Author: Aaron P. MacSween
Published: 2025-12-03
tl;dr
There is a seemingly new project known as "Readily.news" (and alternately as "open.news") which is actively scraping content from the Fediverse, among other sources.
Their promise is that if you give them complete access to your Mastodon account then they will send you a daily digest of the latest news from the Fediverse.

Their service connects to your Mastodon instance in the same way that a mobile client would and has all the same rights. Presumably they could use this to read your DMs, modify your profile, post from your account, send follow requests, or view followers-only posts from anyone your account follows.
At present I do not believe there is any simple method to detect which accounts they might have compromised, to identify what content they might have already scraped, or to block their ongoing access to the non-public content of accounts belonging to people that did not consent to their collection.
The rest of this post will summarize what I know about their operation and propose next steps towards limiting its potential harms.

Background and timeline
Initial discovery
I first observed evidence of Readily.news on November 20th via some strange activity recorded in the HTTP logs of one of my servers. I have some monitoring scripts in place that alert me to weird behaviour, and they drew my attention to several requests for malformed URLs that resulted in 404 responses. The earliest of these was a request for "/blog/diversifying-your-search-engine-portfolio/tl;dr" on this blog, which was almost the right URL for one of my previous articles, but with the text "tl;dr" tacked on at the end. That reminded me of something I’d posted, and I tracked it back to the text of this post from my Mastodon account:

This could have been explained by somebody trying to copy and paste the URL and grabbing some adjacent text, but the requests in question came with a User-Agent string of "open.news", and the rest of the HTTP headers very clearly indicated that it was not a normal browser. Some scraper was trying to parse URLs out of my posts, and doing a very poor job of it. Tracking down bots and understanding their behaviour has become a bit of a hobby for me (I’ve written three blog posts about it recently: 1, 2, 3) so I started digging into it.
Their user-agent looked like a URL on its own, but I began with a general web search for "open.news" to see if there was any mention of it from other sysadmins. There are a variety of sites that aggregate comments on traffic from different user-agents to help sysadmins determine the nature of their behaviour, and these are often a good place to start looking. This didn’t turn up anything useful this time, so I checked out open.news directly. At the time it hosted a proper website, and I wish I had taken a snapshot of it with archive.org because the content it displayed at the time is no longer available, and what’s available now seems broken. At least this time I remembered to take an archive.org snapshot.
Anyway, I posted on the Fediverse at the time asking whether anyone knew anything about them, and I quoted some sections of their copy-text, so some of their branding is preserved even if it’s not terribly authoritative as evidence:
does anyone know who’s behind "open.news"?
Open.News is the command center for the decentralized newsverse.
Looks like they’re ingesting people’s fediverse feeds into LLMs and feeding slop to people. I only noticed because it was mostly visiting non-existent or malformed URLs.
We index live conversations across RSS, Bluesky, and Mastodon so you never miss the story behind the story. FeedBrainer’s conversational AI transforms the firehose into a calm, contextual briefing tailored to you.
My Mastodon instance captured the page’s title and description metadata to display in that post’s preview card:
Open.News × FeedBrainer
Open.News is the decentralized social news index powered by FeedBrainer AI.
I didn’t find much about the FeedBrainer that they mentioned, but I did find feedbrain.ai. Archive.org failed to preserve a working snapshot (see this broken snapshot if you like), but there is a somewhat more useful version on archive.ph.
Feedbrain – AI-Powered News, Made Simple
Browse, filter and tag cybersecurity news, politics, financial markets, technology, and more in a sleek, modern interface — powered by automatic summaries, real-time fact-checking, and smart classification.
Feedbrain’s terms of service (archive) and privacy policy (archive) indicate that they are based in Dubai, and operated by Feedbrain FZ-LLC.
Open.news and Feedbrain obviously shared the same theme of "AI-powered news", and the reference to "FeedBrainer’s Conversational AI" suggested a relationship between the two orgs, but I couldn’t find any more obvious leads at the time aside from these superficial links. From what I recall I hadn’t finished drinking my first coffee of the day yet, and I hadn’t planned to spend any time that day going off on this weird tangent, so I abandoned the investigation at the time.
The most recent lead
I received an email from one of my monitoring scripts on December 1st about some more weird behaviour completely unrelated to open.news. A network of scrapers had taken interest in a "tarpit" that I had set up to dynamically serve pages of random links to more such pages, ad nauseam. I thought it was kind of funny, so I posted about it:
There’s a web crawler operating out of a Huawei-owned network in Singapore which has been caught in a very basic tarpit I set up in the last few weeks.
They’re trying really hard to be sneaky, waiting ten seconds between requests, setting a new User-Agent practically every time, and rotating through around 1100 IP addresses - most of which have only been used once so far.
Unfortunately for them the resource they’re trying to crawl is made up of randomly generated links created on demand. They’re the only ones that have found it so far, making it trivial to filter out their traffic from everything else.
Big Elmer Fudd vibes.
I let their crawler keep running because I thought its behaviour was interesting, and I was curious about their method of User-Agent generation and about how many IP addresses they had at their disposal. Even so, I figured others might be interested in blocking them, so I ran a command to gather and sort all their unique IPs and write it to a txt file, which I shared via a followers-only post.

Shortly after sharing that list at a moment when I happened to be actively watching my logs as they streamed by, I noticed a weird request for "/assets/tarpit-ips.txtBasically". I immediately recognized the same pattern as before, with a URL from one of my posts having an adjacent word appended for no discernable reason. Sure enough, the user agent was open.news.
This immediately set off some alarms because I had intentionally shared that link exclusively with my followers, so whatever this crawler was, they evidently had access to privileged information. I figured that the leak could most likely be blamed either on one of my followers directly, or on an instance hosting at least one of those followers with some custom modifications to scrape data exposed to them.
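The pattern in both incidents (a link from a post, requested with the next word of the post glued onto it) can be searched for in access logs. The following is an added example, not one of the monitoring scripts mentioned in this post; it assumes Combined Log Format and a hand-maintained set of paths you have shared (SHARED_PATHS), and the sample log is constructed around the two requests described above.

```python
import re
from collections import defaultdict

# Combined Log Format, as written by default nginx/Apache configurations.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Paths of links you have posted (assumption: you maintain this list yourself).
SHARED_PATHS = {
    "/blog/diversifying-your-search-engine-portfolio/",
    "/assets/tarpit-ips.txt",
}

# Constructed sample log: the paths, IP and User-Agent of the open.news lines
# come from the post; timestamps, sizes and the other clients are made up.
SAMPLE_LOG = """\
178.128.149.93 - - [20/Nov/2025:09:14:02 +0000] "GET /blog/diversifying-your-search-engine-portfolio/tl;dr HTTP/1.1" 404 153 "-" "open.news"
203.0.113.7 - - [20/Nov/2025:09:20:41 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "ExampleBot/1.0"
203.0.113.7 - - [20/Nov/2025:09:20:43 +0000] "GET /blog/diversifying-your-search-engine-portfolio/ HTTP/1.1" 200 9120 "-" "ExampleBot/1.0"
198.51.100.20 - - [21/Nov/2025:11:02:10 +0000] "GET /blog/no-such-post/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
178.128.149.93 - - [01/Dec/2025:16:40:11 +0000] "GET /assets/tarpit-ips.txtBasically HTTP/1.1" 404 153 "-" "open.news"
""".splitlines()


def glued_suffix(path, shared=SHARED_PATHS):
    """Return (shared_path, junk) when path is a shared link plus appended text."""
    matches = [p for p in shared if path.startswith(p) and path != p]
    if not matches:
        return None
    real = max(matches, key=len)          # longest shared prefix wins
    junk = path[len(real):]
    # Query strings, fragments and deeper paths are ordinary navigation.
    if junk[0] in "?#" or "/" in junk:
        return None
    return real, junk


def find_glued_requests(lines):
    """Group 404s for 'shared link + junk' by client; note who read robots.txt."""
    clients = defaultdict(lambda: {"hits": [], "robots": False})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        key = (m["ip"], m["ua"])
        if m["path"] == "/robots.txt":
            clients[key]["robots"] = True
        hit = glued_suffix(m["path"]) if m["status"] == "404" else None
        if hit:
            clients[key]["hits"].append(hit)
    return {k: v for k, v in clients.items() if v["hits"]}


if __name__ == "__main__":
    for (ip, ua), info in find_glued_requests(SAMPLE_LOG).items():
        print(ip, repr(ua), info["hits"], "robots.txt fetched:", info["robots"])
```

A hit on a link that was only ever shared in a followers-only post is the stronger signal, since that path should not be known to anyone outside that audience.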
Anyone who is somewhat familiar with the culture on the Fediverse ought to know that scrapers that behave like this aren’t particularly welcome. @s0@cathode.church even maintains a page chronicling the history of fedi scrapers with a prominent counter indicating how long it’s been since someone had been caught running one. It currently displays the text:
It Has Been 123 Days Since a Techbro Asshole Made a Fedi Scraper/Indexer.
Seriously. Stop fucking doing it.
...but I guess that will get reset to zero soon.
Reinvestigating
Being significantly more caffeinated than the last time I’d looked into open.news, and having just published a blog post in which I wrote about validating bots’ identities with rDNS lookups, I decided to see what that line of investigation would turn up. I started with open.news itself:
$ host open.news
open.news has address 164.90.132.64
open.news mail is handled by 1 aspmx.l.google.com.
open.news mail is handled by 5 alt1.aspmx.l.google.com.
$ host 164.90.132.64
Host 64.132.90.164.in-addr.arpa. not found: 3(NXDOMAIN)
Their mail is handled by Google, they have no PTR record set, and according to IPinfo.io this IP belongs to the DigitalOcean datacenter in Clifton, New Jersey, USA.
Meanwhile, all those malformed requests I was receiving originated from 178.128.149.93.
$ host 178.128.149.93
93.149.128.178.in-addr.arpa domain name pointer readily.news.
$ host readily.news
readily.news has address 178.128.149.93
readily.news mail is handled by 5 alt1.aspmx.l.google.com.
readily.news mail is handled by 10 alt4.aspmx.l.google.com.
readily.news mail is handled by 5 alt2.aspmx.l.google.com.
readily.news mail is handled by 10 alt3.aspmx.l.google.com.
readily.news mail is handled by 1 aspmx.l.google.com.
That IP had a pointer record for readily.news, which was new to me at the time. I tried loading the domain in my browser and found that they indeed had a readily.news website (archived in case this one disappears too). Its mail was also handled by Google, and IPinfo.io indicated it too was hosted by DigitalOcean. The website was different than what I remembered of the other one (which was down by this point), but the overall vibe was clearly the same.

What about Feedbrain.ai?
$ host feedbrain.ai
feedbrain.ai has address 91.134.94.110
feedbrain.ai mail is handled by 1 mx1.mail.ovh.net.
feedbrain.ai mail is handled by 100 mx3.mail.ovh.net.
feedbrain.ai mail is handled by 5 mx2.mail.ovh.net.
$ host 91.134.94.110
110.94.134.91.in-addr.arpa domain name pointer ns3234298.ip-91-134-94.eu.
Mail is handled by OVH.net, and the server is also hosted by OVH (in Lille, Hauts-de-France, France according to IPinfo). The DNS PTR record is seemingly just the default set by OVH as well.
At this point I guessed that FeedBrain was not actually affiliated with open.news, though readily.news was pretty clearly operated by the same people. It seems like these Fediverse-specific summaries might just leverage their model via an API.
Signing up
I was running out of other leads, so I decided to try their sign-up button to see how things worked. Clicking the button on their home page:

...took me to a very simple form prompting me for my "full Mastodon identifier":

I entered gargron@mastodon.social, which caused me to be redirected to the login page on mastodon.social:

Going further than that required an account, so I set up a "burner" there, then cleared my cookies for the site, and restarted from the beginning of the workflow. Finally, I got this screen prompting me to give Readily full read and write access to my Mastodon account, as well as read and write access to Follows, Mutes, and Blocks.

So now I at least had a general idea of how they were getting their information. At least one of my followers must have authorized this access, allowing Readily to view my followers-only post. I assume they only provide summaries of your particular timeline in the daily newsletters they send out. However, through the various accounts they’ve effectively compromised they must have access to a great deal of information which they could explore in aggregate at their discretion.
Who runs Readily.news?
Archive.org has numerous snapshots of the open.news site, though apparently none of these include the version which I originally saw. The earliest version dates back to August 9th, 2018. It’s a simple page which describes the site as:
An independent, free and open CDN for distributed content
Just below that, the page’s footer has some information about the operator:
Launched by Matt Terenzio during the blizzard of 2016. Contact me at matt@journalab.com.
I had already done a web search for "readily.news" which had turned up Matt Terenzio’s mastodon.social profile (@librenews@mastodon.social):

That profile includes several links. First there is feeds.social:
IP address: 104.200.22.214
Hosted in Richardson, Texas, US according to IPinfo
Mentions geo.feeds.social, which is hosted by DigitalOcean in New Jersey, which fits the general pattern of both open.news and readily.news in terms of hosting, in addition to its apparent purpose of aggregating geographically local posts.
Then there’s a mention of readily.news, albeit with no mention of him as its operator. Then a mention of his role at a news-adjacent org called subtext:
Director of Engineering at Subtext. I’ve been a CMS developer for over twenty years, mostly for newsrooms
I mentioned this account in a post on the Fediverse last night to get confirmation of Matt’s involvement:
Hi @librenews
I see a link to https://readily.news in your bio. Are you affiliated with the project?
...but I haven’t yet heard anything back. That said, there certainly seems to be a lot of evidence to suggest that he’s the operator of the scraper I’ve been chasing. He’s much more active on Bluesky where he posts about a number of topics adjacent to news and AI:
...and this post apparently defending vibe-coding?
His name also appeared in this page of a Fediforum session from March 2023 on the topic of Discovery and the Fediverse (algos, curation, interfaces). I get bad vibes from some of the discussion there, but I’ll let readers make of it what they will.
I also stumbled across this somewhat outdated version of open.news on archive.org which shows the current version of readily.news, in case there weren’t enough hints of these projects being affiliated.

Then there’s Matt Terenzio’s open-news repo on GitHub which he describes as an advanced social news aggregation platform built on top of Bluesky. There’s no mention of the Fediverse, but it does mention that it features:
AI-Powered Facts: Extracts facts from articles with OpenAI embeddings
If he’s using the same back-end to ingest Fediverse content then I suppose my followers-only posts might have been handed over to OpenAI.
Personally I think this is enough information to go off of, but I’d still like to hear back from Matt regarding whether he really is behind the project and what could have possibly led him to think this was socially acceptable.
What we can do
When I posted about this, a few people asked if there was anything that could be done to block this crawler. Unfortunately, because they are accessing content on the Fediverse using Mastodon’s client protocol rather than through ActivityPub itself, the normal methods of blocking Federation via a local instance’s admin panel won’t work. I don’t expect IP-blocking methods will make any difference either, though you could probably block some of those follow-up requests for malformed URLs that I was seeing.
Instances that are currently hosting a compromised account might be able to gain direct evidence of what Readily.news does with its access to the accounts they host. It might be possible to run some database query which checks the apps to which their users delegated permissions, blocking those which identify themselves as Readily.
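One shape such a query could take, as an added example rather than anything tested against a live instance: it runs against an in-memory SQLite stand-in whose reduced schema is modelled on the Doorkeeper OAuth tables that Mastodon uses. The table and column names should be checked against your own database, and the application name "Readily" and all rows are constructed, since the name the service actually registers under is not known here.

```python
import sqlite3

# Reduced schema modelled on the Doorkeeper OAuth tables Mastodon uses
# (assumption: verify table and column names against your own database).
SCHEMA = """
CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, account_id INTEGER);
CREATE TABLE oauth_applications (id INTEGER PRIMARY KEY, name TEXT, website TEXT);
CREATE TABLE oauth_access_tokens (
    id INTEGER PRIMARY KEY, application_id INTEGER, resource_owner_id INTEGER,
    scopes TEXT, created_at TEXT, last_used_at TEXT, revoked_at TEXT);
"""

# Unrevoked grants to apps whose self-reported name or website contains the
# search term. Both fields are chosen by the client, so a match is a lead and
# the absence of one proves nothing.
AUDIT_SQL = """
SELECT a.username, app.name, t.scopes, t.created_at, t.last_used_at
FROM oauth_access_tokens AS t
JOIN oauth_applications AS app ON app.id = t.application_id
JOIN users AS u ON u.id = t.resource_owner_id
JOIN accounts AS a ON a.id = u.account_id
WHERE t.revoked_at IS NULL
  AND (LOWER(app.name) LIKE :pat OR LOWER(COALESCE(app.website, '')) LIKE :pat)
ORDER BY a.username
"""


def live_grants(conn, term):
    """Return (username, app, scopes, created_at, last_used_at) for live grants."""
    return conn.execute(AUDIT_SQL, {"pat": f"%{term.lower()}%"}).fetchall()


def sample_db():
    """Constructed data: three local users, two apps, one already-revoked grant."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(10, 1), (20, 2), (30, 3)])
    conn.executemany("INSERT INTO oauth_applications VALUES (?, ?, ?)",
                     [(1, "Readily", "https://readily.news"),   # name is a guess
                      (2, "Example Mobile Client", None)])
    conn.executemany(
        "INSERT INTO oauth_access_tokens VALUES (?, ?, ?, ?, ?, ?, ?)",
        [(1, 1, 10, "read write follow", "2025-11-18", "2025-12-01", None),
         (2, 1, 20, "read write follow", "2025-11-19", "2025-11-25", "2025-12-02"),
         (3, 2, 30, "read write", "2025-10-02", "2025-12-02", None)])
    return conn


if __name__ == "__main__":
    for row in live_grants(sample_db(), "readily"):
        print(row)
```

The scopes and last-used columns are what tell an admin how much each grant exposes and whether it is still being exercised.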
Remote instances like mine which have had their data scraped have very little recourse, because as far as they are concerned they only handed data over to the servers hosting their followers. They have no visibility into what happens with that data once those servers have it, and it’s at that point where Readily would access it.
Readily frames this as a positive feature on their home page:
Instance friendly
We don’t crawl instances, but rely on authenticated user timelines to get relevant news
I find this particular spin on things pretty interesting. Many people who object to scraping do so on the basis that they want control over who has access to particular content that they publish. The way they present it seems to focus on the mechanism of how it was collected, as though it’s fine to repurpose content without permission as long as they don’t make a direct HTTP request. Effectively parasitizing another instance which hosts a follower’s account somehow makes it fine? It’s certainly a very creative interpretation of how consent might work.
Oh, and concerning those requests that did go directly to my server, the open.news agent never once requested my server’s robots.txt file.
Why don’t we evaluate some of their other claims while we’re at it:
Daily News Digest - Sign on with your Mastodon account, and we’ll start gathering your news and deliver it in a daily newsletter.
In my opinion it says a lot that they’ve omitted any mention of FeedBrain or AI at all, this time. They don’t explicitly mention how they gather news for you, so I suppose they just expect people to infer that they’re using their accounts to do so.
I can definitely see how non-technical users might look at this website and think that it would be fine. Maybe they sign up for newsletters all the time, and this might seem like another which just happens to integrate with the Fediverse somehow. It definitely feels like it’s capitalizing on people’s limited understanding of how federation works.
Privacy friendly - No tracking, selling or sharing of your email or data!
This seems particularly misleading. First, the service gains complete access to your Fediverse account. That would seem to include direct messages. Then it’s taking that data and maybe handing it over to OpenAI through one of their APIs? Or if not them then presumably some other LLM API provider?
The site doesn’t present a privacy policy anywhere, nor does it even mention who operates it.
Actually signing up for readily.news
In the end I gave readily permission to access that throwaway account I’d made on mastodon.social. I was curious how it would work, and if I’d learn anything more about the service by going further in the signup process.
I was prompted to provide an email address:

After which I received an email with a link to verify myself.

...but clicking that link just took me back to the same page which asked me to verify my email. Honestly, that’s about what I’d expect from a platform made by someone who actively defends vibe-coding.
I haven’t yet received any other mails. I don’t know if that’s because the verification link never actually worked, or because the Mastodon account with which I authenticated doesn’t actually follow anyone. In any case, that email came with a valid DKIM signature from readily-news.20230601.gappssmtp.com, in case anyone sees some value in digging into their email setup.
What to do about all this?
Again, unless you operate an instance which could possibly host one of the accounts that have been compromised by a platform that could arguably be labeled as malware, there is not much to do. If you have a Mastodon account and want to double-check whether you signed up for readily.news and forgot about it, you can do so through your Mastodon settings, under the account heading, then under Authorized apps.
I definitely recommend revoking any that explicitly mention Readily, but it’s not a bad idea to disable any others that you don’t recognize. Mastodon should say when each application was authorized, as well as when it was last active.

Conclusion
The information presented above is nearly everything I know about the matter. I’ve omitted some other details about Matt Terenzio’s other social accounts which I found, but those should be relatively easy to find if anyone else wants to try reaching him about this. If it turns out I’m wrong about his involvement I’ll update this article to indicate as much, but what I’ve seen has left me with little doubt.
I hope the service gets deactivated as a result of this becoming more widely acknowledged, but I don’t imagine this will be the last such Fediverse scraper. We can only hope that the next interval of relative peace is longer than 123 days.