Why I Couldn’t Build a Reddit Farm
Reddit’s three-layer anti-bot stack. Accounts at scale, zero reach.
I spent a chunk of time trying to build a Reddit account farm — meant to seed distribution for projects I’m about to ship. Spend: $50 on proxies, a handful of antidetect browser profile slots, 5sim SMS numbers, plus a full week of engineering and sleep debt. Outcome: accounts can be created at scale, but outbound reach is zero. Here’s why.
Reddit’s anti-bot stack is three layers. Each layer catches a different thing. I walked through all three before the full picture came together.
Layer A: register-time fingerprint score. The register page runs score-based reCAPTCHA Enterprise — three iframes, no visible challenge, scoring directly on IP + browser fingerprint. Low score = silent reject. Click Continue, nothing happens. No error, no toast, page doesn’t move. Camoufox / Patchright / vanilla Playwright all die at this layer because their fingerprint patterns are outdated against 2026’s anti-bot revision (Camoufox’s lead had a medical emergency earlier this year and updates stalled). Retrying makes it worse — each failed attempt pushes the score lower. One profile per attempt, fail once and the profile is burned. Swap to a fresh one.
How to skirt Layer A: pure HTTP. curl + cookie jar POSTs straight to /api/register. No JS engine, no fingerprint score to fail. That path worked. 1,639 accounts came out of it.
Layer B: post-register retro-audit. Days to weeks after creation, Reddit silently audits accounts. Anomalous fingerprint patterns get the account locked with an “unusual activity” banner. This one is passive. Registration looks fine; two-to-three weeks later, your pool gets harvested. More than half of the 1,639 fell here.
Layer C: shadowban honeypot — the deadliest layer. Account isn’t locked. Login works. Posting a comment works (HTTP 200, permalink returned). Upvotes work (likes=True). Refresh your own view, everything looks normal. View the same comment from an anon session — “The comment does not exist.” Reddit filters your comments / votes / submissions server-side. Your own view always shows them (UI illusion), no one else does. The account is fully functional and has zero outbound reach. The entire 1,639-pool sat here. The design intent is unambiguous: make you think the farm is running so you keep burning effort.
Stacked on top of all three: the proxy side has its own wall. Bulk residential vendors (IPRoyal / DataImpulse / Webshare / Proxy-Seller / ProxyEmpire) have their CIDRs on Reddit’s edge block list. TCP CONNECT gets a hard RST — curl: (56) Recv failure: Connection reset by peer. The handshake never completes. The only exits that clear Reddit’s edge are AnyIP’s mobile / ISP-static pools — but that only solves “can I connect.” Layer C is untouched.
Reddit’s anti-bot is structural. Layer A catches tools that have a fingerprint. Layer B catches whatever Layer A missed via batch behavior. Layer C is the safety net — fully functional accounts, zero reach. The OSS stack (Camoufox / Patchright / curl_register) is outdated against 2026’s revision. Commercial antidetect (AdsPower / Multilogin) may clear Layer A, but Layer B and C are server-side. Paid tools don’t save you there.
Reddit didn’t work as a distribution path for me. The farm didn’t ship.
But pulling the three layers apart sharpened my understanding of anti-spam system design. Layer C is especially elegant — don’t ban, don’t rate-limit, let the spammer burn their own resources and keep refreshing their own view thinking it works. Any product handling user-generated content should study this pattern.
Reddit Farm 为什么做不出来
Reddit 反 bot 三层栈。账号能批量造,对外 reach 是零。
最近花了不少时间想做一个 Reddit account farm — 用来给后续要发的项目导 distribution。投入:$50 买代理、几个 antidetect browser profile slot、5sim 短信号,再加一整周的工程时间和睡眠债。结论:account 能批量造出来,但对外 reach 是零。下面讲为什么。
Reddit 的反 bot 是三层栈,每一层卡的东西不一样。我把这三层全摸了一遍,才看清整盘棋。
Layer A: register-time fingerprint score。 注册页有 score-based reCAPTCHA Enterprise,三个 iframe,没有可见的 challenge,直接按你的 IP + browser fingerprint 给分。分数低就 silent reject — 点 Continue 没反应,没报错、没 toast,页面纹丝不动。Camoufox / Patchright / vanilla Playwright 全卡在这一层,因为这些工具的 fingerprint 模式在 2026 这一轮 Reddit 反 bot 升级里全过时了(Camoufox 主作者上半年遇到医疗紧急情况,更新停滞)。重试也救不回来 — 每失败一次,score 再降一截,profile 直接烧。一个 profile 一次性,第一次 fail = profile 废,换新。
绕开 Layer A 的方法:纯 HTTP。curl + cookie jar 直接 POST /api/register,没 JS engine 就没 fingerprint score 可打。这条路一直 work,1639 个号是这么造出来的。
Layer B: post-register retro-audit。 Acct 创建几天到几周后,Reddit 后台静默 audit。抓到 fingerprint 模式异常的 acct 直接锁,弹 “unusual activity”。这一层是被动的,注册时无感,2-3 周后批量收割你的池子。1639 个号,一大半倒在这一层。
Layer C: shadowban honeypot — 最致命的一层。 号没被锁,login 通,发 comment 通(HTTP 200,permalink 返回),upvote 通(likes=True),自己刷新自己看,一切正常。但从 anon 角度看那条 comment — “The comment does not exist”。Reddit 在服务端把你的 comment / vote / submit 全部过滤掉,自己看自己永远 visible(UI 假象),外人看不到。账号功能完整,零 outbound reach。1639 个号的池子全在这层。设计目的非常明确:让你以为 farm 在跑,浪费你的时间。
三层叠在一起,再加上代理这一侧的麻烦:bulk residential 代理厂商(IPRoyal / DataImpulse / Webshare / Proxy-Seller / ProxyEmpire)的 CIDR 全部在 Reddit edge block list 上,TCP CONNECT 直接 RST。curl: (56) Recv failure: Connection reset by peer,连握手都不让。唯一过得了 Reddit edge 的是 AnyIP 的 mobile / ISP-static 出口 — 但这只解决了“能不能连”,没解决 Layer C。
收尾:Reddit 这套反 bot 是结构性的 — Layer A 卡有指纹的工具,Layer B 卡漏过 A 的批量行为,Layer C 兜底,全功能 acct 零 reach。OSS 那套(Camoufox / Patchright / curl_register)在 2026 这一轮升级里全过时了。商业 antidetect(AdsPower / Multilogin)也许能过 Layer A,但 Layer B 和 Layer C 在服务端,付费工具也救不了。
Reddit 这条路对我来说没走通 — farm 没做出来。
但把这三层拆完之后,我对 anti-spam 系统设计的理解涨了一截。Layer C 的设计尤其漂亮 — 不 ban、不 rate-limit,让 spammer 自己烧自己的资源,自己刷自己看,以为还在跑。任何做用户生成内容的产品都该借鉴这套思路。