Today, a bunch of new instances appeared in the top of the user count list. It appears that these instances are all being bombarded by bot sign-ups.

For now, it seems that the bots are especially targeting instances that have:

  • Open sign-ups
  • No captcha
  • No e-mail verification

I have put together a spreadsheet of some of the most suspicious cases here.

If this is affecting you, I would highly recommend considering one of the following options:

  1. Close sign-ups entirely
  2. Only allow sign-ups with applications
  3. Enable e-mail verification + captcha for sign-ups

Additionally, I would recommend pre-emptively banning as many bot accounts as possible, before they start posting spam!

Please comment below if you have any questions or anything useful to add.


Update: on lemm.ee, I have defederated the most suspicious spambot-infested instances.

To clarify: this means small instances with an unnaturally fast explosion in user counts over the past day and very little organic activity. I plan to federate again if any of these instances get cleaned up. I have heard that other instances are planning (or already doing) this as well.

It’s not a decision I took lightly, but I think protecting users from spam is a very important task for admins. Full info here: https://lemm.ee/post/197715

If you’re an admin of an instance that’s defederated from lemm.ee but wish to DM me, you can find me on Matrix: @sunaurus:matrix.org

  • Lvxferre
    link
    fedilink
    arrow-up
    49
    arrow-down
    2
    ·
    2 years ago

    This might be related but I’ve noticed that someone is [likely automatically] following my posts and downvoting them. Kind of funny in a 'verse without karma.

      • Lvxferre
        link
        fedilink
        arrow-up
        6
        arrow-down
        1
        ·
        2 years ago

        I don’t think it’s the case here, as I’ve noticed this after posts in small communities:

        • c/linguistics (~240 members)
        • c/parana (1 member - new comm)

        I think that the person/bot/whatever is following specific people.

  • Wander@yiffit.net
    link
    fedilink
    arrow-up
    38
    arrow-down
    5
    ·
    2 years ago

    99% of fedi instances should require sign-ups with applications and email. It does not make sense to let in users indiscriminately unless you have a 24h staff in charge of moderation.

    • db0@lemmy.dbzer0.com
      link
      fedilink
      arrow-up
      54
      arrow-down
      2
      ·
      2 years ago

      We’re trying to capture the reddit refugees as well. It’s a fine-line to walk.

      • ඞmir
        link
        fedilink
        arrow-up
        35
        ·
        2 years ago

        Email + Captcha should be doable right?

      • hightrix@kbin.social
        link
        fedilink
        arrow-up
        21
        ·
        2 years ago

        Agreed. An application that must be human reviewed is a very large gate that many people will see and just close the site. Myself included.

        • nik282000
          link
          fedilink
          arrow-up
          4
          ·
          2 years ago

          Nothing against you but that is a good thing. The idea that applications being reviewed by a human could scare off users means less low-haning-fruit trolls and shit-posters.

    • AlmightySnoo 🐢🇮🇱🇺🇦@lemmy.world
      link
      fedilink
      arrow-up
      22
      arrow-down
      3
      ·
      2 years ago

      Email verification + captcha should be enough. The application part is cringe and a bad idea, unless you really want to be your own small high school clique and don’t have any growth ambitions, which is perfectly fine but again should not be expected from general instances looking to welcome Redditors.

  • d4rknusw1ld
    link
    fedilink
    arrow-up
    35
    arrow-down
    4
    ·
    2 years ago

    Sounds like a spez sponsored attack on Lemmy.

    • YMS@kbin.social
      link
      fedilink
      arrow-up
      19
      ·
      2 years ago

      Or just the unavoidable spam bot accounts coming as long as it’s easy and the instance operators being still unprepared.

    • couragethebravedog@lemmy.world
      link
      fedilink
      arrow-up
      12
      ·
      2 years ago

      I highly doubt spez did this. Reddit is currently doing fine. Even if it all goes away he’s sitting on over a decade of genuine human conversations he can sell to AI companies and make millions. He isn’t worried.

      • TWeaK@lemm.ee
        link
        fedilink
        arrow-up
        4
        ·
        2 years ago

        Steve Huffman doesn’t do anything, he’s a greedy little pigboy who profits off of the creation of his dead “friend”. He claims ownership of your ideas, for reddit’s exclusive profit, at no benefit (if anything, at penalty) to yourself.

        However it would be naive to assume that he hasn’t directed at least some shade towards reddit. Almost as naive as to think that Google doesn’t create bots to target websites that don’t use their own captcha services.

        PSA: When “proving you’re human”, always try to poison the data. They’re using your input to train visual AI, without paying you for your efforts. With Google, they will typically put the training up front - there will be one or two images that a bot isn’t sure about. If you give the unexpected response, the next test will be one that the machine knows, to check that you’re a human who knows what they’re talking about. With hcaptcha or some others, they might put the obvious one first, then check your guesses are human after.

        The services will determine that you’re human by other means anyway (eg mouse movements) and eventually let you through, but by giving them the wrong answer when they don’t know but the right answer when they do, you can make their AI less effective.

        They should be paying you for your input into their commercial enterprise, so fuck them.

    • sunaurus@lemm.eeOP
      link
      fedilink
      arrow-up
      16
      ·
      2 years ago

      Nice! Would be cool if you could also include current statuses of captchas, emails, and application requirements.

