Grow Your Own Services 🌱

Fedi admins, please switch off instant signups! 🙏

You can do this at Preferences > Administration > Server Settings > Registrations > Who Can Sign Up, change to "approval required for signup", tick box marked "require a reason", save changes.

If you allow instant signups, you are opening your server to spammers, causing headaches for hundreds of other servers who all have to block your spammers. The latest wave of spam is *all* from servers that have instant signups!

#FediAdmin #MastoAdmin

70 comments
Tom Tailor :damnified:

@homegrown can't emphasize that enough. Thanks for bringing this topic up.

Grow Your Own Services 🌱

p.s. If you don't do this, people may end up blocking your server entirely just to stop the spam.

It's really not much work to approve signups. It's a lot less work than dealing with spammers on your server and the staining of your server's reputation.

Fish :vegan:

@homegrown to demonstrate your point, there are spammers commenting on your post. Way to prove your point.

Grow Your Own Services 🌱

@rybson

Yup, and they're from servers with instant signups.

I've reported them to their origin servers and suspended them at my end, but the posts will float around for some people until the origin servers deal with them.

D3

@homegrown if you imply people should block open registration servers, I'd say this is bordering on fud. Closed registration is a significant hurdle for some folks and a lot of serverteams are doing gods work to monitor signups closely to be able to keep their registration open. Please don't imply otherwise.

Grow Your Own Services 🌱

@dnddeutsch

I'm not saying they should, I'm saying they will.

If someone's server is overrun by hundreds of spams from an ever-changing set of spam accounts on a remote server, and the remote server isn't doing anything about it, what other options are left other than blocking the remote server?

D3

@homegrown after the fact? Sure, I'm with you and do that myself (and always temporarily close our registration as soon as we're aware of a significant wave). The point is I see a disturbing lack of nuance, when it comes to asking to get rid of the option or even preventive blocking of servers that offer it. They're not all abandoned hellholes. On the contrary.

El Duvelle

@dnddeutsch @homegrown
Saying "people may end up blocking your server" (if you don't take care of spam) seems nuanced enough!

Mastodon•ART 🎨 Curator

@dnddeutsch @homegrown I mean they're clearly not - I've submitted reports of 11 spammer accounts across eight instances in the past few hours this morning, each one of those accounts has spammed *at least* 20 users (20 is the maximum number of posts we can check to report as 'evidence') - if a user on your instance is able to get THAT far with spamming, it's already too far and you are not able to effectively moderate open signups.

Mastodon•ART 🎨 Curator

@dnddeutsch @homegrown Meanwhile, moderators on other instances are getting bombarded with reports of the source instance's spam problem and we're having to deal with it to protect OUR community from spam because THOSE instances are not doing a good enough job.

All our mods - most mods of instances across the fediverse - are unpaid and voluntary. It's Saturday morning, I'm not getting paid to sit in front of the report queue sniping spammers for the past four hours because another instance -

Mastodon•ART 🎨 Curator

@dnddeutsch @homegrown - cares more about increasing their number count than providing a safe space for not just *their* community, but all the other communities connected to them.

The server teams 'doing gods work' are the ones who've responsibly turned off open sign ups and are still having to moderate spam from other instances who haven't.

Hazelnoot ALT

@dnddeutsch@mastodon.pnpde.social @homegrown@social.growyourown.services it's not FUD - blocking open-reg servers was the most effective solution to that first Misskey spam wave a while back. My co-admin actually wrote a script to do it automatically, and it helped so much more than any filter we applied.
(we un-blocked all the servers afterwards, of course.)

Mx Amber Alex

@dnddeutsch @homegrown that's what happens though. We've silenced a shitton of instances who had their registrations open and were overrun with spam bots as a result.

Manually approving signups is trivial. If that's too much of a hurdle for users, that they may have to wait for a day to get approved, then they need to learn some patience.

Mx Amber Alex

@dnddeutsch @homegrown when you rent an apartment, you can't move in immediately. You have to pay a deposit, you have to clear a credit check, etc.

When you join a club or political party, you aren't a member immediately, a human has to approve your application for membership.

"Arrives the next day" shipping from Amazon and corporate social media has made people impatient, but historically, very few things happened instantaneously. Instant gratification is a very, very recent phenomenon.

Chris

@homegrown In my opinion, the developers of the Fediverse platforms should consider removing open registration entirely. There are currently a significant number of amateur administrators who lack the necessary expertise and experience to manage their fediverse instances effectively.

nlupo

@Chris @homegrown That's why I forbid registrations on my instance. Once I make it stable enough, I'll just invite some people from my local community.

always tired

@Chris @homegrown Perhaps not remove but change the default? And perhaps a warning for the "enable instant sign up" like "you'll need a really quick responsive moderation as you may be a good target for spammers"

Mx Amber Alex

@Chris @homegrown and it's not like approving signups is unusual. Twitter does it too, it's just less obvious, because the background check happens automatically under the hood (has this email been used before? is that email provider prone to spam?). But I can't count how often I've made a new account for some project or other and it was suspended within minutes and only reinstated after I provided a phone number.

On Mastodon instances (idk about other software), it's just more transparent: it says "request account" or something, and since a human does it, it takes longer than the few seconds it does on commercial platforms.

It's the same process as everywhere else, just with less room for software error.

Petra van Cronenburg

@homegrown I would never block an instance because of some spammers. I reported some today (on servers where I follow interesting people!) and the accounts were suspended in less than 30 minutes.

This insecurity to be seen like "we block your server" brings a lot of good people to Bluesky & Co.

MarjorieR

@homegrown just seen another one in this thread.
Also now seeing instance swapping: initially they were all on mastodon.social, 'Mercyjohn' has now appeared from 3 instances advertising the same spam.
So it's now whack-a-mole on any server that doesn't vet sign ups, though I foresee that if we all started to vet, the spammers would simply develop strategies, probably using AI, for that and it would become about as effective as having a captcha.

Catherine Schmidt

@homegrown elder here. On mstdn.social. Can’t find preferences under settings. Am I in the wrong place? Thanks.

mkj

@lillyfinch That's not a setting you can change as a user; it's a server administrator setting.

mstdn.social already has sign-up review turned on, so what @homegrown discusses is already in place there.

Tealk

@homegrown I have never had a problem with open registration, I only close it when something happens.

Mastodon•ART 🎨 Curator

@Tealk @homegrown That's one thing you're doing right, then - closing registrations when something happens, while other instances just blaze through with their fingers in their ears going 'lalalala can't hear all these reports we're getting lalalala'

Enrico "meldrian" Michaelis

@homegrown
moderator here.
I love those accounts sending an approval sayin' "chi cha chat, e-commerce, leading technology, publishing, cheapest deals" etc.

An instant "no" it is! 🤗

Tom Walker

@homegrown The trouble is that this is a bad experience for users, because who knows if or when anyone is going to approve your signup?

Grow Your Own Services 🌱

@tomw

It's almost always approved quickly and then they never have to think about it again though?

Whereas spam is going to bother them the whole time if there are instant signups.

Tom Walker

@homegrown Each time there is a peak in signups a lot of people get caught up in a backlog. People just don't know if it's going to take an hour, a day or never. The fact that it's usually quick doesn't really solve that.

Maggie Maybe

@tomw @homegrown that might be how I ended up on two different servers. If I remember right I didn’t think my registration went through so I did it again and tried a different server. I got approved on both. Whoops.

William B Peckham

@tomw @homegrown User here. I did not find sign up difficult or problematic in any way and I am far happier to have no ads and no spam. And that's what keeps me on the Fediverse. Don't underestimate your users.

Baloo Uriza

@homegrown Or at least prevent signups from IP ranges out of scope of your server (granted, easier said than done if yours isn't around a specific part of the network or geography)

William B Peckham

@BalooUriza @homegrown Only if your user base is one you want to be geographically based. I'm a member of two sites and not by accident. I am in the Americas and have membership in one site that is geographically the closest to me. And the other one is in Germany that is the closest to my interests. But of course it is the purpose of having the site that the site admin considers important that will decide that.

Baloo Uriza

@wbpeckham Pretty sure I covered that in my parenthetical.

Scott Starkey

@homegrown

That box should be checked by default! I wonder why it is not.

JimmyChezPants

@homegrown

I wish some of my favorite follows would get off the main server. I only need a few of em and the whole Fedi can cut loose from that Titanic.

Maggie Maybe

@jpaskaruk @homegrown I think I’m blocked from that server because the admin demanded to know why I stated that gabapentin sucks. And I guess I didn’t see it in time and she blocked me from that whole generic server. 😂

And I really wish I could find her and tell her that I was wrong, gabapentin is a miracle medication for menopausal night sweats, but I stand by my statement that it’s absolutely garbage for pain that isn’t nerve pain. And it will destroy your teeth.

But those night sweats were no joke, I choose sleep over teeth if I have to choose.

JimmyChezPants

@maggiejk @homegrown

Gabapentin has been a character in our play as well, what reading do you have on this? Possibility of heading something off before it's a problem here...

🇨🇦 Kay the Fluffy

@jpaskaruk
This. I have a few people I really enjoy on one of the bigger instances and I wish they would leave it so I could block the whole damn instance. It has so many spammers, reply-guys, and weirdos, I just want to be done with them completely.
Sink the titanic!!

gavinisdie :troll:

@homegrown I spent like half an hour reporting bots earlier 💀

Tokyo Outsider (337ppm)

@homegrown @plsik There are lots of instances that allow instant signups and don't have the same kind of spam problems.

A while ago I heard about the idea of there being some kind of "dead man's switch" that would turn on the requirement for approval when an admin hadn't logged in for a certain number of days, and that seemed like a good balance. Wish I could remember where I read about it.

a fish named dog

@homegrown it's still weird to me that for a while the episcopalian fedi instance had reviewed signups but the Jewish one (babka.social) didn't.

frankie (beta version)

@homegrown
doesn't that impede newbies' signup?

When I was new to Fedi, if someone asks me for a reason for signing up I wouldn't know what to say. :blobcatgiggle: Shouldn't feel like a social security form or a Harvard application. :blobhalo:

#Fediverse

Maggie Maybe

@frankie @homegrown I don’t know, if someone had asked me I would have said because I am leaving Twitter. I don’t think they’re looking to grade you on the quality of your reason, I think it’s an extra step to make a human type something if they want to sign up.

frankie (beta version)

@maggiejk

Agree.
But, then, can bots also fill in a good enough reason to get in, I wonder? :blobcatgiggle:

@homegrown

Troy

@homegrown this 1000%. The spammers will literally say they’re there to spam in the reason field. Sure it’s a little overhead to check but way less effort than cleaning up spam.

Will Phoenix

@homegrown Or just have a good IP blocklist and be active in controlling it.

Simon Jaeger

@homegrown @quanin I had to scour the internet to figure out how to also disable invites on mine. (It's in user roles.) My server is brand new and I wanted to be the one to decide who signs up.

Winter blue tardis🇧🇬🇭🇺

@simon @homegrown @quanin Yeah, it's a super stupid place. I ran a masto instance. Once, and it was on mastohost but bleh I dislike that interface. But yeah, all hail small tiny baby instances! Whee!

Lovely

@homegrown do you have any suggestions for those of us who signed up on instant sign up servers bc we were new and intimidated by the sign up approval process? I would love to be on a server that won’t get blocked but I also am very intimidated by the process even still.

ikt 🇺🇦

@homegrown sounds like the fediverse is going just great, where is Molly when you need her

you want manual approval for all new users, that’s definitely not going to hard rate limit signups on a social network that is stagnating at best

:blobcataww:

Cenobyte :abunhdowohop:

@homegrown For those of you who have open registrations. If I get spam from your server, I will try to e-mail the admin. If it’s more than one piece of spam from that server, I will likely block the whole server. If I get no e-mail back within a day or so I will block the server. Period. It’s not that much of a hurdle.

Mx Amber Alex

@homegrown I keep wishing for a Mastodon feature (or better, some kind of plug-in functionality for admins to develop their own event listeners) that would automatically limit a server if it has open sign-ups.
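
An added example, not part of the thread and not Mastodon's or any poster's code: a triage helper for the approach several posts describe, checking whether a server that is already a source of spam reports still has instant signups before limiting it. It assumes the response shapes of Mastodon's public `/api/v2/instance` and `/api/v1/instance` endpoints; the domains and response bodies are constructed, and the function names are hypothetical.

```python
import json

# Constructed sample bodies (not real servers). /api/v2/instance nests the
# flags under "registrations"; the older /api/v1/instance keeps them top-level.
SAMPLES = {
    "open.example": '{"domain":"open.example","registrations":'
                    '{"enabled":true,"approval_required":false,"message":null}}',
    "reviewed.example": '{"domain":"reviewed.example","registrations":'
                        '{"enabled":true,"approval_required":true,"message":null}}',
    "closed.example": '{"uri":"closed.example","registrations":false,'
                      '"approval_required":false}',
    "legacy-open.example": '{"uri":"legacy-open.example","registrations":true,'
                           '"approval_required":false}',
    "broken.example": "<html>502 Bad Gateway</html>",
}

def registration_mode(body: str) -> str:
    """Classify one instance response as open, approval, closed or unknown."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return "unknown"              # error page, empty body, non-JSON
    if not isinstance(doc, dict):
        return "unknown"
    reg = doc.get("registrations")
    if isinstance(reg, dict):         # v2 shape
        enabled, approval = reg.get("enabled"), reg.get("approval_required")
    else:                             # v1 shape
        enabled, approval = reg, doc.get("approval_required")
    if not isinstance(enabled, bool):
        return "unknown"
    if not enabled:
        return "closed"
    if not isinstance(approval, bool):
        return "unknown"              # do not guess when the flag is missing
    return "approval" if approval else "open"

def review_queue(responses: dict, reported_domains: set) -> list:
    """Domains that both appear in spam reports and allow instant signups."""
    return sorted(
        d for d in reported_domains
        if registration_mode(responses.get(d, "")) == "open"
    )

if __name__ == "__main__":
    reported = {"open.example", "reviewed.example", "legacy-open.example"}
    print(review_queue(SAMPLES, reported))
```

Servers that return `unknown` are left out of the queue on purpose, so an unreachable or non-Mastodon peer is reviewed by a person rather than limited automatically.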

pancake :radare2: 🌱

@homegrown @ona why is this option not disabled by default in @Mastodon? It's not the first spam wave caused by this

ona [she/they]

@pancake i don't know. but if you create an issue or find one, please tell me and i will vote for it.

@homegrown @Mastodon

Grow Your Own Services 🌱

@ona @pancake @Mastodon

There is an issue, give a thumbs up here:

github.com/mastodon/mastodon/i

(This is an excellent issue by the way, it suggests some good ideas to help new users alongside the request for making approval default.)

To be fair to the current version of Mastodon, it does now warn admins not to use open signups unless they have a strong moderation team, but it seems some admins ignore that warning. 😦

pancake :radare2: 🌱

@homegrown thanks for sharing, my upvote is there, hope more admins check it too! cc @spla @jerry

spla :senyera: :fed: :vim:

@pancake @homegrown @jerry
after several years around here I found out that a good way to avoid spammers is blocking Tor exit node IPs.

Grow Your Own Services 🌱

@spla @pancake @jerry

Wouldn't that exclude people legitimately using Tor for privacy?

spla :senyera: :fed: :vim:

@homegrown yes but none of them are legitimate users, zero complaints. @pancake @jerry

Jerry Bell :verified_paw: :donor: :verified_dragon: :rebelverified:​

@spla yeah, I should probably block tor exit nodes. I get plenty of spam from other IPs too, but nearly everything coming out of exit nodes is malicious. I have a hidden service that people can use, but that almost no one does so I am not sure blocking exit nodes would be a big hit to privacy conscious people. @homegrown @pancake

spla :senyera: :fed: :vim:

@homegrown since Mastodon v4.2.8 it automatically switches new user registrations to require moderator approval whenever they are left open and no activity (including non-moderation actions from apps) from any logged-in user with permission to access moderation reports has been detected in a full week.
And registrations are closed by default on new installations.
github.com/mastodon/mastodon/r
@ona @pancake @Mastodon

Scott M. Stolz

I wish we had a probationary period where people can only post to their own profile but it only sends out notifications to their followers in the beginning. If they mention someone, it doesn't send a notification (or perhaps puts it in a queue that will only be released after a moderator or admin approves their account). Because the current vector of attack seems to be mentioning popular accounts.