PSA: Many Lemmy instances are currently experiencing massive automated sign-ups (bots)! If you run an instance with open sign-ups, please read!
Today, a bunch of new instances appeared in the top of the user count list. It appears that these instances are all being bombarded by bot sign-ups.
For now, it seems that the bots are especially targeting instances that have:
Open sign-ups
No captcha
No e-mail verification
I have put together a spreadsheet of some of the most suspicious cases here.
If this is affecting you, I would highly recommend considering one of the following options:
Close sign-ups entirely
Only allow sign-ups with applications
Enable e-mail verification + captcha for sign-ups
Additionally, I would recommend pre-emptively banning as many bot accounts as possible, before they start posting spam!
Please comment below if you have any questions or anything useful to add.
Update: on lemm.ee, I have defederated the most suspicious spambot-infested instances.
To clarify: this means small instances with an unnaturally fast explosion in user counts over the past day and very little organic activity. I plan to federate again if any of these instances get cleaned up. I have heard that other instances are planning (or already doing) this as well.
It's not a decision I took lightly, but I think protecting users from spam is a very important task for admins. Full info here: https://lemm.ee/post/197715
If you're an admin of an instance that's defederated from lemm.ee but wish to DM me, you can find me on Matrix: @sunaurus:matrix.org
This might be related but I've noticed that someone is [likely automatically] following my posts and downvoting them. Kind of funny in a 'verse without karma.
I highly doubt spez did this. Reddit is currently doing fine. Even if it all goes away he's sitting on over a decade of genuine human conversations he can sell to AI companies and make millions. He isn't worried.
Steve Huffman doesn't do anything, he's a greedy little pigboy who profits off of the creation of his dead "friend". He claims ownership of your ideas, for reddit's exclusive profit, at no benefit (if anything, at penalty) to yourself.
However it would be naive to assume that he hasn't directed at least some shade towards reddit. Almost as naive as to think that Google doesn't create bots to target websites that don't use their own captcha services.
PSA: When "proving you're human", always try to poison the data. They're using your input to train visual AI, without paying you for your efforts. With Google, they will typically put the training up front - there will be one or two images that a bot isn't sure about. If you give the unexpected response, the next test will be one that the machine knows, to check that you're a human who knows what they're talking about. With hcaptcha or some others, they might put the obvious one first, then check your guesses are human after.
The services will determine that you're human by other means anyway (eg mouse movements) and eventually let you through, but by giving them the wrong answer when they don't know but the right answer when they do, you can make their AI less effective.
They should be paying you for your input into their commercial enterprise, so fuck them.
99% of fedi instances should require sign-ups with applications and email. It does not make sense to let in users indiscriminately unless you have a 24h staff in charge of moderation.
Email verification + captcha should be enough. The application part is cringe and a bad idea, unless you really want to be your own small high school clique and don't have any growth ambitions, which is perfectly fine but again should not be expected from general instances looking to welcome Redditors.
It was brought to my attention that my instance was hit with the spam bots regs.
I've disabled registration and deleted the accounts from the DB. is there anything else I can do to clear the user stats on the sidebar?
Maybe this is what's implied or I'm just being silly; What is to stop a bad actor spinning up a Lemmy instance, creating a bunch of bot accounts with no restrictions, and spamming other instances? Would the only route of action be for the non spam instances to individually defederate the spam ones? Seems like that would be a bit of a cat and mouse situation. I'm not too familiar with the inner workings and tools that Lemmy has that would be useful in this situation
It generally costs money to stand up an instance. It often requires a credit-card, which reduces anonymity. This will dissuade many folks.
A malicious instance can be defederated, so it might not be all that useful.
People can contact the security team at the host providing infra/internet to the spammer. Reputable hosts will kill the account of a spammer, which again is harder to duplicate if the host requires payment and identity info.
Malicious hosts that fail to address repeated abuse reports can be ip-blocked.
Eventually Lemmy features can be built to protect against this kind of thing by delaying federation, requiring admin approval, or shadow -banning them during a trial period.
Email has shown us that there's a playbook that kind of works here, but it's not easy or pleasant.
I've been thinking about this as well. As a user of a private instance, I would be absolutely fine with a "federation application" much like user registration is currently.
Eventually Lemmy features can be built to protect against this kind of thing by delaying federation, requiring admin approval, or shadow -banning them during a trial period.
I know from talking to admins when pbpBB was really popular that fighting spammers and unsavory bots was the big workload in running a forum. I'd expect the same for Fediverse instances. I hope a system can be worked out to make it manageable.
