@Gargron Yep, my instance is set to approvals and I did only see one. they are getting ignored.

@Gargron will there be at least discussions on improving the moderation capabilities in Mastodon so server admins (both victims and passer-bys) can more easily manage these attacks?

@Gargron any idea where it’s coming from, or why now?

@Gargron @anderspuck Tænker du har styr på det.

@Gargron You must be doing a great job on .social, because I've not noticed a damn thing this time around. Glad to see there's help out there for the smaller instances, too.

@Gargron

you know you're on to the right ideas when jerks try to ruin it.

@Gargron can the behavior of spammers be detected when sending the spam messages ?

@Gargron Might this be related?
https://mastodon.social/@ErikUden@mastodon.de/111951999084148777

@Gargron See also this thread for mitigations: https://mastodon.de/@ErikUden/111940301222380638

@Gargron whilst being good advice, blocking disposable e-mail providers is not a great solution. Privacy focussed users often use those, and they are a legitimate userbase. Can't wait to see what else the fediverse comes up to remedy this problem, there are some pretty smart people on here! :)

@Gargron WOW

@Gargron I get the issue, but I hate Captcha…

@Gargron oh, so this is where the surge in new users come?

@Gargron This is to be expected. The next attacks will probably be even bigger. I hope there are enough tools to neutralise spam in Mastodon

@JamesGleick

@Gargron where's the AI to save us when we need it to? 🫣

@Gargron

Back in BBS days, most Sysops required a phone call before we enabled access to more than the "Introductions" board.

This created a human connection between user and Sysop that created a fairly congenial environment, even when very strong disagreements were the order of the day.

The VC need to hoover up accounts which they can monetize is what incentivizes open registration. Nobody else needs "all the accounts" so turning on approval is just a good idea for everyone.

@Gargron I've been getting a lot of spam since Thursday or Friday. I keep reporting & blocking.

@Gargron Defaults matter. Mastodon should default to screened signups and present a warning about open signups. Also the blocked email domains should default to include disposable email domains.

@Gargron More methods to stop the ongoing attack:

https://mastodon.de/@ErikUden/111940301222380638

@Gargron Does duckduckgo email masking count as disposable email?

@Gargron @GottaLaff thanks, it hit my server, setting signups to approval seems to have fixed it for now, I had two accounts up for about 12 hours and got a dozen reports in that time, thanks everyone for reporting!

@Gargron Amusing, at one time I was going to try and move over to Mastodon Social, and liked it, but then they kicked me off. because I asked a question and mentioned GAZA.

@Gargron Unfortunately a lot of these instances are micro instances that seem like someone spun it up to test and then left unused. The batches that I’ve seen included a lot that are not maintained and running old versions of #Mastodon. So asking to have registration changed maybe yelling into the void.

Perhaps the defaults for signup should be set to closed? And if disposable email is used, the account is restricted until vetted? Also more robust filtering would be nice.

@Gargron Oh Yeah..
If they are attacking surely there's some good going on here.

@Gargron I’m glad to say I *never* see span on mas.to. Thanks @trumpet !

@Gargron it’s such a bummer. Thank you guys for all your hard work.

@Gargron my account is getting tagged in about 20-30 a day. If this keeps up , I have little choice then to leave . I’m reporting more spam than engaging with followers . It’s exhausting 😮‍💨

@Gargron I honor every line of code that your team and you produce to maintain Mastodon.

But what I really miss as an instance administrator is some sort of spam detection. We have tools and libraries for that, e.G. for simple naive bayes detection.

Maybe it will not be 100 percent precise, but it would help a lot of Mastodon could block / delay suspicious posts based on simple machine learning mechanisms (like we have them for email).

@Gargron One possibility that would be nice: Review accounts, but before accounts get reviewed, they're just limited, so they can still get set up and they might be able to spam, but they won't be able to hit a timeline other than their own followers until reviewed.

@Gargron - is any of this related to Meta's Threads?

That company's lax attitude towards moderation could become a beacon for spammers to set up accounts there and then propagate their spam to the rest of the fediverse.

I am not an admin, so I don't know what goes on with the server side of things, and I am probably over-simplifying.

@Gargron
I have blocked mx.fex.plus and since then no new spam-registrations
If this won't work at all switching to approval mode would be an option, thanks for this hint!

@Gargron given that the spam is mainly the same images, could you hash them and use that as a rejection filter?

@Gargron If you could like... idk... actually write software or something?? to make moderation easier??? that would help a fuckton. or approve the MRF??

@Gargron Captchas are still an accessibility nightmare. I'll die on this hill.

@Gargron @staff

@alter_unicorn
Plutôt que de bloquer les domaines, est ce qu'il serait possible de bloquer les fournisseurs de mails jetables ?

@Gargron We've already had to limit over 50 domains and it looks like some instances are created only for the purpose of this attack. This exposes a vulnerability of Mastodon in that admins have no way to prevent incoming spam other than after the fact.

So if you know of any tool or option that would enable receiving instances to keep this in check, please let us know.

@Gargron targeted email blocking can be just as bad as targeted IP blocking it should not be assumed that every disposable email = spam, or every user connecting from an IP that spams also uses the connection to spam. I think having the ability to create fake accounts should be part of fediverse freedom. Performing some content checking to determine if it is a bot and limiting rate of spam postings on the content side might be an alternative.

@Gargron "disposable e-mail providers"
lol in 2 years I've seen around 20 #spam accounts trying to register on our instance. Gmail-share: 💯%!
It really is an advantage to only manage an instance for German-speaking users: more or less nobody registers with a #Google address - and if a registration comes from #Gmail, you can easily save yourself the verification work.

@Gargron

I haven't received any yet. 🤞

@Gargron but attackers can setup mastodon with different domains to go on spam the fediverse

@Gargron@mastodon.social yeah and sadly it's a very clever one, we can't do much about it as messages are coming from different users, from different servers, and it has no text only an image, so we can't even filter that :(