fuomag9,

How bad would it be to impose from instances that use a version that is too old?

Statistically they are probably going to cause more trouble than benefit. What do you all think?

michael,
@michael@thms.uk

@fuomag9 I’m not sure it would actually help:

  1. there is no causal relation between servers that are part of the current wave and the software version.

  2. servers that run on managed hosting get the updates automatically, but may not have thought about hCaptcha etc. because it's not part of their standard setup. As such they may be more likely to be part of the spamming.

  3. long term I suspect that the bigger risk is gonna be spammers setting up some random AP-compatible server (or farm of servers) for spamming rather than abusing Mastodon, as it'll most likely be cheaper and easier.

Just my theory.

ian,
@ian@phpc.social

@michael @fuomag9 tbh Mastodon's API is trivial and a lot of instances speak it; there are way more Mastodon servers than there are web hosts so it's harder to burn through all your attack vectors at that layer of the stack.

Mastodon itself may not be terribly efficient under the hood, but from a C2 perspective it's way less resource intensive than the chatty mess that is ActivityPub.

ian,
@ian@phpc.social

@michael @fuomag9 If ActivityPub was a sufficiently attractive target for return vs. effort, activitypub-troll.cf (ca. December 2022) wouldn't be the last-ish time that the protocol itself got custom software written for it to attack things.

michael,
@michael@thms.uk

@ian yes, ap-troll is a good point. I had forgotten about them.

I was wondering how hard it would be to just write a very barebones implementation of either AP or the mastodon API that (a) pretends to be mastodon on the relevant endpoints, and (b) can only be used to pump out posts. It doesn't need to be able to receive any interaction, but would be purely one-sided. Then write a script that automates setting these up en-masse.

I suppose getting valid domains would be your limitation, though. So maybe as you say this isn't actually practical.

ian,
@ian@phpc.social

@michael yeah, domains are the limiter, as even if you had the entire infra on something packed super tightly or serverless you're still paying $ for domains.

ian,
@ian@phpc.social

@fuomag9 That's not the reason for this spam wave. You can be running 4.2.7 and, if you have unprotected open signups, be a spam vector.

I believe in keeping instances up to date (ours is), but it's important to be clear about which attack vectors are actually getting used.

theo,
@theo@chatterchannel.social

@ian @fuomag9 While it's not the method the spammers are using, I've noticed a pretty strong correlation between instances that haven't been updated in a long time and instances that are sending spam -- in both cases you have instances where the admin isn't active and isn't checking in on the instance.

ian,
@ian@phpc.social

@theo @fuomag9 The tricky bit here is anyone on masto.host is on the current version, but is more likely to autopilot than average (I spot-checked versions earlier on).
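
The spot-check theo and ian are talking about can be scripted. Below is an added example (not code from anyone in this thread, and not Mastodon project code) that triages a set of peer instances on the two signals the thread raises: a version older than some minimum, and open signups without approval, which ian names as the vector actually in use. It reads the public `/api/v1/instance` document; the `version`, `registrations` and `approval_required` fields are the real ones, the nested `registrations` object is the newer `/api/v2/instance` shape, and the domains and responses in `SAMPLE` are constructed so the script runs offline. The minimum version `4.2.7` is taken from ian's post, not a recommendation.

```python
"""Triage fediverse peers: stale Mastodon version and open, unapproved signups.

Added example, not from the thread. Sample responses below are constructed.
"""
import json
import re
import urllib.request
from typing import Optional

MIN_VERSION = (4, 2, 7)  # assumption: the release ian mentions, not a policy
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Optional[tuple]:
    """Return the leading major.minor.patch triple, or None if unparseable.

    Forks and nightlies append suffixes ("4.2.6+glitch", "4.3.0-nightly.2024-02-20"),
    so only the numeric prefix is compared; anything else is reported, not guessed.
    """
    m = VERSION_RE.match(version.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def registrations_open(info: dict) -> tuple:
    """Return (signups_open, approval_required) for the v1 flat or v2 nested shape."""
    reg = info.get("registrations")
    if isinstance(reg, dict):  # /api/v2/instance: {"enabled": ..., "approval_required": ...}
        return bool(reg.get("enabled", False)), bool(reg.get("approval_required", False))
    return bool(reg), bool(info.get("approval_required", False))  # /api/v1/instance


def classify(domain: str, info: dict, min_version: tuple = MIN_VERSION) -> dict:
    """Flag one instance. Version age is a proxy for an absent admin, not a cause of spam."""
    ver = parse_version(str(info.get("version", "")))
    is_open, approval = registrations_open(info)
    return {
        "domain": domain,
        "version": info.get("version"),
        "stale": ver is not None and ver < min_version,
        "unparseable_version": ver is None,
        "open_unapproved_signups": is_open and not approval,
    }


def triage(instances: dict, min_version: tuple = MIN_VERSION) -> list:
    """Return only flagged instances, most flags first, then by domain."""
    flags = ("stale", "unparseable_version", "open_unapproved_signups")
    rows = [classify(d, i, min_version) for d, i in instances.items()]
    rows = [r for r in rows if any(r[f] for f in flags)]
    return sorted(rows, key=lambda r: (-sum(r[f] for f in flags), r["domain"]))


def fetch_instance(domain: str, timeout: float = 10.0) -> dict:
    """Fetch the live /api/v1/instance document. Needs network; not used by the sample run."""
    req = urllib.request.Request(
        f"https://{domain}/api/v1/instance",
        headers={"User-Agent": "peer-spot-check/0.1 (example)"},  # assumption: any UA string
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample responses in the shapes the two endpoint versions return.
SAMPLE = {
    "old.example": {"version": "3.5.3", "registrations": True, "approval_required": False},
    "current-open.example": {"version": "4.2.7", "registrations": True, "approval_required": False},
    "current-approval.example": {"version": "4.2.7", "registrations": True, "approval_required": True},
    "nightly.example": {
        "version": "4.3.0-nightly.2024-02-20",
        "registrations": {"enabled": False, "approval_required": False},
    },
    "fork.example": {"version": "4.2.6+glitch", "registrations": False},
}

if __name__ == "__main__":
    for row in triage(SAMPLE):
        reasons = [k for k in ("stale", "unparseable_version", "open_unapproved_signups") if row[k]]
        print(f"{row['domain']:28} {str(row['version']):28} {', '.join(reasons)}")
```

Feeding it a real peer list (for example the domains from your own instance's federation view) means swapping `SAMPLE` for `{d: fetch_instance(d) for d in domains}` and tolerating timeouts, since a dead server is itself a signal of an absent admin. The `stale` flag should be read the way the thread does: a hint about who is at the keyboard, while `open_unapproved_signups` is the condition ian says is actually being abused.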

fuomag9,

@theo @ian this was one of the reasons for proposing my idea as well (I'd personally try to send a "last message" to the admin like I did with qoto.org, which was on 3.x and now seems to be updating, but if there's no response after that I'd defederate).