As a user I don't have a big problem with mechanisms like applications for the sake of spam control. It's hugely more convenient when an account can be created instantaneously, but I understand the need.
I do wonder how the fediverse is going to deal with self-hosting bad actors. I would think some kind of vetting process for federation would need to exist. I suppose you could rely on each admin to deal with that locally, but that does not sound like an efficient or particularly effective solution.
I suspect that there's going to need to be some analysis software that can run on the kbin and lemmy server logs looking for suspicious stuff.
Say, for instance, a ton of accounts come from one IP. That's not a guarantee that they're malicious -- like, could be some institution that NATs connections or something. But it's probably worth at least looking at, and if someone signed up 50 accounts from a single IP, that's probably at least worth red-flagging to see if they're actually acting like a normal account. Especially if the email provider is identical (i.e. they're all from one domain).
Might also want to have some kind of clearinghouse for sharing information among instance admins about abuse cases.
One other point:
I would recommend pre-emptively banning as many bot accounts as possible,
A bot is not intrinsically a bad thing. For example, I was suggesting yesterday that it would be neat if there was a bot running that posted equivalent nitter.net links in response to comments providing twitter.com links, for people who want to use those. There were a number of legitimately-helpful bots that ran on Reddit -- I personally got a kick out of the haiku bot, that mentioned to a user when their comment was a haiku -- and legitimately-helpful bots that run on IRC.
Though perhaps it would be a good idea to either adopt a convention ("bots must end in "Bot") or have some other way for bots to disclose that they are bots and provide contact information for a human, in case they malfunction and start causing problems.
But if someone is signing up hordes of them, then, yeah, that's probably not a good actor. Shouldn't need a ton of accounts for any legit reason.
I'm sure it's different per instance, but is there any discussion on what is being done with the collected emails?
I understand the need to fight bots and spam, but there are also those of us who don't want to associate emails with accounts so some privacy-related way of handling this would be appreciated.
Any tips on how to get rid of all the spam accounts? I have been affected by this as well and thankfully captcha stopped them, but about 100 bots signed up before I could stop.
Normally i'd just look through all the accounts and pick out the 4 or so users that are real. But there is no apparent way to view every user account as an admin.
I did manage to get a list of all users without a verified email using a postgress command, but sadly no, I can not figure out how to use the PurgePerson or AdminPurgePerson endpoints that are "described" in the documentation. I ended up just writing a small python script to ban all of them for now until I can figure out how to purge them.
It's extra tough because user management in Lemmy is tied to posts and comments right now. Since none of the spam accounts have made posts, there's no way in the UI to purge their accounts.
Today, a bunch of new instances appeared in the top of the user count list. It appears that these instances are all being bombarded by bot sign-ups.
Yup, I noticed this as well.
Hopefully the mods of the instances will notice this and remove these accounts quickly! Despite this, I think the mods of all instances, and of all communities, had better brace themselves for incoming spam and hate speech.
Looks like my instance got hit with a bot. I had email verification enabled but had missed turning on captcha (captcha enable should be up with enabling email verification settings). The bot used fake emails so none of the accounts are verified, but still goes towards account numbers. Is there really any good way to clean this up? Need a way to purge unverified accounts or something.
How comfortable are you with SQL? You can see all unused verifications in the email_verification table. You should be able to just delete those users from local_user, and then update your user count with the new count of the local_user table in site_aggregates.user (where site_id = 1)
Thank you for proactively contacting me regarding this @[email protected]. I've had this issue on my https://feddi.no instance, but I have added a captcha and registration applications now. Hopefully it will alleviate some of the problem.
All of the bots accounts seems to have a number in their email so I manually looked through the list of users in email_verification that contained numbers in the email to look for false positives:
select * from email_verification where email ~ '[0-9]+';
before running
delete from local_user where id in (select local_user_id from email_verification);
to delete the users.
By suggestion from @[email protected] I updated site_aggregates to reflect the new users count on the instance:
UPDATE site_aggregates SET users = (SELECT count(*) FROM local_user) WHERE site_id = 1;.
Something like: news article about politician A downvote to -50, news article about politician B upvote to 70, people are more likely to click on the article about politician B and skip over politician A's article.
had to create an account to post since my comments from sffa.community and kbin.social weren't showing up.
I'm an admin over at sffa.community. We did notice the bot wave. They never got past email verification. We hve since implemented CAPTCHA and have purged the bots from our database.
You can see we are down to organic users. We've only been officially open for a couple weeks so we're still working on content but we are safe to federate with again, if you'd like.