Mastodawn

PSA: Many Lemmy instances are currently experiencing massive automated sign-ups (bots)! If you run an instance with open sign-ups, please read!

https://lemm.ee/post/177673

PSA: Many Lemmy instances are currently experiencing massive automated sign-ups (bots)! If you run an instance with open sign-ups, please read! - lemm.ee

Today, a bunch of new instances appeared in the top of the user count list [https://lemmy.fediverse.observer/list]. It appears that these instances are all being bombarded by bot sign-ups. For now, it seems that the bots are especially targeting instances that have: * Open sign-ups * No captcha * No e-mail verification I have put together a spreadsheet of some of the most suspicious cases here [https://docs.google.com/spreadsheets/d/e/2PACX-1vRthB7RtY4Rr0t5fhVKaliJnwSmptMc5oJi7uha_OBcF4wpu4eElxAxNzaCqjlq6NsOE9GpgSnMzZ2x/pubhtml]. If this is affecting you, I would highly recommend considering one of the following options: 1) Close sign-ups entirely 2) Only allow sign-ups with applications 3) Enable e-mail verification + captcha for sign-ups Additionally, I would recommend pre-emptively banning as many bot accounts as possible, before they start posting spam! Please comment below if you have any questions or anything useful to add. ----- ## Update: on lemm.ee [http://lemm.ee], I have defederated the most suspicious spambot-infested instances. To clarify: this means small instances with an unnaturally fast explosion in user counts over the past day and very little organic activity. I plan to federate again if any of these instances get cleaned up. I have heard that other instances are planning (or already doing) this as well. It’s not a decision I took lightly, but I think protecting users from spam is a very important task for admins. Full info here: https://lemm.ee/post/197715 [https://lemm.ee/post/197715] If you’re an admin of an instance that’s defederated from lemm.ee [http://lemm.ee] but wish to DM me, you can find me on Matrix: @sunaurus:matrix.org

poVoq Jun 20, 2023

This should be probably pinned.

zShxck Jun 20, 2023

Agree

db0 Jun 20, 2023

Yep, I noticed that as well: https://lemmy.dbzer0.com/post/87761

lixus98 Jun 20, 2023

Are you already defederating from suspicious instances? If not, What are you planning to do?

db0 Jun 20, 2023

I am and I've already started work on https://github.com/db0/lemmy-overseer

SysAdmin Jun 21, 2023

FYI, startrek.website has purged the bot accounts and enabled CAPTCHA. Just letting you know because they were showing up on your list.

db0 Jun 21, 2023

Good to hear. once fediverse observer updates your usercount, this should clear itself out. Let me know if this is not the case soon

Wander Jun 20, 2023

99% of fedi instances should require sign-ups with applications and email. It does not make sense to let in users indiscriminately unless you have a 24h staff in charge of moderation.

db0 Jun 20, 2023

We're trying to capture the reddit refugees as well. It's a fine-line to walk.

ඞmir Jun 20, 2023

Email + Captcha should be doable right?

db0 Jun 20, 2023

yes, that's the bare minimum until we get better toolset

badbrainstorm Jun 20, 2023

I'm noobish, but could they be defederated until they get their act together before they spam everybody?

sunaurus Jun 20, 2023

Yes, and I believe some instances are already doing this

Lvxferre Jun 20, 2023

This might be related but I've noticed that someone is [likely automatically] following my posts and downvoting them. Kind of funny in a 'verse without karma.

Galloog1 Jun 20, 2023

Karma may mean nothing but the information space is a strategic domain.

bread Jun 20, 2023

Maybe this is what's implied or I'm just being silly; What is to stop a bad actor spinning up a Lemmy instance, creating a bunch of bot accounts with no restrictions, and spamming other instances? Would the only route of action be for the non spam instances to individually defederate the spam ones? Seems like that would be a bit of a cat and mouse situation. I'm not too familiar with the inner workings and tools that Lemmy has that would be useful in this situation

PriorProject Jun 20, 2023

They can do this, and it is cat and mouse. But...

It generally costs money to stand up an instance. It often requires a credit-card, which reduces anonymity. This will dissuade many folks.

A malicious instance can be defederated, so it might not be all that useful.

People can contact the security team at the host providing infra/internet to the spammer. Reputable hosts will kill the account of a spammer, which again is harder to duplicate if the host requires payment and identity info.

Malicious hosts that fail to address repeated abuse reports can be ip-blocked.

Eventually Lemmy features can be built to protect against this kind of thing by delaying federation, requiring admin approval, or shadow -banning them during a trial period.

Email has shown us that there's a playbook that kind of works here, but it's not easy or pleasant.

katie Jun 21, 2023

I've been thinking about this as well. As a user of a private instance, I would be absolutely fine with a "federation application" much like user registration is currently.

rm_dash_r_star Jun 21, 2023

Eventually Lemmy features can be built to protect against this kind of thing by delaying federation, requiring admin approval, or shadow -banning them during a trial period.

That sounds like the best way to handle it.

xavier666 Jun 20, 2023

CAPTCHA is the bare minimum. Who the hell turns it off?

sunaurus Jun 20, 2023

There is an argument to be made that captchas can be automatically bypassed with some effort.

OTOH, the current wave of bots is quite clearly favoring instances with captcha disabled, so clearly it's acting as at least a small deterrent.

getBoolean Jun 20, 2023

captchas block script kiddies at the very least

noodlejetski Jun 20, 2023

there's a browser addon that lets you solve Recaptcha with one click:
https://addons.mozilla.org/en-US/firefox/addon/buster-captcha-solver/

it automatically switches to the alternative accessibility option, which is based on typing in words that you hear, and uses speech recognition software to solve it. I'm fairly sure it could be automated quite easily.

