Today, a bunch of new instances appeared in the top of the user count list. It appears that these instances are all being bombarded by bot sign-ups.

For now, it seems that the bots are especially targeting instances that have:

  • Open sign-ups
  • No captcha
  • No e-mail verification

I have put together a spreadsheet of some of the most suspicious cases here.

If this is affecting you, I would highly recommend considering one of the following options:

  1. Close sign-ups entirely
  2. Only allow sign-ups with applications
  3. Enable e-mail verification + captcha for sign-ups

Additionally, I would recommend pre-emptively banning as many bot accounts as possible, before they start posting spam!

Please comment below if you have any questions or anything useful to add.


Update: on lemm.ee, I have defederated the most suspicious spambot-infested instances.

To clarify: this means small instances with an unnaturally fast explosion in user counts over the past day and very little organic activity. I plan to federate again if any of these instances get cleaned up. I have heard that other instances are planning (or already doing) this as well.

It’s not a decision I took lightly, but I think protecting users from spam is a very important task for admins. Full info here: https://lemm.ee/post/197715

If you’re an admin of an instance that’s defederated from lemm.ee but wish to DM me, you can find me on Matrix: @sunaurus:matrix.org

  • Wander@yiffit.net
    link
    fedilink
    arrow-up
    38
    arrow-down
    5
    ·
    1 year ago

    99% of fedi instances should require sign-ups with applications and email. It does not make sense to let in users indiscriminately unless you have a 24h staff in charge of moderation.

    • db0@lemmy.dbzer0.com
      link
      fedilink
      arrow-up
      54
      arrow-down
      2
      ·
      1 year ago

      We’re trying to capture the reddit refugees as well. It’s a fine-line to walk.

      • ඞmir
        link
        fedilink
        arrow-up
        35
        ·
        1 year ago

        Email + Captcha should be doable right?

      • hightrix@kbin.social
        link
        fedilink
        arrow-up
        21
        ·
        1 year ago

        Agreed. An application that must be human reviewed is a very large gate that many people will see and just close the site. Myself included.

        • nik282000
          link
          fedilink
          arrow-up
          4
          ·
          1 year ago

          Nothing against you but that is a good thing. The idea that applications being reviewed by a human could scare off users means less low-haning-fruit trolls and shit-posters.

    • AlmightySnoo 🐢🇮🇱🇺🇦@lemmy.world
      link
      fedilink
      arrow-up
      22
      arrow-down
      3
      ·
      1 year ago

      Email verification + captcha should be enough. The application part is cringe and a bad idea, unless you really want to be your own small high school clique and don’t have any growth ambitions, which is perfectly fine but again should not be expected from general instances looking to welcome Redditors.