The long story short with the Mastodon spam woes this weekend is it’s a deliberate attack exploiting Fediverse and Mastodon issues.
They’re using Tor exit nodes and everything is automated. I think they can just keep running it, as there is no barrier to stop them.
To keep it in perspective, though, I don’t think it’s a big deal at present. People should just ignore it.
There are a bunch of technical issues it highlights, which is that the Fediverse is very open to abuse at present. There’s no spam filtering at all. It’s like email from 1996. It’s wide open to abuse.
IMHO Mastodon admins should enable CAPTCHA for registration - it’s supported out of the box - if they run open sign ups.
Ideally Mastodon would add easy install third party plugins (a la Wordpress etc) so people could develop optional plugins for anti-spam and anti-malware.
Now, it does become a bigger problem if the current spammers publish their source code and more join in.
There are absolutely no effective controls to stop it - it’s still the Wild West here - so the elephant in the room is anybody can flip the table at present.
The good news is much of the anti-spam and anti-phish technology over the years (Real-time Block Lists etc) can be reworked for here. The bad news is that’s a long way off realistically.
Another knock-on impact from the spam run - the pictures of spam in the posts are chewing up disk space if a file system without deduping is used, and there’s extra Sidekiq load (it’s the biggest Saturday ever on cyberplace.social).
Also a bunch of instances have gone to failing in the federation admin page, presumably because smaller instance admins got annoyed and switched them off.
For context on the spam problem, hundreds of Mastodon servers are chucking out thousands of spam messages.
One example instance: https://opensimsocial.com/public/local
It’s all one dude on Discord who has realised they can script spam. Thankfully they haven’t published source code. (And yes, they’re really just trolling a Discord server, lolol).
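The posts above describe the two costs of this run from an admin's side: nothing filters mention-spam on arrival, and duplicate spam images fill disk when the media store does not deduplicate. The script below is an added example, not Mastodon code or anything from this thread, and its log format, domains and thresholds are all constructed for the illustration. It applies a sliding-window burst rule per actor, rolls flagged actors up into an RBL-style per-domain list (the kind of reworked email-era control the thread mentions), and measures how much of the attachment volume is redundant by hash.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not real Mastodon output):
# ISO timestamp, actor, number of accounts mentioned, sha256 prefix of attached image ("-" if none)
SAMPLE_LOG = """\
2024-02-17T10:00:00Z bot1@spamhost.example 11 deadbeef
2024-02-17T10:00:05Z bot1@spamhost.example 12 deadbeef
2024-02-17T10:00:09Z bot1@spamhost.example 10 deadbeef
2024-02-17T10:00:11Z bot2@spamhost.example 14 deadbeef
2024-02-17T10:00:20Z bot2@spamhost.example 13 deadbeef
2024-02-17T10:00:25Z bot2@spamhost.example 12 deadbeef
2024-02-17T10:00:30Z alice@quiet.example 1 -
2024-02-17T10:05:00Z bob@quiet.example 2 cafe0001
2024-02-17T10:10:00Z carol@quiet.example 9 -
2024-02-17T10:12:00Z carol@quiet.example 9 -
2024-02-17T10:14:00Z carol@quiet.example 9 -
2024-02-17T11:00:00Z bob@quiet.example 0 -
"""

WINDOW_SECONDS = 60         # burst window per actor (assumed value)
BURST_STATUSES = 3          # this many high-mention statuses inside the window...
MIN_MENTIONS = 8            # ...each mentioning at least this many accounts
DOMAIN_FLAG_THRESHOLD = 2   # flagged actors before a whole domain is listed


def parse_log(text):
    """Turn the constructed log into (time, actor, mentions, media_hash) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, mentions, media = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, actor, int(mentions), None if media == "-" else media))
    return events


def flag_bursty_actors(events):
    """Sliding window per actor: flag once BURST_STATUSES high-mention statuses land within WINDOW_SECONDS."""
    recent = defaultdict(deque)
    flagged = {}
    for when, actor, mentions, _ in sorted(events, key=lambda e: e[0]):
        if mentions < MIN_MENTIONS:
            continue  # ordinary conversation, never counted
        window = recent[actor]
        window.append(when)
        while (when - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()  # drop statuses that fell out of the window
        if len(window) >= BURST_STATUSES and actor not in flagged:
            flagged[actor] = when
    return flagged


def domain_blocklist(flagged):
    """RBL-style roll-up: domains with DOMAIN_FLAG_THRESHOLD or more flagged actors."""
    per_domain = defaultdict(set)
    for actor in flagged:
        per_domain[actor.split("@", 1)[1]].add(actor)
    return sorted(d for d, actors in per_domain.items() if len(actors) >= DOMAIN_FLAG_THRESHOLD)


def media_dedup_report(events):
    """Attachments seen vs distinct hashes; the gap is what a deduplicating store would not write twice."""
    hashes = [media for _, _, _, media in events if media]
    distinct = len(set(hashes))
    return {"attachments": len(hashes), "distinct": distinct, "redundant": len(hashes) - distinct}


def analyse(text):
    events = parse_log(text)
    flagged = flag_bursty_actors(events)
    return {
        "flagged_actors": sorted(flagged),
        "blocklist": domain_blocklist(flagged),
        "media": media_dedup_report(events),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(SAMPLE_LOG), indent=2))
```

On the sample, the two bots are flagged, their shared domain reaches the listing threshold, and carol is not flagged even though every one of her statuses is high-mention, because two minutes apart they never share a window. A domain list built this way is only a candidate list for an admin to review, which is the same trust model the email RBLs settled on.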
An update on the Fediverse spam issue:
- It’s not just Mastodon.
- Most of the targets receiving the spam use Misskey, and are in Japan.
- Most Mastodon users aren’t being targeted, so aren’t seeing it.
- It is a dispute between two people over a social issue, after asking them about it.
- It is fully automated.
- The spam continues to be sent and probably won’t stop any time soon, these guys need to star in a BL drama and make up.
If anybody wants another hilarious online dispute issue, back in 2016 two teens had a dispute over Minecraft, so one DDoS’d the Minecraft server’s DNS server - that broke Dyn, which took down internet access across the US East Coast as they were such a key supplier.
I had to do a radio show on NPR about that one and the presenter kept asking me if it was Putin — and I was like, no, it’s teenagers. Advanced Persistent Teenagers. The show went on for an hour of me just saying ‘yo the net sucks’.
Mastodon change coming where new servers have open registration disabled by default: https://github.com/mastodon/mastodon/pull/29280
Mastodon team have been all over behind the scenes btw.
Existing servers which have never changed from the defaults will have closed registrations on update. This also adds a short notice instructing admins to set up a moderation team before opening reg...
This is not meant to replace #29280, but supplement it to avoid unmonitored servers keeping open registrations indefinitely. Automatically switch away from open registrations if no user with the pe...
@GossiTheDog nice, that makes a lot of sense!
(though I bet many of those 'asleep at the wheel' instances will probably also be slow to update...)
I thought most of the servers of the current spam wave run outdated software (since they are mostly unmoderated and partly unmaintained), so updates will not hit these servers any time soon or at all.
@GossiTheDog can’t come soon enough!
they should push that out as security fix and back port it. Though I appreciate that that might be a bit unusual…
@GossiTheDog Eeyupp...
Never underestimate the destructive power a bunch of minors with more time and skills than sense have...
They literally topple regimes "for teh lulz"...
@fencepost @GossiTheDog *nods in agreement*
Most can barely read a manpage and #Skiddie their way through shite...
@GossiTheDog had a recent small-scale issue just like that, two teens had a falling out and one of them just started spamming almost all internet-connected Minecraft servers with fake login/error messages over Christmas.
Went on for a couple of days!
Similar to the current Mastodon Spam issue (just with Server logs and annoyed Server admins)
@GossiTheDog @ifixcoinops I am reminded of our days as a modestly popular Linux shell provider back when everyone used IRC.
We’d get DDoSed over nicknames and channels where customers were connected to networks without channel and nick services.
We’d get hit with about 10x what was required to obliterate not just our shell box, but the entire presence of our rather large pan-European ISP colo-host in that datacentre, just to steal a name on a chat for a few days.
@GossiTheDog I consider that to be the ideal sort of attack from a blue team perspective. It shines a light on areas that need to be fixed, while avoiding real catastrophic damage.
A wake-up call, if you like.

@GossiTheDog On my account I get almost no spam at all. I blocked some clown yesterday, but that wasn't a spam Spammer.
Concerned more on registrations. It does seem like real registrations have slowed to a crawl. Can't believe we still aren't at 15 million.
When Threads debuted, everyone suggested it would take traffic from Twitter. I wondered if it would also harm smaller alternatives like Mastodon. With no particular evidence, I think we aren't getting the same share of refugees any more.
@marksquires It's a bad analogy.
Some people do better once they know better. But I can't make you.
@bright_helpings some people think they know better, but that doesn't mean that they do.
It's common phrasing and a common analogy. If you don't like it, it's a free country. Have whatever opinion you want. As will I. This is a diversion of the thread and an unnecessary lecture. Bye
@marksquires @GossiTheDog
I think a lot of people feel more comfortable with an app like Bluesky. I got to admit it’s aesthetically ok.
I just don’t think most want to mess with customizations and ways you can make mastodon work for you. I also don’t feel the same need to be on mastodon to keep up.
It’s a lot more chill and I think that’s healthy.
It has the diversity of a big world, but a community feel like a small town. Reminds me of the internet before social media. I use Ivory Client.
@GossiTheDog I'm about to release a tool to make it much, *much* easier to suspend spam accounts on your server :)
[image attached] Here's how fast it is suspending all the spam accounts on my server with my tool. Each account I suspend sends a report to the server the account is from, resolves the report on my server, and then suspends the account. #MastoAdmin #FediBlock
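The three-step sequence in that post (file a report that is forwarded to the origin server, resolve it locally, suspend the account) maps onto three calls in Mastodon's REST API. The client below is an added example written for this thread, not the poster's tool; it assumes the endpoint paths `/api/v1/reports`, `/api/v1/admin/reports/:id/resolve` and `/api/v1/admin/accounts/:id/action` as documented for recent Mastodon versions, a token carrying the `write:reports`, `admin:write:reports` and `admin:write:accounts` scopes, and it takes an injectable `post` callable so the flow can be exercised offline against an in-memory stand-in (also constructed here).

```python
import json
from urllib import request


class MastodonAdmin:
    """Minimal client for the report -> resolve -> suspend flow.

    `post(path, payload)` defaults to a real HTTPS POST; pass your own callable to test offline.
    """

    def __init__(self, base_url, token, post=None):
        self.base_url = base_url.rstrip("/")
        self.token = token
        self.post = post or self._http_post

    def _http_post(self, path, payload):
        req = request.Request(
            self.base_url + path,
            data=json.dumps(payload).encode(),
            method="POST",
            headers={"Authorization": f"Bearer {self.token}",
                     "Content-Type": "application/json"},
        )
        with request.urlopen(req) as resp:
            return json.load(resp)

    def suspend_with_report(self, account_id, status_ids, comment):
        # 1. File a spam report; forward=True sends a copy to the account's home server.
        report = self.post("/api/v1/reports", {
            "account_id": account_id,
            "status_ids": status_ids,
            "comment": comment,
            "category": "spam",
            "forward": True,
        })
        # 2. Close the local copy so it does not sit in the moderation queue.
        self.post(f"/api/v1/admin/reports/{report['id']}/resolve", {})
        # 3. Suspend the account, linking the action to the report for the audit log.
        self.post(f"/api/v1/admin/accounts/{account_id}/action", {
            "type": "suspend",
            "report_id": report["id"],
            "send_email_notification": False,
        })
        return report["id"]


class FakeServer:
    """In-memory stand-in constructed for the example: records calls and hands out report ids."""

    def __init__(self):
        self.calls = []
        self.next_report = 100

    def post(self, path, payload):
        self.calls.append((path, payload))
        if path == "/api/v1/reports":
            self.next_report += 1
            return {"id": str(self.next_report)}
        return {}


def demo():
    """Run the flow against the fake server; returns the report id and the call sequence."""
    fake = FakeServer()
    client = MastodonAdmin("https://instance.example", "TOKEN-PLACEHOLDER", post=fake.post)
    report_id = client.suspend_with_report("42", ["9001"], "Automated mention spam")
    return report_id, [path for path, _ in fake.calls], fake.calls


if __name__ == "__main__":
    rid, paths, _ = demo()
    print(rid, paths)
```

Order matters for the audit trail: resolving before suspending keeps the report closed under the moderator who acted, and the `report_id` on the action ties the suspension back to the evidence, which is what a remote admin will want to see if they question the forwarded report.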
Not going to doxx anyone, but this just came down my Home timeline:
"My instance also got a lot of those spam account requests. But guess what, I didn't approve any of them. It's not the purpose of a #Mastodon instance to grow as large as possible, it is to keep it in the manageable scale.
I will give some time to the instances sending spam to get it under control before I start suspending whole instances for negligence."
So, yeah
"suspending whole instances for negligence"
Collateral damage, eh?
Easy to bake up conspiracies, but what might be a potential motivation beyond being mere shit-posting edge lord script kiddies?
cc @renchap