Buster: Captcha Solver for Humans – Get this Extension for 🦊 Firefox (en-US)

Download Buster: Captcha Solver for Humans for Firefox. Save time by asking Buster to solve CAPTCHAs for you.

etrotta Jun 20, 2023

Still way better than nothing at all

PaintedSnail Jun 20, 2023

Sometimes, security just means not being the low-hanging fruit.

d4rknusw1ld Jun 20, 2023

Sounds like a spez sponsored attack on Lemmy.

YMS Jun 20, 2023

Or just the unavoidable spam bot accounts coming as long as it's easy and the instance operators being still unprepared.

couragethebravedog Jun 20, 2023

I highly doubt spez did this. Reddit is currently doing fine. Even if it all goes away he's sitting on over a decade of genuine human conversations he can sell to AI companies and make millions. He isn't worried.

TWeaK Jun 20, 2023

Steve Huffman doesn't do anything, he's a greedy little pigboy who profits off of the creation of his dead "friend". He claims ownership of your ideas, for reddit's exclusive profit, at no benefit (if anything, at penalty) to yourself.

However it would be naive to assume that he hasn't directed at least some shade towards reddit. Almost as naive as to think that Google doesn't create bots to target websites that don't use their own captcha services.

PSA: When "proving you're human", always try to poison the data. They're using your input to train visual AI, without paying you for your efforts. With Google, they will typically put the training up front - there will be one or two images that a bot isn't sure about. If you give the unexpected response, the next test will be one that the machine knows, to check that you're a human who knows what they're talking about. With hcaptcha or some others, they might put the obvious one first, then check your guesses are human after.

The services will determine that you're human by other means anyway (eg mouse movements) and eventually let you through, but by giving them the wrong answer when they don't know but the right answer when they do, you can make their AI less effective.

They should be paying you for your input into their commercial enterprise, so fuck them.

db0 Jun 20, 2023

Here we go: https://overseer.dbzer0.com/

API doc: https://overseer.dbzer0.com/api/

curl -X 'GET' \
  'https://overseer.dbzer0.com/api/v1/instances' \
  -H 'accept: application/json'

Will spit out suspicious instances based on fediverse.observer . You can adjust the threshold to your own preference.

sunaurus Jun 20, 2023

Nice! Would be cool if you could also include current statuses of captchas, emails, and application requirements.

db0 Jun 20, 2023

Tell me how to fetch them and it will. ;)

sunaurus Jun 20, 2023

I think the easiest option is to just iterate through the list of suspicious instances, and then check {instance_url}/api/v3/site for each of them. Relevant keys of the response json are site_view.local_site.captcha_enabled, site_view.local_site.registration_mode, and site_view.local_site.require_email_verification.

Since it's a bunch of separate requests, probably it makes sense to do these in parallel and probably also to cache the results at least for a while.

db0 Jun 20, 2023

It occurs to me that this kind of thing is better left to observer, as it's set up to poll instances and gather data. I would suggest you ask them to ingest and expose this data as well

ikiru Jun 20, 2023

I'm sure it's different per instance, but is there any discussion on what is being done with the collected emails?

I understand the need to fight bots and spam, but there are also those of us who don't want to associate emails with accounts so some privacy-related way of handling this would be appreciated.

db0 Jun 20, 2023

there's plenty of services that provide one-use emails or disposable ones

ikiru Jun 20, 2023

True, I use one myself.

That's a cool instance you're running over there, by the way! I appreciate it.

Zamboniman Jun 20, 2023

Today, a bunch of new instances appeared in the top of the user count list. It appears that these instances are all being bombarded by bot sign-ups.

Yup, I noticed this as well.

Hopefully the mods of the instances will notice this and remove these accounts quickly! Despite this, I think the mods of all instances, and of all communities, had better brace themselves for incoming spam and hate speech.

rm_dash_r_star Jun 20, 2023

I know from talking to admins when pbpBB was really popular that fighting spammers and unsavory bots was the big workload in running a forum. I'd expect the same for Fediverse instances. I hope a system can be worked out to make it manageable.

As a user I don't have a big problem with mechanisms like applications for the sake of spam control. It's hugely more convenient when an account can be created instantaneously, but I understand the need.

I do wonder how the fediverse is going to deal with self-hosting bad actors. I would think some kind of vetting process for federation would need to exist. I suppose you could rely on each admin to deal with that locally, but that does not sound like an efficient or particularly effective solution.

freeskier Jun 20, 2023

Looks like my instance got hit with a bot. I had email verification enabled but had missed turning on captcha. The bot used fake emails so none of the accounts are verified, but still goes towards account numbers. Is there really any good way to clean this up? Need a way to purge unverified accounts or something.

sunaurus Jun 21, 2023

How comfortable are you with SQL? You can see all unused verifications in the email_verification table. You should be able to just delete those users from local_user, and then update your user count with the new count of the local_user table in site_aggregates.user (where site_id = 1)

TWeaK Jun 20, 2023

Every time I see that moustache I know to pay attention!

db0 Jun 21, 2023

First Anti-spam service ready: https://lemmy.dbzer0.com/post/95652

Fredselfish Jun 21, 2023

One thing I like about lemmy was having to put in an application and waiting for approval. I knew I was vetted and others here were too.

Figure that alone could keep out most of the trolls and definitely the bots.

SysAdmin Jun 21, 2023

Thanks for the heads up, StarTrek.website has enabled CAPTCHA and purged the bots from our database.

SpaceCowboy Jun 25, 2023

Starfleet takes changeling infiltrations seriously :P