Today, a bunch of new instances appeared in the top of the user count list. It appears that these instances are all being bombarded by bot sign-ups.
For now, it seems that the bots are especially targeting instances that have:
- Open sign-ups
- No captcha
- No e-mail verification
I have put together a spreadsheet of some of the most suspicious cases here.
If this is affecting you, I would highly recommend considering one of the following options:
- Close sign-ups entirely
- Only allow sign-ups with applications
- Enable e-mail verification + captcha for sign-ups
Additionally, I would recommend pre-emptively banning as many bot accounts as possible, before they start posting spam!
Please comment below if you have any questions or anything useful to add.
Update: on lemm.ee, I have defederated the most suspicious spambot-infested instances.
To clarify: this means small instances with an unnaturally fast explosion in user counts over the past day and very little organic activity. I plan to federate again if any of these instances get cleaned up. I have heard that other instances are planning (or already doing) this as well.
It’s not a decision I took lightly, but I think protecting users from spam is a very important task for admins. Full info here: https://lemm.ee/post/197715
If you’re an admin of an instance that’s defederated from lemm.ee but wish to DM me, you can find me on Matrix: @sunaurus:matrix.org
Maybe this is what’s implied or I’m just being silly; What is to stop a bad actor spinning up a Lemmy instance, creating a bunch of bot accounts with no restrictions, and spamming other instances? Would the only route of action be for the non spam instances to individually defederate the spam ones? Seems like that would be a bit of a cat and mouse situation. I’m not too familiar with the inner workings and tools that Lemmy has that would be useful in this situation
They can do this, and it is cat and mouse. But…
Email has shown us that there’s a playbook that kind of works here, but it’s not easy or pleasant.
That sounds like the best way to handle it.
I’ve been thinking about this as well. As a user of a private instance, I would be absolutely fine with a “federation application” much like user registration is currently.