There have been a number of comment spam attacks in various posts in a couple of /c’s that I follow by a user/individual who uses account names like Thulean*

For example: [email protected] in [email protected]

and [email protected] in [email protected]

edit: Also [email protected] in [email protected]

The posts have been removed or deleted by the respective /c’s mods, and the offending accounts banned, but you can see the traces of them in those /c’s modlogs.

The comments consist of an all-caps string of words with profanities, and Simpsons memes.

An attack on a post may consist of several repeated or similar looking comments.

This looks like a bored teenager prank, but it may also be an organization testing Lemmy’s systemic and collective defenses and ability to respond against spam and bot posts.

  • 𝒍𝒆𝒎𝒂𝒏𝒏@lemmy.dbzer0.com · 30 upvotes · 9 months ago

    A per-user rate limit of some sort could have reduced the attack surface I think? Something like that would be quite a bit of dev work to implement though…

    At least the situation was promptly resolved and users nuked, although R.I.P. to any smaller Lemmy servers that went down due to the massive spam wave

    • Scrubbles@poptalk.scrubbles.tech · 35 upvotes · 9 months ago

      Actually there is, spammers are kind of funny because they help solidify the platform long term for short term gains. Turns out rate limiting was broken in the latest release of Lemmy, and no one noticed until this latest attack. So, there’s a big fix and sounds like it’ll be patched in the latest version. Thanks spammer for helping us bugfix the platform to shore it up!

    • zabadoh@lemmy.ml (OP) · 8 upvotes · 9 months ago

      I’m not sure how extensive the spam wave was, nor how quickly the user was able to create an account and make the comments.

      I doubt that the quantity that I came across would be enough to take down a server, but that may be the point: To test lemmy’s collective defenses and response without drawing too much attention.

      A common IP address or address range ban file that’s frequently updated and downloaded by each instance might be another way to boost security.

      If this is actually an org attack, I’m guessing that we’ll see botnet DDOS comment and post attacks next.

      • sugar_in_your_tea@sh.itjust.works · 1 upvote · 9 months ago

        I highly doubt it’s an org attack, Lemmy just isn’t popular enough to see something like that.

        I don’t know if Lemmy has the ability to shadow ban, but those can be pretty effective for cases like this. It obviously wouldn’t help with a botnet attack, but it would help with your average, run of the mill pranksters.

        • zabadoh@lemmy.ml (OP) · 1 upvote · 9 months ago

          It’s part of the ol’ Big Tech playbook:

          If a promising emerging competitor emerges:

          1. Acquire the emerging competitor for cheap when it’s still small
          2. Copy the competitor’s best features to make them irrelevant
          3. Co-opt them with integration so the competitor’s users won’t see any advantage to staying with them
          4. Pollute the competitor’s content to make your own offering look better
          5. Steal the competitor’s best talent

          • sugar_in_your_tea@sh.itjust.works · 1 upvote · 9 months ago

            I mean it’s possible, but lemmy only has ~50k monthly active users. Reddit, on the other hand, is in the millions (>400M monthly active users last year, and >50M daily active users). Lemmy just isn’t anywhere in the ballpark of being a threat to anyone.

            I also think Lemmy has some architectural issues that will make it very difficult to scale to anywhere near Reddit size, even if it somehow gets the users.

            It’s a cool service, I just highly doubt it’s the target of any big campaign. And that’s a big part of why I’m here, it’s big enough to have interesting communities, but small enough to avoid most of the spam.

    • Atemu@lemmy.ml · 2 upvotes · 9 months ago

      This wouldn’t really solve the issue as the user could rather simply create as many accounts as they like to circumvent per-account limits.

      • sugar_in_your_tea@sh.itjust.works · 3 upvotes · edited · 9 months ago

        That takes more effort though, especially if accounts require some kind of “not a robot” thing, like email verification, submitting an “essay,” etc. I’m not a fan of that and think a different moderation system would be preferred (prefer to not go into details here), but it’s easy and should be quite helpful.

        It’s not a “fix,” more of a mitigation.

        • haui@lemmy.giftedmc.com · 2 upvotes · 9 months ago

          Typical mistake by the comment above yours: anti-theft or anti-break-in measures don’t make it impossible to break in, they just make it harder and more time consuming. You don’t need to outrun the bear, you just need to outrun the person next to you.

          So this absolutely is a great idea.
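
The per-account limit and the account-rotation objection raised in the thread above, as an added example (not Lemmy's code and not written by any commenter): a sliding-window limiter applied per account only, then per account and per source IP, over constructed traffic. The limits, account names and documentation-range IP addresses are assumptions.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def would_allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:  # drop hits outside the window
            q.popleft()
        return len(q) < self.limit

    def record(self, key, now):
        self.hits[key].append(now)


def count_accepted(events, limiters):
    """events: (timestamp, account, ip) tuples in time order.
    limiters: {field index: limiter}. A comment is accepted only if every
    limiter allows it; rejected comments do not consume quota."""
    accepted = 0
    for ev in events:
        checks = [(lim, ev[idx]) for idx, lim in limiters.items()]
        if all(lim.would_allow(key, ev[0]) for lim, key in checks):
            for lim, key in checks:
                lim.record(key, ev[0])
            accepted += 1
    return accepted


# Constructed traffic: 20 throwaway accounts post 3 comments each from one
# address (one comment per second), plus a regular user posting twice.
SPAM = [(t, f"spam{t // 3:02d}", "203.0.113.7") for t in range(60)]
LEGIT = [(10, "alice", "198.51.100.4"), (40, "alice", "198.51.100.4")]
EVENTS = sorted(SPAM + LEGIT)


def per_account_only(events):
    # 3 comments per account per minute: rotation stays under every limit.
    return count_accepted(events, {1: SlidingWindowLimiter(3, 60)})


def per_account_and_ip(events):
    # Same account limit plus 6 comments per source IP per minute.
    return count_accepted(events, {1: SlidingWindowLimiter(3, 60),
                                   2: SlidingWindowLimiter(6, 60)})
```

The IP-keyed limit only raises the cost for a single-source spammer; traffic spread over many addresses, the botnet case mentioned in the thread, stays under it.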