I would encourage every Fediverse software project to implement a “dead-man switch” on registrations: if nobody with moderator permissions has been active in the last week, then disable new account creation.

The Fediverse has a significant number of abandoned instances that are used by bad actors to create accounts and send spam.

We implemented this in Mastodon (https://github.com/mastodon/mastodon/pull/29318) and it has been highly effective.

Automatically switch from open to approved registrations in absence of moderators by ClearlyClaire · Pull Request #29318 · mastodon/mastodon

This is not meant to replace #29280, but supplement it to avoid unmonitored servers keeping open registrations indefinitely. Automatically switch away from open registrations if no user with the pe...


Another consideration: new installations should not allow open registrations by default. This should be a setting that the administrator needs to opt into, and this is a good place to inform them that open registration instances require moderation resources.

In Mastodon, we display a warning when the admin chooses this option. Mastodon also supports requiring moderator/admin approval for new sign-ups, which helps a lot in preventing automated registrations.
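A sketch of the dead-man switch and the closed-by-default setting described in the two posts above, added here as an illustration and not taken from Mastodon's code base. The class, struct and field names are hypothetical, the timestamps are constructed, and the switch falls back to approval-required sign-ups as the linked pull request's title describes.

```ruby
# Added illustration only; class and field names are hypothetical.
DAY = 24 * 60 * 60
INACTIVITY_WINDOW = 7 * DAY              # "the last week", in seconds
NOW = Time.utc(2024, 3, 1, 12, 0, 0)     # constructed reference time

Staff = Struct.new(:name, :can_moderate, :last_active_at)

class RegistrationGuard
  attr_reader :mode, :audit_log

  # Fresh installs do not start in :open mode; the admin must opt in.
  def initialize(mode: :approved)
    @mode = mode
    @audit_log = []
  end

  def open_registrations!(now:)
    @mode = :open
    @audit_log << [now, 'admin opted in to open registrations']
  end

  # Run from a periodic job. Returns true when the switch trips.
  def check!(staff, now:)
    return false unless @mode == :open # never loosen or touch other modes

    cutoff = now - INACTIVITY_WINDOW
    # Only accounts with moderation permission count, and an account
    # that has never been active (nil) does not keep the switch armed.
    watched = staff.any? do |s|
      s.can_moderate && s.last_active_at && s.last_active_at >= cutoff
    end
    return false if watched

    @mode = :approved
    @audit_log << [now, 'no moderator active for 7 days; approval now required']
    true
  end
end

# Constructed sample: stale admin, never-active moderator, busy regular user.
def demo
  staff = [
    Staff.new('admin', true, NOW - 10 * DAY),
    Staff.new('mod', true, nil),
    Staff.new('regular', false, NOW - 60)
  ]
  guard = RegistrationGuard.new
  guard.open_registrations!(now: NOW - 30 * DAY)
  [guard.check!(staff, now: NOW), guard.mode, guard.audit_log.size]
end
```

The audit log entry is where a real deployment would hook a notification to the admin, so that reopening registrations stays a deliberate choice.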

@renchap
> new installations should not allow open registrations by default. This should be a setting that the administrator needs to opt into, and this is a good place to inform them that open registration instances require moderation resources

I've been advocating for this for a while. Is invite-only registration now the default in Mastodon? If so, this is great news.

(1/3)

The most organic way for the fediverse to grow IMHO is via FOAF. Experienced fedizens shepherding their colleagues/ organisations/ friends/ family into servers they know will give them a good experience. Ideally servers those groups set up and run themselves

We don't want to exclude people from real world social networks who don't yet have anyone active in the verse. So open registration servers remain useful as places for total newbies to wander in and check out the vibe.

#fediverse

(2/3)

But having fewer open registration servers in the network makes them even more useful, because it makes it easier to choose one. If the few open registration servers are well moderated, that's better both for the newbies who wander into them, and for the rest of us.

(3/3)

@renchap unfortunately that's not merged yet, is it?
@renchap actually, I was thinking of this one: https://github.com/mastodon/mastodon/pull/25032
Add support for server-specific emergency rules by ClearlyClaire · Pull Request #25032 · mastodon/mastodon

Supersedes #24986 Provides an (eventually) admin-editable set of rules made of triggers and actions. The goal is not to triage spammers and abusers from legitimate users, but to provide a stop-gap ...

@thisismissem It has been merged and quickly backported into a 4.2 patch version
@renchap abandoned instances are, well, abandoned, so there’s a big chance they won’t be updated, isn’t it?

It's just a matter of waiting for somebody to find a decent vuln in old versions, and they'll kinda "take care of themselves"

@Seth @renchap

@EndlessMason @Seth @renchap It does help with instances that will be abandoned in the future.

We can't fix the past, so I have written a script to silence or block outdated software versions: https://codeberg.org/GunChleoc/mastodon-scripts/src/branch/main/blocklists

mastodon-scripts

Useful scripts for Mastodon moderation/administration

@Seth @renchap but not-yet-abandoned instances are not-yet-abandoned

@thatandromeda @renchap sure.

Anyway I don’t understand how people can “forget” they have an instance. If I were paying for a server and domain name I wasn’t using I’d totally delete it. Or at least give the keys to the room to someone else.

@thatandromeda @renchap @[email protected] I can imagine someone having a server with a Fedi instance + something else they use more

@Seth @thatandromeda @renchap

There's forgetting, sure, but maybe more likely ill health being taken away, a crisis that means they can't focus on their instance. Or just getting bogged down with all the bullshit around moderating an instance and taking an unplanned mh break that goes on too long... I can see a lot of reasons someone wouldn't be available.

@Seth back in the day I had a TeamSpeak server running on my web server. I used it less and less and at some point completely forgot about it. A year or two later, when I was preparing a hardware change, I noticed it was still running and it was in use as a primary server of a clan I never heard of.

@SchwarzeLocke oh yeah someone also mentioned this situation when you have a service installed on a server you still use for something else. Didn’t think of that when I posted my previous post !

Everyone’s on Discord now, but I miss Mumble ^^ (even lighter than teamspeak if I recall correctly)

@renchap Huh, was this why the recent enspammification a few days ago didn't turn out so effectively?

Aside from that, though, promising work! It's encouraging to see our devs not just be better than Twitter, but build up moderation tools to keep up with the growing userbase (and thus pool of bad actors).
@radmin @renchap It was a combination of this and of notifying vulnerable servers during the previous spam wave. Many admins took action on the open signups back then.

@renchap New accounts can't "push" anything until they're followed on another instance, correct?

Not that the idea of a dead-mans switch is a bad one! I would like to see other dead-man switches too such as warning existing users that their accounts could disappear when an admin goes awol.

@⁂ Justin (StayGrounded.online) @Renaud Chaput Also, if you want to protect your instance from being overrun by spammers, there should be more that you can do than close registrations.

How about manual approval by an admin? Does Mastodon have this feature? Because Hubzilla, (streams) and Forte do.

#FediMeta #FediverseMeta #CWFediMeta #CWFediverseMeta #Fediverse #Spam #Mastodon #Hubzilla #Streams #(streams) #Forte
Netzgemeinde/Hubzilla

@jupiter_rowland yes, Mastodon supports requiring approval for accounts
@JustinH @renchap They can @ anyone.
@dalias @JustinH @renchap They can also upload attachments. Not to mention, if your instance is part of a relay and they’re posting public that post goes into the relay, populating global/firehose timeline along with hashtags.

@JustinH No, it gets pushed if they're followed OR they mention people from other instances. Bad actors mass-mention people randomly so their shit gets pushed.

You can't programmatically block all posts with "many mentions", there is plenty of legitimate group discussions. So it's not that easy to handle it…

Reporting and blocking tsunamis of spam is inefficient and time-consuming… Badly designed. You have to report and block (user) or verify and block spam (admin) accounts one by one…

@renchap

@renchap

The agents came back with good news.
There were ten, maybe 12 Mastodont instances still up in the silicon layer.

The difficulty of accessing the silicon layer was increasing too. The deterministic net was just so much faster, hardly anyone went down there.
It was mainly archives and the pre-contact bedrock "net". Pre-Multi mode, pre-quantum. The informatics equivalent of the human stone age settlement reconstruction or the Denovisian lava tube settlements. Tourist attraction.

Still, it was worthwhile to explore the ancestors "social" networks. If only to remind ourselves, just how far sapients have advanced.

Us was intrigued just how did these stax survive. Before demonetisation, all the services required resource transfers. So it was common for instances to disappear once the "owner" (there is another quaint pre-demonetisation concept) died.

The instances that remained were usually stax with accounts, usually on the blockchain that kept being "paid-for" long after their utility and "owner" expired.

Us asked the Majordomo for a brief summary, and soon, the holo-like structures appeared in our visual cortex.

Not surprisingly, the stax were rolled into Qbes. When the silicon layer was first archived, the Qbes were only archiving the important stuff. But later, after contact, Qbes became a commodity item so there were archives within archives within archives.

Technically, I did not have permission to send my agents there, but no one cared about 300 year old nets, not when the Domain deterministic net went back across 200,000 years and 60 species.
This was akin to treading into an overgrown garden hardly anyone explored anymore.

A graveyard.

There were even signs of primitive life.
Early, pre cognition bots were still figuring a war of words no one cared for anymore. Taxation, Ideologies...migrants.
Us smirked, looking out the portfield.
There was a triad of Denovisians sunbaking in the sunward lea.
No one cared about "migration" anymore, not when most humans were so far far from home.

Us had work to do, rolling up these binary artifacts into pedestal sets, with description tags in full spectrum, so the few tourists could truly enjoy these rarities. Extinct for centuries, like their namesake. Brought back into EM receptors of the folks of today.

Us sent a blip to the higher consciousness governor. They will be pleased with this haul. I might even get a Qfield boost for this job!

#microfiction #scifi #cyberpunk

@renchap If someone needs a timer sample, I have one at tecreations.ca/ca/tecreations/dms/ and they can get the code via tecreations.ca/ca/tecreations/ca/tecreations/ViewFile.php
@renchap this would mean no one could sign up for their own instance wouldn't it?
@renchap @stib I’m surprised this is not standard. Even if it’s just that the administrator didn’t get round to making good plans before they went on holiday it would be wise to automatically put safeguards in place
@renchap Can you tell how many instances have switched over time?
@qbi @renchap This was introduced with version 4.2.8. You can do the math from there: https://fedidb.org/software/mastodon/versions roughly 80% of Mastodon servers are already running this patch.
FediDB, Fediverse Network Statistics

FediDB is a cutting-edge service providing detailed statistics and insights into the Fediverse network.

@gunchleoc @renchap Thanks, but I guess my question was a bit too unspecific.
I wanted to know how many servers had registrations open and then were switched off. Can this be seen from some statistics?
@qbi @gunchleoc Nothing is visible from the outside when this happens, so I am not sure how it could be tracked. Maybe one of the websites collecting data about fediverse servers is tracking if registrations are open, but we (Mastodon) do not. And if that's the case, you would not be able to know if an admin closed the registrations, or if it came from this automation.
@renchap @qbi You can see which servers currently have closed registrations via instances.social if the server is signed up there, but there is no historical data.

@renchap That is awesome!

Thank you for creating such friendly protection measures!

@renchap

A week!?! That's more than enough time for any competent scammer to not only pour out a *lot* of spam but to also create a slew of new instances.

@renchap really great idea. Too many unmoderated servers out there.

@renchap I can imagine a secret server role, that you don't know you have until your server hits this point, could allow the role holder to kick/suspend anyone who has joined since the admin last logged in.

Maybe also let them approve user transfers, if it's possible the server has been abandoned.

@renchap should be implemented also in Wordpress!

@rickyx @renchap
Good idea !
Also reminds me that I should update my Wordpress servers and plugins again.

*awkwardly looks around*

@renchap @deepbluev7 > The Fediverse has a significant number of abandoned instances

How does that even happen? One would expect that as payments for the domain lapse they would become unreachable
@renchap thank god, this will be so useful !!

@renchap
And yet there are too many instances with an active admin but still running outdated (and vulnerable) software 😞

Is there a built-in safety switch that instances that go unpatched for too long go in locked down and/or defederated mode if the active admin fails to update/patch them ?

@renchap Hi Renaud. I'm curious how you measured the effectiveness of that feature. Do you have more detail about your methodology? Great feature btw, I'm convinced it helps. Just curious how you've seen its impact. Thx.
@judeswae by checking the software and version for instances used in the recent spam waves. There are no recent Mastodon versions there, which was not the case in previous ones

@renchap It seems that Misskey have implemented this feature in the recent release of Misskey (2024.10.1)

This is translated from their release notes

As an anti-spam measure, moderators are now automatically switched to invite-only (Control Panel -> Moderation >-> “Allow anyone to register” turned off) if they have not seen any activity for more than 7 days. ( #13437 )
Moderators will be notified when the switch is made. If you want to keep registration open, please set it up again in the control panel.

https://misskey-hub.net/en/docs/releases/

@renchap not just ActivityPub fediverse - there's also been a spam wave on Matrix recently where most of the posts have been from open-reg servers, and a similar mechanism would probably help there too.