Today, a bunch of new instances appeared in the top of the user count list. It appears that these instances are all being bombarded by bot sign-ups.
For now, it seems that the bots are especially targeting instances that have:
- Open sign-ups
- No captcha
- No e-mail verification
I have put together a spreadsheet of some of the most suspicious cases here.
If this is affecting you, I would highly recommend considering one of the following options:
- Close sign-ups entirely
- Only allow sign-ups with applications
- Enable e-mail verification + captcha for sign-ups
Additionally, I would recommend pre-emptively banning as many bot accounts as possible, before they start posting spam!
Please comment below if you have any questions or anything useful to add.
Update: on lemm.ee, I have defederated the most suspicious spambot-infested instances.
To clarify: this means small instances with an unnaturally fast explosion in user counts over the past day and very little organic activity. I plan to federate again if any of these instances get cleaned up. I have heard that other instances are planning (or already doing) this as well.
It’s not a decision I took lightly, but I think protecting users from spam is a very important task for admins. Full info here: https://lemm.ee/post/197715
If you’re an admin of an instance that’s defederated from lemm.ee but wish to DM me, you can find me on Matrix: @sunaurus:matrix.org
This should be probably pinned.
Agree
Thanks for the heads up, StarTrek.website has enabled CAPTCHA and purged the bots from our database.
Starfleet takes changeling infiltrations seriously :P
deleted by creator
CAPTCHA is the bare minimum. Who the hell turns it off?
There is an argument to be made that captchas can be automatically bypassed with some effort.
OTOH, the current wave of bots is quite clearly favoring instances with captcha disabled, so clearly it’s acting as at least a small deterrent.
Sometimes, security just means not being the low-hanging fruit.
Doing no captcha is like leaving the door open, hoping no-one breaks in, instead of at least closing the door (a closed door decreases chance of break in by near 100%, even if it’s not locked)
captchas block script kiddies at the very least
there’s a browser addon that lets you solve Recaptcha with one click:
https://addons.mozilla.org/en-US/firefox/addon/buster-captcha-solver/it automatically switches to the alternative accessibility option, which is based on typing in words that you hear, and uses speech recognition software to solve it. I’m fairly sure it could be automated quite easily.
Still way better than nothing at all
Some advanced OCR can hack the easier ones, but it’s unusual.
This might be related but I’ve noticed that someone is [likely automatically] following my posts and downvoting them. Kind of funny in a 'verse without karma.
Karma may mean nothing but the information space is a strategic domain.
I don’t think it’s the case here, as I’ve noticed this after posts in small communities:
- c/linguistics (~240 members)
- c/parana (1 member - new comm)
I think that the person/bot/whatever is following specific people.
Any tips on how to get rid of all the spam accounts? I have been affected by this as well and thankfully captcha stopped them, but about 100 bots signed up before I could stop.
Normally i’d just look through all the accounts and pick out the 4 or so users that are real. But there is no apparent way to view every user account as an admin.
Edit: There is a relevant issue open on the lemmy-ui repo, for those interested: https://github.com/LemmyNet/lemmy-ui/issues/456
Fun fact, they’re removing Captcha in the next release.
I won’t be upgrading and I anticipate I’ll be defederating with any instance that upgrades to v0.18.
That is true, but because of the recent spam wave there is also an issue to re-add captcha. https://github.com/LemmyNet/lemmy/issues/3200
We’ll just have to see how it all shakes out.
Sure, but as it stands v.0.18 WILL ship with captcha removed. (They’re already in the Release Candidate phase).
Unless the maintainers mark this issue as a priority I recommend that we ALL stay away from that release.
Did you figure out how to clean it up? You can see a list of users in your
local_usertable.I did manage to get a list of all users without a verified email using a postgress command, but sadly no, I can not figure out how to use the PurgePerson or AdminPurgePerson endpoints that are “described” in the documentation. I ended up just writing a small python script to ban all of them for now until I can figure out how to purge them.
It’s extra tough because user management in Lemmy is tied to posts and comments right now. Since none of the spam accounts have made posts, there’s no way in the UI to purge their accounts.
I’ll try to help you out in DMs in a minute, hang tight!
Here we go: https://overseer.dbzer0.com/
API doc: https://overseer.dbzer0.com/api/
curl -X 'GET' \ 'https://overseer.dbzer0.com/api/v1/instances' \ -H 'accept: application/json'Will spit out suspicious instances based on fediverse.observer . You can adjust the threshold to your own preference.
Nice! Would be cool if you could also include current statuses of captchas, emails, and application requirements.
Tell me how to fetch them and it will. ;)
I think the easiest option is to just iterate through the list of suspicious instances, and then check
{instance_url}/api/v3/sitefor each of them. Relevant keys of the response json aresite_view.local_site.captcha_enabled,site_view.local_site.registration_mode, andsite_view.local_site.require_email_verification.Since it’s a bunch of separate requests, probably it makes sense to do these in parallel and probably also to cache the results at least for a while.
It occurs to me that this kind of thing is better left to observer, as it’s set up to poll instances and gather data. I would suggest you ask them to ingest and expose this data as well
It was brought to my attention that my instance was hit with the spam bots regs. I’ve disabled registration and deleted the accounts from the DB. is there anything else I can do to clear the user stats on the sidebar? EDIT: I have reversed the stats too.
You can do this by updating
site_aggregates.usersin your database (WHERE site_id = 1)
99% of fedi instances should require sign-ups with applications and email. It does not make sense to let in users indiscriminately unless you have a 24h staff in charge of moderation.
We’re trying to capture the reddit refugees as well. It’s a fine-line to walk.
Email + Captcha should be doable right?
yes, that’s the bare minimum until we get better toolset
Agreed. An application that must be human reviewed is a very large gate that many people will see and just close the site. Myself included.
Nothing against you but that is a good thing. The idea that applications being reviewed by a human could scare off users means less low-haning-fruit trolls and shit-posters.
Email verification + captcha should be enough. The application part is cringe and a bad idea, unless you really want to be your own small high school clique and don’t have any growth ambitions, which is perfectly fine but again should not be expected from general instances looking to welcome Redditors.
One thing I like about lemmy was having to put in an application and waiting for approval. I knew I was vetted and others here were too.
Figure that alone could keep out most of the trolls and definitely the bots.
Yep, I noticed that as well: https://lemmy.dbzer0.com/post/87761
FYI, startrek.website has purged the bot accounts and enabled CAPTCHA. Just letting you know because they were showing up on your list.
Are you already defederating from suspicious instances? If not, What are you planning to do?
I am and I’ve already started work on https://github.com/db0/lemmy-overseer
Today, a bunch of new instances appeared in the top of the user count list. It appears that these instances are all being bombarded by bot sign-ups.
Yup, I noticed this as well.
Hopefully the mods of the instances will notice this and remove these accounts quickly! Despite this, I think the mods of all instances, and of all communities, had better brace themselves for incoming spam and hate speech.
I’m sure it’s different per instance, but is there any discussion on what is being done with the collected emails?
I understand the need to fight bots and spam, but there are also those of us who don’t want to associate emails with accounts so some privacy-related way of handling this would be appreciated.
there’s plenty of services that provide one-use emails or disposable ones
True, I use one myself.
That’s a cool instance you’re running over there, by the way! I appreciate it.
First Anti-spam service ready: https://lemmy.dbzer0.com/post/95652
I’m noobish, but could they be defederated until they get their act together before they spam everybody?
Yes, and I believe some instances are already doing this
