Email or username:

Password:

Forgot your password?
Grow Your Own Services 🌱

Fedi admins, please switch off instant signups! 🙏

You can do this at Preferences > Administration > Server Settings > Registrations > Who Can Sign Up, change to "approval required for signup", tick box marked "require a reason", save changes.

If you allow instant signups, you are opening your server to spammers, causing headaches for hundreds of other servers who all have to block your spammers. The latest wave of spam is *all* from servers that have instant signups!

#FediAdmin #MastoAdmin

70 comments
Tom Tailor :damnified:

@homegrown can't emphasize that enough. Thanks for bringing this topic up.

Grow Your Own Services 🌱

p.s. If you don't do this, people may end up blocking your server entirely just to stop the spam.

It's really not much work to approve signups. It's a lot less work than dealing with spammers on your server and the staining of your server's reputation.

Fish :vegan:

@homegrown to demonstrate your point, there are spammers commenting on your post. Way to prove your point.

Grow Your Own Services 🌱

@rybson

Yup, and they're from servers with instant signups.

I've reported them to their origin servers and suspended them at my end, but the posts will float around for some people until the origin servers deal with them.

D3

@homegrown if you imply people should block open registration servers, I'd say this is bordering on fud. Closed registration is a significant hurdle for some folks and a lot of serverteams are doing gods work to monitor signups closely to be able to keep their registration open. Please don't imply otherwise.

Grow Your Own Services 🌱

@dnddeutsch

I'm not saying they should, I'm saying they will.

If someone's server is overrun by hundreds of spams from an ever-changing set of spam accounts on a remote server, and the remote server isn't doing anything about it, what other options are left other than blocking the remote server?

D3

@homegrown after the fact? Sure, I'm with you and do that myself (and always temporarily close our registration as soon as we're aware of a significant wave). The point is I see a disturbing lack of nuance, when it comes to asking to get rid of the option or even preventive blocking of servers that offer it. They're not all abandoned hellholes. On the contrary.

El Duvelle

@dnddeutsch @homegrown
Saying "people may end up blocking your server" (if you don't take care of spam) seems nuanced enough!

Mastodon•ART 🎨 Curator

@dnddeutsch @homegrown I mean they're clearly not - I've submitted reports of 11 spammer accounts across eight instances in the past few hours this morning, each one of those accounts has spammed *at least* 20 users (20 is the maximum number of posts we can check to report as 'evidence') - if a user on your instance is able to get THAT far with spamming, it's already too far and you are not able to effectively moderate open signups.

Mastodon•ART 🎨 Curator

@dnddeutsch @homegrown Meanwhile, moderators on other instances are getting bombarded with reports of the source instance's spam problem and we're having to deal with it to protect OUR community from spam because THOSE instances are not doing a good enough job.

All our mods - most mods of instances across the fediverse - are unpaid and voluntary. It's Saturday morning, I'm not getting paid to sit in front of the report queue sniping spammers for the past four hours because another instance -

Mastodon•ART 🎨 Curator

@dnddeutsch @homegrown - cares more about increasing their number count than providing a safe space for not just *their* community, but all the other communities connected to them.

The server teams 'doing gods work' are the ones who've responsibly turned off open sign ups and are still having to moderate spam from other instances who haven't.

Hazelnoot ALT

@dnddeutsch@mastodon.pnpde.social @homegrown@social.growyourown.services it's not FUD - blocking open-reg servers was the most effective solution to that first Misskey spam wave a while back. My co-admin actually wrote a script to do it automatically, and it helped so much more than any filter we applied.
(we un-blocked all the servers afterwards, of course.)

Mx Amber Alex

@dnddeutsch @homegrown that's what happens though. We've silenced a shitton of instances who had their registrations open and were overrun with spam bots as a result.

Manually approving signups is trivial. If that's too much of a hurdle for users, that they may have to wait for a day to get approved, then they need to learn some patience.

Mx Amber Alex

@dnddeutsch @homegrown when you rent an apartment, you can't move in immediately. You have to pay a deposit, you have to clear a credit check, etc.

When you join a club or political party, you aren't a member immediately, a human has to approve your application for membership.

"Arrives the next day" shipping from Amazon and corporate social media has made people impatient, but historically, very few things happened instantaneously. Instant gratification is a very, very recent phenomenon.

Chris

@homegrown In my opinion, the developers of the Fediverse platforms should consider removing open registration entirely. There are currently a significant number of amateur administrators who lack the necessary expertise and experience to manage their fediverse instances effectively.

nlupo

@Chris @homegrown That's why forbid my the registrations of my instance. Once I make it stable enough, I'll just invite some people from my local community.

always tired

@Chris @homegrown Perhaps not remove but change the default? And perhaps a warning for the "enable instant sign up" like "you'll need a really quick responsive moderation as you may be a good target for spammers"

Mx Amber Alex

@Chris @homegrown and it's not like approving signups is unusual. Twitter does it too, it's just less obvious, because the background check happens automatically under the hood (has this email been used before? is that email provider prone to spam?). But I can't count how often I've made a new account for some project or other and it was suspended within minutes and only reinstated after I provided a phone number.

