PSA: It looks like mastodon.social implemented hCAPTCHA on their signups yesterday.

So, if you have limited / suspended mastodon.social because of the spam issue, you may wish to reconsider this.

This will also likely mean that spammers will move to different instances (already seeing them targeting mastodon.world).

You may wish to consider implementing hCAPTCHA yourself to protect your own instance, and here is the relevant PR:

https://github.com/mastodon/mastodon/pull/25019

The reason I'm suggesting this is that if you are a small/medium instance with open registrations, and spammers find and abuse your instance, I imagine that other instances will limit/suspend your instance without hesitation, given how willing some were to limit/suspend the much larger mastodon.social.

But do note this comment on the PR:

“To give some context to people seeing this: this is an emergency feature backport from Glitch SOC to help mitigating an ongoing spam wave, this feature may not make it in a next release, or with significative changes.”

#MastoAdmin #FediAdmin #fediblock

Edited to add: multiple people have rightly commented on the accessibility concerns with hCaptcha: hCaptcha is really really really bad for blind and visually impaired people.

Please have a look at this excellent reply for more details:

https://dragonscave.space/@Mayana/110383119877022255

Add optional hCaptcha support by ClearlyClaire · Pull Request #25019 · mastodon/mastodon

Add optional hCaptcha support based on glitch-soc#1665 and glitch-soc#1667, largely rewriting prior work at glitch-soc#1323 Whenever the environment variables HCAPTCHA_SECRET_KEY and HCAPTCHA_SITE_...

@michael "You may wish to consider implementing hCAPTCHA yourself to protect your own instance,"
Please note that if you do this, it will prevent many blind people from signing up onto your instance. hCAPTCHA does not have an audio version; instead, if you cannot complete the visual version for whatever reason, you have to give them your email (!), so they can send you a link to a site for setting an accessibility cookie.
This cookie frequently does not work at all. It has a time limit before you can set it again, so if it fails to set, or if you close the browser and have automatic deletion of cookies enabled, as you should, you'll just have to wait. And of course, it only works within browsers, not applications; Discord is an excellent example of a non-passable captcha.
Enabling application signups is a much more accessible way of avoiding spam. If this is something the admin team cannot handle, it is time for going invite-only.

@Mayana Yes, these are very important points.
I hate all captchas anyway, but they are even worse for blind people, or those with other disabilities.

@michael @Mayana it'd be nice if there was a registration flow that allowed both approval-based signup or a captcha granting immediate approval as equal alternatives available to the user.

@mike @michael Application signups often do much more than just screen for bots. They are a good way of checking if the member would fit within your community. For a while, we even included a password on the about page that anyone applying had to include (though that worked out less than 50% of the time, because it turns out people do not read the rules at all).
Having to write a reason for joining would definitely be much better for those that cannot complete visual captchas than having to give their email to a not-too-trusty company. But I feel like an unfair imbalance is still there. Disabled people have to stand out, have to wait in the queue (likely for longer, because most people won't apply and thus the admins will forget to check) and besides, the other pros of the application signup basically won't be there at all.