The long story short with the Mastodon spam woes this weekend is it’s a deliberate attack exploiting Fediverse and Mastodon issues.
They’re using Tor exit nodes and everything is automated. I think they can just keep running it, as there is no barrier to stop them.
To keep it in perspective, though, I don’t think it’s a big deal at present. People should just ignore it.
It highlights a bunch of technical issues, mainly that Fediverse is very open to abuse at present. There’s no spam filtering at all. It’s like email from 1996. It’s wide open to abuse.
IMHO Mastodon admins should enable CAPTCHA for registration - it’s supported out of the box - if they run open sign ups.
Ideally Mastodon would add easy-install third-party plugins (a la WordPress etc) so people could develop optional plugins for anti-spam and anti-malware.
Now, it does become a bigger problem if the current spammers publish their source code and more join in.
There are absolutely no effective controls to stop it - here is the Wild West still - so the elephant in the room is anybody can flip the table at present.
The good news is much of the anti spam and anti phish technologies over the years (Real time Block Lists etc) can be reworked for here. The bad news is that’s a long way off realistically.
Another knock-on impact from the spam run - the pictures of spam in the posts are chewing up disk space if a file system without deduping is used, and there’s extra Sidekiq load (it’s the biggest Saturday ever on cyberplace.social).
Also a bunch of instances have gone to failing in the federation admin page, presumably because smaller instance admins got annoyed and switched them off.
For context on the spam problem, hundreds of Mastodon servers are chucking out thousands of spam messages.
One example instance: https://opensimsocial.com/public/local
It’s all one dude on Discord who has realised they can script spam. Thankfully they haven’t published source code. (And yes, they’re really just trolling a Discord server, lolol).
An update on the Fediverse spam issue:
- It’s not just Mastodon.
- Most of the targets receiving the spam use Misskey, and are in Japan.
- Most Mastodon users aren’t being targeted, so aren’t seeing it.
- It is a dispute between two people over a social issue, after asking them about it.
- It is fully automated.
- The spam continues to be sent and probably won’t stop any time soon; these guys need to star in a BL drama and make up.
If anybody wants another hilarious online dispute issue, back in 2016 two teens had a dispute over Minecraft, so one DDoS’d the Minecraft server’s DNS server - that broke Dyn, which took down internet access across the US East Coast as they were such a key supplier.
I had to do a radio show on NPR about that one and the presenter kept asking me if it was Putin — and I was like, no, it’s teenagers. Advanced Persistent Teenagers. The show went on for an hour of me just saying ‘yo the net sucks’.
Mastodon change coming where new servers have open registration disabled by default: https://github.com/mastodon/mastodon/pull/29280
Mastodon team have been all over behind the scenes btw.
Existing servers which have never changed from the defaults will have closed registrations on update. This also adds a short notice instructing admins to set up a moderation team before opening reg...
This is not meant to replace #29280, but supplement it to avoid unmonitored servers keeping open registrations indefinitely. Automatically switch away from open registrations if no user with the pe...