@Gargron Yep, my instance is set to approvals and I did only see one. they are getting ignored.

@Gargron will there be at least discussions on improving the moderation capabilities in Mastodon so server admins (both victims and passer-bys) can more easily manage these attacks?

@Gargron any idea where it’s coming from, or why now?

@Gargron @anderspuck Tænker du har styr på det.

@Gargron You must be doing a great job on .social, because I've not noticed a damn thing this time around. Glad to see there's help out there for the smaller instances, too.

@Gargron

you know you're on to the right ideas when jerks try to ruin it.

@Gargron can the behavior of spammers be detected when sending the spam messages ?

@Gargron Might this be related?
https://mastodon.social/@ErikUden@mastodon.de/111951999084148777

@Gargron See also this thread for mitigations: https://mastodon.de/@ErikUden/111940301222380638

@Gargron whilst being good advice, blocking disposable e-mail providers is not a great solution. Privacy focussed users often use those, and they are a legitimate userbase. Can't wait to see what else the fediverse comes up to remedy this problem, there are some pretty smart people on here! :)

@Gargron WOW

@Gargron I get the issue, but I hate Captcha…

@Gargron oh, so this is where the surge in new users come?

@Gargron This is to be expected. The next attacks will probably be even bigger. I hope there are enough tools to neutralise spam in Mastodon

@JamesGleick

@Gargron where's the AI to save us when we need it to? 🫣

@Gargron

Back in BBS days, most Sysops required a phone call before we enabled access to more than the "Introductions" board.

This created a human connection between user and Sysop that created a fairly congenial environment, even when very strong disagreements were the order of the day.

The VC need to hoover up accounts which they can monetize is what incentivizes open registration. Nobody else needs "all the accounts" so turning on approval is just a good idea for everyone.

@Gargron I've been getting a lot of spam since Thursday or Friday. I keep reporting & blocking.

@Gargron Defaults matter. Mastodon should default to screened signups and present a warning about open signups. Also the blocked email domains should default to include disposable email domains.

@Gargron More methods to stop the ongoing attack:

https://mastodon.de/@ErikUden/111940301222380638

@Gargron Does duckduckgo email masking count as disposable email?

@Gargron @GottaLaff thanks, it hit my server, setting signups to approval seems to have fixed it for now, I had two accounts up for about 12 hours and got a dozen reports in that time, thanks everyone for reporting!

@Gargron Amusing, at one time I was going to try and move over to Mastodon Social, and liked it, but then they kicked me off. because I asked a question and mentioned GAZA.

@Gargron Unfortunately a lot of these instances are micro instances that seem like someone spun it up to test and then left unused. The batches that I’ve seen included a lot that are not maintained and running old versions of #Mastodon. So asking to have registration changed maybe yelling into the void.

Perhaps the defaults for signup should be set to closed? And if disposable email is used, the account is restricted until vetted? Also more robust filtering would be nice.

@Gargron Oh Yeah..
If they are attacking surely there's some good going on here.

@Gargron I’m glad to say I *never* see span on mas.to. Thanks @trumpet !

@Gargron it’s such a bummer. Thank you guys for all your hard work.

@Gargron my account is getting tagged in about 20-30 a day. If this keeps up , I have little choice then to leave . I’m reporting more spam than engaging with followers . It’s exhausting 😮‍💨

@Gargron I honor every line of code that your team and you produce to maintain Mastodon.

But what I really miss as an instance administrator is some sort of spam detection. We have tools and libraries for that, e.G. for simple naive bayes detection.

Maybe it will not be 100 percent precise, but it would help a lot of Mastodon could block / delay suspicious posts based on simple machine learning mechanisms (like we have them for email).

@Gargron One possibility that would be nice: Review accounts, but before accounts get reviewed, they're just limited, so they can still get set up and they might be able to spam, but they won't be able to hit a timeline other than their own followers until reviewed.

@Gargron
I have blocked mx.fex.plus and since then no new spam-registrations
If this won't work at all switching to approval mode would be an option, thanks for this hint!

@Gargron given that the spam is mainly the same images, could you hash them and use that as a rejection filter?

@Gargron If you could like... idk... actually write software or something?? to make moderation easier??? that would help a fuckton. or approve the MRF??

@Gargron Captchas are still an accessibility nightmare. I'll die on this hill.

@Gargron @staff

@alter_unicorn
Plutôt que de bloquer les domaines, est ce qu'il serait possible de bloquer les fournisseurs de mails jetables ?

@Gargron We've already had to limit over 50 domains and it looks like some instances are created only for the purpose of this attack. This exposes a vulnerability of Mastodon in that admins have no way to prevent incoming spam other than after the fact.

So if you know of any tool or option that would enable receiving instances to keep this in check, please let us know.

