Since the beginning of the recent spam attack https://mastodon.social/@Gargron/111953045633249137, I have been monitoring Masto.host and, when possible, taking action to mitigate the effects of this attack.

All actions I made should have minimal impact. Still, in cases where that was not so, I have communicated those actions to the admins. So, if you have not received my email, no action was taken on your server.

1/3

Today, I noticed that some accounts started to send spam even on instances that changed the registration mode to require manual validation. This was because the accounts were created when registrations were open but never sent a message, so they were not identified as problematic.

2/3

To find all accounts that may still exist in a similar situation, I will run a script on all instances that should suspend accounts from this attack even if they have not sent any message. This script was tested on several cases, thousands of accounts, and no false positives were found. Once that is done, you can check the moderation action log to see if any accounts on your server were suspended.

To do so, a restart will be required that will cause around 30 seconds of downtime.

3/3

@mastohost Wait, isn't this a huge breach of trust to suspend accounts on servers without the consent of admins?
@fribygda @mastohost In the context of the perceived threat, and with the proactive communication to affected instances, and the changes being tested on the scale of thousands of accounts and with the ability to quickly revert the suspensions - no, I think it would be difficult to interpret these actions as a breach of trust. If there had been any issues, I’m sure that assistance would be provided to any admins who needed to revert the change en masse for their instance.

@cybrex yep, reverting the steps if necessary is very simple and can be done in minutes if anyone asks.

@fribygda

@mastohost @cybrex

But those admins chose to subject themselves to the threat. They did not choose for Masto.host to run this dangerous script on their servers which can affect real people. It doesn't matter that they didn't find an issue with the script, we should still be the ones to decide if it runs.

When Masto.host makes themselves into a policeman who can just barge in like this and take over our servers without consent - how can we feel safe that our servers are being respected?

@mastohost @cybrex

This all feels extremely uncomfortable from my point of view. My trust has certainly been shaken by the fact that Masto.host won't ask for my consent before they do such a thing to my server.

To me, it's a Pandora's box, opening the question of when and whether they will decide to run other such severe scripts on my server completely without asking if it's okay?

@fribygda Fair. I don't believe there is something I can say that will make you feel different.

I have people complaining that I don't do enough to stop the spam or that I should do way more:

https://nrw.social/@Boerps/111971482353143316

https://mastodon.tails.ch/@shanie/111953006849671214

https://hachyderm.io/@thisismissem/111949649246300862

https://mastodon.social/@bgme/111951675660371816

What can I say...

But thanks for sharing your concerns.

@cybrex

Boerps ☑️ (@[email protected])

@[email protected] Today? It's a week now. Where are you living? Look at the admin-list and GitHub.
