Eugen

There is an ongoing spam attack on the fediverse for the last couple of days. It's more widespread than before, as attackers are targeting smaller servers to create accounts. Before, usually only mastodon.social was targeted and our team could take care of it. For server administrators out there: If you don't need open registrations, switch over to approval mode. If you do, blocking disposable e-mail providers is a massive stopgap to the problem. Mastodon also supports hCaptcha.
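
The two admin-side controls named above (approval mode and an e-mail domain block list) worked through in code, as an added example that is not Mastodon's own code: a registration gate that normalises the address, matches its domain and every parent domain against a blocklist, and then either rejects the sign-up or holds it for approval. The blocklist entries are constructed for the example; on a real server the source would be the admin panel's e-mail domain blocks. The `hold_disposable` option is an assumption of this example, not a Mastodon setting.

```ruby
require 'set'

# Constructed blocklist for the example; a real deployment would take this
# from the server's e-mail domain block list.
DISPOSABLE_DOMAINS = Set.new(%w[mailinator.com guerrillamail.com 10minutemail.com]).freeze

# Extract and normalise the domain part of an address: lower-case, trailing dot
# stripped, and it must look like a hostname with at least two labels. Returns
# nil for anything else so malformed input is refused rather than waved through.
def email_domain(address)
  local, sep, domain = address.to_s.strip.rpartition('@')
  return nil if sep.empty? || local.empty? || domain.empty?
  domain = domain.downcase.chomp('.')
  return nil unless domain.match?(/\A[a-z0-9-]+(\.[a-z0-9-]+)+\z/)
  domain
end

# True if the domain or any parent domain (excluding the bare TLD) is listed,
# so blocking mailinator.com also covers the subdomains such providers hand out.
def blocked_domain?(domain, blocklist = DISPOSABLE_DOMAINS)
  labels = domain.split('.')
  (0..labels.length - 2).any? { |i| blocklist.include?(labels[i..-1].join('.')) }
end

# Decide what happens to a sign-up:
#   :reject  - unusable address, or a blocked domain when blocking is strict
#   :review  - held in the approval queue
#   :accept  - created immediately (open registrations)
# hold_disposable: true (assumed option) turns a blocked domain into :review
# instead of :reject, for admins who would rather vet privacy-minded users
# than refuse them outright.
def registration_decision(address, approval_mode: true, hold_disposable: false,
                          blocklist: DISPOSABLE_DOMAINS)
  domain = email_domain(address)
  return :reject if domain.nil?
  if blocked_domain?(domain, blocklist)
    return hold_disposable ? :review : :reject
  end
  approval_mode ? :review : :accept
end
```

The parent-domain walk matters because disposable providers hand out addresses on arbitrary subdomains, and a list that only matches the exact domain misses them. Holding rather than rejecting blocked domains keeps the gate usable for the legitimate privacy-minded users some replies below are worried about, at the cost of moderator time.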

80 comments
Sarah A

@Gargron Yep, my instance is set to approvals and I did only see one. they are getting ignored.

Emma

@Gargron will there be at least discussions on improving the moderation capabilities in Mastodon so server admins (both victims and passer-bys) can more easily manage these attacks?

Cedara 📖🍵🤍

@ipg @gargron Yes, please, users and admins need finer tools to block spam, especially if those smaller instances don't seem to administrate well enough and still run on old versions.

Joe Brockmeier

@Gargron any idea where it’s coming from, or why now?

Greenpete (No Flag)

@jzb I've read here that it's one person in Japan.

Anders Puck Nielsen

@kimwulff I would think so. But if you start seeing strange posts on the local timeline, please do say so. There are some of those requesting an account where it is hard to make out who they are.

kim wulff

@anderspuck I will do that. I have come across some from other servers who are not quite clean around the edges if you dig a bit deeper, but I'll let you know if I notice anything.

Anders Puck Nielsen

@kimwulff Yes, you don't need to report the ones on the other servers to me. I'd be buried in work. 😅

kim wulff

@anderspuck No no, I won't 😅😅😎😎😎😇 we can't have public employees getting overburdened 😎😎😎😇😇😂😂😂😂😂 OK, all good again.

Michael

@Gargron You must be doing a great job on .social, because I've not noticed a damn thing this time around. Glad to see there's help out there for the smaller instances, too.

artisanrox

@Gargron

you know you're on to the right ideas when jerks try to ruin it.

jz.tusk

@artisanrox @Gargron

Yup. I feel sorry for (and greatly appreciate) all the admins who have to spend their time fighting this, but trolls and spam are a sign that what you've created is becoming important.

artisanrox

@jztusk @Gargron

i'm on Bluesky a lot lately and they like to fart on Fedi a lot but each one has its own charm. I very much like both for different reasons but I'd choose decentralized format any day. Individuals/businesses/techbros/billionaires especially in the US are totally untrustworthy handling any public service.

hdante

@Gargron can the behavior of spammers be detected when sending the spam messages ?

Howard Abrams

@hdante @Gargron at the moment, it is a picture of a can of spam, so I would say... probably 😁

Pieselpriemel

@greygoo
No, that's another Fediverse software in development, which accidentally federated due to a test and got measured by fedi.db.

@Gargron

Sexybiggetje🐖

@Gargron whilst being good advice, blocking disposable e-mail providers is not a great solution. Privacy focussed users often use those, and they are a legitimate userbase. Can't wait to see what else the fediverse comes up with to remedy this problem, there are some pretty smart people on here! :)

ZeroEcks

@martijn you could probably just ask an admin to let you in manually or just run your own ;)

Sexybiggetje🐖

@ZeroEcks I believe in a low barrier of entry to the fediverse. Both are 'too hard' for many users. I agree, but my dad isn't that tech savvy :)

ZeroEcks

@martijn does your dad use anonymous mail services tho. The problem is that if you don't make people vouch for themselves to some degree, you will just get overrun with spammers eventually, the barrier to entry for email is super high because of this (which is then why we use email as the barrier to entry for everything else lol)

Joe Kikta

@Gargron I get the issue, but I hate Captcha…

Benoît Valiron

@Gargron oh, so this is where the surge in new users comes from?

Distante

@Gargron This is to be expected. The next attacks will probably be even bigger. I hope there are enough tools to neutralise spam in Mastodon

vascorsd

@Gargron where's the AI to save us when we need it to? 🫣

JimmyChezPants

@Gargron

Back in BBS days, most Sysops required a phone call before we enabled access to more than the "Introductions" board.

This created a human connection between user and Sysop that created a fairly congenial environment, even when very strong disagreements were the order of the day.

The VC need to hoover up accounts which they can monetize is what incentivizes open registration. Nobody else needs "all the accounts" so turning on approval is just a good idea for everyone.

JimmyChezPants

@condalmo @Gargron

You n me both.

Good news though, LoRaWAN gets you about 300bps, I am told, so my current plan is to start up a community meshtastic network with its first BBS hosted at my place.

I just need to get a job first so I can buy some radios.

Callalily

@Gargron I've been getting a lot of spam since Thursday or Friday. I keep reporting & blocking.

Eric Lathrop

@Gargron Defaults matter. Mastodon should default to screened signups and present a warning about open signups. Also the blocked email domains should default to include disposable email domains.

Johnny Peligro 🍅 :nix:

the issue is that they use like one or two accounts per unattended/unmaintained instance they find

Alex

@Gargron Does duckduckgo email masking count as disposable email?

irelephant

@shved@mastodon.social @Gargron@mastodon.social It may sometimes trigger it, but duckduckgo seem to have worked hard for it not to be used for that purpose

lampsofgold

@Gargron @GottaLaff thanks, it hit my server, setting signups to approval seems to have fixed it for now, I had two accounts up for about 12 hours and got a dozen reports in that time, thanks everyone for reporting!

Piousunyn

@Gargron Amusing, at one time I was going to try and move over to Mastodon Social, and liked it, but then they kicked me off because I asked a question and mentioned GAZA.

DELETED

@Gargron Unfortunately a lot of these instances are micro instances that seem like someone spun it up to test and then left unused. The batches that I’ve seen included a lot that are not maintained and running old versions of #Mastodon. So asking to have registration changed may be yelling into the void.

Perhaps the defaults for signup should be set to closed? And if disposable email is used, the account is restricted until vetted? Also more robust filtering would be nice.

bullshitter

@Gargron Oh Yeah..
If they are attacking surely there's some good going on here.

john lehet

@Gargron I’m glad to say I *never* see spam on mas.to. Thanks @trumpet !

JackieM

@Gargron it’s such a bummer. Thank you guys for all your hard work.

Retro Librarian

@Gargron my account is getting tagged in about 20-30 a day. If this keeps up, I have little choice but to leave. I’m reporting more spam than engaging with followers. It’s exhausting 😮‍💨

David Tanner 🏴󠁧󠁢󠁷󠁬󠁳󠁿

@LibrarianRA @Gargron It’s bizarre as I haven’t seen a single spam. I assume @jaz is working overtime keeping toot.wales spam free 🤷‍♂️

jaz 🏴󠁧󠁢󠁷󠁬󠁳󠁿

@DavidTanner @LibrarianRA it's all our fantastic @teamtoot staff and a lot of experience managing a busy service. Please do (if using Mastodon) go to your notifications preferences eg toot.wales/settings/preference and review "Other Notification Settings" to minimise spam notifications and messages.

Donald Ham

@LibrarianRA @Gargron
Please don't leave! Mastodon needs you.

The problem is temporary, let's make sure the Fediverse is not!

Barkeeper Tom :damnified:

@Gargron I honor every line of code that your team and you produce to maintain Mastodon.

But what I really miss as an instance administrator is some sort of spam detection. We have tools and libraries for that, e.g. for simple naive Bayes detection.

Maybe it will not be 100 percent precise, but it would help a lot if Mastodon could block / delay suspicious posts based on simple machine learning mechanisms (like we have them for email).
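
The naive Bayes detection asked for above, as an added example (not Mastodon code, and not a proposal from the project): a multinomial naive Bayes classifier with add-one smoothing over a post's words plus a few metadata features, so that a post with no text at all still yields evidence. The training posts are constructed for the example; the feature set (a mention-count bucket, a media-only flag and a new-account flag) is an assumption about what a receiving server can see about an incoming post.

```ruby
require 'set'

# Turn a post into a bag of features. Posts are hashes of this constructed shape:
#   { text:, mentions:, media:, account_age_days: }
# Word tokens carry the text; the metadata tokens mean an image-only post with
# many mentions from a day-old account is still scorable.
def post_features(post)
  words = post.fetch(:text, '').downcase.scan(/[a-z0-9']+/)
  meta = ["mentions:#{[post.fetch(:mentions, 0), 5].min}"]   # bucket 5+ together
  meta << 'media_only' if words.empty? && post.fetch(:media, 0) > 0
  meta << 'new_account' if post.fetch(:account_age_days, 999) < 2
  words + meta
end

class NaiveBayes
  def initialize
    @docs = Hash.new(0)                               # label => document count
    @counts = Hash.new { |h, k| h[k] = Hash.new(0) }  # label => feature => count
    @vocab = Set.new
  end

  def train(label, post)
    @docs[label] += 1
    post_features(post).each do |f|
      @counts[label][f] += 1
      @vocab << f
    end
    self
  end

  # log P(label) + sum of log P(feature | label), add-one smoothed so an
  # unseen feature does not zero out the whole product.
  def log_score(label, feats)
    total = @counts[label].values.sum
    s = Math.log(@docs[label].to_f / @docs.values.sum)
    feats.each do |f|
      s += Math.log((@counts[label][f] + 1.0) / (total + @vocab.size))
    end
    s
  end

  # Normalised posterior for :spam, computed in log space for stability.
  def spam_probability(post)
    feats = post_features(post)
    scores = @docs.keys.map { |l| [l, log_score(l, feats)] }.to_h
    max = scores.values.max
    Math.exp(scores[:spam] - max) / scores.values.sum { |v| Math.exp(v - max) }
  end
end

# Constructed training set: four image-only or mass-mention posts from fresh
# accounts, four ordinary posts from established ones.
def build_classifier
  nb = NaiveBayes.new
  spam = [
    { text: '', mentions: 5, media: 1, account_age_days: 0 },
    { text: '', mentions: 5, media: 1, account_age_days: 1 },
    { text: 'join now free crypto giveaway', mentions: 4, media: 1, account_age_days: 0 },
    { text: '', mentions: 3, media: 1, account_age_days: 0 }
  ]
  ham = [
    { text: 'lovely walk by the river this morning', mentions: 0, media: 1, account_age_days: 400 },
    { text: 'anyone going to the meetup tonight', mentions: 1, media: 0, account_age_days: 120 },
    { text: 'new blog post about rust lifetimes', mentions: 0, media: 0, account_age_days: 900 },
    { text: 'thanks for the recommendation', mentions: 2, media: 0, account_age_days: 30 }
  ]
  spam.each { |p| nb.train(:spam, p) }
  ham.each { |p| nb.train(:ham, p) }
  nb
end

# Policy hook: hold for moderator review above the threshold rather than
# deleting outright, since a classifier this small will misfire.
def hold_for_review?(nb, post, threshold: 0.9)
  nb.spam_probability(post) >= threshold
end
```

The metadata tokens are what make this useful for the current wave: a post whose only content is an image carries no words for a text-only filter, but "media-only, five-plus mentions, account under two days old" is a strong pattern on its own. Routing high scores to the review queue instead of dropping them keeps the inevitable false positives recoverable.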

🍃 Nick 🍁

@thomas I'd really enjoy mastodon having a plugin/extension system, so development of features can be decentralised a little more (and maybe good ones serving common use cases would get added to core).

@Gargron

Baloo Uriza

@Gargron One possibility that would be nice: Review accounts, but before accounts get reviewed, they're just limited, so they can still get set up and they might be able to spam, but they won't be able to hit a timeline other than their own followers until reviewed.

Galactic Stone 🇺🇦

@Gargron - is any of this related to Meta's Threads?

That company's lax attitude towards moderation could become a beacon for spammers to set up accounts there and then propagate their spam to the rest of the fediverse.

I am not an admin, so I don't know what goes on with the server side of things, and I am probably over-simplifying.

Jcrabapple

@galacticstone no the spammers are taking advantage of fediverse servers with open registrations.

jensitus

@Gargron
I have blocked mx.fex.plus and since then no new spam registrations.
If this doesn't work at all, switching to approval mode would be an option. Thanks for this hint!

Kevin Marks

@Gargron given that the spam is mainly the same images, could you hash them and use that as a rejection filter?
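
The hash-and-reject idea in the reply above, as an added example that is not Mastodon code: an average hash (aHash) that shrinks each image to an 8x8 grey grid and thresholds every cell at the grid's mean, so a re-encoded or lightly altered copy of the same spam image lands within a few bits of the original, where a SHA-256 of the file bytes would already differ. Images here are constructed as 2D arrays of grey values; decoding real files into that form is outside the example, and the filter class and its distance threshold are this example's assumptions.

```ruby
HASH_SIZE = 8

# Average hash: box-average the image down to an 8x8 grid, then emit one bit
# per cell (1 if above the grid mean), packed into a 64-bit integer.
def average_hash(pixels)
  h = pixels.length
  w = pixels[0].length
  raise ArgumentError, 'image smaller than 8x8' if h < HASH_SIZE || w < HASH_SIZE
  cells = Array.new(HASH_SIZE) do |r|
    Array.new(HASH_SIZE) do |c|
      y0 = r * h / HASH_SIZE
      y1 = (r + 1) * h / HASH_SIZE
      x0 = c * w / HASH_SIZE
      x1 = (c + 1) * w / HASH_SIZE
      block = (y0...y1).flat_map { |y| pixels[y][x0...x1] }
      block.sum.to_f / block.length
    end
  end
  mean = cells.flatten.sum / (HASH_SIZE * HASH_SIZE)
  bits = 0
  cells.each { |row| row.each { |v| bits = (bits << 1) | (v > mean ? 1 : 0) } }
  bits
end

# Number of differing bits between two hashes; small means "same picture".
def hamming(a, b)
  (a ^ b).to_s(2).count('1')
end

# Keeps hashes of images moderators have flagged and matches new uploads
# against them within a bit-distance budget.
class SpamImageFilter
  def initialize(max_distance: 6)
    @known = {}
    @max = max_distance
  end

  def learn(label, pixels)
    @known[label] = average_hash(pixels)
  end

  # Returns [label, distance] for the first known image within range, else nil.
  def match(pixels)
    h = average_hash(pixels)
    @known.each do |label, kh|
      d = hamming(h, kh)
      return [label, d] if d <= @max
    end
    nil
  end
end

# Constructed test images: a horizontal or vertical grey ramp, 0..255.
def gradient_image(size = 16, axis: :x)
  Array.new(size) { |y| Array.new(size) { |x| (axis == :x ? x : y) * 255 / (size - 1) } }
end

# Stand-in for re-encoding: small deterministic per-pixel noise in -4..4.
def with_noise(pixels)
  pixels.each_with_index.map do |row, y|
    row.each_with_index.map { |v, x| (v + ((x * 7 + y * 3) % 9) - 4).clamp(0, 255) }
  end
end
```

The threshold trades false matches against evasion: 64 bits with a budget of 6 is tolerant of recompression and resizing but not of a crop, flip or rotation, which change most of the bits. So this catches the lazy case, an identical image re-uploaded across many accounts, and a determined attacker moves on to per-post variations, at which point the hashes stop matching and the reports from users become the signal again.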

Sam :verified:

@Gargron If you could like... idk... actually write software or something?? to make moderation easier??? that would help a fuckton. or approve the MRF??

Michael Downey 🇺🇳

@sam To be fair there are like 5+ years of ignored admin/moderation improvement requests in the queue 😅

project always tired

@Gargron Captchas are still an accessibility nightmare. I'll die on this hill.

Jess :verifvelo:

@alter_unicorn
Rather than blocking domains, would it be possible to block disposable e-mail providers?

DELETED

@beatricejess @alter_unicorn

What's the problem with disposable e-mail providers? Back in the day, #Randomail (circa 2013) was on fire!!!

EDIT: I've just read the original toot, now I understand. Thanks

Jess :verifvelo:

@mate @alter_unicorn
Well, it doesn't look like a great solution either, since people use them too, not just spammers.

DELETED

@Gargron We've already had to limit over 50 domains and it looks like some instances are created only for the purpose of this attack. This exposes a vulnerability of Mastodon in that admins have no way to prevent incoming spam other than after the fact.

So if you know of any tool or option that would enable receiving instances to keep this in check, please let us know.

Free Soft&Hardware Enthusiast

@Gargron targeted email blocking can be just as bad as targeted IP blocking. It should not be assumed that every disposable email = spam, or that every user connecting from an IP that spams also uses the connection to spam. I think having the ability to create fake accounts should be part of fediverse freedom. Performing some content checking to determine if it is a bot and limiting the rate of spam postings on the content side might be an alternative.

Oliver Heldbock 🪲

@Gargron "disposable e-mail providers"
lol in 2 years I've seen around 20 #spam accounts trying to register on our instance. Gmail-share: 💯%!
It really is an advantage to only manage an instance for German-speaking users: more or less nobody registers with a #Google address - and if a registration comes from #Gmail, you can easily save yourself the verification work.

joene :ecoan: :bij1_flag: :antifa: 🇵🇸 🕊️

@Gargron Still the problem is Mastodon. See github.com/mastodon/mastodon/d.

Please see these issues (two of them are created by me and are related) as well:

*Require blocking of disposable email providers and/or require a captcha provider when registrations are open*

github.com/mastodon/mastodon/i

*Set new registrations on new servers to manual approval by default*

github.com/mastodon/mastodon/i

*Ability to greylist new servers*

github.com/mastodon/mastodon/i

*Ability to use heuristic spam filtering tools*

github.com/mastodon/mastodon/i

*Instance-wide filtering*

github.com/mastodon/mastodon/i

cc @renchap

躺平鸟-等待被裁版 :purple_squid:

@Gargron but attackers can set up Mastodon with different domains to go on spamming the fediverse

:ffxivmsq_comp: Efertone :verifiedtrans:

@Gargron@mastodon.social yeah and sadly it's a very clever one, we can't do much about it as messages are coming from different users, from different servers, and it has no text only an image, so we can't even filter that :(
