Please report any account that claims that you need to verify your #Mastodon account to continue using it. It is a scam. Don't click the links. Real staff accounts either have a special role badge on their profile or are verified through the joinmastodon.org domain.
We're as frustrated as everyone else with these phishing attacks. mastodon.social had new sign-ups in approval mode this week to limit the impact, but offenders targeted other instances and compromised existing accounts. We take the problem very seriously; we're suspending and blocking as quickly as possible, as well as actively working on countermeasures.
@staff I wish you could force new accounts in limited mode. So folks could sign up, but signups would need approval to start messaging others.

@stefan @staff

Servers do have that setting. Beamship (where I'm an admin) is set up for approval before you can do anything. It's up to individual servers.

@stefan @staff Oh that's a nice one!

Or maaaybe some sort of REGEX filter on signup? Since they seem to use a pattern maybe

@stux @stefan @staff is the pattern or account names publicly available somewhere to peek at?
@staff honest thanks from me for your tireless work!
@staff thanks for all your hard work!
@staff Some general support for opt-in blocklisting (where servers and individuals can subscribe to sources they trust for blocking rules) would be invaluable for Mastodon in general.
@martin @staff that wouldn't really help in this case because spammers don't tend to slow-feed misuse/abuse, instead they flood, so by the time the account ends up on a blocklist it's either already suspended by origin server, or the attackers have moved on to other accounts after encountering rate limits.
@thisismissem @staff Assuming the admin of that server is vigilant (but I don't think that's always the case). There could also be regexp rules for the text as well (which would catch any account it came from), etc.

@martin so the spam waves we're seeing are quite advanced and adaptive, it's not like the script kiddie spam from last year.

With this spam wave, I'm still analyzing the data, but:
- we've seen at least 13 different domains used for the phishing site
- we've seen them using CWs when spamming publicly
- we've seen them use multiple different scripts (what's written), including multiple languages

Regexp and publicly available lists of data are not something that would particularly help, as soon as you publish & block keywords or domains, the attack changes.

If a server admin is not vigilant, then they should not have open registration (ex. Mastodon.social), but there are servers out there that are several versions out of date, so they don't get any of the new mitigation features or warnings (there's a big warning about open registration in the admin panel since 4.3.x).

@thisismissem @martin @staff

would limiting rate of posts for new accounts help?

so you make a new account, you only get 3 posts on your first day for example

but... they'll just register and go dormant for a period of time

no, you could still do it:

rate limit number of first few posts, no matter account age

so... they post innocuous garbage to get past that hurdle

but that's still useful

put up these kinds of barriers to make spamming hard, while not interfering with regular users

@benroyce @martin @staff there are various approaches being explored, but as the code is all open source, sufficiently advanced attackers can reverse engineer it to circumvent any policy put in place in code.

I was looking at a posting frequency deviation with a minimum, since that's adaptive as someone starts using the service.
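The two ideas in this exchange (a quota on an account's first few posts regardless of account age, and a deviation check against the account's own posting rhythm with a hard minimum) can be combined into one policy. The following is an added illustration written for this thread, not Mastodon's own code; every threshold, the class name and the `:allow`/`:throttle`/`:flag` verdicts are my assumptions.

```ruby
# Added example, not Mastodon's own code: a throttle for an account's first posts
# that ignores account age (so registering and going dormant does not help),
# followed by a burst check against the account's own posting rhythm.
# All thresholds below are assumptions chosen for illustration.

class EarlyPostThrottle
  EARLY_POSTS      = 10     # the account's first 10 posts ever count as "early"
  EARLY_PER_DAY    = 3      # during the early window, at most 3 posts per rolling 24h
  MIN_GAP_SECONDS  = 30     # hard floor: faster than this is flagged regardless of history
  DEVIATION_FACTOR = 0.1    # flag if a gap is under 10% of the account's mean gap
  DAY              = 86_400

  def initialize
    # account id => array of accepted post timestamps (epoch seconds, ascending)
    @history = Hash.new { |h, k| h[k] = [] }
  end

  # Decide whether a post attempt at `now` should go through.
  # Returns :allow, :throttle (early-window quota used up) or :flag (burst after
  # the account built up a "normal" rhythm, e.g. with innocuous filler posts).
  def check(account_id, now)
    times = @history[account_id]
    if times.size < EARLY_POSTS
      recent = times.count { |t| now - t < DAY }
      return :throttle if recent >= EARLY_PER_DAY
    else
      gaps = times.each_cons(2).map { |a, b| b - a }
      mean_gap = gaps.sum.to_f / gaps.size
      gap = now - times.last
      return :flag if gap < MIN_GAP_SECONDS || gap < mean_gap * DEVIATION_FACTOR
    end
    :allow
  end

  # Record a post that was actually accepted.
  def record(account_id, now)
    @history[account_id] << now
  end

  # Convenience: check and, if allowed, record in one step.
  def post(account_id, now)
    verdict = check(account_id, now)
    record(account_id, now) if verdict == :allow
    verdict
  end
end

if __FILE__ == $PROGRAM_NAME
  t = EarlyPostThrottle.new
  # Constructed scenario: an account fires four posts within three minutes of creation.
  puts [0, 60, 120, 180].map { |now| t.post('spammer', now) }.inspect
  # => [:allow, :allow, :allow, :throttle]
end
```

The early-window quota is keyed on how many posts the account has ever made, not on when it registered, which is the point raised about dormant accounts. Once ten posts exist, a gap far shorter than the account's own average (or shorter than the absolute floor) is flagged for review rather than silently dropped, so a legitimate user who suddenly gets chatty is reviewed, not locked out.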

@staff I understand this must be difficult and it may take a while to clear all the mess. But let’s appreciate the main point here – that people care about preventing spam and fraud on Mastodon, that there is honest effort instead of just putting up appearances and rejecting obviously legitimate flags like on some corporate networks. Thank you for your service! This is technology as it should be.
@staff
The last few weeks our server got several requests for new accounts from IPs in India. The text in the requests was presumably AI generated.
So, we rejected all such account requests.
@staff Thanks for your efforts. They’re appreciated. As a small server admin, I feel your pain.

@staff
You're being attacked most likely by political actors due to allowing criticism of certain regimes.

I suggest you communicate where those attacks are coming from as an effective method to stop them.

Otherwise, good luck and thank you for your service. :)

@staff Good hunting!
Stay vigilant -- win!
@staff Maybe time to remove bot accounts, at least temporarily.
@staff Just a big thank you. Much appreciated!

@staff You're in open sign-up mode. Anyone can see you're still listed on Joinmastodon as number one and see the API readout:

registrations
enabled true
approval_required false

@Whiskeyomega You are correct, this was not an effective solution.
@staff I'm not sure if you're able to view profile pictures, but any accounts flying the Mastodon or Mastodon service icon are straight up suspicious. Similarly with usernames.
@staff Thank you for all the hard work
@staff IMHO if many other instances had a pre-registration check (closed/pre-moderated registration) this wouldn't be a problem. And I do understand that a lot of servers don't have people resources/time, or are completely abandoned by their creators. And some also don't want to limit or constrain their users' freedoms by the rules and "unnecessary" registration procedures. This is the exact reason why spam spreads in Mastodon so easily. It is all understandable. But, until the main Mastodon development team provides a solid tool to fight spam and bots, I am 100% sure that closed registration is the only way to cut spammers for your instances.
@staff ..since 1 hour…
@staff Hi friends, if you had all new sign-ups in approval mode, and kept them that way, this problem could be alleviated going forward.

@Matt_Noyes This is unfortunately not true. In most cases, closing our signups has merely moved attacks to other servers. In this case, it's mostly moved it to compromised accounts. And even in approval mode, spammers get through!

Combating spam is a constantly moving target, each change you make causes the approach to shift. We have some new tools in the latest builds, and hopefully we'll have even more options in the future with FASPs.

@staff I can't access the account, and it's been taken over by someone else. I've complained to the service, but I haven't received a response.

https://mastodon.social/@jybyky

The account was taken over by an irresponsible party.

I can't access the account, and it's been taken over by someone else. I've complained to the service, but I haven't received a response.

@staff I did this here on my instance... there are many accounts being tagged in a suspicious toot. It seems it has already been blocked. But other accounts may come.

@staff
Your account isn't yet verified in any way, though.

#Mastodon #MastodonSocial #MastodonOnline

@nunesgh @staff

Good catch.

@cainmark @nunesgh We have the staff role badge which can only be set by the server administrator, though the badge is only visible when you are viewing it from mastodon.social itself.

@staff @cainmark
Thank you for that information! I'm on mastodon.social, but I'm usually on a third-party app, #Fedilab, which doesn't show badges, so domain verification is still important.
On that, why not verify through mastodon.social and mastodon.online instead of joinmastodon.org?

#Mastodon #MastodonSocial #MastodonOnline

@nunesgh
At least, when opening the profile remotely, you should see the badge with Fedilab. So there is an issue on our end. Bookmarked for a fix.
@staff @cainmark
@staff @cainmark @nunesgh at the very least, the badge should be visible in the official mobile app, not only the website. And other apps should be able to show it as well.
@alfonsoml @cainmark @nunesgh Other apps can, if they support it. I just checked, https://pachli.app shows the badge.

@alfonsoml @cainmark @nunesgh @staff Although @MastodonEngineering makes this more difficult than it should be for apps (official or otherwise) by not documenting the necessary information.

Happy anniversary to https://github.com/mastodon/documentation/issues/1483

The `roles` attribute is missing from the `Account` entity · Issue #1483 · mastodon/documentation

@staff @cainmark @nunesgh Is it possible for 3rd party apps to show role badges? That would be very useful.

Edit: Just checked the official Mastodon app and role badges don’t even show there. 😬

@jamie @staff role badges only show on the origin server, otherwise I could create my own server, give myself a staff role, and appear as staff to users on other servers

so you need to be a .social user to see .social role badges

[edit] this is my server admin as viewed in Moshidon
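The point above, that a `roles` array is only meaningful when it comes from the account's own server, is a client-side trust decision: a remote server can put any role name it likes into the Account entities it serves. Below is an added example of how a client could apply that rule; it is not Mastodon's or any app's code, the sample accounts are constructed, and the field names in the `roles` entries (`id`, `name`, `color`) are my assumption about the undocumented attribute the issue thread above refers to.

```ruby
require 'json'

# Added example, not Mastodon's or any client's code: a client-side rule for
# showing role badges. A `roles` array on an Account entity is an assertion by
# whichever server the account lives on, so it is only trusted when that server
# is the one the client is talking to; remote accounts get no badge.

# Constructed sample of Account entities as a client might receive them.
# Field names for role entries are an assumption; all values are made up.
SAMPLE_ACCOUNTS = JSON.parse(<<~JSON)
  [
    {"acct": "staff", "roles": [{"id": "3", "name": "Staff", "color": "#ff0000"}]},
    {"acct": "staff@mastodon.social", "roles": [{"id": "3", "name": "Staff", "color": "#ff0000"}]},
    {"acct": "staff@other.example", "roles": [{"id": "3", "name": "Staff", "color": "#ff0000"}]},
    {"acct": "alice", "roles": []}
  ]
JSON

# True when the account is local to `server_domain`: Mastodon gives local accounts
# a bare username in `acct`, while remote ones carry user@domain.
def local_account?(account, server_domain)
  _user, domain = account.fetch('acct').split('@', 2)
  domain.nil? || domain.casecmp?(server_domain)
end

# Role names a client may render as badges for this account; [] for remote accounts,
# whatever their server claims.
def displayable_roles(account, server_domain)
  return [] unless local_account?(account, server_domain)
  Array(account['roles']).map { |r| r['name'] }
end

# Summarize a batch: acct => badge names to display when viewed from `server_domain`.
def badge_map(accounts, server_domain)
  accounts.to_h { |a| [a['acct'], displayable_roles(a, server_domain)] }
end

if __FILE__ == $PROGRAM_NAME
  puts badge_map(SAMPLE_ACCOUNTS, 'mastodon.social').inspect
end
```

Viewed from mastodon.social, both the bare `staff` and `staff@mastodon.social` entries get a badge, while `staff@other.example` gets none even though its server asserts the same role; viewed from other.example the reverse holds. That is exactly the "you need to be a .social user to see .social role badges" rule, and it is why a badge seen in an app cannot be trusted across servers.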

@staff It seems like Rinoa Jones might be one of those pseudonyms.
@staff Thank you for your Information

@staff Your profile has neither a "badge" nor a verified domain.

Ladies and gentlemen we got him.

@staff

Yes, I join with others thankful for the work of Admins to protect us. ♥️

@staff Bear in mind that badges are not shown on the official mobile app.
@staff this scam is taking advantage of an information vacuum (why doesn't every Mastodon user know you don't have to verify your account to keep using it?) and digital deference (it's on a computer so I must do what it says). Instead of assuming why people are responding to these messages, ask them in order to understand their assumptions and situation.
It also indicates a gap in providing admin-level messages, similar to old school forum discussion boards or SMS from a mobile phone provider.

@staff

That's misleading because real admin accounts ought not to post phishy stuff either.

@staff I will signal your account as a scam.
Edit: done.
@staff you guys were my second Mastodon instance. I can't even recall which one I migrated from. Having said that, you guys are heroes to me. Thanks for all your effort and for maintaining this great instance and community.
@staff I didn’t realize that reporting these posts would help. Done.
@TracyTThomas
It would also be good to additionally report the phishing URL itself on https://safebrowsing.google.com/safebrowsing/report-url (I'm not a big fan of Google, but that safe browsing list is used by different browsers, Firefox included, and may help if people do click on those links) #safebrowsing
@staff

@staff Tacking on this sentence was irresponsible and unnecessary:

"Real staff accounts either have a special role badge on their profile or are verified through the joinmastodon.org domain."

The potential victims of this scam don't understand how to verify those conditions and it just gives the scammers a way to trick them ("see here for the role badge we told you to look for when warning you about scams").

The responsible thing to say is "Real staff accounts will NEVER DM you asking you to click a link, disclose private information, or verify your account. Any such request is a scam."

@staff

Well I'll stick with Misskey forks* and occasionally Akkoma, thanks.

*At this rate you might as well fork Misskey, there'll come a point you can't add the features we have without breaking it completely.
Not so "frivolous" now.

And Mastodon AntiSocial stays muted.
I saw yours in a boost by a mutual.

#mastodon #misskey #SignUpApprovalByDefault

@staff

Mastodon needs a way to "verify" that doesn't require having some other website

If I could follow "Real people only" I absolutely would.

@staff Yeah, I’ve seen a few of those scam messages too. Best to ignore and report them right away. I usually double-check info from trusted sources only, same way I do when browsing sites like f30imask.com to avoid clicking on shady links.
@staff Does anything happen if you click on the link and then close it without taking any further action? I received one of these messages and accidentally clicked on it. The link looked something like mastodon order sessionz3910 .icu