On Mastodon instances (idk about other software), it's just more transparent: it says "request account" or something, and since a human does it, it takes longer than the few seconds it does on commercial platforms.

It's the same process as everywhere else, just with less room for software error.

@Chris @homegrown and it's not like approving signups is unusual. Twitter does it too, it's just less obvious, because the background check happens automatically under the hood (has this email been used before? is that email provider prone to spam?). But I can't count how often I've made a new account for some project or other and it was suspended within minutes and only reinstated after I provided a phone number.

Petra van Cronenburg

@homegrown I would never block an instance because of some spammers. I reported some today (on servers where I follow interesting people!) and the accounts were suspended in less than 30 minutes.

This insecurity to be seen like "we block your server" brings a lot of good people to Bluesky & Co.

MarjorieR

@homegrown just seen another one in this thread.
Also now seeing instance swapping: intially they were all on mastodon.social 'Mercyjohn' has now appeared from 3 instances advertising the same spam.
So it's now whack-a-mole on any server that doesn't vet sign ups, though I foresee that if we all started to vet the spammers would simply develop strategies, probably using AI, for that and it would become about as effective as having a catchpa.

Catherine Schmidt

@homegrown elder here. On mstdn.social. Can’t find preferences under settings. Am I in the wrong place? Thanks.

mkj

@lillyfinch That's not a setting you can change as a user; it's a server administrator setting.

mstdn.social already has sign-up review turned on, so what @homegrown discusses is already in place there.

Tealk

@homegrown I have never had a problem with open registration, I only close it when something happens.

Mastodon•ART 🎨 Curator

@Tealk @homegrown That's one thing you're doing right, then - closing registrations when something happens, while other instances just blaze through with their fingers in their ears going 'lalalala can't hear all these reports we're getting lalalala'

Enrico "meldrian" Michaelis

@homegrown
moderator here.
I love those accounts sending an approval sayin' "chi cha chat, e-commerce, leading technology, publishing, cheapest deals" etc.

An instant "no" it is! 🤗

Tom Walker

@homegrown The trouble is that this is a bad experience for users, because who knows if or when anyone is going to approve your signup?

Grow Your Own Services 🌱

@tomw

It's almost always approved quickly and then they never have to think about it again though?

Whereas spam is going to bother them the whole time if there are instant signups.

Tom Walker

@homegrown Each time there is a peak in signups a lot of people get caught up in a backlog. People just don't know if it's going to take an hour, a day or never. The fact that it's usually quick doesn't really solve that.

Maggie Maybe

@tomw @homegrown that might be how I ended up on two different servers. If I remember right I didn’t think my registration went through so I did it again and tried a different server. I got approved on both. Whoops.

William B Peckham

@tomw @homegrown User here. I did not find sign up difficult or problematic in any way and I am far happier to have no ads and no spam. And that's what keeps me on the Fediverse. Don't underestimate your users.

Baloo Uriza

@homegrown Or at least prevent signups from IP ranges out of scope of your server (granted, easier said than done if yours isn't around a specific part of the network or geography)

William B Peckham

@BalooUriza @homegrown Only if your user base is one you want to be geographically based. I'm a member of two sites and not by accident. I am in the Americas and have membership in one site that is geographically the closest to me. And the other one is in Germany that is the closest to my interests. But of course it is the purpose of having the site that the site admin considers important that will decide that.

Baloo Uriza

@wbpeckham Pretty sure I covered that in my parenthetical.

Scott Starkey

@homegrown

That box should be checked by default! I wonder why it is not.

JimmyChezPants

@homegrown

I wish some of my favorite follows would get off the main server. I only need a few of em and the whole Fedi can cut loose from that Titanic.

Maggie Maybe

@jpaskaruk @homegrown I think I’m blocked from that server because the admin demanded to know why I stated that gabapentin sucks. And I guess I didn’t see it in time and she blocked me from that whole generic server. 😂

And I really wish I could find her and tell her that I was wrong, gabapentin is a miracle medication for menopausal night sweats, but I stand by my statement that it’s absolutely garbage for pain that isn’t nerve pain. And it will destroy your teeth.

But those night sweats were no joke, I choose sleep over teeth if I have to choose.

@jpaskaruk @homegrown I think I’m blocked from that server because the admin demanded to know why I stated that gabapentin sucks. And I guess I didn’t see it in time and she blocked me from that whole generic server. 😂

And I really wish I could find her and tell her that I was wrong, gabapentin is a miracle medication for menopausal night sweats, but I stand by my statement that it’s absolutely garbage for pain that isn’t nerve pain. And it will destroy your teeth.

JimmyChezPants

@maggiejk @homegrown

Gabapentin has been a character in our play as well, what reading do you have on this? Possibility of heading something off before it's a problem here...

🇨🇦 OhOkKay

@jpaskaruk
This. I have a few people I really enjoy on one the bigger Instances and I wish they would leave it so I could block the whole damn Instance. It has so many spammers, reply-guys, and weirdos, I just want to be done with them completely.
Sink the titanic!!

gavinisdie :troll:

@homegrown I spent like half an hour reporting bots earlier 💀

Tokyo Outsider (337ppm)

@homegrown @plsik There are lots of instances that allow instant signups and don't have the same kind of spam problems.

