Hello, lemmings!

I want to write a quick post about the recent wave of spam users on the federated network, and what steps I am taking to protect lemm.ee.

TL;DR:

  • Tens of thousands of bots are signing up on small unprotected Lemmy instances. lemm.ee has not been targeted so far.
  • To protect lemm.ee users from spam, I am going to start defederating such instances immediately.
  • If spam bots start signing up on lemm.ee in the future, I will be (temporarily) closing new sign-ups until we have better tools to deal with bots.

Read on for more details!

Background

In the past few days, the growth of Lemmy user counts across the whole network has increased exponentially:

While there’s no question that this growth includes a big amount of real people coming over from Reddit, unfortunately, there is also a huge amount of automated sign-ups by bots.

For now, lemm.ee has not been affected by automated sign-ups. Bots seem to be avoiding instances which employ some or all of the following protections:

  • E-mail verification
  • Captcha on sign-up
  • Sign-up applications with manual review

Currently, lemm.ee employs e-mail verification and captchas.

There is a large amount of instances out there which don’t employ any of these protections. These are the instances the bots are mainly targeting. Most of these instances seem to be very small and not very active (often having <10 organic users and very few communities or posts). Some of these instances have taken notice of the bots and have begun taking steps to remove the bots and tighten up their sign-ups, but the majority have done nothing to combat the situation.

If you’re interested, I am maintaining a (non-comprehensive) list of most likely affected instances here. I have been updating it every now and then since yesterday in hopes of seeing positive change, but unfortunately, the situation seems to be getting worse.

Up until yesterday, these bots were mostly just quietly sitting there, but as of today, the bots have started posting spam. I have already been moderating several cases of automated spam, but I can only do this reactively.

Current solution: defederating spambot-infested instances

As I have mentioned previously in other threads, I do not really want to defederate any legitimate instances, but I will defederate instances which are actively making Lemmy worse for lemm.ee users. It seems clear in this case that the bots are planning to create a bad experience for all legitimate users, and that the only way to really limit the effect of these bots is to defederate the instances where they are joining uncontrollably.

This is a lose-lose situation - if we don’t defederate them, then we risk exposing all lemm.ee users and communities to massive amounts of spam, but if we do defederate them, we are cutting off small instances who are clearly already struggling. I really like the idea of federated networks and people being able to curate their own feed from whatever instances they enjoy, so I do not make any defederation decisions lightly. At the end of the day, I can only choose the lesser evil, which at the moment does seem to be defederation.

Going forward, I will be regularly checking for spambot instances. If I detect new ones, I will be defederating lemm.ee from them immediately. Less regularly, I will also be checking to see if any of the instances have taken steps to deal with the bots - if they have, then I am planning to federate with them again. If anybody is interested in getting a cleaned up instance federated again, feel free to contact me over DM (if you’re currently defederated, you can contact me on Matrix: @sunaurus:matrix.org).

What are the criteria for defederation?

While I don’t want to give out the exact details (it would just help spam bots with evading defederation), I can tell you in broad strokes that I am focused on defederating small instances with unnaturally huge user growth. I am currently not planning to defederate any popular instances with large communities and active moderation.

What does defederation mean for me as a lemm.ee user?
  • You will not be able to see any new posts or comments from defederated instances made on ANY instance.
    • You will still be able to see old ones that they made before defederation
  • Users from defederated instances will not be able to post or comment at all in communities hosted on lemm.ee

Future: if lemm.ee gets hit by spam bots, then sign-ups will be (temporarily) closed

While it’s true that we so far have not had a problem with automated sign-ups at lemm.ee, it is for sure possible that the bots in the future will be improved to automate e-mail verification and captcha solving. I do have some additional measures in place already to protect us, but nothing is guaranteed.

If it does happen that lemm.ee sign-ups become a target for spam sign-ups, I am intending to completely close sign-ups until there are better tools to deal with bots. There are several such tools already proposed, and I am planning to start development on one of them next month, so hopefully any potential closing of sign-ups would not last very long!

I want to emphasize that even if we end up closing sign-ups, your communities on lemm.ee will still be able to grow. As always, users from any federated instance will be able to subscribe to your communities and interact in all the ways that a local lemm.ee user would be able to.

To conclude, I really hope that this news does not ruin the experience for any of our users.

It’s honestly a really bad situation and I wish I wouldn’t have to be writing this post right now, but the reality is that things like this happen from time to time. We just have to deal with it in the best ways that we can. If you have any feedback or thoughts about any of this, please leave a comment below!

    • baconeater@lemm.ee
      1 year ago

      Let me guess GuyDudeman, you also work in the “business factory” ? How do we know that you aren’t just 3 bots stacked on top of each other in a trench coat?

  • eee@lemm.ee
    1 year ago

    Thank you for doing this. I have been watching the user stats, and it’s very clear which instances are being targeted.

    Defederation should only be considered when there is a potential for serious damage to the community. Given the volume of spambots (there are a few small instances with >10,000 new “users”), defederation is the right solution in these cases. No amount of extra mods can help delete comments from tens of thousands of spambots. If it’s a more manageable number of bad actors, then defederation should not be used (looking at you, beehaw).

    I don’t know if you want to comment publicly, but I remember seeing some discussion with the lemmy devs over implementation of captcha. Was that resolved?

  • andres@lemm.ee
    1 year ago

    Thank you for always being at the forefront of the fight against problems that affect Lemmy. I’m glad I chose this instance as my home.

  • CoolRhino@lemm.ee
    1 year ago

    Can we have a public, continuously updated list of communities we are defederated from?

    • Sleepographer@lemm.ee
      1 year ago

      when you’re on the lemm.ee instance, scroll to the very bottom of the page and click on the “instances” link. that page shows “linked” instances on the left column and “blocked” instances on the right column. “linked” are the instances we’re federated with(grows naturally), and “blocked” are the instances that sunaurus elected to defederate with. you can go to any instance and look at their lists too, even without an account, so they are very publicly visible.

      is that what you’re looking for?

      side-note: before today our blocked instances list was empty every time i checked, which i do fairly often.

  • stux⚡ @geddit.social
    1 year ago

    I think this is a good idea… Some instances don’t seem to take action and are growing quickly!

    I’m gonna do the same on Geddit to be sure 👌🏻🥰

  • rodneylives@kbin.social
    1 year ago

    Spam has long been the corrosion eating away at internet services. It killed Usenet, and nearly did email.

    • sunaurus@lemm.ee OP M
      1 year ago

      They have an abnormal active users to registered users ratio - about 50x more registered users than monthly active users - and my automation picked up on that. But they haven’t been growing uncontrollably, so I assume they have a handle on this, I will re-federate for now.

      I could probably also reduce the sensitivity on my automation a bit, I’ll take a look at it tomorrow!
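
The two signals mentioned in this thread (registered-to-active user ratio and user growth on small instances) can be combined into a simple triage pass. This is an added example, not part of the thread and not sunaurus's automation; the thresholds, field names and sample instances are all constructed assumptions.

```python
from dataclasses import dataclass

# Illustrative thresholds (assumptions, not the values used by lemm.ee).
SMALL_INSTANCE_MAU = 500   # at or below this many monthly actives = "small"
RATIO_LIMIT = 20.0         # registered users per monthly active user
GROWTH_LIMIT = 5.0         # registered-user multiplier between two snapshots


@dataclass
class Snapshot:
    domain: str
    users_before: int      # registered users at the earlier snapshot
    users_now: int         # registered users at the later snapshot
    active_month: int      # monthly active users at the later snapshot


def classify(s: Snapshot) -> str:
    """Return 'ok', 'review' or 'defederate-candidate' for one instance."""
    # max(..., 1) avoids division by zero for idle or brand-new instances.
    ratio = s.users_now / max(s.active_month, 1)
    growth = s.users_now / max(s.users_before, 1)
    if s.active_month > SMALL_INSTANCE_MAU:
        return "ok"        # popular, actively used instances are left alone
    if ratio >= RATIO_LIMIT and growth >= GROWTH_LIMIT:
        return "defederate-candidate"
    if ratio >= RATIO_LIMIT or growth >= GROWTH_LIMIT:
        return "review"    # a single signal needs a human look first
    return "ok"


def triage(snapshots):
    """Map each instance domain to its classification."""
    return {s.domain: classify(s) for s in snapshots}


# Constructed sample data; none of these are real instances.
SAMPLE = [
    Snapshot("tiny-flooded.example", 40, 12000, 8),
    Snapshot("stale-accounts.example", 9500, 10000, 200),  # 50x ratio, flat growth
    Snapshot("big-community.example", 30000, 90000, 25000),
    Snapshot("quiet-hobby.example", 50, 60, 12),
]

if __name__ == "__main__":
    for domain, verdict in triage(SAMPLE).items():
        print(f"{domain:28} {verdict}")
```

An instance with a high ratio but flat growth lands in "review" rather than being blocked outright, which is the case described in the last comment above.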