PSA: I have just cleaned a set of Russian misinfo spambots from this instance.

⚠️ We moderate registrations, and have invites enabled. ⚠️

This is how they got in:

  • 8 days ago (Mar 29) they requested an account. The request did not appear LLM generated. The request was topical enough to meet our flexible informal threshold, and read as clumsy English.

  • 6 days ago (Apr 1) I reviewed and approved the account.

  • Their signup email accounts were from the emailondeck tempmail provider. Each domain was different. I only bother looking at the email domain if there are other red flags. (A lot of people who choose us are technical with their own email domains. Random domains don't stand out.)

  • They signed up from an IPv6 address and only ever connected from 1 IP.

  • They made 0 posts from this account. They did not set a bio. They did not set a PFP.

  • They created 1 invite code for 5 uses.

  • 5 days ago this invite code was used to make 1 account. They did not post anything, nor did they set a bio or PFP.

  • That second account, and all other accounts, used IPv4. They also only connected from 1 IP.

  • Over the next 4 days, the final 4 accounts via that invite code were made.

  • These accounts set bios that were a few random words and an emoji. They made the non-hashtag variety of posts the misinfo accounts make; bland word salad poetry. They boosted a bunch of other posts to try to look normal.

  • All IPs involved have been labelled by https://spur.us as OPEN_ROUTABLE_PROXY and the IPv4 ones were also labelled as TOR_PROXY.

  • The admin interface identifies the posts as using clients called "ssl", "scsi", "ib".

The cleanup procedure:

  • Ban the accounts immediately.

  • Deactivate the invite code immediately.

  • Review other recently created accounts and invite codes.

  • Write this all down for future reference.

Notes:

It's easy to be complacent when you've got account creations moderated or by invite codes.

Chances are that if I had not noticed, each of the active accounts may have created their own invite code, and there would have been another 20 or more of them.

#fediblock #mastoadmin
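The signals listed in the post (an approved account that stays blank, creates a multi-use invite soon after approval, and a chain of accounts hanging off that invite) can be checked mechanically during the "review other recently created accounts and invite codes" step. The following is an added example, not part of the original post and not Mastodon code; the record fields, day offsets, invite codes and the 7-day window are assumptions, and the sample data is constructed to mirror the timeline above.

```ruby
# Constructed sample records mirroring the timeline in the post. Field names and
# day offsets are assumptions for this example, not Mastodon's schema.
ACCOUNTS = [
  { id: 1, approved_day: 0,    posts: 0,   bio: nil,          avatar: false, invite: nil },
  { id: 2, approved_day: 1,    posts: 0,   bio: nil,          avatar: false, invite: 'INV-A' },
  { id: 3, approved_day: 2,    posts: 14,  bio: 'moss river', avatar: true,  invite: 'INV-A' },
  { id: 4, approved_day: 3,    posts: 9,   bio: 'quiet lamp', avatar: true,  invite: 'INV-A' },
  { id: 5, approved_day: 4,    posts: 11,  bio: 'salt cloud', avatar: true,  invite: 'INV-A' },
  { id: 6, approved_day: 5,    posts: 7,   bio: 'green door', avatar: true,  invite: 'INV-A' },
  { id: 7, approved_day: -400, posts: 900, bio: 'sysadmin',   avatar: true,  invite: nil },
  { id: 8, approved_day: -3,   posts: 12,  bio: 'hi, I knit', avatar: true,  invite: 'INV-B' }
].freeze

INVITES = [
  { code: 'INV-A', creator: 1, created_day: 0,  max_uses: 5 },
  { code: 'INV-B', creator: 7, created_day: -5, max_uses: 1 }
].freeze

# An account with no posts, bio or avatar has shown nothing beyond its signup request.
def blank?(acct)
  acct[:posts].zero? && acct[:bio].to_s.strip.empty? && !acct[:avatar]
end

# Accounts that stayed blank yet created a multi-use invite shortly after approval.
def bridgeheads(accounts, invites, window_days: 7)
  by_id = accounts.to_h { |a| [a[:id], a] }
  invites.select do |inv|
    creator = by_id[inv[:creator]]
    next false unless creator && blank?(creator)
    multi_use = inv[:max_uses].nil? || inv[:max_uses] > 1 # nil is treated as unlimited
    multi_use && (inv[:created_day] - creator[:approved_day]).between?(0, window_days)
  end.map { |inv| inv[:creator] }.uniq
end

# Every account reachable from root_id through invite codes, for the review step.
def invite_tree(root_id, accounts, invites)
  seen = [root_id]
  queue = [root_id]
  until queue.empty?
    current = queue.shift
    codes = invites.select { |i| i[:creator] == current }.map { |i| i[:code] }
    accounts.each do |a|
      next unless codes.include?(a[:invite]) && !seen.include?(a[:id])
      seen << a[:id]
      queue << a[:id]
    end
  end
  seen.sort
end
```

On this data `bridgeheads(ACCOUNTS, INVITES)` flags only account 1, and `invite_tree(1, ACCOUNTS, INVITES)` returns the six accounts to review together; the long-standing member's single-use invite is not flagged.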


Pls go add very convincing emojis to this issue:

https://github.com/mastodon/mastodon/issues/38594

Invite quarantines and/or moderation · Issue #38594 · mastodon/mastodon

Pitch It would be good to be able to quarantine and/or moderate invite codes from shiny new accounts. Quarantine invites option: No invites for $config duration after account approval. Default conf...

@el did the requests look like these? https://oc.todon.fr/@admin/116344897867917225
Admin oc.todon.fr: To prevent spam, sign-ups on oc.todon.fr require writing a short message and manual validation. Here is the kind of messages I have been receiving for a month. (Attached: 2 images)
@val Yes exactly like that.
@val The word salad looks like that yes. Account 0 here was not word salad in the request.
@val This one was account 0
@el wow that's really good
@val and now we're getting word salad poetry requests like your screenshots, but were not before...
@el Good job catching this before it went any further
@el Thank you for posting this. I frequently need help with this. Always unsure if I'm denying a genuine person. Or letting in a spammer.

@el

thank you very much for the detailed research!
On our instance it came a few days earlier

our "bot-bridgehead" signed up with the domain @nick-ao.com

It was definitely a human, and invested the time to understand a bit the idea of our instance.
We have moderated sign-ups, but in this case this didn't help?
They wrote as reasons to join: "Mostly here to read and learn, maybe post sometimes. Looking for an alternative to bluesky after they approved the ICE account... "

The account was set up on 24th of March, never posted, but created the invites for several bots. At first we thought the gibberish word salad was harmless, or poetry or whatever....

Now several of them started posting Russian propaganda in Greek.🤔

@el

Saw the exact same behavior here. Good job.

@el be aware that numerous abandoned or unmanaged (AUD) services are highly targeted by this group, and you may wish to defederate with these services.

We are closing version 1 of the account tracker, all remaining known active accounts are available at https://docs.google.com/spreadsheets/d/1GT_C2nAswYgM2-cGr-GkshSoFN-vN85A2JJnnGq_4k0/edit?gid=141229103#gid=141229103

More background information: https://about.iftas.org/2025/10/05/coordinated-pro-russian-propaganda-network-targeting-activitypub-and-atproto-services/

AUD Denylist: https://about.iftas.org/library/iftas-abandoned-and-unmanaged-domain-list/

@el I am curious, how did you notice these accounts?
@tay I'm the only one who routinely processes our moderation queue (others help with the report queue). I saw a spurt of accounts I didn't recognize in the "... signed up" notifs, so I knew they were invites. And then I saw the stardew-style pfp one of them had and recognized that someone was inviting the standard misinfo bots. Worked back from there.
@el ahh, thanks!
@el Another thanks for posting this! Always good to see what kind of nonsense the criminals are up to.