starred/ntfy
1
0
Fork 0
mirror of https://github.com/binwiederhier/ntfy.git synced 2026-05-09 08:26:00 +02:00
Code Issues 368 Projects Packages Wiki Activity

[GH-ISSUE #1711] Invisble ratelimit leakage #1190

New issue
Open
opened 2026-05-07 00:30:57 +02:00 by BreizhHardware · 1 comment
BreizhHardware commented 2026-05-07 00:30:57 +02:00
Owner
Copy link

Originally created by @mpeter50 on GitHub (Apr 20, 2026).
Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/1711

🐞 Describe the bug

For the past few weeks I was experiencing notification delivery issues. It turned out the reason is that my IP address regularly reaches its message sending quota of 250 messages a day. It surprised me, because I receive far less messages, and I dont use Ntfy notifications for much things.
Perhaps I forgot about a poor project of mine? Maybe, but its not likely.

I have tried to diagnose the issue on my network, but I did not find the cause of the usage increasing.

💻 Components impacted

ntfy server

🔮 Additional context

I have installed blocking firewall rules on my routers, which verifyably block access to ntfy.sh, and yet the usage counter is still increasing.

iptables -I FORWARD -d 159.203.148.75/32 -j DROP

while true; do curl -s https://ntfy.sh/v1/account | jq --compact-output "$JQ_SCRIPT"; sleep 60; done

{"messages_sent":"048","messages_remaining":"202","date":"2026-04-20T20:13:34Z","date_unix":1776716014}
{"messages_sent":"048","messages_remaining":"202","date":"2026-04-20T20:14:35Z","date_unix":1776716075}
{"messages_sent":"048","messages_remaining":"202","date":"2026-04-20T20:15:35Z","date_unix":1776716135}
{"messages_sent":"048","messages_remaining":"202","date":"2026-04-20T20:16:36Z","date_unix":1776716196}
{"messages_sent":"048","messages_remaining":"202","date":"2026-04-20T20:17:37Z","date_unix":1776716257}
{"messages_sent":"056","messages_remaining":"194","date":"2026-04-20T20:18:37Z","date_unix":1776716317}
{"messages_sent":"056","messages_remaining":"194","date":"2026-04-20T20:19:38Z","date_unix":1776716378}
{"messages_sent":"060","messages_remaining":"190","date":"2026-04-20T20:20:38Z","date_unix":1776716438}
{"messages_sent":"060","messages_remaining":"190","date":"2026-04-20T20:21:39Z","date_unix":1776716499}
{"messages_sent":"060","messages_remaining":"190","date":"2026-04-20T20:22:39Z","date_unix":1776716559}
{"messages_sent":"060","messages_remaining":"190","date":"2026-04-20T20:23:40Z","date_unix":1776716620}
{"messages_sent":"060","messages_remaining":"190","date":"2026-04-20T20:24:40Z","date_unix":1776716680}
{"messages_sent":"064","messages_remaining":"186","date":"2026-04-20T20:25:41Z","date_unix":1776716741}
{"messages_sent":"064","messages_remaining":"186","date":"2026-04-20T20:26:41Z","date_unix":1776716801}
{"messages_sent":"064","messages_remaining":"186","date":"2026-04-20T20:27:42Z","date_unix":1776716862}
{"messages_sent":"064","messages_remaining":"186","date":"2026-04-20T20:28:43Z","date_unix":1776716923}
{"messages_sent":"064","messages_remaining":"186","date":"2026-04-20T20:29:43Z","date_unix":1776716983}
{"messages_sent":"064","messages_remaining":"186","date":"2026-04-20T20:30:44Z","date_unix":1776717044}
{"messages_sent":"064","messages_remaining":"186","date":"2026-04-20T20:31:44Z","date_unix":1776717104}

