Today, a bunch of new instances appeared in the top of the user count list. It appears that these instances are all being bombarded by bot sign-ups.

For now, it seems that the bots are especially targeting instances that have:

  • Open sign-ups
  • No captcha
  • No e-mail verification

I have put together a spreadsheet of some of the most suspicious cases here.

If this is affecting you, I would highly recommend considering one of the following options:

  1. Close sign-ups entirely
  2. Only allow sign-ups with applications
  3. Enable e-mail verification + captcha for sign-ups

Additionally, I would recommend pre-emptively banning as many bot accounts as possible, before they start posting spam!

Please comment below if you have any questions or anything useful to add.


Update: on lemm.ee, I have defederated the most suspicious spambot-infested instances.

To clarify: this means small instances with an unnaturally fast explosion in user counts over the past day and very little organic activity. I plan to federate again if any of these instances get cleaned up. I have heard that other instances are planning (or already doing) this as well.

It’s not a decision I took lightly, but I think protecting users from spam is a very important task for admins. Full info here: https://lemm.ee/post/197715

If you’re an admin of an instance that’s defederated from lemm.ee but wish to DM me, you can find me on Matrix: @sunaurus:matrix.org

  • d4rknusw1ld
    link
    fedilink
    arrow-up
    35
    arrow-down
    4
    ·
    2 years ago

    Sounds like a spez sponsored attack on Lemmy.

    • YMS@kbin.social
      link
      fedilink
      arrow-up
      19
      ·
      2 years ago

      Or just the unavoidable spam bot accounts coming as long as it’s easy and the instance operators being still unprepared.

    • couragethebravedog@lemmy.world
      link
      fedilink
      arrow-up
      12
      ·
      2 years ago

      I highly doubt spez did this. Reddit is currently doing fine. Even if it all goes away he’s sitting on over a decade of genuine human conversations he can sell to AI companies and make millions. He isn’t worried.

      • TWeaK@lemm.ee
        link
        fedilink
        arrow-up
        4
        ·
        2 years ago

        Steve Huffman doesn’t do anything, he’s a greedy little pigboy who profits off of the creation of his dead “friend”. He claims ownership of your ideas, for reddit’s exclusive profit, at no benefit (if anything, at penalty) to yourself.

        However it would be naive to assume that he hasn’t directed at least some shade towards reddit. Almost as naive as to think that Google doesn’t create bots to target websites that don’t use their own captcha services.

        PSA: When “proving you’re human”, always try to poison the data. They’re using your input to train visual AI, without paying you for your efforts. With Google, they will typically put the training up front - there will be one or two images that a bot isn’t sure about. If you give the unexpected response, the next test will be one that the machine knows, to check that you’re a human who knows what they’re talking about. With hcaptcha or some others, they might put the obvious one first, then check your guesses are human after.

        The services will determine that you’re human by other means anyway (eg mouse movements) and eventually let you through, but by giving them the wrong answer when they don’t know but the right answer when they do, you can make their AI less effective.

        They should be paying you for your input into their commercial enterprise, so fuck them.