The long story short with the Mastodon spam woes this weekend is it’s a deliberate attack exploiting Fediverse and Mastodon issues.
They’re using Tor exit nodes and everything is automated. I think they can just keep running it, as there is no barrier to stop them.
To keep it in perspective, though, I don’t think it’s a big deal at present. People should just ignore it.
There is a bunch of technical issues it highlights, which is that Fediverse is very open to abuse at present. There’s no spam filtering at all. It’s like email from 1996. It’s wide open to abuse.
IMHO Mastodon admins should enable CAPTCHA for registration - it’s supported out of the box - if they run open sign ups.
Ideally Mastodon would add easy install third party plugins (a la Wordpress etc) so people could develop optional plugins for anti-spam and anti-malware.
Now, it does become a bigger problem if the current spammers publish their source code and more join in.
There are absolutely no effective controls to stop it - it is still the Wild West here - so the elephant in the room is anybody can flip the table at present.
The good news is much of the anti spam and anti phish technologies over the years (Real time Block Lists etc) can be reworked for here. The bad news is that’s a long way off realistically.
Another knock-on impact from the spam run - the pictures of spam in the posts are chewing up disk space if a file system without deduping is used, and there’s extra Sidekiq load (it’s the biggest Saturday ever on cyberplace.social).
Also a bunch of instances have gone to failing in the federation admin page, presumably because smaller instance admins got annoyed and switched them off.
For context on the spam problem, hundreds of Mastodon servers are chucking out thousands of spam messages.
One example instance: https://opensimsocial.com/public/local
It’s all one dude on Discord who has realised they can script spam. Thankfully they haven’t published source code. (And yes, they’re really just trolling a Discord server, lolol).
An update on the Fediverse spam issue:
- It’s not just Mastodon.
- Most of the targets receiving the spam use Misskey, and are in Japan.
- Most Mastodon users aren’t being targeted, so aren’t seeing it.
- It is a dispute between two people over a social issue, after asking them about it.
- It is fully automated.
- The spam continues to be sent and probably won’t stop any time soon; these guys need to star in a BL drama and make up.
If anybody wants another hilarious online dispute issue, back in 2016 two teens had a dispute over Minecraft, so one DDoS’d the Minecraft server’s DNS server - that broke Dyn, which took down internet access across the US East Coast as they were such a key supplier.
I had to do a radio show on NPR about that one and the presenter kept asking me if it was Putin — and I was like, no, it’s teenagers. Advanced Persistent Teenagers. The show went on for an hour of me just saying ‘yo the net sucks’.
@GossiTheDog Eeyupp...
Never underestimate the destructive power a bunch of minors with more time and skills than sense have...
They literally topple regimes "for teh lulz"...
@fencepost @GossiTheDog *nods in agreement*
Most can barely read a manpage and #Skiddie their way through shite...
@GossiTheDog had a recent small scale issue just like that, two teens had a falling out and one of them just started spamming almost all internet connected Minecraft servers with fake login/error messages over Christmas.
Went on for a couple of days!
Similar to the current Mastodon spam issue (just with server logs and annoyed server admins)
@GossiTheDog @ifixcoinops I am reminded of our days as a modestly popular Linux shell provider back when everyone used IRC.
We’d get DDoSed over nicknames and channels where customers were connected to networks without channel and nick services.
We’d get hit with about 10x what was required to obliterate not just our shell box, but the entire presence of our rather large pan-European ISP colo-host in that datacentre, just to steal a name on a chat for a few days.
@GossiTheDog I consider that to be the ideal sort of attack from a blue team perspective. It shines a light on areas that need to be fixed, while avoiding real catastrophic damage.
A wake-up call, if you like.

@GossiTheDog On my account I get almost no spam at all. I blocked some clown yesterday, but that wasn't a spam Spammer.
Concerned more on registrations. It does seem like real registrations have slowed to a crawl. Can't believe we still aren't at 15 million.
When Threads debuted, everyone suggested it would take traffic from Twitter. I wondered if it would also harm smaller alternatives like Mastodon. With no particular evidence, I think we aren't getting the same share of refugees any more.
@marksquires It's a bad analogy.
Some people do better once they know better. But I can't make you.
@bright_helpings some people think they know better, but that doesn't mean that they do.
It's common phrasing and a common analogy. If you don't like it, it's a free country. Have whatever opinion you want. As will I. This is a diversion of the thread and an unnecessary lecture. Bye
@marksquires @GossiTheDog
I think a lot of people feel more comfortable with an app like Bluesky. I’ve got to admit it’s aesthetically ok.
I just don’t think most want to mess with customizations and ways you can make Mastodon work for you. I also don’t feel the same need to be on Mastodon to keep up.
It’s a lot more chill and I think that’s healthy.
It has the diversity of a big world, but a community feel like a small town. Reminds me of the internet before social media. I use Ivory Client.
@GossiTheDog I'm about to release a tool to make it much, *much* easier to suspend spam accounts on your server :)
Here's how fast it is suspending all the spam accounts on my server with my tool. Each account I suspend sends a report to the server the account is from, resolves the report on my server, and then suspends the account. #MastoAdmin #FediBlock
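The report-then-resolve-then-suspend sequence described in that post, written here as an added illustration in Python against Mastodon's documented REST API (POST /api/v1/reports with forward=true, POST /api/v1/admin/reports/{id}/resolve, POST /api/v1/admin/accounts/{id}/action with type=suspend); it is not the poster's tool. It assumes an admin-scoped bearer token and injects the HTTP client so the flow can be dry-run and tested offline; check the endpoints against your own server version.

```python
"""Report-forward-suspend workflow for spam accounts on a Mastodon server.

Constructed example. The HTTP client is passed in as a callable
(path, json_body) -> parsed JSON, so moderation logic stays testable
without network access and can be dry-run before touching live accounts.
"""
from dataclasses import dataclass, field
from typing import Callable, Iterable, Optional

Poster = Callable[[str, dict], dict]


@dataclass
class ModerationLog:
    reported: list = field(default_factory=list)   # local report ids created
    resolved: list = field(default_factory=list)   # report ids resolved
    suspended: list = field(default_factory=list)  # account ids suspended


def report_payload(account_id: str, comment: str, status_ids=None) -> dict:
    # forward=True asks our server to relay the report to the account's home
    # server, which is the step that lets the remote admin see the abuse.
    return {"account_id": account_id, "comment": comment, "category": "spam",
            "forward": True, "status_ids": list(status_ids or [])}


def suspend_via_report(post: Poster, account_id: str, comment: str,
                       status_ids=None, log: Optional[ModerationLog] = None) -> ModerationLog:
    log = log or ModerationLog()
    # 1. File a spam report locally and forward it to the origin server.
    report = post("/api/v1/reports", report_payload(account_id, comment, status_ids))
    log.reported.append(report["id"])
    # 2. Resolve the local copy so it does not linger in the moderation queue.
    post(f"/api/v1/admin/reports/{report['id']}/resolve", {})
    log.resolved.append(report["id"])
    # 3. Suspend the account, linking the action to the report for the audit trail.
    post(f"/api/v1/admin/accounts/{account_id}/action",
         {"type": "suspend", "report_id": report["id"], "send_email_notification": False})
    log.suspended.append(account_id)
    return log


def suspend_many(post: Poster, account_ids: Iterable[str], comment: str) -> ModerationLog:
    log = ModerationLog()
    for account_id in account_ids:
        suspend_via_report(post, account_id, comment, log=log)
    return log


def make_poster(base_url: str, token: str) -> Poster:
    """Real client for a live server (assumes an admin-scoped bearer token)."""
    import requests  # imported lazily so the pure logic above needs no network deps

    def post(path: str, body: dict) -> dict:
        r = requests.post(base_url.rstrip("/") + path, json=body, timeout=30,
                          headers={"Authorization": f"Bearer {token}"})
        r.raise_for_status()
        return r.json() if r.content else {}
    return post
```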
Not going to doxx anyone, but this just came down my Home timeline:
"My instance also got a lot of those spam account requests. But guess what, I didn't approve any of them. It's not the purpose of a #Mastodon instance to grow as large as possible, it is to keep it in the manageable scale.
I will give some time to the instances sending spam to get it under control before I start suspending whole instances for negligence."
So, yeah
"suspending whole instances for negligence"
Collateral damage, eh?
Easy to bake up conspiracies, but what might be a potential motivation beyond being mere shit-posting edge lord script kiddies?
cc @renchap
@GossiTheDog "the elephant in the room is that anybody can flip the table at present"
it's called a mastodon
🏃♂️
@robert
Message signing and server identification is already there, that's what the high severity update was about this week - a way to bypass that and impersonate senders for posts.
The spam wave is (in part) about onboarding friction being low to encourage adoption, but being so low that it is easily scriptable by spammers, together with not having good enough tooling to limit the impact reasonably.
@GossiTheDog
@robert @GossiTheDog nah the fediverse doesn’t need any of that since it already is equipped with it
the spam is like spam from gmail or hotmail, correctly signed and all
Here are my personal thoughts about how we could handle Trust & Safety features in Mastodon software. This is based on my own experience in the field, my current knowledge of the source code and architecture, as well as my experience managing infrastructure for mastodon.social & mastodon.online since December 2022.

Context

Managing a Mastodon instance is hard work, with the most effort going to moderation and abuse, and not technical operations as one might expect. This includes:
The pluggable/modular idea is a very nice design, that will be quite helpful.
However, please, whatever you do, include an account reputation/lifecycle part in the telemetry. Long-term nothing else will work: IP, email, even phone numbers are too low level and easily obtainable by bad actors.