Eugen Rochko

There is an ongoing spam attack on the fediverse for the last couple of days. It's more widespread than before, as attackers are targeting smaller servers to create accounts. Before, usually only mastodon.social was targeted and our team could take care of it. For server administrators out there: If you don't need open registrations, switch over to approval mode. If you do, blocking disposable e-mail providers is a massive stopgap to the problem. Mastodon also supports hCaptcha.
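Added example (not Mastodon's own code, nor anything from the post): a registration-time check that implements the two stopgaps named above, approval mode and a blocklist of disposable e-mail domains. Mastodon configures blocked e-mail domains in its admin settings; this stand-alone Python version only shows the matching logic. The blocklist is constructed for the example: `mx.fex.plus` is the one domain a commenter in this thread reports blocking, the `.example` names are placeholders.

```python
# Added example: domain-based filtering of signup e-mail addresses.
# Not Mastodon's implementation; the blocklist below is constructed.
from __future__ import annotations

# Constructed sample blocklist. "mx.fex.plus" is the domain one admin in the
# thread reports blocking; the ".example" entries are placeholders.
DISPOSABLE_DOMAINS = frozenset({
    "mx.fex.plus",
    "throwaway-mail.example",
    "tempinbox.example",
})


def email_domain(address: str) -> str | None:
    """Return the lower-cased domain of an e-mail address, or None if malformed."""
    local, sep, domain = address.strip().partition("@")
    if not sep or not local or not domain or "@" in domain:
        return None
    domain = domain.lower().rstrip(".")
    # Reject empty labels ("foo..example") and whitespace inside the domain.
    if not domain or " " in domain or any(not label for label in domain.split(".")):
        return None
    return domain


def is_disposable(address: str, blocklist: frozenset[str] = DISPOSABLE_DOMAINS) -> bool:
    """True if the address's domain, or any parent domain, is on the blocklist.

    Matching parent domains catches "user@foo.tempinbox.example" when only
    "tempinbox.example" is listed. A malformed address is treated as blocked,
    since it could never receive a confirmation mail anyway.
    """
    domain = email_domain(address)
    if domain is None:
        return True
    labels = domain.split(".")
    # Check "a.b.c", then "b.c", but never the bare TLD "c".
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


def registration_decision(address: str, open_registrations: bool) -> str:
    """Map a signup attempt to one of the policies from the post.

    "approval": server is in approval mode, a human reviews the request.
    "reject":   open registrations, but the address uses a blocklisted domain.
    "accept":   open registrations and nothing matched.
    """
    if not open_registrations:
        return "approval"
    if is_disposable(address):
        return "reject"
    return "accept"


if __name__ == "__main__":
    for addr in ("someone@mx.fex.plus", "Someone@Sub.TempInbox.Example", "someone@example.org"):
        print(addr, "->", registration_decision(addr, open_registrations=True))
```

Domain matching is case-insensitive and walks up parent domains, so a provider that hands out addresses under random subdomains is still caught by one list entry. It remains a stopgap: as later comments in the thread point out, accounts registered through mainstream providers pass this check untouched.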

101 comments
Emma (IPG)

@Gargron will there be at least discussions on improving the moderation capabilities in Mastodon so server admins (both victims and passer-bys) can more easily manage these attacks?

Joe Brockmeier

@Gargron any idea where it’s coming from, or why now?

Greenpete (No Flag)

@jzb I've read here that it's one person in Japan.

jbaggs

@greenpete @jzb I think it's still up in the air between "one person with a discord server in Japan", and someone with a grudge against said server admin. Aside from assured proclamations I haven't seen anyone present evidence one way or the other. All said, it's still a major PITA, no matter who is behind it.

Anders Puck Nielsen

@kimwulff I think so. But if you start seeing strange posts on the local timeline, please do say so. There are some of those requesting an account where it is hard to tell who they are.

kim wulff

@anderspuck I will. I have come across some from other servers who are not quite clean around the edges if you dig a little deeper, but you will hear about it if I notice anything.

Anders Puck Nielsen

@kimwulff Yes, you don't need to report the ones on the other servers to me. Then I'd be buried in work. 😅

kim wulff

@anderspuck No no, I won't either 😅😅😎😎😎😇 we can't have state employees being overburdened 😎😎😎😇😇😂😂😂😂😂 ok, no hard feelings.

Michael

@Gargron You must be doing a great job on .social, because I've not noticed a damn thing this time around. Glad to see there's help out there for the smaller instances, too.

artisanrox

@Gargron

you know you're on to the right ideas when jerks try to ruin it.

jz.tusk

@artisanrox @Gargron

Yup. I feel sorry for (and greatly appreciate) all the admins who have to spend their time fighting this, but trolls and spam are a sign that what you've created is becoming important.

artisanrox

@jztusk @Gargron

i'm on Bluesky a lot lately and they like to fart on Fedi a lot but each one has its own charm. I very much like both for different reasons but I'd choose decentralized format any day. Individuals/businesses/techbros/billionaires especially in the US are totally untrustworthy handling any public service.

hdante

@Gargron can the behavior of spammers be detected when sending the spam messages?

Howard Abrams

@hdante @Gargron at the moment, it is a picture of a can of spam, so I would say... probably 😁

Pieselpriemel

@greygoo
No, that's another Fediverse software in development, which accidentally federated due to a test and got measured by fedi.db.

@Gargron

4censord :neocat_flag_pan:

@greygoo @Gargron nope, not really. That is a single server that had created 30 million actors (users) for test purposes, but they didn't actually do anything. It wasn't supposed to federate, but was an accident.
If that was the source of the spam, one could just have blocked this single server.

The spam wave is some script kiddy going around and searching for servers with open registrations, and registering accounts there using disposable emails. These accounts then start tagging people with spam.

[DATA EXPUNGED]

Joe Kikta

@Gargron I get the issue, but I hate Captcha…

Distante

@Gargron This is to be expected. The next attacks will probably be even bigger. I hope there are enough tools to neutralise spam in Mastodon

vascorsd

@Gargron where's the AI to save us when we need it to? 🫣

JimmyChezPants

@Gargron

Back in BBS days, most Sysops required a phone call before we enabled access to more than the "Introductions" board.

This created a human connection between user and Sysop that created a fairly congenial environment, even when very strong disagreements were the order of the day.

The VC need to hoover up accounts which they can monetize is what incentivizes open registration. Nobody else needs "all the accounts" so turning on approval is just a good idea for everyone.

JimmyChezPants

@condalmo @Gargron

You n me both.

Good news though, LoRaWAN gets you about 300bps, I am told, so my current plan is to start up a community meshtastic network with its first BBS hosted at my place.

I just need to get a job first so I can buy some radios.

Callalily

@Gargron I've been getting a lot of spam since Thursday or Friday. I keep reporting & blocking.

Eric Lathrop

@Gargron Defaults matter. Mastodon should default to screened signups and present a warning about open signups. Also the blocked email domains should default to include disposable email domains.

Johnny Peligro 🍅

the issue is that they use like one or two accounts per unattended/unmaintained instance they find
Alex

@Gargron Does duckduckgo email masking count as disposable email?

irelephant

@shved@mastodon.social @Gargron@mastodon.social It may sometimes trigger it, but duckduckgo seem to have worked hard for it not to be used for that purpose

lampsofgold

@Gargron @GottaLaff thanks, it hit my server; setting signups to approval seems to have fixed it for now. I had two accounts up for about 12 hours and got a dozen reports in that time. Thanks everyone for reporting!

Piousunyn

@Gargron Amusing, at one time I was going to try and move over to Mastodon Social, and liked it, but then they kicked me off, because I asked a question and mentioned GAZA.

DELETED

@Gargron Unfortunately a lot of these instances are micro instances that seem like someone spun them up to test and then left unused. The batches that I’ve seen included a lot that are not maintained and running old versions of #Mastodon. So asking to have registration changed may be yelling into the void.

Perhaps the defaults for signup should be set to closed? And if disposable email is used, the account is restricted until vetted? Also more robust filtering would be nice.

bullshitter

@Gargron Oh Yeah..
If they are attacking surely there's some good going on here.

john lehet

@Gargron I’m glad to say I *never* see spam on mas.to. Thanks @trumpet !

Retro Librarian

@Gargron my account is getting tagged in about 20-30 a day. If this keeps up, I have little choice but to leave. I’m reporting more spam than engaging with followers. It’s exhausting 😮‍💨

David Tanner 🏴󠁧󠁢󠁷󠁬󠁳󠁿

@LibrarianRA @Gargron It’s bizarre as I haven’t seen a single spam. I assume @jaz is working overtime keeping toot.wales spam free 🤷‍♂️

jaz :twt: :wales_flag:

@DavidTanner @LibrarianRA it's all our fantastic @teamtoot staff and a lot of experience managing a busy service. Please do (if using Mastodon) go to your notifications preferences eg toot.wales/settings/preference and review "Other Notification Settings" to minimise spam notifications and messages.

Donald Ham

@LibrarianRA @Gargron
Please don't leave! Mastodon needs you.

The problem is temporary, let's make sure the Fediverse is not!

Tom Tailor :damnified:

@Gargron I honor every line of code that your team and you produce to maintain Mastodon.

But what I really miss as an instance administrator is some sort of spam detection. We have tools and libraries for that, e.g. for simple naive Bayes detection.

Maybe it will not be 100 percent precise, but it would help a lot if Mastodon could block / delay suspicious posts based on simple machine learning mechanisms (like we have them for email).
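Added example, not part of the comment above and not Mastodon code: a minimal multinomial naive Bayes spam filter of the kind the comment has in mind, with the block / delay / allow outcome it suggests. Training posts are constructed for the example (none are real toots), and one feature beyond plain words is an assumption of mine: a synthetic token for posts that mention three or more accounts, since the thread describes the spam as mass-tagging with little or no text.

```python
# Added example: multinomial naive Bayes over post text, plus one structural
# feature (many @-mentions). Constructed training data; not Mastodon's code.
from __future__ import annotations

import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9#@]+")
MANY_MENTIONS = "__mentions_many__"  # synthetic feature token (assumption)


def tokenize(text: str) -> list[str]:
    """Lower-case word tokens; adds a synthetic token when >= 3 accounts are tagged."""
    tokens = TOKEN.findall(text.lower())
    mentions = sum(1 for t in tokens if t.startswith("@") and len(t) > 1)
    if mentions >= 3:
        tokens.append(MANY_MENTIONS)
    return tokens


class NaiveBayesSpamFilter:
    def __init__(self, alpha: float = 1.0):
        self.alpha = alpha  # Laplace smoothing so unseen words never zero out a class
        self.doc_counts: Counter[str] = Counter()
        self.word_counts: dict[str, Counter[str]] = {"spam": Counter(), "ham": Counter()}
        self.vocab: set[str] = set()

    def train(self, text: str, label: str) -> None:
        tokens = tokenize(text)
        self.doc_counts[label] += 1
        self.word_counts[label].update(tokens)
        self.vocab.update(tokens)

    def _log_score(self, tokens: list[str], label: str) -> float:
        counts = self.word_counts[label]
        total = sum(counts.values())
        denom = total + self.alpha * len(self.vocab)
        score = math.log(self.doc_counts[label] / sum(self.doc_counts.values()))
        for t in tokens:
            score += math.log((counts[t] + self.alpha) / denom)
        return score

    def spam_probability(self, text: str) -> float:
        tokens = tokenize(text)
        ls, lh = self._log_score(tokens, "spam"), self._log_score(tokens, "ham")
        diff = max(-700.0, min(700.0, lh - ls))  # clamp before exp to avoid overflow
        return 1.0 / (1.0 + math.exp(diff))

    def classify(self, text: str, block_at: float = 0.9, delay_at: float = 0.5) -> str:
        """'block' for confident spam, 'delay' (hold for review) when unsure, else 'allow'."""
        p = self.spam_probability(text)
        if p >= block_at:
            return "block"
        if p >= delay_at:
            return "delay"
        return "allow"


# Constructed training posts (not real toots).
SPAM_POSTS = [
    "@alice @bob @carol join our discord server now free invite",
    "@dave @erin @frank free invite discord join now",
    "@grace @heidi join now discord link free",
    "@ivan @judy @mallory discord invite join",
]
HAM_POSTS = [
    "had a great hike today the trail was muddy but worth it",
    "new blog post about rust async runtimes feedback welcome",
    "anyone else watching the match tonight",
    "finally fixed the flaky test in our ci pipeline",
]


def build_demo_filter() -> NaiveBayesSpamFilter:
    """Train on the constructed corpus above and return the filter."""
    f = NaiveBayesSpamFilter()
    for p in SPAM_POSTS:
        f.train(p, "spam")
    for p in HAM_POSTS:
        f.train(p, "ham")
    return f


if __name__ == "__main__":
    f = build_demo_filter()
    for post in ("@oscar @peggy @trent join discord now free invite",
                 "just finished a long hike and a great match tonight",
                 "free discord hike today"):
        print(f"{f.spam_probability(post):.3f} {f.classify(post):5s} {post}")
```

The two thresholds give admins the "delay" lane the comment asks for: posts the model is unsure about are held rather than silently dropped, which limits the cost of a false positive. A real deployment would train on an instance's own reported posts and retrain as the spam changes; the toy corpus here only shows the mechanics.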

🍃 Nick 🍁

@thomas I'd really enjoy mastodon having a plugin/extension system, so development of features can be decentralised a little more (and maybe good ones serving common use cases would get added to core).

@Gargron

Baloo Uriza

@Gargron One possibility that would be nice: Review accounts, but before accounts get reviewed, they're just limited, so they can still get set up and they might be able to spam, but they won't be able to hit a timeline other than their own followers until reviewed.

jensitus

@Gargron
I have blocked mx.fex.plus and since then no new spam registrations.
If this doesn't work at all, switching to approval mode would be an option; thanks for this hint!

Kevin Marks

@Gargron given that the spam is mainly the same images, could you hash them and use that as a rejection filter?

4censord :neocat_flag_pan:

@KevinMarks @Gargron Assuming they use the exact same image, possibly. But if they even so much as slightly change the image (e.g., convert to another format, change some colour mapping etc) then it won't work with traditional hashing.
There exist hashing methods that work on visual similarity, but those are more complicated, and significantly harder to get right.
Also, more vulnerable to false positives, and worse catch rate.
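Added example illustrating the two comments above (mine, not code from either commenter or from Mastodon): an exact SHA-256 hash of the pixels versus a difference hash (dHash), one of the visual-similarity hashes 4censord refers to. The images are constructed 36x32 grayscale arrays, and the "format conversion" is simulated by brightening and quantising the pixel values, both assumptions standing in for a real re-encode.

```python
# Added example: exact hash vs. perceptual (difference) hash on constructed images.
# Images are lists of rows of 0..255 grayscale ints; no imaging library needed.
from __future__ import annotations

import hashlib

W, H = 36, 32  # constructed size chosen so the 9x8 dHash grid has exact 4x4 cells


def make_image(fn) -> list[list[int]]:
    return [[fn(x, y) for x in range(W)] for y in range(H)]


def vertical_stripes(x: int, y: int) -> int:
    return 200 if (x // 4) % 2 == 0 else 50


def horizontal_stripes(x: int, y: int) -> int:
    return 200 if (y // 4) % 2 == 0 else 50


def brighten(img, delta: int):
    """Simulated colour-mapping change: shift every pixel, clamped to 0..255."""
    return [[min(255, max(0, p + delta)) for p in row] for row in img]


def quantize(img, step: int):
    """Simulated lossy re-encode: collapse pixel values onto a coarser grid."""
    return [[(p // step) * step for p in row] for row in img]


def exact_hash(img) -> str:
    """Traditional hash: any single pixel change yields a completely different digest."""
    return hashlib.sha256(bytes(p for row in img for p in row)).hexdigest()


def dhash(img) -> int:
    """Difference hash: shrink to a 9x8 grid of cell averages, then emit one bit per
    horizontally adjacent pair (1 if the right cell is brighter). 64 bits total."""
    h, w = len(img), len(img[0])
    cw, ch = w // 9, h // 8
    cells = [
        [
            sum(img[y][x] for y in range(j * ch, (j + 1) * ch) for x in range(i * cw, (i + 1) * cw))
            / (cw * ch)
            for i in range(9)
        ]
        for j in range(8)
    ]
    bits = 0
    for row in cells:
        for i in range(8):
            bits = (bits << 1) | (1 if row[i] < row[i + 1] else 0)
    return bits


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def is_near_duplicate(a, b, threshold: int = 10) -> bool:
    """Similarity decision: small Hamming distance between dHashes means 'same picture'."""
    return hamming(dhash(a), dhash(b)) <= threshold


if __name__ == "__main__":
    original = make_image(vertical_stripes)
    reencoded = quantize(brighten(original, 20), 16)  # slightly altered copy
    other = make_image(horizontal_stripes)             # genuinely different image
    print("exact hash survives re-encode:", exact_hash(original) == exact_hash(reencoded))
    print("dHash distance, altered copy:  ", hamming(dhash(original), dhash(reencoded)))
    print("dHash distance, other image:   ", hamming(dhash(original), dhash(other)))
```

On the altered copy the SHA-256 digest changes while the dHash distance stays at 0, which is the point of Kevin Marks' suggestion surviving a trivial re-encode. The threshold is where 4censord's caveat lives: set it too high and unrelated images with similar gradients collide (false positives), too low and a crop or rotation escapes (missed catches), and no single number is right for every instance.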

Sam :verified:

@Gargron If you could like... idk... actually write software or something?? to make moderation easier??? that would help a fuckton. or approve the MRF??

Michael Downey 🇺🇳

@sam To be fair there are like 5+ years of ignored admin/moderation improvement requests in the queue 😅

always tired (moved to chaos)

@Gargron Captchas are still an accessibility nightmare. I'll die on this hill.

[DATA EXPUNGED]

Free Soft&Hardware Enthusiast

@Gargron targeted email blocking can be just as bad as targeted IP blocking; it should not be assumed that every disposable email = spam, or that every user connecting from an IP that spams also uses the connection to spam. I think having the ability to create fake accounts should be part of fediverse freedom. Performing some content checking to determine if it is a bot and limiting the rate of spam postings on the content side might be an alternative.

Oliver 👔

@Gargron "disposable e-mail providers"
lol in 2 years I've seen around 20 #spam accounts trying to register on our instance. Gmail-share: 💯%!
It really is an advantage to only manage an instance for German-speaking users: more or less nobody registers with a #Google address - and if a registration comes from #Gmail, you can easily save yourself the verification work.

Pieselpriemel

@oliver
I assume, there are no mobile users on your instance. :blobcat3c:
@Gargron

Mike Johnston

@Gargron it needs to be easier for moderators to find, report and suspend accounts or instances that are compromised. It's hours of clicking to do it "properly" right now and I don't have a full time staff - it's just me doing clean up 🥲

bikejourno

@Gargron Take care of this bastard @kazbo, please. Whatever it takes, take him out.

joene 🏴🍉🌲

@Gargron Still the problem is Mastodon. See github.com/mastodon/mastodon/d.

Please see these issues (two of them are created by me and are related) as well:

*Require blocking of disposable email providers and/or require a captcha provider when registrations are open*

github.com/mastodon/mastodon/i

*Set new registrations on new servers to manual approval by default*

github.com/mastodon/mastodon/i

*Ability to greylist new servers*

github.com/mastodon/mastodon/i

*Ability to use heuristic spam filtering tools*

github.com/mastodon/mastodon/i

*Instance-wide filtering*

github.com/mastodon/mastodon/i

cc @renchap


躺平鸟-等待被裁版 :purple_squid:

@Gargron but attackers can set up Mastodon with different domains to go on spamming the fediverse

:ffxivmsq_comp: Efertone :verifiedtrans:

@Gargron@mastodon.social yeah and sadly it's a very clever one, we can't do much about it as messages are coming from different users, from different servers, and it has no text only an image, so we can't even filter that :(

Sibshops

@Gargron If you want to encourage servers to switch to manual approval, maybe switch the order on joinmastodon.org to put the servers that require manual approval ahead of the open servers? By putting the open servers first it appears joinmastodon.org is endorsing open registrations.

Screenshot of joinmastodon.org page showing open registration servers before manual approval servers.

Christy Smith

@Gargron HCaptcha is a bad idea. I wish they'd use something different. It can block screen reader users when their cookie system fails to work the way it's supposed to.

Allan Chow

@Gargron how many are just servers people set up and forgot about

Emil Jacobs - Collectifission

@Gargron hCaptcha is problematic. I'm sure you're aware of this github issue: github.com/mastodon/mastodon/i

It's becoming a harder sell that this is an "emergency feature implementation" 9 months after the issue was opened.

top.ofthe.top

I think the spam problem could be facilitated with better UI. I'd divide incoming events into categories like "events from friends", "events from subscriptions", "events from discussions where I participated (e.g. replies)", "events from bots" and "events from people I never interacted with", with the ability to temporarily mute some of them. In this case spam will do less harm by flooding the whole inbox.

Thomas Frans 🇺🇦

@Gargron Thanks to everyone who is working behind the screens to filter this and prevent it from reaching users. This must take so much work :ablobcatheartsqueeze:

DELETED

@Gargron Man. City-Brentford, the review: data, information, date, time, and television of the Head Association match
Watch Now: tinyurl.com/y5et47cw

The Brights

This is really like:

- We have a dude that is registering many accounts on abandoned old servers and is spamming all users. What we can do?!

- We urge admins of OTHER, not abandoned servers, to close registrations! (or enable captcha, approval etc.)

- What?! 🥴

@Gargron
#Mastoadmin

Ryan Mann

@Gargron @GottaLaff Everything sounds good except, please, please, please no Hcaptcha. Hcaptcha is a pain for people who are blind.

Hiker Geek 🌲💻🌲

@Gargron

Any thought on developing a federated anti-spam system? If one instance blocks an email or domain it propagates to the servers that choose to federate with its anti-spam so that email or domain can't be used on other servers.

kristophr

@Gargron This is me and our server - I tried to shut it down and think I'm successful - but do worry what happens to our small server and getting defederated because of this.

Misty

@Gargron Do you have any advice for admins on the receiving end of this? I haven’t been able to find any tooling that helps servers that are being inundated deal with all the spam except in a very slow, labour intensive way.

nopewafl

@Gargron An example of "It is your fault if you are blocked by the fediverse if you do not secure your instance to avoid spam."

Jamoteusz

@Gargron I understand it has become more popular - so there is some kind of "jealousy" among the old emperors? I know it seems to sound like a conspiracy theory... but it isn't. Growth of the fediverse takes the numbers away... so...

Andre Louis

@Gargron #HCaptcha is a barrier for many blind/visually impaired users, for some of the reasons outlined in my recent post here: universeodon.com/@FreakyFwoof/

Kinky Kobolds

@Gargron A lot of furry servers have been set to approval required for a while. The verification field asks "What is your fursona and why is this a good home for them?" to weed out both spam and uninteresting trolls.
