@GossiTheDog oh shit. The Tor node (non-exit) that we host was the target of a DoS from random Linode VMs on Friday. Could it be part of the same thing?
There is a bunch of technical issues it highlights, which is that Fediverse is very open to abuse at present. There’s no spam filtering at all. It’s like email from 1996. It’s wide open to abuse.
IMHO Mastodon admins should enable CAPTCHA for registration - it’s supported out of the box - if they run open sign ups.
Ideally Mastodon would add easy install third party plugins (a la Wordpress etc) so people could develop optional plugins for anti-spam and anti-malware.
Now, it does become a bigger problem if the current spammers publish their source code and more join in.
There’s absolutely no effective controls to stop it - here is the Wild West still - so the elephant is the room is anybody can flip the table at present.
The good news is much of the anti spam and anti phish technologies over the years (Real time Block Lists etc) can be reworked for here. The bad news is that’s a long way off realistically.
Another knock on impact from the spam run - the pictures of spam in the posts are chewing up disk space if file system without deduping is used, and there’s extra Sidekiq load (it’s the biggest Saturday ever on cyberplace.social).
Also a bunch of instances have gone to failing in federation admin page, presumably because smaller instance admins got annoyed and switched them off.
Not going to doxx anyone, but this just came down my Home timeline:
"My instance also got a lot of those spam account requests. But guess what, I didn't approve any of them. It's not the purpose of a #Mastodon instance to grow as large as possible, it is to keep it in the manageable scale.
I will give some time to the instances sending spam to get it under control before I start suspending whole instances for negligence."
So, yeah
"suspending whole instances for negligence"
Collateral damage, eh?
Easy to bake up conspiracies, but what might be a potential motivation beyond being mere shit-posting edge lord script kiddies?
Mastodon has been in deep decline for months (eg active user numbers have halved), but now the metrics are turning around due to one Japanese Discord spammer 🤣
It’s all one dude on Discord who has realised they can script spam. Thankfully they haven’t published source code. (And yes, they’re really just trolling a Discord server, lolol).
@GossiTheDog I had an attempted follow from one and it was a relatively realistic profile. One of the main giveaways was there was far too much content for the time it had been online.
Sooo it's not possible to just reject federation from any misskey instances?
Do mastodon instances not have a user agent equivalent when federating content? (goes to read the spec)
Again, this isn't about killing the infection, it's about getting people isolated until enough masks and vaccines are available. As a species, we should have internalized this by now.
"Most of the targets receiving the spam use Misskey or a fork of Misskey and communicated at least once with a Japanese user or mentioned a big japanese instance (mostly misskey.io)"
If anybody wants another hilarious online dispute issue, back in 2016 two teens had a dispute over Minecraft, so one DDoS’d the Minecraft server’s DNS server - that broke Dyn, which took down internet access across the US East Coast as they were such a key supplier.
I had to do a radio show on NPR about that one and the presenter kept asking me if it was Putin — and I was like, no, it’s teenagers. Advanced Persistent Teenagers. The show went on for an hour of me just saying ‘yo the net sucks’.
@GossiTheDog I think "Advanced Persistent Teenagers" are pretty much responsible for messing up that huge indoor Trump rally in Tulsa Oklahoma a few years ago -- the one where the stadium was embarrassingly empty because TikTok kids signed up for all the free tickets.
@GossiTheDog i'm glad the internet was designed to survive nuclear warfare, i don't know how it could handle bored teenagers most of the time otherwise.
Mastodon change incoming in next release, if no mod logs into a server for a week open registrations will close. Will probably take a few weeks but should solve the current spam issue largely. https://github.com/mastodon/mastodon/pull/29318
@GossiTheDog While I love this change for future installations, updating to the new version with this patch requires interaction, which is exactly what's missing from the servers doing the spamming now!
@GossiTheDog@patterfloof Mastodon, however, could still very easily stop accepting traffic from Mastodon servers that are X versions behind. This would be good for the health of the network in general. And when/if those servers upgraded, it could start accepting traffic from them again.
@GossiTheDog@patterfloof Not my circus, not my monkeys. Sadly, I don’t have time in the day enough to contribute to every codebase on the planet. But I’ll keep the idea in mind as a possible feature that we could implement in Small Web apps to ensure we don’t run into the same problem. (Small Web apps auto update anyway but it’ll be a good check to have in case someone has disabled that for their server.)
@GossiTheDog we went from "this system can survive a nuclear attack knocking out many nodes" to "what if we added single points of failure that every site uses"
@GossiTheDog A great way to get ahold of classified military technical information is start a dispute about a system like a plane, tank, ship, or missile being over or under modeled in an online video game. The dispute rages until someone gets the real data and posts it. James Bond is now on the dole because his work has been outsourced to raging gamers.
@thisismissem@GossiTheDog Yeah. I mean, i've done internally owned/controlled plugins via Rails engines in the past, but it's not a meaningful security boundary and thus not really... a plugin system.
@GossiTheDog 100% agree on plugins. It's sad that core devs have to be a gate keeper for every idea people want when plugins can really outsource the combo of features that are most wanted.
The pluggable/modular idea is a very nice design, that will be quite helpful.
However please whatever you do, include an account reputation/lifecycle part in the telemetry. Long-term nothing else will work: ip/email even phonenr are too low level and easily obtainable by bad actors
@GossiTheDog unfortunately hCaptcha is garbage for accessibility, despite being touted as the most accessible captcha, and the email-based workarounds they try to use for screenreader folks are apparently just completely broken at the moment so it fully breaks masto sign-up for blind and vision impaired folks.
@GossiTheDog a plugin system for mastodon would be the best thing that ever happened to it, and unfortunately given its design the least possible thing i could imagine happening to it
@GossiTheDog captchas might work for this spam bot, but I wouldn't count on them for the long term.
Outside of fedi, I've seen captcha-solving spambots years ago. Also they took their time, slowly registering sleeper accounts over the span of a year, before using them to send any spam.
@GossiTheDog CAPTCHA is offensively inaccessible, including the supposedly accessible hCAPTCHA. So, no, you should not enable it. You'd be automatically excluding many blind people from joining your instance.
@GossiTheDog either the people behind this have a sense of humor or someone is doing this with the help of an "AI assistant" and instructed it to send spam.
Add comment