Anti AI zip bomb with Caddy

Jorge Sanz | 2025-08-22 | 222 words | meta

Found this nice post[1] on how to publish a zip bomb[2] on my website as a honeypot for AI crawlers that don't respect the `robots.txt` directives. The idea is that I have a hidden link on all pages of my website that points to a URL that returns the bomb. You don't see it. Legit crawlers won't follow it. AI crawlers will, and I hope they spend some CPU cycles trying to download it.

1: https://www.dustri.org/b/serving-a-gzip-bomb-with-caddy.html
2: https://en.wikipedia.org/wiki/Zip_bomb

I have no idea how fast AI crawlers detect and avoid these traps, but I change the name of the trap on every deployment to mess with them a bit more than the OP. I'm not closely following the logs of my website, and there's not much published here anyway, but any small effort seems worthwhile in these days of so much AI annoyance.

What do you think?

Small update with details

I changed the bomb definition to this command, which generates a very (very) long list of `<div>` elements:

    yes "<div>" | dd bs=1M count=10240 iflag=fullblock | gzip | pv > bomb.zip

On my website you can find a hidden link like this in a `footer` section of every page:


RSS


And then on my Caddy configuration a block like this:

    handle /trap-* {
    	file_server
    	try_files bomb.zip
    	header Content-Encoding gzip
    	header Content-Type text/html
    }
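
To see which clients actually request the trap, the access log can be filtered on the `/trap-` prefix, which keeps matching when the trap is renamed on each deployment. The script below is an added example, not part of the original post: it assumes Caddy's JSON access log is enabled for the site, and the sample lines, IPs, user agents and trap names are constructed.

```python
import json
from collections import defaultdict

TRAP_PREFIX = "/trap-"  # prefix matched by the `handle /trap-*` block

# Constructed sample in the shape of Caddy's JSON access log (fields trimmed).
# IPs are documentation ranges; user agents and trap names are made up.
SAMPLE_LOG = """\
{"request":{"remote_ip":"203.0.113.7","uri":"/trap-a1b2","headers":{"User-Agent":["ExampleBot/1.0"]}},"size":10400000,"status":200}
{"request":{"remote_ip":"198.51.100.4","uri":"/posts/","headers":{"User-Agent":["Mozilla/5.0"]}},"size":5120,"status":200}
{"request":{"remote_ip":"203.0.113.7","uri":"/trap-c3d4","headers":{"User-Agent":["ExampleBot/1.0"]}},"size":65536,"status":200}
{"request":{"remote_ip":"192.0.2.9","uri":"/trap-c3d4?x=1","headers":{}},"size":10400000,"status":200}
not a json line
"""

def trap_hits(lines, prefix=TRAP_PREFIX):
    """Yield (ip, user_agent, bytes_sent) for every request to a trap URL."""
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or non-JSON line
        req = entry.get("request", {}) if isinstance(entry, dict) else {}
        if not req.get("uri", "").startswith(prefix):
            continue
        # Caddy logs each header as a list of values; it may be absent.
        agents = req.get("headers", {}).get("User-Agent") or ["-"]
        yield req.get("remote_ip", "-"), agents[0], entry.get("size", 0)

def summarize(lines):
    """Group trap hits by (ip, user agent): request count and bytes sent."""
    stats = defaultdict(lambda: {"hits": 0, "bytes": 0})
    for ip, agent, size in trap_hits(lines):
        stats[(ip, agent)]["hits"] += 1
        stats[(ip, agent)]["bytes"] += size
    return dict(stats)

if __name__ == "__main__":
    for (ip, agent), s in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip:15} {agent:20} hits={s['hits']} bytes={s['bytes']}")
```

A `size` close to the size of `bomb.zip` on disk means the client pulled the whole file; a much smaller value means it disconnected early.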

--=--=--

🗣 Reactions

Want to comment anything? Continue the discussion here[3] or contact me![4]

3: https://mapstodon.space/@jorgesanz/115071129646304423
4: /contact
