Hmmm, every server I'm getting spam from has a new user in their public directory named yqqwe, and each one of these users is following mastodon_admin_yggwe on a single-user instance mastodon.tinynews.org. One can look at the 924 followers of this admin and they all are named yqqwe and they are all on servers I've been getting #spam from. #fediverse#moderation#administration
@simplenomad Perhaps the "yqqwe" user on each server may be able to survive by not sending out any spam itself, but instead inviting new accounts to the server which then send out the spam? That way if the mod bans the spam account, "yqqwe" can just invite more spam accounts (at least until the mods catch on).
@jrconlin If the instance has like 2 users and the owner/admin has posted four times with the last time being several months ago, I have no issue suspending over limiting.
@simplenomad Since this is ad spam, a "retribution list" of all known advertisers shown in the spam coupled with a boycott call and notification of that to every advertiser could kick the financial legs out from under this campaign. This would also deter future ad campaigns using another single-user instance.
@Blanco I think the most obvious “fix” is to make it where the “default” setting is that new users to an instance need to be approved by a moderator. This could be difficult for large instances with a lot of influx of users, but for small/new instances they’d have to manually shut it off.
Not perfect, as the next stage would be for the spammers to quickly set up their own instances and give the bots a place to launch from, but quickly set up new instances (like via a preconfigured container) as those instances are defederated.
I've found a few of these servers do NOT have the yqqwe account on them, these tend to be more active servers with admins moderating/removing spammers. Good!
@vees@simplenomad@dansup
The account will continue to log in even if it's suspended. Please reset that password as well.
and #Pixelfed also identifies the victimization of YQQWE's use of ad image storage.
We suspended the account and ran media:gc (Delete media uploads not attached to any active statuses), but the hundreds of images uploaded by this account are not being deleted are still being called externally.
@vees
I apologize. I may have overreacted.
I thought there was a possibility of a zero-day attack, even if it was suspended, that was always connected through the central server. I broke one more thing before the IP block.
@FoW@vees@simplenomad@dansup Thanks for this notice. We had suspended an account with this name Jan. 29 but the data had not hit the timeout yet for deletion. Based on this we deleted the data also.
This user yqqwe with the same email address and IP attempted to register in my instance on 2nd February.
My instance requires approval, so after we probed them for some background, they didn't reply within 7 days so their request was never approved and the account deleted.
So they have been building their network for at least 2 weeks.
@FinchHaven Yup, that's the one. And it looks like people are now deleting the accounts (all named yqqwe) on various instances as when I looked that account had well over 100 more accounts following. Good!
Add comment