Free · Local · No tracking

Clean DMs on X.
Without blocking real people.

OnlyFans bots have taken over the Message Requests folder. OF Block blurs them in place — keeping the few real DMs that mattered visible. Everything runs in your browser.

Loads unpacked · ~21 KB zipped · Open source · No tracking


How it spots a bot

A handful of signals catches almost everything. No ML model, no third-party API.

1. Numeric handle suffix

Real users almost never keep the auto-generated digits. Bots almost always do.

Example: @MJoy90602786

2. Display name ↔ handle mismatch

Recycled accounts: the operator changes the avatar and display name but can't change the @handle.

Example: Julia 🍓 → @OwenMorris74275

3. Templated openers

"Are you alone right now?", "wanna go on a date?", "I'm lying in bed bored…" — pulled directly from observed bot scripts.

Example: "Want more personal photos?"

4. Placeholder leaks (instant flag)

When the bot forgets to substitute its template variable, it's a dead giveaway.

Example: "Hey, [Name], wanna go on a date? 😭"

5. Bio + link inspection

For borderline cases, OF Block checks the sender's bio and URL — looking for onlyfans / fansly / linktr.ee / beacons. Cached for 7 days.

Example: linktr.ee / fansly.com / onlyfans.com

Mutuals override

"Followed by … you follow" always wins. Real connections are never filtered.

Example: Followed by adah, Maisha, and 16 others
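A sketch of how signals like these can be combined into a score with a mutuals override, added here as an illustration and not taken from OF Block's source. The weights, the threshold of 3, the regexes, the beacons.ai host and the row field names (handle, displayName, preview, bioLinks, mutuals) are assumptions.

```javascript
// Illustrative scorer for the signals above. NOT the extension's code:
// weights, threshold, regexes and field names are assumptions for this sketch.
const OPENERS = [/are you alone right now/i, /wanna go on a date/i,
  /lying in bed bored/i, /want more personal photos/i]; // phrases quoted on this page
const LINK_HOSTS = ["onlyfans.com", "fansly.com", "linktr.ee", "beacons.ai"]; // beacons.ai assumed
const PLACEHOLDER = /\[(name|user(name)?|first ?name)\]|\{\{\s*\w+\s*\}\}/i;

// Letters-only, lower-cased form, so "Julia 🍓" compares as "julia".
const alpha = (s) => s.normalize("NFKD").toLowerCase().replace(/[^a-z]/g, "");

function nameMatchesHandle(displayName, handle) {
  const h = alpha(handle);
  // Any display-name word of 3+ letters found in the handle counts as a match.
  return displayName.split(/\s+/).map(alpha)
    .some((w) => w.length >= 3 && h.includes(w));
}

function hostIn(url) {
  try {
    const host = new URL(url).hostname.replace(/^www\./, "");
    return LINK_HOSTS.some((d) => host === d || host.endsWith("." + d));
  } catch { return false; } // unparsable bio text is not a link hit
}

function scoreSender(row, threshold = 3) {
  // Mutuals override: a "Followed by ... you follow" row is never filtered.
  if (row.mutuals > 0) return { score: 0, signals: ["mutuals-override"], filtered: false };
  const signals = []; let score = 0;
  const hit = (name, weight) => { signals.push(name); score += weight; };
  if (/\d{5,}$/.test(row.handle)) hit("numeric-suffix", 2);
  if (!nameMatchesHandle(row.displayName, row.handle)) hit("name-handle-mismatch", 1);
  if (OPENERS.some((re) => re.test(row.preview))) hit("templated-opener", 2);
  if (PLACEHOLDER.test(row.preview)) hit("placeholder-leak", 10); // instant flag
  // The page runs the bio check only for borderline cases; here it runs whenever bioLinks is given.
  if ((row.bioLinks || []).some(hostIn)) hit("bio-link", 3);
  return { score, signals, filtered: score >= threshold };
}

// Constructed sample rows, modelled on the examples shown on this page.
const SAMPLE_ROWS = [
  { handle: "MJoy90602786", displayName: "M Joy", preview: "Want more personal photos?", mutuals: 0 },
  { handle: "OwenMorris74275", displayName: "Julia 🍓", preview: "Hey, [Name], wanna go on a date? 😭", mutuals: 0 },
  { handle: "jsmith", displayName: "Jane Smith", preview: "Loved your talk, can I ask a question?", mutuals: 0 },
  { handle: "Pat83920114", displayName: "Pat", preview: "Are you alone right now?", mutuals: 18 },
];
```

The fourth row trips two signals but stays visible because the mutuals check returns before any scoring, which is the ordering that keeps real connections from being filtered.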

What permissions does it ask for?

The shortest possible list. Here's everything, and why.

storage

So it remembers your settings (toggle, sensitivity, allowlist) and caches the bot-detection result for each sender — no need to re-check the same person on every page load.

Stays on your device. Syncs only across your own signed-in Chrome profiles.

webRequest

Read-only access to the auth headers your X tab is already sending, so the extension can use your existing X session to peek at sender bios for borderline cases.

Does not intercept, redirect, or block any request. Headers are stored in session-only storage and cleared when you close the browser.

x.com / twitter.com only

Runs only on X. The extension cannot read or modify any other website you visit — Chrome enforces this, not us.

Active only on /messages/* routes; everywhere else on X, the script returns immediately.

What it does not have access to

  • Your other browser tabs (no tabs permission)
  • Bookmarks, history, downloads
  • Cookies on any site other than x.com
  • Clipboard, geolocation, mic, camera
  • Any third-party server (no telemetry, no analytics)
  • Your DM contents — only the row metadata visible in the inbox list

Audit it yourself. ~21 KB zipped, ~2,900 lines of plain JavaScript. No build step, no minification, no obfuscation. Every file is readable as-is.
View source on GitHub →
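One way to start that audit is to compare the unpacked folder's manifest.json with the access listed above. This is an added helper, not part of OF Block; the two sample manifests are constructed for the demo, and treating subdomains of x.com and twitter.com as in scope is an assumption.

```javascript
// Added audit helper, not part of OF Block. It compares an extension
// manifest with the access this page says is requested.
const CLAIMED_PERMISSIONS = new Set(["storage", "webRequest"]);
const CLAIMED_HOSTS = new Set(["x.com", "twitter.com"]);

// Host of a match pattern such as "https://*.x.com/*"; null for broad
// patterns like "<all_urls>" or "*://*/*".
function patternHost(pattern) {
  const m = /^(?:\*|https?|wss?):\/\/([^/]+)\//.exec(pattern);
  if (!m || m[1] === "*") return null;
  return m[1].replace(/^\*\./, ""); // assumption: subdomains count as the same site
}

function checkHost(pattern, where, findings) {
  const host = patternHost(pattern);
  if (host === null || !CLAIMED_HOSTS.has(host))
    findings.push(`unexpected host in ${where}: ${pattern}`);
}

function auditManifest(manifest) {
  const findings = [];
  const perms = [...(manifest.permissions || []), ...(manifest.optional_permissions || [])];
  for (const p of perms) {
    // Manifest V2 lists host patterns inside "permissions".
    if (p.includes("://") || p === "<all_urls>") checkHost(p, "permissions", findings);
    else if (!CLAIMED_PERMISSIONS.has(p)) findings.push(`unexpected permission: ${p}`);
  }
  for (const h of manifest.host_permissions || []) checkHost(h, "host_permissions", findings);
  for (const cs of manifest.content_scripts || [])
    for (const m of cs.matches || []) checkHost(m, "content_scripts", findings);
  return findings; // empty array: nothing beyond what the page lists
}

// Constructed manifests for the demo; the real one is in the of-block folder.
const MATCHES_CLAIMS = {
  manifest_version: 3,
  permissions: ["storage", "webRequest"],
  host_permissions: ["https://x.com/*", "https://twitter.com/*"],
  content_scripts: [{ matches: ["https://x.com/*", "https://twitter.com/*"], js: ["content.js"] }],
};
const OVERREACHING = {
  manifest_version: 3,
  permissions: ["storage", "webRequest", "tabs", "cookies"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["https://*.x.com/*"], js: ["content.js"] }],
};
```

To check a real download, pass the parsed manifest.json from the unzipped folder to auditManifest and read any findings before clicking "Load unpacked".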

Install in 30 seconds

It's not on the Chrome Web Store yet. Load it as an unpacked extension — same way developer tools are.

  1. Download the zip

     ~12 KB. No bundler, no dependencies — just plain JS.

     ⬇ of-block.zip

  2. Unzip it

     Double-click the file. You'll get an of-block folder.

  3. Open chrome://extensions

     Paste that into your address bar. Toggle Developer mode on (top right).

  4. Click "Load unpacked"

     Select the of-block folder you just unzipped.

  5. Open Message Requests

     Visit x.com/messages/requests. Bot rows blur instantly.

FAQ

Will it block real people?

Probably not. The default sensitivity (3/10) is conservative — most legit DMs hit zero or one signals. If something does get filtered, click Always show this sender on the blur overlay to add them to your allowlist permanently.

Does it send my data anywhere?

No. All scoring is local. The only network calls go to x.com's own GraphQL — the same calls your X tab already makes — using your existing session cookies. There is no third-party server, no analytics, no telemetry.

Why does Chrome warn "Read and change all your data on x.com"?

That's Chrome's standard wording for any extension allowed to run on a site — dark-mode toggles, password managers, grammar checkers, all of them get the same dialog. OF Block only modifies DM list rows on /messages/*; it doesn't read your tweets, send messages, or do anything outside that page. The source is public — every file is plain JavaScript and the manifest declares exactly what's requested.

Why isn't this on the Chrome Web Store?

Listing fee + review queue. The unpacked install works exactly the same and updates whenever you replace the folder. If demand picks up I'll publish it.

What does it do to the rows it filters?

They stay in your inbox — just blurred and collapsed to ~64 px with a Show button. Nothing is deleted, marked read, or reported. You can reveal anything anytime.

What if X changes their layout?

The popup will show a "couldn't detect any DM rows" banner. The extension is designed so the row selectors live in one file (content/constants.js) — usually a one-line fix.

Does it work on twitter.com / Brave / Edge?

Yes. twitter.com redirects to x.com but the extension matches both. Any Chromium-based browser with unpacked extension support works (Chrome, Brave, Edge, Arc, Opera).

Take your DMs back.
