8
There is currently a huge wave of automated spambot sign-ups on other Lemmy instances. This post explains how lemm.ee will respond. - lemm.ee
lemm.ee# Hello, lemmings! I want to write a quick post about the recent wave of spam
users on the federated network, and what steps I am taking to protect lemm.ee
[http://lemm.ee]. TL;DR: * Tens of thousands of bots are signing up on small
unprotected Lemmy instances. lemm.ee [http://lemm.ee] has not been targeted so
far. * To protect lemm.ee [http://lemm.ee] users from spam, I am going to start
defederating such instances immediately. * If spam bots start signing up on
lemm.ee [http://lemm.ee] in the future, I will be (temporarily) closing new
sign-ups until we have better tools to deal with bots. Read on for more details!
### Background In the past few days, the growth of Lemmy user counts across the
whole network has increased exponentially:
[https://lemm.ee/pictrs/image/724334e0-daed-4ff9-b7a4-89fe2fc01df2.webp] While
there’s no question that this growth includes a big amount of real people coming
over from Reddit, unfortunately, there is also a huge amount of automated
sign-ups by bots. For now, lemm.ee [http://lemm.ee] has not been affected by
automated sign-ups. Bots seem to be avoiding instances which employ some or all
of the following protections: * E-mail verification * Captcha on sign-up *
Sign-up applications with manual review
Currently, lemm.ee [http://lemm.ee] employs e-mail verifiaction and captchas.
There is a large amount of instances out there which don’t employ any of these
protections. These are the instances the bots are mainly targeting. Most of
these instances seem to be very small and not very active (often having <10
organic users and very few communities or posts). Some of these instances have
taken notice of the bots and have begun taking steps to remove the bots and
tighten up their sign-ups, but the majority have done nothing to combat the
situation. If you’re interested, I am maintaining a (non-comprehensive) list of
most likely affected instances here
[https://docs.google.com/spreadsheets/d/e/2PACX-1vRthB7RtY4Rr0t5fhVKaliJnwSmptMc5oJi7uha_OBcF4wpu4eElxAxNzaCqjlq6NsOE9GpgSnMzZ2x/pubhtml].
I have been updating it every now and then since yesterday in hopes of seeing
positive change, but unfortunately, the situation seems to be getting worse. Up
until yesterday, these bots were mostly just quietly sitting there, but as of
today, the bots have started posting spam. I have already been moderating
several cases of automated spam, but I can only do this reactively. ### Current
solution: defederating spambot-infested instances As I have mentioned previously
in other threads, I do not really want to defederate any legitimate instances,
but I will defederate instances which are actively making Lemmy worse for
lemm.ee [http://lemm.ee] users. It seems clear in this case that the bots are
planning to create a bad experience for all legitimiate users, and that the only
way to really limit the effect of these bots is to defederate the instances
where they are joining uncontrollably. This is a lose-lose situation - if we
don’t defederate them, then we risk exposing all lemm.ee [http://lemm.ee] users
and communities to massive amounts of spam, but if we do defederate them, we are
cutting off small instances who are clearly already struggling. I really like
the idea of federated networks and people being able to curate their own feed
from whatever instances they enjoy, so I do not make any defederation decisions
lightly. At the end of the day, I can only choose the lesser evil, which at the
moment does seem to be defederation. Going forward, I will be regularly checking
for spambot instances. If I detect new ones, I will be defederating lemm.ee
[http://lemm.ee] from them immediately. Less regularly, I will also be checking
to see if any of the instances have taken steps to deal with the bots - if they
have, then I am planning to federate with them again. If anybody is interested
in getting a cleaned up instance federated again, feel free to contact me over
DM (if you’re currently defederated, you can contact me on Matrix:
@sunaurus:matrix.org). ##### What is the criteria for defederation? While I
don’t want to give out the exact details (it would just help spam bots with
evading defederation), I can tell you in broad strokes that I am focused on
defederating small instances with unnaturally huge user growth. I am currently
not planning to defederate any popular instances with large communities and
active moderation. ##### What does defederation mean for me as a lemm.ee
[http://lemm.ee] user? * You will not be able to see any new posts or comments
from defederated instances made on ANY instance. * You will still be able to see
old ones that they made before defederation * Users from defederated instances
will not be able to post or comment at all in communities hosted on lemm.ee
[http://lemm.ee] ### Future: if lemm.ee [http://lemm.ee] gets hit by spam bots,
then sign-ups will be (temporarily) closed While it’s true that we so far have
not had a problem with automated sign-ups at lemm.ee [http://lemm.ee], it is for
sure possible that the bots in the future will be improved to automate e-mail
verification and captcha solving. I do have some additional measures in place
already to protect us, but nothing is guaranteed. If it does happen that lemm.ee
[http://lemm.ee] sign-ups become a target for spam sign-ups, I am intending to
completely close sign-ups until there are better tools to deal with bots. There
are several such tools already proposed, and I am planning to start development
on one of them next month, so hopefully any potential closing of sign-ups would
not last very long! I want to emphasize that even if we end up closing sign-ups,
your communities on lemm.ee [http://lemm.ee] will still be able to grow. As
always, users from any federated instance will be able to subscribe to your
communities and interact in all the ways that a local lemm.ee [http://lemm.ee]
user would be able to. ### To conclude, I really hope that this news does not
ruin the experience for any of our users. It’s honestly a really bad situation
and I wish I wouldn’t have to be writing this post right now, but the reality is
that things like this happen from time to time. We just have to deal with it in
the best ways that we can. If you have any feedback or thoughts about any of
this, please leave a comment below!
Reputation Block Lists are lists used by many email server admins to reject incoming email from servers that have been caught spamming/scamming/phishing etc.
A similar system will probably be necessary for Lemmy at some point to block incoming posts from other dodgy Lemmy instances in realtime. The good thing about the system is that evidence must be provided to block a server and admins of the blocked server can request an unblock if they can show that they have fixed/removed the source of the abuse of their server.