I blocked it only on the FORWARD chain so that I could still query the statistics. To verify that no other traffic is going to ntfy, e.g. from the router itself, I ran tcpdump, and I was seeing that traffic was only exchanged with the ntfy server when the stat query was running:

tcpdump -n -i eth0 vlan 2 and host 159.203.148.75

https://gist.github.com/mpeter50/718c654a15bb19a5cd8e049a14a58ef3

Originally created by @mpeter50 on GitHub (Apr 20, 2026). Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/1711 :lady_beetle: **Describe the bug** <!-- A clear and concise description of the problem. --> For the past few weeks I was experiencing notification delivery issues. It turned out the reason is that my IP address regularly reaches its message sending quota of 250 messages a day. It surprised me, because I _receive_ far less messages, and I dont use Ntfy notifications for much things. Perhaps I forgot about a poor project of mine? Maybe, but its not likely. I have tried to diagnose the issue on my network, but I did not find the cause of the usage increasing. :computer: **Components impacted** <!-- ntfy server, Android app, iOS app, web app --> ntfy server :crystal_ball: **Additional context** <!-- Add any other context about the problem here. --> I have installed blocking firewall rules on my routers, which verifyably block access to ntfy.sh, and yet the usage counter is still increasing. ``` iptables -I FORWARD -d 159.203.148.75/32 -j DROP ``` ``` while true; do curl -s https://ntfy.sh/v1/account | jq --compact-output "$JQ_SCRIPT"; sleep 60; done ``` ```json {"messages_sent":"048","messages_remaining":"202","date":"2026-04-20T20:13:34Z","date_unix":1776716014} {"messages_sent":"048","messages_remaining":"202","date":"2026-04-20T20:14:35Z","date_unix":1776716075} {"messages_sent":"048","messages_remaining":"202","date":"2026-04-20T20:15:35Z","date_unix":1776716135} {"messages_sent":"048","messages_remaining":"202","date":"2026-04-20T20:16:36Z","date_unix":1776716196} {"messages_sent":"048","messages_remaining":"202","date":"2026-04-20T20:17:37Z","date_unix":1776716257} {"messages_sent":"056","messages_remaining":"194","date":"2026-04-20T20:18:37Z","date_unix":1776716317} {"messages_sent":"056","messages_remaining":"194","date":"2026-04-20T20:19:38Z","date_unix":1776716378} {"messages_sent":"060","messages_remaining":"190","date":"2026-04-20T20:20:38Z","date_unix":1776716438} {"messages_sent":"060","messages_remaining":"190","date":"2026-04-20T20:21:39Z","date_unix":1776716499} {"messages_sent":"060","messages_remaining":"190","date":"2026-04-20T20:22:39Z","date_unix":1776716559} {"messages_sent":"060","messages_remaining":"190","date":"2026-04-20T20:23:40Z","date_unix":1776716620} {"messages_sent":"060","messages_remaining":"190","date":"2026-04-20T20:24:40Z","date_unix":1776716680} {"messages_sent":"064","messages_remaining":"186","date":"2026-04-20T20:25:41Z","date_unix":1776716741} {"messages_sent":"064","messages_remaining":"186","date":"2026-04-20T20:26:41Z","date_unix":1776716801} {"messages_sent":"064","messages_remaining":"186","date":"2026-04-20T20:27:42Z","date_unix":1776716862} {"messages_sent":"064","messages_remaining":"186","date":"2026-04-20T20:28:43Z","date_unix":1776716923} {"messages_sent":"064","messages_remaining":"186","date":"2026-04-20T20:29:43Z","date_unix":1776716983} {"messages_sent":"064","messages_remaining":"186","date":"2026-04-20T20:30:44Z","date_unix":1776717044} {"messages_sent":"064","messages_remaining":"186","date":"2026-04-20T20:31:44Z","date_unix":1776717104} ``` I blocked it only on the FORWARD chain so that I could still query the statistics. To verify that no other traffic is going to ntfy, e.g. from the router itself, I ran tcpdump, and I was seeing that traffic was only exchanged with the ntfy server when the stat query was running: ``` tcpdump -n -i eth0 vlan 2 and host 159.203.148.75 ``` https://gist.github.com/mpeter50/718c654a15bb19a5cd8e049a14a58ef3
BreizhHardware commented 2026-05-07 01:00:44 +02:00
Author
Owner
Copy link

@mpeter50 commented on GitHub (Apr 20, 2026):

For clarification, I suspect there is a rate accounting bug in Ntfy, but primarily I am here to request some form of assistance, because I am out of ideas. On my side, it seems I am not actually sending notifications when the accounting increases.

wunter8 said in the Matrix room that debugging this might be problematic because there is not much logging on the ntfy.sh instance, but if you have a dev instance, and it would help, I could override the DNS results for my network to redirect traffic to it. But thats probably not too useful because of TLS certs.

