Mastodon.social StaffPlease report any account that claims that you need to verify your #Mastodon account to continue using it. It is a scam. Don't click the links. Real staff accounts either have a special role badge on their profile or are verified through the joinmastodon.org domain.
Kelli RiffleWe're as frustrated as everyone else with these phishing attacks. mastodon.social had new sign-ups in approval mode this week to limit the impact, but offenders targeted other instances and compromised existing accounts. We take the problem very seriously; we're suspending and blocking as quickly as possible, as well as actively working on countermeasures.
Stefan@staff I wish you could force new accounts in limited mode. So folks could sign up but would signups need approval to start messaging others.
Just Bob
stux⚡️
Sebastian Zdrojewski
DJGummikuh@staff honest thanks from me for your tireless work!
@staff thanks for all your hard work!
Martin Dougiamas@staff Some general support for opt-in blocklisting (where servers and individuals can subscribe to sources they they trust for blocking rules) would be invaluable for Mastodon in general.
Emelia 👸🏻@martin @staff that wouldn't really help in this case because spammers don't tend to slow-feed misuse/abuse, instead they flood, so by the time the account ends up on a blocklist it's either already suspended by origin server, or the attackers have moved on to other accounts after encountering rate limits.
@thisismissem @staff Assuming the admin of that server is vigilant (but I don’t think that’s always the case). There could also be regexp rules for the text as well (which would catch any account it came from) etc
@martin so the spam waves we're seeing are quite advanced and adaptive, it's not like the script kiddie spam from last year.
With this spam wave, I'm still analyzing the data, but:
- we've seen at least 13 different domains used for the phishing site
- we've seen them using CWs when spamming publicly
- we've seen them use multiple different scripts (what's written), including multiple languages
Regexp and publicly available lists of data are not something that would particularly help, as as soon as you publish & block keywords or domains, the attack changes.
If a server admin is not vigilant, then they should not have open registration (ex. Mastodon.social), but there's servers out there that are several versions out of date, so they don't get any of the new mitigation features or warnings (there's a big warning about open registration in the admin panel since 4.3.x)
ᴮᵉⁿ ᴿᵒʸᶜᵉVOTE IN THE PRIMARIESwould limiting rate of posts for new accounts help?
so you make a new account, you only get 3 posts on your first day for example
but... they'll just register and go dormant for a period of time
no, you could still do it:
rate limit number of first few posts, no matter account age
so... they post innocuous garbage to get past that hurdle
but that's still useful
put up these kinds of barriers to make spamming hard, while not interfering with regular users
@benroyce @martin @staff there's various approaches being explored, but as the code is all opensource, sufficiently advanced attackers can reverse engineer to circumvent any policy put in place in code.
I was looking a posting frequency deviation with a minimum, since that's my adaptive as someone starts using the service
Tomáš Znamenáček@staff I understand this must be difficult and it may take a while to clear all the mess. But let’s appreciate the main point here – that people care about preventing spam and fraud on Mastodon, that there is honest effort instead of just putting up appearances and rejecting obviously legitimate flags like on some corporate networks. Thank you for your service! This is technology as it should be.
Michael Salbeck@staff
The last few weeks our server we got several requests for new accounts from IPs from India. The text in the requests was presumably AI generated.
So, we rejected all such account requests.
The last few weeks our server we got several requests for new accounts from IPs from India. The text in the requests was presumably AI generated.
So, we rejected all such account requests.
Chris Pitts@staff Thanks for your efforts. They’re appreciated. As a small server admin, I feel your pain.
haui ☭
🇵🇸@staff
You're being attacked most likely by political actors due to allowing criticism of certain regimes.
I suggest you communicate where those attacks are coming from as an effective method to stop them.
Otherwise, good luck and thank you for your service. :)
RDRush@staff Good hunting!
Stay vigilant -- win!
Stay vigilant -- win!
Pam C@staff Maybe time to remove bot accounts, at least temporarily.
Jochem@staff Just a big thank you. Much appreciated!
Will Phoenix@staff You're in open sign up mode. Anyone can see you're still listened on Joinmastodon as number one and see the api readout
registrations
enabled true
approval_required false
@Whiskeyomega You are correct, this was not an effective solution.
Alison Meeks@staff I’m not sure if you able to view profile pictures but any accounts flying the Mastodon or Mastodon service icon is straight up suspicious. Similarly with username.
staringatclouds@staff Thank you for all the hard work
Gnosyz 🖖
@staff IMHO if many other instances had a pre-registration check (closed/pre-moderated registration) this wouldn't be a problem. And I do understand that a lot of servers don't have people resources/time/or a completely abandoned by their creators. Ans some also don't want to limit or constrain their user's freedoms by the rules and "unnecessary" registration procedures. This is exact reason why spam spreads in Mastodon so easily. It is all understandable. But, until, main Mastodon development team will not provide a solid tool to fight spam and bots, I am 100% that closed registration is the only way to cut spammers for your instances.
nimi
Matt Noyes@staff Hi friends, if you had all new sign-ups in approval mode, and kept them that way, this problem could be alleviated going forward.
@Matt_Noyes This is unfortunately not true. In most cases, closing our signups has merely moved attacks to other servers. In this case, it's mostly moved it to compromised accounts. And even in approval mode, spammers get through!
Combating spam is a constantly moving target, each change you make causes the approach to shift. We have some new tools in the latest builds, and hopefully we'll have even more options in the future with FASPs.
teamjybyky@staff I can't access the account, and it's been taken over by someone else. I've complained to the service, but I haven't received a response.
https://mastodon.social/@jybyky
The account was taken over by an irresponsible party.
I can't access the account, and it's been taken over by someone else. I've complained to the service, but I haven't received a response.