index added:
antibot_sessions(gate_id)— was a full table scan on every gate page load - Shared
httpx.AsyncClientin antibot_routes — was creating a new TCP connection per visitor for IP/captcha checks - Listener list replaced 10,000-row-per-listener fetch with a single SQL
GROUP BYaggregate
Cloaker — FP cookie check moved before rate limit
Fix
- Returning humans with a valid FP cookie were still blocked by the 8 req/60s rate limit
- Cookie check now runs before rate limit — valid cookie bypasses it entirely
- Cookie
secureflag set toTrue(wasFalse)
Various minor fixes — VPN/Tor flags, MS device URL dedup, CSV injection, ip-api HTTPS, async deprecations
Fix
- VPN and Tor block flags were coupled — enabling only
block_toralso activated VPN blocking - Duplicate Microsoft device auth URL in sender removed
- CSV export in debounce.html protected against Excel formula injection (
=,+,@prefixes) - ip-api.com switched from
http://tohttps://in antibot_routes asyncio.get_event_loop()→get_running_loop()in debounce MX resolver- Shutdown hook added for listener poller + session GC background tasks
- Duplicate
result_map/code_mapin debounce_routes consolidated
Debounce — stream always emits
Fix
done event on early exit- Three early-return paths (missing API key, missing backend URL) yielded an
errorevent then returned without emittingdone - Frontend waiting for
doneto finalize would hang indefinitely — all paths now emitdone
Apr 10 2026
Debounce.io — Bulk API for 50k+ email validation
Feature
Perf
- Lists > 500 emails auto-route to debounce.io's bulk API — 10–20 min for 50k emails vs 2.7 hours with single-email API
- Progress bar shows debounce.io's server-side processing % in real time during the bulk job
- Results stream in individually once the CSV is downloaded and parsed
- New
bulk_progressevent type in the streaming protocol - Max list size raised from 5,000 → 50,000 emails; requires
PUBLIC_BACKEND_URLin.env
Debounce — Separate ↓ Risky download button
Feature
UX
- Added standalone ↓ Risky export button to the done banner (amber colour)
- ↓ Invalid now exports strictly-invalid only — previously bundled risky + invalid together
Cloaker — Redirect mode toggle (proxy vs 302)
Feature
- New Redirect mode toggle in editor Protection tab
- OFF (default): proxy mode — visitor stays on cloaker domain, cloak URL content served inline
- ON: 302 redirect — visitor's browser navigates directly to the cloak URL domain
- Applies to both normal human flow and FP cookie fast-path