There is an ongoing spam attack on the fediverse for the last couple of days. It's more widespread than before, as attackers are targeting smaller servers to create accounts. Before, usually only mastodon.social was targeted and our team could take care of it. For server administrators out there: If you don't need open registrations, switch over to approval mode. If you do, blocking disposable e-mail providers is a massive stopgap to the problem. Mastodon also supports hCaptcha.
@Gargron will there be at least discussions on improving the moderation capabilities in Mastodon so server admins (both victims and passer-bys) can more easily manage these attacks?

@ipg @Gargron there are! :)

@Jain made a feature request for MRF: https://github.com/mastodon/mastodon/issues/29252

Message Rewrite Facility (MRF) · Issue #29252 · mastodon/mastodon

Pitch Implement a similar version of a Message Rewrite Facility (MRF) (https://docs.akkoma.dev/stable/configuration/mrf/) Give the Admins a "Framework" or an "Environment" which is able to rewrite...

GitHub
Renaud Chaput (@[email protected])

@[email protected] here are my plans to tackle this, hopefully we will be able to start on it soon: https://renchap.com/blog/post/evolving_mastodon_trust_and_safety/

Oisaur
@Gargron any idea where it’s coming from, or why now?
@jzb @Gargron
more people, more possibilities to sell, fresh market...
@Gargron You must be doing a great job on .social, because I've not noticed a damn thing this time around. Glad to see there's help out there for the smaller instances, too.

@Gargron

you know you're on to the right ideas when jerks try to ruin it.

@artisanrox @Gargron

Yup. I feel sorry for (and greatly appreciate) all the admins who have to spend their time fighting this, but trolls and spam are a sign that what you've created is becoming important.

@jztusk @Gargron

i'm on Bluesky a lot lately and they like to fart on Fedi a lot but each one has its own charm. I very much like both for different reasons but I'd choose decentralized format any day. Individuals/businesses/techbros/billionaires especially in the US are totally untrustworthy handling any public service.

@Gargron can the behavior of spammers be detected when sending the spam messages ?
@greygoo @Gargron
Nope, that was someone doing testing and it escaped into the wild. https://ani.work/@hanbitgaram/111952020910684705
HanbitGaram (@[email protected])

@[email protected] Hello, I was creating an activity pub implementation and misdistributed it outside. Sorry for causing a stir.

Aniwork Network

@greygoo
No, that's another Fediverse software in development, which accidentally federated due to a test and got measured by fedi.db.

@Gargron

@greygoo @Gargron Nope, not really. That is a single server that had created 30 million actors (users) for test purposes, but they didn't actually do anything. It wasn't supposed to federate; it was an accident.
If that was the source of the spam, one could just have blocked this single server.

The spam wave is some script kiddy going around and searching for servers with open registrations, and registering accounts there using disposable emails. These accounts then start tagging people with spam.

@Gargron See also this thread for mitigations: https://mastodon.de/@ErikUden/111940301222380638
Erik Uden 🦣🍑:coffefied: (@[email protected])

# To all Fedi Admins Currently Being hit with a Spam Wave:

I've just released **v2.2.8 of The Mute List!** I'd be very happy about [a small donation](https://mastodon.de/@MastodonDE/110808633497349326) because I have very little time and I cannot really justify working on this list with my current schedule :mycomputer:

There is a new type of spam, the same instances are affected as before. Those responsible in Japan are said to have been arrested. Without further ado...

***Limit these instances:*** [[Full List of Affected Instances Here](https://github.com/Mastodon-DE/blocklists/blob/main/spam/2024-02-15/2024-02-15-spam-mute-list.md)]

Just get the list to download and import [here](https://github.com/Mastodon-DE/blocklists/blob/main/spam/2024-02-15/2024-02-15-spam-domain_mutes-erik-uden.csv). Simply import this list and you'll mute the 107 worst spam instances currently known to me! I've worked on it for multiple days, sometimes ~9 hours at a time verifying all lists sent to me manually.

Limit first, defederate only in worst situations! **Reconsider re-federating with and un-silencing any of the mentioned instances once the spam is mitigated.** The admins of some of these may have just been asleep when this all started.

## Ban Spam Accounts via their E-Mail Domain

**Block the following E-Mail Domain** and whatever temp Mail provider it resolves to: `chitthi.in`

Just to be safe, block these ones too (*same provider*):

- `mailto.plus`
- `fexpost.com`
- `fexbox.org`
- `mailbox.in.ua`
- `any.pink`

All our spam accounts came from these E-mails. Since you probably have some of these accounts sleeping: `https://[your-instance.tld]/admin/accounts?email=%25%40chitthi.in` there just select all and press “Ban”.

## Find Remaining Spammers

I've seen instances that fixed the spam issue but began being hit later again. The spammers might use new E-Mails, so here is a way to find and block them anyway: https://mamot.fr/@vincib/111946701929274350

## IP Bans and TOR

These spammers seem to be using the **TOR Network** as all of their IPs are TOR Exit Node IPs, hence an idea (*with some collateral damage if executed*) would be to ban all TOR exit node IPs for sign ups. I am personally against this idea as you'd also prevent users who simply wish to stay anonymous online (*political refugees, leakers of important documents, etc.*) from using your platform. For now, simply banning every user using a particular Spammer IP will not help and will merely ban users that try to stay anonymous! Not necessarily the spammers.

## How To Block All Temp E-Mails in the Future

*If you want to prevent this from ever happening again, you should block E-Mails from Temporary Mail providers altogether:*

- **[Here is the list of all Temp email providers](https://github.com/disposable-email-domains/disposable-email-domains/)** (*there are both blocklist and allowlist*)
- **[Here's how to install it in Mastodon](https://codeberg.org/stvo/mastodon-ansible-nodocker#disposable-mail-blocking)**
- **[The script that automatically pulls the list via Cronjob and imports it into Mastodon](https://codeberg.org/stvo/mastodon-ansible-nodocker/src/branch/main/playbooks/no_disposable_mail.yml)**
- **[Script template](https://codeberg.org/stvo/mastodon-ansible-nodocker/src/branch/main/playbooks/templates/home/mastodon/addmaildomains.sh.j2)**

Because of this, [hessen.social, for example, was not affected by the spam attack](https://darmstadt.social/@stvo/111940755074991980)! They had already banned the email domain the spammers used ages ago.

In future updates on Mastodon, maybe Admins can simply click a button that says “Ban Temp E-Mail Providers” Automagically from the E-Mail Menu? There could be E-Mail categories that can be banned, such as temporary mails.

## Why did this happen?

The real reason hundreds of us spent hours of our days during the spam on mitigating it is the following: [Cyberbullying Gone Global: Fediverse Spam and Operation Beleaguer](https://fedi.fyralabs.com/notes/9q0ouuuw3p)

This is the full exposé @[email protected] has been working on regarding the February 15th Spam Attacks! Thank you @[email protected] for [mentioning this post in a video](https://mastodon.de/@ErikUden/111979657514522171)!

**Good luck, everyone!** Thanks for participating in the Fediverse Experiment! #FediBlock #FediAdmin

MastodonDE
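The mute-list post above recommends blocking throwaway mail domains at sign-up and shows the admin search URL (`?email=%25%40chitthi.in`) for finding accounts already registered from one. The following is an added example, not code from the post, from Mastodon, or from the linked Ansible playbook: a small Python screening routine that parses a blocklist in the one-domain-per-line format the disposable-email-domains project uses, normalises an address, walks up its parent domains so a provider's subdomains are caught by one entry, and builds the URL-encoded admin search pattern. The blocklist text is a constructed sample containing only the domains named in the post; a real deployment would load the full upstream list.

```python
"""Disposable e-mail domain screening for sign-ups (added example).

The blocklist text below is a constructed sample, not the real
disposable-email-domains list; it only contains the domains named in the
post this example accompanies.
"""
from typing import Iterable, List, Optional, Tuple
from urllib.parse import quote

# Constructed sample in one-domain-per-line format (comments allowed).
SAMPLE_BLOCKLIST_TEXT = """\
# comment lines and blank lines are ignored
chitthi.in
mailto.plus
fexpost.com
fexbox.org
mailbox.in.ua
any.pink
"""


def load_blocklist(text: str) -> frozenset:
    """Parse one-domain-per-line text into a set of lowercase domains."""
    domains = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if not line or line.startswith("#"):
            continue
        domains.add(line.rstrip("."))
    return frozenset(domains)


def email_domain(address: str) -> Optional[str]:
    """Return the normalised domain part of an address, or None if malformed."""
    address = address.strip()
    if address.count("@") != 1:
        return None
    local, _, domain = address.partition("@")
    domain = domain.strip().lower().rstrip(".")
    if not local or not domain or "." not in domain:
        return None
    return domain


def is_disposable(address: str, blocklist: frozenset) -> bool:
    """True if the address's domain, or any parent domain of it, is blocklisted.

    Walking up the parent domains means one entry such as "fexbox.org" also
    catches "user@mail.fexbox.org"; the bare TLD is never checked.
    """
    domain = email_domain(address)
    if domain is None:
        return False
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


def admin_search_url(instance_base: str, domain: str) -> str:
    """Build the admin accounts search URL for every account on a mail domain.

    The encoded pattern in the post, %25%40chitthi.in, decodes to "%@chitthi.in":
    a leading SQL LIKE wildcard followed by the domain. quote() with safe=''
    produces exactly that encoding.
    """
    return f"{instance_base.rstrip('/')}/admin/accounts?email={quote('%@' + domain, safe='')}"


def screen_signups(addresses: Iterable[str], blocklist: frozenset) -> Tuple[List[str], List[str]]:
    """Split a batch of sign-up addresses into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for addr in addresses:
        (rejected if is_disposable(addr, blocklist) else accepted).append(addr)
    return accepted, rejected


if __name__ == "__main__":
    bl = load_blocklist(SAMPLE_BLOCKLIST_TEXT)
    ok, bad = screen_signups(
        ["alice@example.org", "Spammer@ChitTHI.in", "x@mail.fexbox.org"], bl)
    print("accepted:", ok)   # ['alice@example.org']
    print("rejected:", bad)  # ['Spammer@ChitTHI.in', 'x@mail.fexbox.org']
    print(admin_search_url("https://your-instance.example", "chitthi.in"))
```

In Mastodon itself the equivalent of `is_disposable` is the "blocked e-mail domains" list under the admin moderation settings, which the linked playbook feeds from the upstream project; the point of the parent-domain walk here is that a provider handing out per-user subdomains still needs only one entry.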
@Gargron I get the issue, but I hate Captcha…
@joekikta
Agreed. Captcha is the worst. Why hasn’t it been improved upon in the 20 years it’s been around?
@Gargron This is to be expected. The next attacks will probably be even bigger. I hope there are enough tools to neutralise spam in Mastodon
@Gargron where's the AI to save us when we need it to? 🫣
@Gargron I've been getting a lot of spam since Thursday or Friday. I keep reporting & blocking.
@Callalily Have you tried this (a suggestion from the admins on my site):
You may want to consider temporarily blocking direct messages from people you don’t follow. To do that, go to Preferences ➡️ Notifications ➡️ Block direct messages.
@jeridansky
I'm on my phone & that's not an option in my preferences or notifications. I was able to change it to only my followers.
@Gargron Defaults matter. Mastodon should default to screened signups and present a warning about open signups. Also the blocked email domains should default to include disposable email domains.

@Gargron More methods to stop the ongoing attack:

https://mastodon.de/@ErikUden/111940301222380638

@Gargron Does duckduckgo email masking count as disposable email?
@shved @Gargron It may sometimes trigger it, but DuckDuckGo seems to have worked hard for it not to be used for that purpose.
@Gargron @GottaLaff thanks, it hit my server, setting signups to approval seems to have fixed it for now, I had two accounts up for about 12 hours and got a dozen reports in that time, thanks everyone for reporting!
@Gargron Oh Yeah..
If they are attacking surely there's some good going on here.
@Gargron I’m glad to say I *never* see spam on mas.to. Thanks @trumpet !
@Gargron my account is getting tagged in about 20-30 a day. If this keeps up, I have little choice than to leave. I’m reporting more spam than engaging with followers. It’s exhausting 😮‍💨
@LibrarianRA @Gargron It’s bizarre as I haven’t seen a single spam. I assume @jaz is working overtime keeping toot.wales spam free 🤷‍♂️
@DavidTanner @LibrarianRA @Gargron @jaz I also get a lot, unfortunately. Usually multiple per hour.
@DavidTanner @LibrarianRA it's all our fantastic @teamtoot staff and a lot of experience managing a busy service. Please do (if using Mastodon) go to your notifications preferences eg https://toot.wales/settings/preferences/notifications and review "Other Notification Settings" to minimise spam notifications and messages.
Tŵt Cymru | Toot Wales

We are the Open Social network for Wales and the Welsh, at home and abroad! Y rhwydwaith cymdeithasol annibynnol i Gymru, wedi'i bweru gan Mastodon!

Mastodon hosted on toot.wales

@LibrarianRA @Gargron
Please don't leave! Mastodon needs you.

The problem is temporary, let's make sure the Fediverse is not!

@Gargron
I have blocked mx.fex.plus and since then there have been no new spam registrations.
If this doesn't work at all, switching to approval mode would be an option; thanks for this hint!
@Gargron given that the spam is mainly the same images, could you hash them and use that as a rejection filter?
@KevinMarks @Gargron Assuming they use the exact same image, possibly. But if they even so much as slightly change the image (e.g., convert to another format, change some colour mapping, etc.), then it won't work with traditional hashing.
There exist hashing methods that work on visual similarity, but those are more complicated, and significantly harder to get right.
Also, more vulnerable to false positives, and worse catch rate.

@4censord The images are indeed always different in hash because each instance also has its own image quality settings, as far as I understand. However, the images that I have tested have about 99.9% visual match, so they would easily be qualified as the same, and thus as spam.

@KevinMarks @Gargron

@KevinMarks @Gargron Almost useless: just a single pixel can be changed and the hash will have a different value.
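The exchange above contrasts exact hashing of spam images, which a single changed pixel or a per-instance recompression defeats, with similarity hashing, which matches near-duplicates at the cost of tuning and false positives. The following is an added example, not code from the thread or from Mastodon, that makes both points concrete in pure Python: a SHA-256 over the pixel bytes versus a 64-bit difference hash (dHash, the "9x8 downscale, compare each pixel with its right-hand neighbour" scheme), run over constructed 32x32 grayscale grids so no imaging library is needed. The threshold in `is_known_spam_image` is the knob the replies warn about.

```python
"""Exact hash vs. perceptual hash for a spam-image rejection filter (added example).

Images are constructed 32x32 grayscale grids (lists of lists of 0..255) so
the script runs without any imaging library; real use would decode the
uploaded file to grayscale first.
"""
import hashlib
from typing import Iterable, List

Image = List[List[int]]
W = H = 32  # constructed image size


def horizontal_gradient() -> Image:
    """Constructed test image: brightness rises left to right."""
    return [[(x * 8) % 256 for x in range(W)] for _ in range(H)]


def vertical_gradient() -> Image:
    """Constructed, visually unrelated image: brightness rises top to bottom."""
    return [[(y * 8) % 256 for _ in range(W)] for y in range(H)]


def with_one_pixel_changed(img: Image, x: int = 5, y: int = 5, value: int = 255) -> Image:
    """Copy of img with a single pixel altered (stands in for a re-encoded copy)."""
    copy = [row[:] for row in img]
    copy[y][x] = value
    return copy


def sha256_of_image(img: Image) -> str:
    """Exact-match hash of the raw pixel bytes; any pixel change alters it."""
    return hashlib.sha256(bytes(v for row in img for v in row)).hexdigest()


def downscale(img: Image, cols: int, rows: int) -> List[List[float]]:
    """Area-average the image down to rows x cols cells."""
    h, w = len(img), len(img[0])
    out = []
    for r in range(rows):
        y0, y1 = r * h // rows, max((r + 1) * h // rows, r * h // rows + 1)
        row = []
        for c in range(cols):
            x0, x1 = c * w // cols, max((c + 1) * w // cols, c * w // cols + 1)
            cells = [img[y][x] for y in range(y0, y1) for x in range(x0, x1)]
            row.append(sum(cells) / len(cells))
        out.append(row)
    return out


def dhash(img: Image) -> int:
    """64-bit difference hash: 9x8 downscale, one bit per 'left < right' pair.

    Small changes move a cell average slightly but rarely flip the ordering
    of neighbouring cells, which is why the hash survives re-encoding.
    """
    small = downscale(img, 9, 8)
    bits = 0
    for r in range(8):
        for c in range(8):
            bits = (bits << 1) | (1 if small[r][c] < small[r][c + 1] else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two 64-bit hashes."""
    return bin(a ^ b).count("1")


def is_known_spam_image(img: Image, known_hashes: Iterable[int], threshold: int = 10) -> bool:
    """Reject if the perceptual hash is within `threshold` bits of a known spam image.

    Too high a threshold makes unrelated images collide (false positives);
    too low lets re-encoded copies through.
    """
    h = dhash(img)
    return any(hamming(h, k) <= threshold for k in known_hashes)


if __name__ == "__main__":
    original = horizontal_gradient()
    variant = with_one_pixel_changed(original)
    unrelated = vertical_gradient()
    print("sha256 equal:", sha256_of_image(original) == sha256_of_image(variant))    # False
    print("dhash distance (one pixel):", hamming(dhash(original), dhash(variant)))   # 0
    print("dhash distance (unrelated):", hamming(dhash(original), dhash(unrelated)))  # 64
    known = {dhash(original)}
    print("variant rejected:", is_known_spam_image(variant, known))      # True
    print("unrelated rejected:", is_known_spam_image(unrelated, known))  # False
```

A gradient is a friendly case: on real photographs dHash of a recompressed copy typically lands a few bits away rather than zero, and a flat or heavily textured image can sit close to many others, which is the false-positive problem raised above. Any production filter would keep the threshold low, review matches rather than auto-delete, and refresh the known-hash set from confirmed reports.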
@Gargron If you could like... idk... actually write software or something?? to make moderation easier??? that would help a fuckton. or approve the MRF??
@sam To be fair there are like 5+ years of ignored admin/moderation improvement requests in the queue 😅
@Gargron Captchas are still an accessibility nightmare. I'll die on this hill.
@Gargron Targeted email blocking can be just as bad as targeted IP blocking. It should not be assumed that every disposable email = spam, or that every user connecting from an IP that spams also uses the connection to spam. I think having the ability to create fake accounts should be part of fediverse freedom. Performing some content checking to determine if it is a bot and limiting the rate of spam postings on the content side might be an alternative.
@Gargron "disposable e-mail providers"
lol in 2 years I've seen around 20 #spam accounts trying to register on our instance. Gmail-share: 💯%!
It really is an advantage to only manage an instance for German-speaking users: more or less nobody registers with a #Google address - and if a registration comes from #Gmail, you can easily save yourself the verification work.
@oliver
I assume there are no mobile users on your instance.
@Gargron
@Gargron It needs to be easier for moderators to find, report and suspend accounts or instances that are compromised. It's hours of clicking to do it "properly" right now and I don't have a full time staff - it's just me doing clean up 🥲

@Gargron

I haven't received any yet. 🤞

@Gargron Take care of this bastard @kazbo, please. Whatever it takes, take him out.

@Gargron Still the problem is Mastodon. See https://github.com/mastodon/mastodon/discussions/29267.

Please see these issues (two of them are created by me and are related) as well:

*Require blocking of disposable email providers and/or require a captcha provider when registrations are open*

https://github.com/mastodon/mastodon/issues/29270

*Set new registrations on new servers to manual approval by default*

https://github.com/mastodon/mastodon/issues/29269

*Ability to greylist new servers*

https://github.com/mastodon/mastodon/issues/29266

*Ability to use heuristic spam filtering tools*

https://github.com/mastodon/mastodon/issues/29265

*Instance-wide filtering*

https://github.com/mastodon/mastodon/issues/29256

cc @renchap

Current spam attack: Mastodon is the problem · mastodon mastodon · Discussion #29267

After around 48 hours of spam, I noticed one thing during mitigating the current spam attack on my server; the spam accounts are all located on Mastodon servers. As far as I can see, the bot automa...

GitHub
@Gargron But attackers can set up Mastodon with different domains to go on spamming the fediverse.