this post was submitted on 20 Jun 2023
68 points (98.6% liked)

Lemmy

12557 readers
2 users here now

Everything about Lemmy; bugs, gripes, praises, and advocacy.

For discussion about the lemmy.ml instance, go to !meta@lemmy.ml.

founded 4 years ago
MODERATORS
nutomic@lemmy.ml
68
PSA: Many Lemmy instances are currently experiencing massive automated sign-ups (bots)! If you run an instance with open sign-ups, please read! (lemm.ee)
submitted 1 year ago* (last edited 1 year ago) by sunaurus@lemm.ee to c/lemmy@lemmy.ml
63 comments fedilink hide all child comments
 

Today, a bunch of new instances appeared in the top of the user count list. It appears that these instances are all being bombarded by bot sign-ups.

For now, it seems that the bots are especially targeting instances that have:

  • Open sign-ups
  • No captcha
  • No e-mail verification

I have put together a spreadsheet of some of the most suspicious cases here.

If this is affecting you, I would highly recommend considering one of the following options:

  1. Close sign-ups entirely
  2. Only allow sign-ups with applications
  3. Enable e-mail verification + captcha for sign-ups

Additionally, I would recommend pre-emptively banning as many bot accounts as possible, before they start posting spam!

Please comment below if you have any questions or anything useful to add.

you are viewing a single comment's thread
view the rest of the comments
[โ€“] bread@lemmy.world 1 points 1 year ago (1 children)

Maybe this is what's implied or I'm just being silly; What is to stop a bad actor spinning up a Lemmy instance, creating a bunch of bot accounts with no restrictions, and spamming other instances? Would the only route of action be for the non spam instances to individually defederate the spam ones? Seems like that would be a bit of a cat and mouse situation. I'm not too familiar with the inner workings and tools that Lemmy has that would be useful in this situation

[โ€“] PriorProject@lemmy.world 2 points 1 year ago

They can do this, and it is cat and mouse. But...

  1. It generally costs money to stand up an instance. It often requires a credit-card, which reduces anonymity. This will dissuade many folks.
  2. A malicious instance can be defederated, so it might not be all that useful.
  3. People can contact the security team at the host providing infra/internet to the spammer. Reputable hosts will kill the account of a spammer, which again is harder to duplicate if the host requires payment and identity info.
  4. Malicious hosts that fail to address repeated abuse reports can be ip-blocked.
  5. Eventually Lemmy features can be built to protect against this kind of thing by delaying federation, requiring admin approval, or shadow -banning them during a trial period.

Email has shown us that there's a playbook that kind of works here, but it's not easy or pleasant.