        • sunaurus@lemm.eeOP
          link
          fedilink
          arrow-up
          13
          ·
          2 years ago

          I think the easiest option is to just iterate through the list of suspicious instances, and then check {instance_url}/api/v3/site for each of them. Relevant keys of the response json are site_view.local_site.captcha_enabled, site_view.local_site.registration_mode, and site_view.local_site.require_email_verification.

          Since it’s a bunch of separate requests, probably it makes sense to do these in parallel and probably also to cache the results at least for a while.

          • db0@lemmy.dbzer0.com
            link
            fedilink
            arrow-up
            11
            ·
            2 years ago

            It occurs to me that this kind of thing is better left to observer, as it’s set up to poll instances and gather data. I would suggest you ask them to ingest and expose this data as well

  • badbrainstorm
    link
    fedilink
    arrow-up
    21
    arrow-down
    1
    ·
    2 years ago

    I’m noobish, but could they be defederated until they get their act together before they spam everybody?

  • Somoon@lemmy.sumuun.net
    link
    fedilink
    arrow-up
    12
    ·
    edit-2
    2 years ago

    It was brought to my attention that my instance was hit with the spam bots regs. I’ve disabled registration and deleted the accounts from the DB. is there anything else I can do to clear the user stats on the sidebar? EDIT: I have reversed the stats too.

    • sunaurus@lemm.eeOP
      link
      fedilink
      arrow-up
      6
      ·
      2 years ago

      You can do this by updating site_aggregates.users in your database (WHERE site_id = 1)

  • BigDale123@lemmy.coeus.icu
    link
    fedilink
    arrow-up
    11
    ·
    edit-2
    2 years ago

    Any tips on how to get rid of all the spam accounts? I have been affected by this as well and thankfully captcha stopped them, but about 100 bots signed up before I could stop.

    Normally i’d just look through all the accounts and pick out the 4 or so users that are real. But there is no apparent way to view every user account as an admin.

    Edit: There is a relevant issue open on the lemmy-ui repo, for those interested: https://github.com/LemmyNet/lemmy-ui/issues/456

    • sunaurus@lemm.eeOP
      link
      fedilink
      arrow-up
      3
      ·
      2 years ago

      Did you figure out how to clean it up? You can see a list of users in your local_user table.

      • BigDale123@lemmy.coeus.icu
        link
        fedilink
        arrow-up
        1
        ·
        edit-2
        2 years ago

        I did manage to get a list of all users without a verified email using a postgress command, but sadly no, I can not figure out how to use the PurgePerson or AdminPurgePerson endpoints that are “described” in the documentation. I ended up just writing a small python script to ban all of them for now until I can figure out how to purge them.

        It’s extra tough because user management in Lemmy is tied to posts and comments right now. Since none of the spam accounts have made posts, there’s no way in the UI to purge their accounts.

  • freeskier@centennialstate.social
    link
    fedilink
    arrow-up
    8
    ·
    edit-2
    2 years ago

    Looks like my instance got hit with a bot. I had email verification enabled but had missed turning on captcha (captcha enable should be up with enabling email verification settings). The bot used fake emails so none of the accounts are verified, but still goes towards account numbers. Is there really any good way to clean this up? Need a way to purge unverified accounts or something.

    • sunaurus@lemm.eeOP
      link
      fedilink
      arrow-up
      5
      ·
      2 years ago

      How comfortable are you with SQL? You can see all unused verifications in the email_verification table. You should be able to just delete those users from local_user, and then update your user count with the new count of the local_user table in site_aggregates.user (where site_id = 1)

      • voldern
        link
        fedilink
        arrow-up
        4
        ·
        2 years ago

        Thank you for proactively contacting me regarding this @sunaurus@lemm.ee. I’ve had this issue on my https://feddi.no instance, but I have added a captcha and registration applications now. Hopefully it will alleviate some of the problem.

        All of the bots accounts seems to have a number in their email so I manually looked through the list of users in email_verification that contained numbers in the email to look for false positives:

        select * from email_verification where email ~ '[0-9]+';

        before running

        delete from local_user where id in (select local_user_id from email_verification);

        to delete the users.

        By suggestion from @sunaurus@lemm.ee I updated site_aggregates to reflect the new users count on the instance:

        UPDATE site_aggregates SET users = (SELECT count(*) FROM local_user) WHERE site_id = 1;.

      • freeskier@centennialstate.social
        link
        fedilink
        arrow-up
        2
        ·
        edit-2
        2 years ago

        What I ended up doing is getting the person_ids, from the local_user table, that had verified emails. Since my instance literally only has 4 real users I then just deleted all the rows in the person table that were local users and weren’t the 4 real users. It took almost 2 hours to run but it worked. User count automatically updated and corresponding rows in all the other tables were automatically deleted.

        This is the command for getting person_ids of verified users:

        SELECT person_id FROM local_user WHERE email_verified = 'true';

        Then to delete all the local users, except for those with verified emails:

        DELETE FROM person WHERE local = 'true' AND id NOT IN (<ID1>,<ID2>,<ID3>);

        Unfortunately, this isn’t really helpful for anyone with lots of real users. Unless a SQL wizard knows how to do this, making a python script that queries all the person_ids of unverified users then deletes those from the person table is probably easiest.

        I’ll copy this to the Matrix room too since it might help admins there.