Mastodon.social StaffPlease report any account that claims that you need to verify your #Mastodon account to continue using it. It is a scam. Don't click the links. Real staff accounts either have a special role badge on their profile or are verified through the joinmastodon.org domain.
We're as frustrated as everyone else with these phishing attacks. mastodon.social had new sign-ups in approval mode this week to limit the impact, but offenders targeted other instances and compromised existing accounts. We take the problem very seriously; we're suspending and blocking as quickly as possible, as well as actively working on countermeasures.
Martin Dougiamas@staff Some general support for opt-in blocklisting (where servers and individuals can subscribe to sources they they trust for blocking rules) would be invaluable for Mastodon in general.
Emelia 👸🏻@martin @staff that wouldn't really help in this case because spammers don't tend to slow-feed misuse/abuse, instead they flood, so by the time the account ends up on a blocklist it's either already suspended by origin server, or the attackers have moved on to other accounts after encountering rate limits.
@thisismissem @staff Assuming the admin of that server is vigilant (but I don’t think that’s always the case). There could also be regexp rules for the text as well (which would catch any account it came from) etc
@martin so the spam waves we're seeing are quite advanced and adaptive, it's not like the script kiddie spam from last year.
With this spam wave, I'm still analyzing the data, but:
- we've seen at least 13 different domains used for the phishing site
- we've seen them using CWs when spamming publicly
- we've seen them use multiple different scripts (what's written), including multiple languages
Regexp and publicly available lists of data are not something that would particularly help, as as soon as you publish & block keywords or domains, the attack changes.
If a server admin is not vigilant, then they should not have open registration (ex. Mastodon.social), but there's servers out there that are several versions out of date, so they don't get any of the new mitigation features or warnings (there's a big warning about open registration in the admin panel since 4.3.x)
ᴮᵉⁿ ᴿᵒʸᶜᵉVOTE IN THE PRIMARIESwould limiting rate of posts for new accounts help?
so you make a new account, you only get 3 posts on your first day for example
but... they'll just register and go dormant for a period of time
no, you could still do it:
rate limit number of first few posts, no matter account age
so... they post innocuous garbage to get past that hurdle
but that's still useful
put up these kinds of barriers to make spamming hard, while not interfering with regular users
@benroyce @martin @staff there's various approaches being explored, but as the code is all opensource, sufficiently advanced attackers can reverse engineer to circumvent any policy put in place in code.
I was looking a posting frequency deviation with a minimum, since that's my adaptive as someone starts using the service