this post was submitted on 20 Jun 2023
286 points (99.7% liked)
Announcements
765 readers
1 users here now
Official announcements from the Lemmy project. Subscribe to this community or add it to your RSS reader in order to be notified about new releases and important updates.
You can also find major news on join-lemmy.org
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Peeps, I am seeing some really worrying trends on https://lemmy.fediverse.observer/list. Many instances are quickly filling up with thousands of spam accounts which will soon be unleashed on the threadiverse. While bots can bypass captchas, they at least limit the simplest scripts. We are going to face this really really soon https://lemmy.dbzer0.com/post/87753
Can we at least add support for disabling VPNs, or using some other captcha solution like recaptcha? IP rate limiting is useless with VPNs, and email verification is more trivially bypassed than the current captchas.
I like the ideas of good captchas or text applications to join. However, using one's IP kinda goes against the idea of privacy. I'd prefer if we find alternatives.
One alternative that already exists and has been working well for instances that use it is an application process.
The server can see your IP when you connect to it and IPs are not sensitive either way. That's not a privacy issue.
I'll paste my comment to @[email protected], which also applies in this situation: I see your point. What if I use VPNs with a killswitch? —meaning that I can only ever connect to the internet through my VPN. What if someone is avoiding surveillance from their government? Should they disable their killswitch and risk them finding out they're part of something 'political' like Lemmy?
Using an IP in this way has no impact on privacy. Instances already have your IP info as a result of interacting with them.
I see your point. What if I use VPNs with a killswitch? —meaning that I can only ever connect to the internet through my VPN. What if someone is avoiding surveillance from their government? Should they disable their killswitch and risk them finding out they're part of something 'political' like Lemmy?
I would also imagine some tooling to make it easier to remove spam accounts might be helpful, especially if they start acting up.
Additionally, even once spam bot users have been banned or bounced by failed email verification or whatever, they continue toward the user count of the instance. Not really a functional problem, but the growth of lemmy is garnering some attention, and with the bot account explosion, this growth looks astounding.
It may become a rather bad look once lemmy’s user count is basically seen to be all spam bots.
So maybe some way to adjust user counts? I’ve seen something like this in the GitHub issues I think.
See, eg: https://botsin.space/@threadcount/110581723322900741
A bot reporting on the growth of lemmy has ceased posting because the numbers are clearly bloated and wrong.
How can you tell they're spam accounts btw?
Small instance, open signups, rapidly growing users. On balance, given the issues others are having, it's probably bots creating the accounts.
On my instance if you looked in the database they all had gmail emails and all had the same pattern to the email. We were adding 20 users a day, then suddenly had 100 new accounts in an hour. There was a lot of talk from other instance admins seeing the same thing.
On top of that there's also activity, I saw a server with only 7 posts for 6K users, there's no way those are real people.