this post was submitted on 22 Jun 2023
88 points (96.8% liked)

Lemmy

12572 readers
10 users here now

Everything about Lemmy; bugs, gripes, praises, and advocacy.

For discussion about the lemmy.ml instance, go to !meta@lemmy.ml.

founded 4 years ago
MODERATORS
 

A dev initially suggested in the Lemmy GitHub to remove captchas from future releases altogether because "they're easy to bypass".

Here's the thing though, the lemmy.world instance avoided the daily 10k+ bot signups per day the other instances are currently experiencing simply by activating captchas.

Yes basic OCR easily bypasses them, but the whole point is that you're forcing the spammer to use it, and it costs CPU resources, meaning that for the same budget the spammer will be able to create LESS bot accounts, or none at all if he doesn't know how to automate the use of an OCR. Compare that with the current situation where anyone who followed a Python crash course can easily write a small script doing tens of thousands of automated signups using just the requests module.

Please enable captchas by default in future releases. You can try out other proposed solutions like hashcash too but IMO focus on the low hanging fruit first and make captchas a default in 0.18 already. One barrier, no matter how weak it is, is much better than no barrier at all.

And to those who maintain websites that list instances and rank them by size, you are also contributing to this problem by adding an incentive for bad actors to inflate their own instances. Please either remove that ranking, or remove the spammy looking instances by hand.

Also, maybe change the user count such that only users having clicked on the verification link are counted.

you are viewing a single comment's thread
view the rest of the comments
[–] TheYang@lemmy.ml 17 points 1 year ago (3 children)

I mean, it's a currently approved PR

There's also an active Issue about replacing captchas (which are often an issue privacy-wise) with a mCaptcha, where you computer does "Bitcoin-Like" useless calculations which the server easily can verify that you did.
So it would be much more costly to make a billion spam accounts

[–] AlmightySnoo@lemmy.world 3 points 1 year ago

that's awesome but is it a default on new instances?

[–] RedWizard@lemmygrad.ml 2 points 1 year ago

This is the right move I think.

[–] CoderKat@kbin.social -2 points 1 year ago

I'm very skeptical that mCaptcha would actually work besides perhaps temporarily slowing bots down due to being niche. How expensive can you make it without hurting legitimate users? And how expensive does it need to be to discourage bots? Especially when purposefully designed bots can actually do the kinda math we're talking about in optimized software and hardware while legitimate users can't.