cross-posted from: https://lemm.ee/post/177673

Cross posting this here for visibility since lemmy.ml federation has been very hit or miss the last week. Original post from @sunaurus@lemm.ee

Today, a bunch of new instances appeared in the top of the user count list. It appears that these instances are all being bombarded by bot sign-ups.

For now, it seems that the bots are especially targeting instances that have:

  • Open sign-ups
  • No captcha
  • No e-mail verification

I have put together a spreadsheet of some of the most suspicious cases here.

If this is affecting you, I would highly recommend considering one of the following options:

  1. Close sign-ups entirely
  2. Only allow sign-ups with applications
  3. Enable e-mail verification + captcha for sign-ups

Additionally, I would recommend pre-emptively banning as many bot accounts as possible, before they start posting spam!

Please comment below if you have any questions or anything useful to add.

  • cerevant@lemmy.world
    link
    fedilink
    English
    arrow-up
    5
    arrow-down
    2
    ·
    2 years ago

    Sadly, this may signal the end of open federation. I can’t see how trust by default is going to work long term.

    • Ulu-Mulu-no-die@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      2 years ago

      It depends on how federated platforms react, it’s necessary to control who signs up in some way, if that’s “globally” accepted trust can hold well long term.

      • cerevant@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        2 years ago

        Right now the instances are working to stifle this by restricting account creation, but we’re just a step away from spammers creating instances on demand, flooding networks with stuff like the crypto spam on Reddit. I’m thinking major instances are going to have to go whitelist federation as a result.

        • marsokod@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          2 years ago

          I would not be surprised if at some point you have a few whitelists, or some kind of reputation management for instances. One could even say they can have a karma number associated to them.

          In the end, this is the same problem as for emails and the landscape will probably structure itself around several big actors and countless of smaller actors who will have to be really careful in order to not be defederated.

          • Zak@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            2 years ago

            A reputation system is really important. Open federation may not be viable long term without one.

    • Cinner@lemmy.worldB
      link
      fedilink
      English
      arrow-up
      1
      ·
      2 years ago

      This is one place where 2-of-3 multisig crypto could truly excel. If posters were required to have, say, $5 in XYZ per account per site, but that $5 will get you access to every site on the fediverse AND you can withdrawal it whenever you want, but it will close your accounts. Like a $5 participation escrow. Spammers could still spam, but they’d need to have $5 per account created to do so. I’m sure there are pros and cons to this, but it is technologically feasible.

      • Zetaphor@zemmy.ccOP
        link
        fedilink
        English
        arrow-up
        0
        ·
        2 years ago

        You just described token gating, not multisig. Also you can do multisig without involving any money (or tokens)

        • Cinner@lemmy.worldB
          link
          fedilink
          English
          arrow-up
          1
          ·
          2 years ago

          My comment says deleted by creator (I didn’t delete it) so I don’t remember exactly what I said, but the point is to temporarily (as long as the account exists) put money on the books, which can be taken if you spam but you can withdrawal it when you close your account if you don’t. There would need to be a trusted signing authority so instance admins couldn’t just take it.