Gargron,
@Gargron@mastodon.social avatar

There is an ongoing spam attack on the fediverse for the last couple of days. It's more widespread than before, as attackers are targeting smaller servers to create accounts. Before, usually only mastodon.social was targeted and our team could take care of it. For server administrators out there: If you don't need open registrations, switch over to approval mode. If you do, blocking disposable e-mail providers is a massive stopgap to the problem. Mastodon also supports hCaptcha.
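
The disposable e-mail check suggested above, as an added example (constructed here, not Mastodon's own code; Mastodon admins get the equivalent through the e-mail domain blocks in the moderation settings). The blocklist entries under .example are hypothetical, and the allowlist reflects the worry raised later in the thread that Proton Mail and DuckDuckGo address masking must not be caught by an over-broad list:

```ruby
# Added example, not Mastodon's own code: reject a sign-up when the e-mail
# domain, or any parent domain of it, is on a disposable-provider blocklist.
require 'set'

# Constructed sample blocklist; the .example entries are hypothetical.
DISPOSABLE_DOMAINS = Set.new(%w[
  tempmail.example
  throwaway.example
  10minute.example
]).freeze

# Providers that must never be caught, even if a downloaded list contains them
# (the thread's concern about Proton Mail and DuckDuckGo e-mail masking).
ALLOWLIST = Set.new(%w[proton.me protonmail.com duck.com]).freeze

# Extract the domain part of an address, lower-cased, without a trailing dot.
# Returns nil for anything that is not local@domain.
def email_domain(address)
  local, domain = address.to_s.strip.downcase.split('@', 2)
  return nil if local.nil? || local.empty? || domain.nil? || domain.empty?
  return nil if domain.include?('@')
  domain.chomp('.')
end

# Walk up the label chain so that mx.tempmail.example is caught by the
# tempmail.example entry; the bare TLD is never tested on its own.
def blocked_domain?(domain)
  labels = domain.split('.')
  (0...(labels.length - 1)).any? { |i| DISPOSABLE_DOMAINS.include?(labels[i..-1].join('.')) }
end

# Returns [allowed?, reason]. The allowlist wins over the blocklist.
def registration_allowed?(address)
  domain = email_domain(address)
  return [false, :malformed] if domain.nil? || !domain.include?('.')
  return [true, :allowlisted] if ALLOWLIST.include?(domain)
  return [false, :disposable] if blocked_domain?(domain)
  [true, :ok]
end
```

The parent-domain walk matters because disposable providers hand out addresses on many subdomains; matching only the exact domain string is trivially bypassed. A blocklist is still the stopgap the post calls it: a spammer who buys a domain is not on anyone's list, which is why approval mode is the stronger setting.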

collectifission,
@collectifission@greennuclear.online avatar

@Gargron hCaptcha is problematic. I'm sure you're aware of this github issue: https://github.com/mastodon/mastodon/issues/25023

It's becoming a harder sell that this is an "emergency feature implementation" 9 months after the issue was opened.

objectinspace,
@objectinspace@freeradical.zone avatar

@collectifission @Gargron +1 have seen multiple reports of blind people being locked out due to hCaptcha. Respectfully, throwing your disabled users under the bus when they're inconvenient is not being a good ally.

thomas,
@thomas@metalhead.club avatar

@Gargron I honor every line of code that your team and you produce to maintain Mastodon.

But what I really miss as an instance administrator is some sort of spam detection. We have tools and libraries for that, e.g. for simple naive Bayes detection.

Maybe it will not be 100 percent precise, but it would help a lot if Mastodon could block / delay suspicious posts based on simple machine learning mechanisms (like we have them for email).
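
What such a naive Bayes filter looks like in practice, as an added example (constructed here, not code from Mastodon or from the poster). The training samples are made up; the two synthetic features, "three or more @-mentions" and "contains a link", encode the traits other replies in this thread report for the current wave:

```ruby
# Added example, not Mastodon's own code: a multinomial naive Bayes
# classifier over post text, with extra features for the traits reported in
# this thread (many direct mentions, a link), trained on constructed samples.

class NaiveBayes
  def initialize
    @word_counts  = Hash.new { |h, k| h[k] = Hash.new(0) } # label -> token -> count
    @class_counts = Hash.new(0)                            # label -> documents seen
    @token_totals = Hash.new(0)                            # label -> tokens seen
    @vocab        = {}
  end

  # Words of two or more letters, plus synthetic tokens for the structural
  # signals: three or more @-mentions and the presence of a URL.
  def self.tokenize(text)
    tokens = text.downcase.scan(/[a-z][a-z']+/)
    mentions = text.split.count { |w| w.start_with?('@') }
    tokens << '__many_mentions__' if mentions >= 3
    tokens << '__link__' if text.match?(%r{https?://})
    tokens
  end

  def train(text, label)
    @class_counts[label] += 1
    self.class.tokenize(text).each do |t|
      @word_counts[label][t] += 1
      @token_totals[label] += 1
      @vocab[t] = true
    end
  end

  # Returns [label, posterior probability of that label].
  def classify(text)
    tokens = self.class.tokenize(text)
    total_docs = @class_counts.values.sum.to_f
    vocab_size = @vocab.size
    log_scores = @class_counts.keys.to_h { |label|
      score = Math.log(@class_counts[label] / total_docs)
      tokens.each do |t|
        # Laplace smoothing so an unseen token cannot zero out a class.
        score += Math.log((@word_counts[label][t] + 1.0) / (@token_totals[label] + vocab_size))
      end
      [label, score]
    }
    best = log_scores.max_by { |_, s| s }.first
    top = log_scores.values.max                       # log-sum-exp normalisation
    denom = log_scores.values.sum { |s| Math.exp(s - top) }
    [best, Math.exp(log_scores[best] - top) / denom]
  end
end

# Constructed training data; example.invalid is a reserved, non-resolving name.
SPAM_SAMPLES = [
  '@ann @bob @cat @dan free prize waiting claim now http://example.invalid/win',
  '@eve @fay @gus @hal you won a free gift card click http://example.invalid/gift',
  '@ian @joy @kim @lee limited free offer get it here http://example.invalid/offer'
].freeze

HAM_SAMPLES = [
  'went for a hike this morning and the weather was lovely',
  '@ann thanks for the tip, the new release works great on my server',
  'finally finished the garden fence, time for a coffee'
].freeze

def build_model
  nb = NaiveBayes.new
  SPAM_SAMPLES.each { |t| nb.train(t, :spam) }
  HAM_SAMPLES.each  { |t| nb.train(t, :ham) }
  nb
end

MODEL = build_model
```

Three samples per class is only enough to show the mechanics; a real deployment would train on the instance's own resolved reports and retrain as they arrive. Because the classifier is probabilistic, the sensible action on a high score is what the post asks for, delaying the post into a moderation queue, rather than silently dropping it.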

tramtrist,
@tramtrist@famichiki.jp avatar

@thomas @Gargron didn’t @dansup implement this in

thomas,
@thomas@metalhead.club avatar

@tramtrist yes, he did :)

@Gargron @dansup

HikerGeek,
@HikerGeek@mas.to avatar

@Gargron

Any thought on developing a federated anti-spam system? If one instance blocks an email or domain it propagates to the servers that choose to federate with its anti-spam so that email or domain can't be used on other servers.

Sibshops,
@Sibshops@mstdn.games avatar

@Gargron If you want to encourage servers to switch to manual approval, maybe switch the order on joinmastodon.org to put the servers that require manual approval ahead of the open servers? By putting the open servers first it appears joinmastodon.org is endorsing open registrations.

fraying,
@fraying@xoxo.zone avatar

@Sibshops @Gargron
👆 THIS 👆

joenepraat,
@joenepraat@todon.nl avatar

@Gargron Still the problem is Mastodon. See https://github.com/mastodon/mastodon/discussions/29267.

Please see these issues (two of them are created by me and are related) as well:

Require blocking of disposable email providers and/or require a captcha provider when registrations are open

https://github.com/mastodon/mastodon/issues/29270

Set new registrations on new servers to manual approval by default

https://github.com/mastodon/mastodon/issues/29269

Ability to greylist new servers

https://github.com/mastodon/mastodon/issues/29266

Ability to use heuristic spam filtering tools

https://github.com/mastodon/mastodon/issues/29265

Instance-wide filtering

https://github.com/mastodon/mastodon/issues/29256

cc @renchap

ThaMunsta,
@ThaMunsta@nervesocket.com avatar

@Gargron it needs to be easier for moderators to find, report and suspend accounts or instances that are compromised. It's hours of clicking to do it "properly" right now and I don't have a full time staff - it's just me doing clean up 🥲

sam,
@sam@urbanists.social avatar

@Gargron If you could like... idk... actually write software or something?? to make moderation easier??? that would help a fuckton. or approve the MRF??

downey,
@downey@floss.social avatar

@sam To be fair there are like 5+ years of ignored admin/moderation improvement requests in the queue 😅

ErikUden,
@ErikUden@mastodon.de avatar

@Gargron More methods to stop the ongoing attack:

https://mastodon.de/@ErikUden/111940301222380638

ipg,
@ipg@wetdry.world avatar

@Gargron will there be at least discussions on improving the moderation capabilities in Mastodon so server admins (both victims and passers-by) can more easily manage these attacks?

hexaheximal,
@hexaheximal@mastodon.social avatar

@ipg @Gargron there are! :)

@Jain made a feature request for MRF: https://github.com/mastodon/mastodon/issues/29252

nopewafl,

@Gargron An example of "It is your fault if you are blocked by the fediverse if you do not secure your instance to avoid spam."

progressivecat,

@Gargron @GottaLaff Everything sounds good except, please, please, please no hCaptcha. hCaptcha is a pain for people who are blind.

loosenut,
@loosenut@genart.social avatar

@Gargron

Please send help 🙏

brights,
@brights@zhub.link avatar

This is really like:

  • We have a dude that is registering many accounts on abandoned old servers and is spamming all users. What can we do?!

  • We urge admins of OTHER, not abandoned servers, to close registrations! (or enable captcha, approval etc.)

  • What?! 🥴

@Gargron

mcdanlj,
@mcdanlj@social.makerforums.info avatar

@brights Speaking as the admin of a definitely not abandoned, previously-open-registration instance, not all of them have 24/7 admin coverage to handle spam reports. I had a flood while I was asleep, and I took care of them in the morning and changed to requiring approval with a reason. Then last night another similarly actively maintained server I know of was attacked in the same way and made the same change this morning. I'm sure there are others too; I'm just reporting what I know from my tiny corner of the fediverse.

So, why not start from an assumption that people aren't idiots? Turns out there are a lot of people here who actually know what they are doing.

Just because abandoned servers are highly visibly affected because no one is eventually cleaning up the mess doesn't mean that only abandoned servers are affected.

brights,
@brights@zhub.link avatar

@mcdanlj
> So, why not start from an assumption that people aren't idiots?

I didn't assume this, Gargron did. Because I closed the registration on my server about 24 hours ago, right after the wave started. I assumed that every "not stupid" admin on not abandoned server would do the same without a message from Gargron, right?

So, my assumption was - those servers, that are not switched to closed/approved/captcha enabled registration mode, are the source of the issue.

This was the first.

Second:
Closing registration or enabling captcha on not-abandoned servers WILL NOT solve the issue for the Fediverse because of those abandoned, but actively spamming servers.

The proposed "solution" is just a small mitigation at best :(

mcdanlj,
@mcdanlj@social.makerforums.info avatar

@brights You are the one calling it a solution. Everyone else seems to agree that it is a mitigation. You are reading a lot into what Gargron said that I don't think is there...

keyasen,

@Gargron Man. City-Brentford, the review: data, information, date, time, and television of the Head Association match
Watch Now: http://tinyurl.com/y5et47cw

kura,

@Gargron I am not hosting an open (mastodon) instance, but is there a public disposable e-mail provider list?

faylen,

@Gargron hCaptcha is a bad idea. I wish they'd use something different. It can block screen reader users when their cookie system fails to work the way it's supposed to.

louis,
@louis@emacs.ch avatar

@Gargron We've already had to limit over 50 domains and it looks like some instances are created only for the purpose of this attack. This exposes a vulnerability of Mastodon in that admins have no way to prevent incoming spam other than after the fact.

So if you know of any tool or option that would enable receiving instances to keep this in check, please let us know.

beatricejess,
@beatricejess@masto.bike avatar

@alter_unicorn
Rather than blocking the domains, would it be possible to block the disposable e-mail providers?

mate,
@mate@3615.computer avatar

@beatricejess @alter_unicorn

What's the problem with disposable e-mail providers? Back in the day (circa 2013) they were all the rage!!!

EDIT: I've just read the original toot, now I understand. Thanks

project1enigma,
@project1enigma@wandering.shop avatar

@Gargron Captchas are still an accessibility nightmare. I'll die on this hill.

KevinMarks,
@KevinMarks@xoxo.zone avatar

@Gargron given that the spam is mainly the same images, could you hash them and use that as a rejection filter?

4censord,
@4censord@unfug.social avatar

@KevinMarks @Gargron Assuming they use the exact same image, possibly. But if they even so much as slightly change the image (e.g., convert to another format, change some colour mapping etc) then it won't work with traditional hashing.
There exist hashing methods that work on visual similarity, but those are more complicated, and significantly harder to get right.
Also, more vulnerable to false positives, and worse catch rate.

brawaru,
@brawaru@mstdn.social avatar

@4censord the images are indeed always different in hash because each instance also has its own image quality settings, as far as I understand. however the images that I have tested have about 99.9% visual match, so would easily be qualified as the same, and thus as spam

@KevinMarks @Gargron
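
The contrast drawn in the three replies above, worked as an added example (constructed here, not code from Mastodon or from anyone in the thread). A difference hash (dHash) downsamples the picture to a 9x8 grid and records, for each cell, whether it is brighter than its right-hand neighbour; a re-encoded copy keeps almost every bit, while SHA-256 over the raw pixels changes completely. The images, the "re-upload" degradation and the similarity threshold are all assumptions made for the demonstration:

```ruby
# Added example, not Mastodon's own code: a perceptual difference hash
# (dHash) that survives re-encoding, next to an exact SHA-256 that does not.
require 'digest'

WIDTH  = 72   # 9 columns of 8 px -> 9 sampled columns
HEIGHT = 64   # 8 rows of 8 px    -> 8 sampled rows
CELL   = 8

# Build a constructed 8-bit grayscale image from a per-cell value function.
def synth_image(&cell)
  Array.new(HEIGHT) do |y|
    Array.new(WIDTH) { |x| cell.call(x / CELL, y / CELL) }
  end
end

# Simulate a lossy re-upload: a small brightness shift plus per-pixel noise,
# deterministic so the example is reproducible.
def degrade(img)
  img.each_with_index.map do |row, y|
    row.each_with_index.map do |p, x|
      noise = ((x * 31 + y * 17) % 7) - 3          # in -3..3
      (p + 5 + noise).clamp(0, 255)
    end
  end
end

# Exact hash over the raw pixel bytes: any changed byte changes the digest.
def exact_hash(img)
  Digest::SHA256.hexdigest(img.flatten.pack('C*'))
end

# Downsample to 9x8 by box averaging, then emit 64 bits: 1 when a cell is
# brighter than its right-hand neighbour. Brightness shifts and small noise
# leave the relative ordering, and therefore the bits, unchanged.
def dhash(img)
  cols = WIDTH / CELL
  rows = HEIGHT / CELL
  means = Array.new(rows) do |r|
    Array.new(cols) do |c|
      sum = 0
      CELL.times { |dy| CELL.times { |dx| sum += img[r * CELL + dy][c * CELL + dx] } }
      sum.to_f / (CELL * CELL)
    end
  end
  bits = 0
  rows.times do |r|
    (cols - 1).times do |c|
      bits = (bits << 1) | (means[r][c] > means[r][c + 1] ? 1 : 0)
    end
  end
  bits
end

# Number of differing bits between two 64-bit hashes.
def hamming(a, b)
  (a ^ b).to_s(2).count('1')
end

# Constructed images: ORIGINAL stands in for the spam picture, REUPLOAD for a
# re-encoded copy of it, UNRELATED for a different picture.
ORIGINAL  = synth_image { |c, r| ((c * 2 + r * 3) % 5) * 40 }
REUPLOAD  = degrade(ORIGINAL)
UNRELATED = synth_image { |c, r| ((c * 3 + r * 2) % 5) * 40 }

SIMILARITY_THRESHOLD = 10  # bits out of 64; an assumption, tune on real samples

def same_image?(a, b)
  hamming(dhash(a), dhash(b)) <= SIMILARITY_THRESHOLD
end
```

The threshold is where the false-positive worry from the replies lives: too loose and any flat-coloured graphic collides with the spam image, too tight and a cropped or re-scaled copy slips through. A production filter would compute the hash once per incoming media attachment, compare it against hashes of confirmed spam reports, and treat a hit as a reason to hold the post for review rather than to reject it outright.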

galacticstone,
@galacticstone@mastodon.social avatar

deleted_by_author

Gargron,
@Gargron@mastodon.social avatar

@galacticstone No, not at all related.

LibrarianRA,
@LibrarianRA@worldkey.io avatar

@Gargron my account is getting tagged in about 20-30 a day. If this keeps up, I have little choice than to leave. I'm reporting more spam than engaging with followers. It's exhausting 😮‍💨

EverydayMoggie,
@EverydayMoggie@sfba.social avatar

Try turning on these settings. The spam always has direct mentions, so it should help some.

@LibrarianRA @Gargron

LibrarianRA,
@LibrarianRA@worldkey.io avatar

@EverydayMoggie @LibrarianRA @Gargron Thank you, but most of these won't work for my page. Turning some of them off won't allow me to interact with the over 3.k followers of this page. It also doesn't stop the spam. I hope they can do something soon. I've had another 10 in the last hour. 🫠

DavidTanner,
@DavidTanner@toot.wales avatar

@LibrarianRA @Gargron It's bizarre as I haven't seen a single spam. I assume @jaz is working overtime keeping toot.wales spam free 🤷‍♂️

jaz,
@jaz@toot.wales avatar

@DavidTanner @LibrarianRA it's all our fantastic @teamtoot staff and a lot of experience managing a busy service. Please do (if using Mastodon) go to your notifications preferences e.g. https://toot.wales/settings/preferences/notifications and review "Other Notification Settings" to minimise spam notifications and messages.

bullshitter,

@Gargron Oh Yeah..
If they are attacking surely there's some good going on here.

shved,
@shved@mastodon.social avatar

@Gargron Does duckduckgo email masking count as disposable email?

Avvielanche,
@Avvielanche@mstdn.social avatar

@Gargron well that sucks because I use Protonmail and DDG's email masker because fuck google. I hope this doesn't mean that only massive, centralized corporate mail servers are acceptable

condalmo,
@condalmo@mstdn.social avatar

@Avvielanche @Gargron Yes, don't block Proton

@protonmail

protonmail,
@protonmail@mastodon.social avatar

@condalmo Hi! Can you give us some more details? Have you experienced issues with Proton Mail being blocked while trying to use your email to register to some website or similar?

condalmo,
@condalmo@mstdn.social avatar

@protonmail No, not recently at least. I just wanted to mention it so that admins trying to corral the spam flood don't block Proton addresses

protonmail,
@protonmail@mastodon.social avatar

@condalmo Thanks!