A while ago I heard about the idea of there being some kind of "dead man's switch" that would turn on the requirement for approval when an admin hadn't logged in for a certain number of days, and that seemed like a good balance. Wish I could remember where I read about it.

a fish named dog

@homegrown it's still weird to me that for a while the episcopalian fedi instance had reviewed signups but the Jewish one (babka.social) didn't.

frankie (beta version)

@homegrown
doesn't that impede newbies' signup?

When I was new to Fedi, if someone asks me for a reason for signing up I wouldn't know what to say. :blobcatgiggle: Shouldn't feel like a social security form or a Harvard application. :blobhalo:

#Fediverse

Maggie Maybe

@frankie @homegrown I don’t know, if someone had asked me I would have said because I am leaving Twitter. I don’t think they’re looking to grade you on the quality of your reason, I think it’s an extra step to make a human type something if they want to sign up.

frankie (beta version)

@maggiejk

Agree.
But, then, can bots also fill in a good enough reason to get in, I wonder? :blobcatgiggle:

@homegrown

Troy

@homegrown this 1000%. The spammers will literally say they’re there to spam in the reason field. Sure it’s a little overhead to check but way less effort than cleaning up spam.

Will Phoenix

@homegrown Or just have a good IP blocklist and be active in controlling it.

Simon Jaeger

@homegrown @quanin I had to scour the internet to figure out how to also disable invites on mine. (It's in user roles.) My server is brand new and I wanted to be the one to decide who signs up.

Winter blue tardis🇧🇬🇭🇺

@simon @homegrown @quanin Yeah, it's a super stupid place. I ran a masto instance. Once, and it was on mastohost but bleh I dislike that interface. But yeah, all hale small tiny baby instances! Whee!

Lovely

@homegrown do you have any suggestions for those of us who signed up on instant sign up servers bc we were new and intimidated by the sign up approval process? I would love to be on a server that won’t get blocked but I also am very intimidated by the process even still.

ikt 🇺🇦

@homegrown sounds like the fediverse is going just great, where is Molly when you need her

you want manual approval for all new users, that’s definitely not going to hard rate limit signups on a social network that is stagnating at best

:blobcataww:

Cenobyte :abunhdowohop:

@homegrown For those of you who have open registrations. If I get spam from your server, I will try to e-mail the admin. If it’s more than one piece of spam from that server, I will likely block the whole server. If I get no e-mail back within a day or so I will block the server. Period. It’s not that much of a hurdle.

Mx Amber Alex

@homegrown I keep wishing for a Mastodon feature (or better, some kind of plug-in functionality for admins to develop their own event listeners) that would automatically limit a server if it has open sign-ups.

pancake :radare2: 🌱

@homegrown @ona why this option is not disabled by default in @Mastodon ? Its not the first spam wave caused by this

ona [she/they]

@pancake i don't know. but if you create an issue o find one, please tell and i will vote it.

@homegrown @Mastodon

Grow Your Own Services 🌱

@ona @pancake @Mastodon

There is an issue, give a thumbs up here:

github.com/mastodon/mastodon/i

(This is an excellent issue by the way, it suggests some good ideas to help new users alongside the request for making approval default.)

To be fair to the current version of Mastodon, it does now warn admins not to use open signups unless they have a strong moderation team, but it seems some admins ignore that warning. 😦

pancake :radare2: 🌱

@homegrown thanks for sharing, my upvote is there, hope more admins check it too! cc @spla @jerry

spla :senyera: :fed: :vim:

@pancake @homegrown @jerry
after several years around here I found out that a good way to avoid spammers is blocking Tor exit nodes IP's.

Grow Your Own Services 🌱

@spla @pancake @jerry

Wouldn't that exclude people legitimately using Tor for privacy?

spla :senyera: :fed: :vim:

@homegrown yes but none of them are legitimated users, zero complains. @pancake @jerry

Jerry Bell :verified_paw: :donor: :verified_dragon: :rebelverified:​

@spla yeah, I should probably block tor exit nodes. I get plenty of spam from other IPs too, but nearly everything coming out of exit nodes is malicious. I have a hidden service that people can use, but that almost no one does so I am not sure blocking exit nodes would be a big hit to privacy conscious people. @homegrown @pancake

spla :senyera: :fed: :vim:

@homegrown since Mastodon v4.2.8 it automatically switch new user registrations to require moderator approval whenever they are left open and no activity (including non-moderation actions from apps) from any logged-in user with permission to access moderation reports has been detected in a full week.
And registrations are closed by default on new installations.
github.com/mastodon/mastodon/r
@ona @pancake @Mastodon

Scott M. Stolz
I wish we had a probationary period where people can only post to their own profile but it only sends out notifications to their followers in the beginning. If they mention someone, it doesn't send a notification (or perhaps puts it in a queue that will only be released after a moderate or admin approves their account). Because the current vector of attack seems to be mentioning popular accounts.
Go Up