Today, a bunch of new instances appeared in the top of the user count list. It appears that these instances are all being bombarded by bot sign-ups.

For now, it seems that the bots are especially targeting instances that have:

  • Open sign-ups
  • No captcha
  • No e-mail verification

I have put together a spreadsheet of some of the most suspicious cases here.

If this is affecting you, I would highly recommend considering one of the following options:

  1. Close sign-ups entirely
  2. Only allow sign-ups with applications
  3. Enable e-mail verification + captcha for sign-ups

Additionally, I would recommend pre-emptively banning as many bot accounts as possible, before they start posting spam!

Please comment below if you have any questions or anything useful to add.


Update: on lemm.ee, I have defederated the most suspicious spambot-infested instances.

To clarify: this means small instances with an unnaturally fast explosion in user counts over the past day and very little organic activity. I plan to federate again if any of these instances get cleaned up. I have heard that other instances are planning (or already doing) this as well.

It’s not a decision I took lightly, but I think protecting users from spam is a very important task for admins. Full info here: https://lemm.ee/post/197715

If you’re an admin of an instance that’s defederated from lemm.ee but wish to DM me, you can find me on Matrix: @sunaurus:matrix.org

  • Somoon@lemmy.sumuun.net
    link
    fedilink
    arrow-up
    2
    ·
    edit-2
    2 years ago

    It was brought to my attention that my instance was hit with the spam bots regs. I’ve disabled registration and deleted the accounts from the DB. is there anything else I can do to clear the user stats on the sidebar? EDIT: I have reversed the stats too.

    • sunaurus@lemm.eeOP
      link
      fedilink
      arrow-up
      1
      ·
      2 years ago

      You can do this by updating site_aggregates.users in your database (WHERE site_id = 1)

  • Zamboniman@lemmy.ca
    link
    fedilink
    arrow-up
    1
    ·
    2 years ago

    Today, a bunch of new instances appeared in the top of the user count list. It appears that these instances are all being bombarded by bot sign-ups.

    Yup, I noticed this as well.

    Hopefully the mods of the instances will notice this and remove these accounts quickly! Despite this, I think the mods of all instances, and of all communities, had better brace themselves for incoming spam and hate speech.

    • YMS@kbin.social
      link
      fedilink
      arrow-up
      1
      ·
      2 years ago

      Or just the unavoidable spam bot accounts coming as long as it’s easy and the instance operators being still unprepared.

  • Wander@yiffit.net
    link
    fedilink
    arrow-up
    2
    arrow-down
    1
    ·
    2 years ago

    99% of fedi instances should require sign-ups with applications and email. It does not make sense to let in users indiscriminately unless you have a 24h staff in charge of moderation.

    • Email verification + captcha should be enough. The application part is cringe and a bad idea, unless you really want to be your own small high school clique and don’t have any growth ambitions, which is perfectly fine but again should not be expected from general instances looking to welcome Redditors.

  • Lvxferre@lemmy.ml
    link
    fedilink
    arrow-up
    2
    arrow-down
    1
    ·
    2 years ago

    This might be related but I’ve noticed that someone is [likely automatically] following my posts and downvoting them. Kind of funny in a 'verse without karma.

      • Lvxferre@lemmy.ml
        link
        fedilink
        arrow-up
        1
        arrow-down
        1
        ·
        2 years ago

        I don’t think it’s the case here, as I’ve noticed this after posts in small communities:

        • c/linguistics (~240 members)
        • c/parana (1 member - new comm)

        I think that the person/bot/whatever is following specific people.

  • badbrainstorm@lemmy.ml
    link
    fedilink
    arrow-up
    1
    ·
    2 years ago

    I’m noobish, but could they be defederated until they get their act together before they spam everybody?

  • rm_dash_r_star@lemm.ee
    link
    fedilink
    arrow-up
    1
    ·
    2 years ago

    I know from talking to admins when pbpBB was really popular that fighting spammers and unsavory bots was the big workload in running a forum. I’d expect the same for Fediverse instances. I hope a system can be worked out to make it manageable.

    As a user I don’t have a big problem with mechanisms like applications for the sake of spam control. It’s hugely more convenient when an account can be created instantaneously, but I understand the need.

    I do wonder how the fediverse is going to deal with self-hosting bad actors. I would think some kind of vetting process for federation would need to exist. I suppose you could rely on each admin to deal with that locally, but that does not sound like an efficient or particularly effective solution.

  • ikiru@lemmy.ml
    link
    fedilink
    arrow-up
    1
    ·
    2 years ago

    I’m sure it’s different per instance, but is there any discussion on what is being done with the collected emails?

    I understand the need to fight bots and spam, but there are also those of us who don’t want to associate emails with accounts so some privacy-related way of handling this would be appreciated.

  • BigDale123@lemmy.coeus.icu
    link
    fedilink
    arrow-up
    1
    ·
    edit-2
    2 years ago

    Any tips on how to get rid of all the spam accounts? I have been affected by this as well and thankfully captcha stopped them, but about 100 bots signed up before I could stop.

    Normally i’d just look through all the accounts and pick out the 4 or so users that are real. But there is no apparent way to view every user account as an admin.

    Edit: There is a relevant issue open on the lemmy-ui repo, for those interested: https://github.com/LemmyNet/lemmy-ui/issues/456

    • sunaurus@lemm.eeOP
      link
      fedilink
      arrow-up
      1
      ·
      2 years ago

      Did you figure out how to clean it up? You can see a list of users in your local_user table.

      • BigDale123@lemmy.coeus.icu
        link
        fedilink
        arrow-up
        0
        ·
        edit-2
        2 years ago

        I did manage to get a list of all users without a verified email using a postgress command, but sadly no, I can not figure out how to use the PurgePerson or AdminPurgePerson endpoints that are “described” in the documentation. I ended up just writing a small python script to ban all of them for now until I can figure out how to purge them.

        It’s extra tough because user management in Lemmy is tied to posts and comments right now. Since none of the spam accounts have made posts, there’s no way in the UI to purge their accounts.