The long story short with the Mastodon spam woes this weekend is it’s a deliberate attack exploiting Fediverse and Mastodon issues.
They’re using Tor exit nodes and everything is automated. I think they can just keep running it, as there is no barrier to stop them.
To keep it in perspective, though, I don’t think it’s a big deal at present. People should just ignore it.
There are a bunch of technical issues it highlights, namely that the Fediverse is very open to abuse at present. There’s no spam filtering at all. It’s like email from 1996. It’s wide open to abuse.
IMHO Mastodon admins should enable CAPTCHA for registration - it’s supported out of the box - if they run open sign-ups.
Ideally Mastodon would add easy-to-install third-party plugins (à la WordPress etc.) so people could develop optional plugins for anti-spam and anti-malware.
Here are my personal thoughts about how we could handle Trust & Safety features in Mastodon software. This is based on my own experience in the field, my current knowledge of the source code and architecture, as well as my experience managing infrastructure for mastodon.social & mastodon.online since December 2022.

Context

Managing a Mastodon instance is hard work, with the most effort going to moderation and abuse, and not technical operations as one might expect. This includes:
The pluggable/modular idea is a very nice design that will be quite helpful.
However, please, whatever you do, include an account reputation/lifecycle part in the telemetry. Long-term nothing else will work: IP/email, even phone number, are too low-level and easily obtainable by bad actors.
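As an added illustration of the account lifecycle idea raised above (this is constructed example code, not Mastodon's code or the commenter's; the event kinds, weights, thresholds and the two sample histories are all assumptions), a scorer that accrues trust from an account's behaviour over time and treats cheap identity signals such as a verified email as worth very little:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class AccountEvent:
    kind: str           # "signup", "email_verified", "post", "follow_back", "report"
    at: datetime
    mentions: int = 0   # distinct accounts mentioned (only meaningful for "post")

def reputation(events: list[AccountEvent], now: datetime) -> float:
    """Score an account from its lifecycle. Identity signals are deliberately
    low-weight because an attacker can obtain fresh ones at will; behaviour
    accumulated over time is what separates a real user from an automated one."""
    signup = min(e.at for e in events if e.kind == "signup")
    age_days = (now - signup).total_seconds() / 86400
    score = min(age_days, 30) * 0.1      # trust accrues slowly, capped at 3.0
    for e in events:
        if e.kind == "email_verified":
            score += 0.2                  # cheap to obtain, so worth little
        elif e.kind == "follow_back":
            score += 0.5                  # another account chose to engage
        elif e.kind == "report":
            score -= 2.0                  # reports from users/moderators weigh heavily
        elif e.kind == "post":
            if e.mentions >= 5:           # mass-mention posts are the spam pattern seen
                score -= 0.5
            if e.at - signup < timedelta(hours=1):
                score -= 0.1              # posting within minutes of signup
    return round(score, 2)

def should_rate_limit(events: list[AccountEvent], now: datetime, threshold: float = 0.0) -> bool:
    """Defender-side decision: throttle delivery for accounts below the threshold."""
    return reputation(events, now) < threshold

# Constructed histories (assumptions): an automated signup that immediately
# mass-mentions, versus an account with two months of ordinary activity.
def spam_bot_history(now: datetime) -> list[AccountEvent]:
    t0 = now - timedelta(minutes=10)
    events = [AccountEvent("signup", t0), AccountEvent("email_verified", t0 + timedelta(minutes=1))]
    events += [AccountEvent("post", t0 + timedelta(minutes=2 + i), mentions=8) for i in range(10)]
    return events

def established_history(now: datetime) -> list[AccountEvent]:
    t0 = now - timedelta(days=60)
    events = [AccountEvent("signup", t0), AccountEvent("email_verified", t0 + timedelta(hours=1))]
    events += [AccountEvent("follow_back", t0 + timedelta(days=d)) for d in (2, 5, 9)]
    events += [AccountEvent("post", t0 + timedelta(days=d), mentions=1) for d in (3, 10, 20, 40, 55)]
    return events
```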