@Gargron targeted email blocking can be just as bad as targeted IP blocking it should not be assumed that every disposable email = spam, or every user connecting from an IP that spams also uses the connection to spam. I think having the ability to create fake accounts should be part of fediverse freedom. Performing some content checking to determine if it is a bot and limiting rate of spam postings on the content side might be an alternative.

@Gargron "disposable e-mail providers"
lol in 2 years I've seen around 20 #spam accounts trying to register on our instance. Gmail-share: 💯%!
It really is an advantage to only manage an instance for German-speaking users: more or less nobody registers with a #Google address - and if a registration comes from #Gmail, you can easily save yourself the verification work.

@Gargron it needs to be easier for moderators to find report and suspend accounts or instances that are compromised. It's hours of clicking to do it "properly" right now and I don't have a full time staff - it's just me doing clean up 🥲

@Gargron

I haven't received any yet. 🤞

@Gargron Take care of this bastard @kazbo, please. Whatever it takes, take him out.

@Gargron but attackers can setup mastodon with different domains to go on spam the fediverse

@Gargron@mastodon.social yeah and sadly it's a very clever one, we can't do much about it as messages are coming from different users, from different servers, and it has no text only an image, so we can't even filter that :(

@Gargron Thanks for keeping us safe from these digital hooligans.

@Gargron If you want to encourage servers to switch to manual approval. Maybe switch the order on joinmastodon.org to put the servers that require manual approval ahead of the open servers? By putting the open servers first it appears joinmastodon.org is endorsing open registrations.

@Gargron @stux maybe this could be useful?

@Gargron HCaptcha is a bad idea. I wish they'd use something different. It can block screen reader users when their cookie system fails to work the way it's supposed to.

@Gargron how many are just servers people set up and forgot about

@Gargron hCaptcha is problematic. I'm sure you're aware of this github issue: https://github.com/mastodon/mastodon/issues/25023

It's becoming a harder sell that this is an "emergency feature implementation" 9 months after the issue was opened.

@Gargron
FYI @christianp

@Gargron HELL NO / DESTROY ALL SPAM ! Including ep0c times info wars and whatever the f : https://www.floridabulldog.org/2024/02/ben-swann-moscows-broadcast-man-in-miami/

I think spam problem could be faciliated with better UI. I'd divide incoming events into categories like "events from friends", "events from subscriptions", "events from discussions where I participated (e.g. replies)", "events from bots" and "events from people I never interacted with" with ability to temporarily mute some of them. In this case spam will make less harm by flooding the whole inbox.

@Gargron Thanks to everyone who is working behind the screens to filter this and prevent it from reaching users. This must take so much work :ablobcatheartsqueeze:

@Gargron Man. City-Brentford, the review: data, information, date, time, and television of the Head Association match
Watch Now: http://tinyurl.com/y5et47cw

This is really like:

- We have a dude that is registering many accounts on abandoned old servers and is spamming all users. What we can do?!

- We urge admins of OTHER, not abandoned servers, to close registrations! (or enable captcha, approval etc.)

- What?! 🥴

@Gargron
#Mastoadmin

@Gargron I was like #wtf 😅 😓 🤦

@Gargron some rustic rate limiting as a default in the server software may help for cases like this... (like when signups or total message sent out per server are more than 2 standard deviations the daily number in the past N days, reject with a "we're full" message or queue for moderation)

@Gargron

Please send help 🙏

@Gargron @GottaLaff Everything sounds good except, please, please, please no Hcaptcha. Hcaptcha is a pain for people who are blind.

@Gargron

Any thought on developing a federated anti-spam system? If one instance blocks an email or domain it propagates to the servers that choose to federate with its anti-spam so that email or domain can't be used on other servers.

@Gargron @meatlotion take a look

@Gargron This it me and our server - I tried to shut it down and think I'm successful - but do worry what happens to our small server and getting defederated because of this.

@Gargron Do you have any advice for admins on the receiving end of this? I haven’t been able to find any tooling that helps servers that are being inundated deal with all the spam except in a very slow, labour intensive way.

@Gargron An example of "It is your fault if you are be blocked by the fediverse if you do not secure you instance to avoid spam."

@Gargron I understand it has became more popular - so ther is some kind of "jalousy" among the old emperors? I know it seams to sound as conspiracy-theory... but it isn't. Growth of fediv takes the numbers away... so...

@Gargron #HCaptcha is a barrier for many blind/visually impaired users, for some of the reasons outlined in my recent post here: https://universeodon.com/@FreakyFwoof/111954929582025753

@Gargron A lot of furry servers have been set to approval required for a while. The verification field asks "What is your fursona and why is this a good home for them?" to weed out both spam and uninteresting trolls.