Skip Navigation
Lemmy @lemmy.ml sunaurus @lemm.ee

PSA: Many Lemmy instances are currently experiencing massive automated sign-ups (bots)! If you run an instance with open sign-ups, please read!

Today, a bunch of new instances appeared in the top of the user count list. It appears that these instances are all being bombarded by bot sign-ups.

For now, it seems that the bots are especially targeting instances that have:

  • Open sign-ups
  • No captcha
  • No e-mail verification

I have put together a spreadsheet of some of the most suspicious cases here.

If this is affecting you, I would highly recommend considering one of the following options:

  1. Close sign-ups entirely
  2. Only allow sign-ups with applications
  3. Enable e-mail verification + captcha for sign-ups

Additionally, I would recommend pre-emptively banning as many bot accounts as possible, before they start posting spam!

Please comment below if you have any questions or anything useful to add.

Update: on lemm.ee, I have defederated the most suspicious spambot-infested instances.

To clarify: this means small instances with an unnaturally fast explosion in user counts over the past day and very little organic activity. I plan to federate again if any of these instances get cleaned up. I have heard that other instances are planning (or already doing) this as well.

It's not a decision I took lightly, but I think protecting users from spam is a very important task for admins. Full info here: https://lemm.ee/post/197715

If you're an admin of an instance that's defederated from lemm.ee but wish to DM me, you can find me on Matrix: @sunaurus:matrix.org

74

You're viewing a single thread.

74 comments

  • Here we go: https://overseer.dbzer0.com/

    API doc: https://overseer.dbzer0.com/api/

    curl -X 'GET' \
  'https://overseer.dbzer0.com/api/v1/instances' \
  -H 'accept: application/json'

    Will spit out suspicious instances based on fediverse.observer . You can adjust the threshold to your own preference.

    • Nice! Would be cool if you could also include current statuses of captchas, emails, and application requirements.

      • Tell me how to fetch them and it will. ;)

        • I think the easiest option is to just iterate through the list of suspicious instances, and then check {instance_url}/api/v3/site for each of them. Relevant keys of the response json are site_view.local_site.captcha_enabled, site_view.local_site.registration_mode, and site_view.local_site.require_email_verification.

          Since it's a bunch of separate requests, probably it makes sense to do these in parallel and probably also to cache the results at least for a while.

          • It occurs to me that this kind of thing is better left to observer, as it's set up to poll instances and gather data. I would suggest you ask them to ingest and expose this data as well

74 comments