We're aware of the spam attack hitting mastodon.social right now and our full moderation and DevOps teams are on the case mitigating any way we can (incl. switching to approval-mode registrations)

195 comments
@moanos_foss @Gargron Decental... what? Are you suggesting having more than one default #mastodon instance? What a revolutionary idea 🎉

@moanos_foss Yes, decentralisation prevents spam. We saw that with emails.

@Hughenknubbel @Gargron Depends. It's easy to block one server (when it is not "too big to block"). And problems never affect the whole network.

@moanos_foss @Hughenknubbel So you would just block an instance that is targeted by spam abusers? :schmusekadser:

@SolSoCoG @Hughenknubbel Yes, until they solve the issue. We (lediver.se) also limit mastodon.social for the time being. But a smaller instance would make fewer problems.

@moanos_foss @SolSoCoG @Hughenknubbel But it has different problems https://mastodon.social/@nhan/110222576212477948.

@moanos_foss That's just gonna make your users have a hard time communicating with their friends at that blocked instance.

@moanos_foss @Hughenknubbel @Gargron How about when it is "too big to block"? And why can't they spam the whole network? Obtaining a list of accounts as they're doing now and just... spam like email?

@moanos_foss There only needs to be one Docker container script that sets up Mastodon instances automatically with random users while you sleep and federates for some time, and you will have the same problems.

@gargron @Hughenknubbel Nope, you need domains to do that, they are at least somewhat expensive (you can block a root domain and all subdomains).

@Hughenknubbel But you still have to pay for it. And I guess domain registrars also have anti-spam measures (as they also have to deal with the fallout). So while not bullet-proof, it's much better.

My stolen credit card number this past weekend had 8 transactions (over an hour) on it before the fraud detection at the bank took action. Average transaction was $20 USD. Funding is not a problem for a determined mal-actor.

@Hughenknubbel Email didn't have as effective anti-abuse measures, and what did get implemented tended to be terrible (like reject on DNSBL).

@BalooUriza Nothing prevents spammers from setting up thousands of micro instances.

@Hughenknubbel There isn't, no, but that's relatively easily mitigated since it's harder to set that up across multiple ASNs. But it does avoid the "overcrowded, undermoderated" problem large instances tend to have.

@Hughenknubbel @moanos_foss @Gargron Decentralization doesn't prevent spam as an only step. But it's certainly a valid approach along with other mitigations. One big juicy centralized target vs many different smaller ones that can intervene at their interface.

@Gargron Thanks, Eugen. Disintegrate the Bitcoin spammers with an orbital laser.

@Gargron Will you commit to writing and publishing a blameless postmortem explaining what happened and what steps are being taken to prevent it from recurring?

@wagesof @Gargron I think some level of safe open registration is possible. But it probably requires a lot of work. I've seen people today assuming that m.s did none of that work; I think that it's unfair to assume that, because even the best anti-spam defenses can be beaten. Obviously it wasn't *sufficient* though.

> on the case mitigating any way we can

The most obvious and straightforward mitigation is to migrate users to smaller instances. Are you doing this?

@Gargron Must be quite the job with that many members, best of luck to ya and your team my dude!

@Gargron My dude, I was big into web 3 social media. The only way to even slow bots down is to implement one of those captchas like "pictures of boats" and then it's like 3-6 layers deep of having to pick out random objects. Some uhhh *coughs* web cam oriented sites *coughs* use them as well to great effect.

It's not hitting mastodon.social so much as it is hitting the ever-decreasing number of instances that still federate with it.

@Gargron Thanks Eugen! Reported and blocked my first Mastodon spam ever. Please let us know if we can help in any way. We basic users may not be very tech-knowledgeable, but we're a faithful and feisty rabble, a bunch of peasants you can count on in the crunch. (Speaking only for myself and a few pals on here, of course.) 👋

@Gargron Maybe it's not a good idea for the official app to direct all new users to one enormous, poorly moderated server!

@Gargron But did you limit the size of your server to encourage a distributed net, hmmm Blanche? No, no you didn't. Now you're a target. Enjoy!

@Gargron So Mastodon is in invite-only mode, much like BlueSky? Come on, man. Everyone saw this coming when mastodon.social was made the default server.

All of the spam accounts have been suspended, reports queue cleared, IPs and e-mail domains used in the spam wave banned. We're continuing to monitor the situation and analyzing the pattern.

@Gargron Did this attack involve any kind of exploit (for mass-sending or something) or did they just manually register accounts and start spamming with them?

@Gargron All the users on my server who reported spam are now banned. It's so easy 😎

@Gargron What if you limited supported email accounts to only popular ones? I'm wondering if that would help.

@Gargron Maybe you should have first gotten your teams ready before you moved to push every new user to mastodon.social, but what do I know. Guess every platform leader wants to learn this stuff for themselves instead of learning from the experience of others.

@Gargron@mastodon.social Do you not have any kind of captcha? I don't know how Mastodon works. Seems like a captcha could help with this.

@Gargron Thank you for your hard work. Just woke up to some crypto spam this morning. Reported and blocked them.

@Gargron You could always try actually developing good moderation tools into Mastodon.

"any way we can (incl. switching to approval-mode registrations)" So you're not going to force new signups onto your instance by default, simply because you're the biggest instance and you control the Mastodon source code *and* the Mastodon name-branded app? Might want to rein back some of your plans for world conquest, eh?

@Gargron Lotta bullshit post-hoc recriminations. If you saw it coming, did you say so specifically or did you just post some pablum about not liking the idea of a default server (and, in any event, I'm not so sure that's been going on long enough to make a difference)? So, if you've got ideas worth a damn, move them to Eugen in useful, operational form. Otherwise, why don't you huddle in a group to tell each other how smart you are. It's called growing pains.

@Gargron So "making signing up on Mastodon easier than ever before" made it easy for bots too, huh?

@Gargron Maybe you shouldn't be funneling everyone to mastodon.social by default, huh?

@Gargron We are grateful for everything you do! No worries, we know you're working on it. :)

@Gargron Now my Fakebook group page keeps getting spammed, but I run some filters and that helps.

@Gargron Almost seems like very large instances are not such a great idea 🤔 We should try something like decentralization...