<!-- gh-comment-id:4284388781 --> @mpeter50 commented on GitHub (Apr 20, 2026): For clarification, I suspect there is a rate accounting bug in Ntfy, but primarily I am here to request some form of assistance, because I am out of ideas. On my side, it _seems_ I am not actually sending notifications when the accounting increases. wunter8 said in the Matrix room that debugging this might be problematic because there is not much logging on the ntfy.sh instance, but if you have a dev instance, and it would help, I could override the DNS results for my network to redirect traffic to it. But thats probably not too useful because of TLS certs.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
dependabot/npm_and_yarn/web/fast-uri-3.1.2
email-verification
attachment-no-http2
attachment-fixes
attachment-s3
config-generator
postgres-replica
dockers-v2
postgres-support
postgres-webpush+user+message
postgres-webpush+user
postgres-webpush
1364-copy-action
crashfix
user-header
scalar-api-docs
cancel-scheduled
update-available
windows-server
303-update-notifications
postgres
admin-ui
require-login
http-clipboard
message-cache-lock
debian-stripe
predefined-users
busy-timeout
template-dir
ipv6
client-ip-header
apns-fix
feat_optional_require_login
security-updates
pg-message-cache
templating-disallow
templating-3
templating-2
message-size-limit+delay-limit
remove-rate-topics
html-emails
cf-priority
acl-underscores
auth-user-header
markdown
img-attach
web-improvements
utf8-headers
matrix-507-reject
http-response-writer
new-homepage-design
e2e
canary
windows
electron
update-messages
webhook-templating
v2.22.0
v2.21.0
v2.20.1
v2.20.0
v2.19.2
v2.19.1
v2.19.0
v2.18.0
v2.17.0
v2.16.0
v2.15.0
v2.14.0
v2.13.0
v2.12.0
v2.11.0
v2.10.0
v2.9.0
v2.8.0
v2.7.0
v2.6.2
v2.6.1
v2.6.0
v2.5.0
v2.4.0
v2.3.1
v2.3.0
v2.2.0
v2.1.2
v2.1.1
v2.1.0
v2.0.1
v2.0.0
v1.31.0
v1.30.1
v1.29.1
v1.29.0
v1.28.0
v1.27.2
v1.27.1
v1.26.0
v1.25.2
v1.25.1
v1.25.0
v1.24.0
v1.23.0
v1.22.0
v1.21.2
v1.21.1
v1.21.0
v1.20.0
v1.19.0
v1.18.1
v1.18.0
v1.17.1
v1.17.0
v1.16.0
v1.15.0
v1.14.1
v1.14.0
v1.13.0
v1.12.1
v1.12.0
v1.11.1
v1.11.2
v1.11.0
v1.10.0
v1.9.0
v1.8.0
v1.7.0
v1.6.1
v1.6.0
v1.5.3
v1.5.2
v1.5.1
v1.5.0
v1.4.8
v1.4.7
v1.4.6
v1.4.5
v1.4.4
v1.4.3
v1.4.2
v1.4.1
v1.4.0
v1.3.2
v1.3.3
v1.3.1
v1.3.0
v1.2.5
v1.2.4
v1.2.3
v1.2.2
v1.2.1
v1.2.0
v1.1.3
v1.1.2
v1.1.1
v1.1.0
v1.0.0
v0.0.5
v0.0.4
v0.0.3
v0.0.2
v0.0.1
Labels
Clear labels   
ai-generated

   
android-app

   
android-app

   
android-app

   
🪲 bug

   
build

   
build

   
dependencies

   
docs

   
enhancement

   
enhancement

   
🔥 HOT

   
in-progress 🏃

   
ios

   
prio:low

   
prio:low

   
pull-request
Mirrored from GitHub Pull Request

  
question

   
🔒 security

   
server

   
server

   
unified-push

   
web-app

   
website
No labels
ai-generated
android-app
android-app
android-app
🪲 bug
build
build
dependencies
docs
enhancement
enhancement
🔥 HOT
in-progress 🏃
ios
prio:low
prio:low
pull-request
question
🔒 security
server
server
unified-push
web-app
website
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/ntfy#1190
No description provided.