this post was submitted on 21 Jun 2023
433 points (99.5% liked)

Meta (lemm.ee)


Hello, lemmings!

I want to write a quick post about the recent wave of spam users on the federated network, and what steps I am taking to protect lemm.ee.

TL;DR:

  • Tens of thousands of bots are signing up on small unprotected Lemmy instances. lemm.ee has not been targeted so far.
  • To protect lemm.ee users from spam, I am going to start defederating such instances immediately.
  • If spam bots start signing up on lemm.ee in the future, I will be (temporarily) closing new sign-ups until we have better tools to deal with bots.

Read on for more details!

Background

In the past few days, the growth of Lemmy user counts across the whole network has increased exponentially:

While there’s no question that this growth includes a big amount of real people coming over from Reddit, unfortunately, there is also a huge amount of automated sign-ups by bots.

For now, lemm.ee has not been affected by automated sign-ups. Bots seem to be avoiding instances which employ some or all of the following protections:

  • E-mail verification
  • Captcha on sign-up
  • Sign-up applications with manual review

Currently, lemm.ee employs e-mail verification and captchas.

There is a large amount of instances out there which don’t employ any of these protections. These are the instances the bots are mainly targeting. Most of these instances seem to be very small and not very active (often having <10 organic users and very few communities or posts). Some of these instances have taken notice of the bots and have begun taking steps to remove the bots and tighten up their sign-ups, but the majority have done nothing to combat the situation.

If you’re interested, I am maintaining a (non-comprehensive) list of most likely affected instances here. I have been updating it every now and then since yesterday in hopes of seeing positive change, but unfortunately, the situation seems to be getting worse.

Up until yesterday, these bots were mostly just quietly sitting there, but as of today, the bots have started posting spam. I have already been moderating several cases of automated spam, but I can only do this reactively.

Current solution: defederating spambot-infested instances

As I have mentioned previously in other threads, I do not really want to defederate any legitimate instances, but I will defederate instances which are actively making Lemmy worse for lemm.ee users. It seems clear in this case that the bots are planning to create a bad experience for all legitimate users, and that the only way to really limit the effect of these bots is to defederate the instances where they are joining uncontrollably.

This is a lose-lose situation - if we don’t defederate them, then we risk exposing all lemm.ee users and communities to massive amounts of spam, but if we do defederate them, we are cutting off small instances who are clearly already struggling. I really like the idea of federated networks and people being able to curate their own feed from whatever instances they enjoy, so I do not make any defederation decisions lightly. At the end of the day, I can only choose the lesser evil, which at the moment does seem to be defederation.

Going forward, I will be regularly checking for spambot instances. If I detect new ones, I will be defederating lemm.ee from them immediately. Less regularly, I will also be checking to see if any of the instances have taken steps to deal with the bots - if they have, then I am planning to federate with them again. If anybody is interested in getting a cleaned up instance federated again, feel free to contact me over DM (if you're currently defederated, you can contact me on Matrix: @sunaurus:matrix.org).

What are the criteria for defederation?

While I don’t want to give out the exact details (it would just help spam bots with evading defederation), I can tell you in broad strokes that I am focused on defederating small instances with unnaturally huge user growth. I am currently not planning to defederate any popular instances with large communities and active moderation.

What does defederation mean for me as a lemm.ee user?
  • You will not be able to see any new posts or comments from defederated instances made on ANY instance.
    • You will still be able to see old ones that they made before defederation
  • Users from defederated instances will not be able to post or comment at all in communities hosted on lemm.ee

Future: if lemm.ee gets hit by spam bots, then sign-ups will be (temporarily) closed

While it’s true that we so far have not had a problem with automated sign-ups at lemm.ee, it is for sure possible that the bots in the future will be improved to automate e-mail verification and captcha solving. I do have some additional measures in place already to protect us, but nothing is guaranteed.

If it does happen that lemm.ee sign-ups become a target for spam sign-ups, I am intending to completely close sign-ups until there are better tools to deal with bots. There are several such tools already proposed, and I am planning to start development on one of them next month, so hopefully any potential closing of sign-ups would not last very long!

I want to emphasize that even if we end up closing sign-ups, your communities on lemm.ee will still be able to grow. As always, users from any federated instance will be able to subscribe to your communities and interact in all the ways that a local lemm.ee user would be able to.

To conclude, I really hope that this news does not ruin the experience for any of our users.

It's honestly a really bad situation and I wish I wouldn't have to be writing this post right now, but the reality is that things like this happen from time to time. We just have to deal with it in the best ways that we can. If you have any feedback or thoughts about any of this, please leave a comment below!
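As an added illustration that is not part of the original post and is not lemm.ee's actual (undisclosed) criteria: a minimal triage sketch that combines the three sign-up protections listed in the post with the "small instance, unnaturally huge user growth" signal, and exempts established active instances. The field names, thresholds, and sample instances are all assumptions constructed for this example.

```python
from dataclasses import dataclass

# All thresholds are assumptions made for this example.
ESTABLISHED_ACTIVE_USERS = 1000   # "popular instances with large communities"
MIN_NEW_USERS = 1000              # ignore small absolute jumps
GROWTH_FACTOR = 20                # user count multiplied by this within the window


@dataclass
class InstanceSnapshot:
    domain: str
    users_before: int        # registered users at the start of the window
    users_now: int           # registered users at the end of the window
    active_users: int        # accounts that posted or commented in the window
    email_verification: bool
    captcha: bool
    manual_applications: bool


def has_signup_protection(s):
    """True if the instance uses any of the three protections the post lists."""
    return s.email_verification or s.captcha or s.manual_applications


def has_growth_spike(s):
    """Large absolute jump that is also a large multiple of the earlier size."""
    new_users = s.users_now - s.users_before
    return (new_users >= MIN_NEW_USERS
            and s.users_now >= GROWTH_FACTOR * max(s.users_before, 1))


def triage(s):
    """Return 'keep', 'review-for-defederation', 'watch' or 'ok'."""
    if s.active_users >= ESTABLISHED_ACTIVE_USERS:
        return "keep"  # established, active instance: not a candidate
    spike, unprotected = has_growth_spike(s), not has_signup_protection(s)
    if spike and unprotected:
        return "review-for-defederation"
    if spike or unprotected:
        return "watch"
    return "ok"


# Constructed sample data; the domains and numbers are invented.
SAMPLES = [
    InstanceSnapshot("tiny-open.example", 12, 14500, 4, False, False, False),
    InstanceSnapshot("big-busy.example", 40000, 65000, 9000, True, True, False),
    InstanceSnapshot("small-quiet.example", 5, 9, 3, False, False, False),
    InstanceSnapshot("small-guarded.example", 30, 45, 8, True, False, False),
    # A previously flooded instance after clean-up and enabling captcha.
    InstanceSnapshot("cleaned-up.example", 14500, 20, 6, False, True, False),
]


def triage_all(samples=SAMPLES):
    return {s.domain: triage(s) for s in samples}


if __name__ == "__main__":
    for domain, decision in triage_all().items():
        print(f"{domain:24} {decision}")
```

The output is a review queue for a human admin, not an automatic block list; the last sample shows how a cleaned-up instance drops back to "ok" and becomes eligible for re-federation.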

[–] [email protected] 32 points 1 year ago (1 children)

I've heard many people lamenting defederation. Mindful defederation is an extremely important tool to prevent abuse, both by malicious actors and by corporate interests ("They're the same picture"), especially in this time of rapid fediverse expansion. It is important for instance operators to understand that "If you don't play nice, you will be forced to sit in the corner." Demonstrating the consequences of "not playing nice" will sort out not only the present issues with bot accounts, but also act as a warning to other instances and potential instances.

Rather than lamenting defederation, I believe that mindful defederation should be applied with some haste, at least for now. As you mentioned, it does not have to be permanent. It's like a nuclear bomb that you can unexplode.

[–] [email protected] 25 points 1 year ago

Thank you for always being at the forefront of the fight against problems that affect Lemmy. I'm glad I chose this instance as my home.

[–] [email protected] 23 points 1 year ago (1 children)

I know the situation really sucks, but I'm really glad I happened to join an instance with such a competent host. Not just decisions like this but also your approach to the infrastructure.

Thanks for all your ongoing efforts, and transparency with the community.

[–] [email protected] 11 points 1 year ago

I was thinking the exact thing, I really got lucky with my choice of host (thanks to HN)

[–] [email protected] 22 points 1 year ago

Thank you for being proactive and defending the health of the community.
I really appreciate the open and clear communication.

I don’t know enough about how Lemmy works to offer suggestions, but I’ll try to bone up soon and see if I can offer suggestions.

[–] [email protected] 16 points 1 year ago

Excellent work and thank you for being transparent in your decision. I think it was the right call and I appreciate your work on contributing to the Lemmy code base.

[–] [email protected] 16 points 1 year ago

That's exactly how I would do it!

[–] [email protected] 15 points 1 year ago

Thanks for all the hard work you're putting on this. Initially I thought that running an instance would pretty much have monetary cost only and not much time invested after things were set up. But looks like this is consuming your time as much as a full time job, all to make our experience better. Thanks a lot

[–] [email protected] 15 points 1 year ago

I think this is a good idea.. Some instances don’t seem to take action and are growing quickly!

I’m gonna do the same on Geddit to be sure 👌🏻🥰

[–] [email protected] 14 points 1 year ago (3 children)

I just want to take this opportunity to say - I'm a real person! :)

[–] [email protected] 10 points 1 year ago* (last edited 1 year ago) (1 children)

Let me guess GuyDudeman, you also work in the "business factory" ? How do we know that you aren't just 3 bots stacked on top of each other in a trench coat?

[–] [email protected] 9 points 1 year ago

Nice try, bot.

[–] [email protected] 6 points 1 year ago

I am one of the people of all time.

[–] [email protected] 13 points 1 year ago* (last edited 1 year ago) (1 children)

Thanks for the heads up on that. Initially I thought defederation was a bad thing as in admins deciding for me what content I can and can not have access to. Now I see it's a necessary evil in preventing exploitation by spammers and bots. Thanks for staying on top of this and preserving instance quality.

It would be nice to see some kind of federation council (for lack of a better phrase) that could vet the inception of new instances. Would really take the load off admins in ferreting out the bad ones.

[–] [email protected] 7 points 1 year ago

> Initially I thought defederation was a bad thing as in admins deciding for me what content I can and can not have access to.

That's because the first major incident involving defederation was done by beehaw, which absolutely did NOT need to defederate. Their actions were like the equivalent of chopping a leg off because they got a few superficial cuts.

[–] [email protected] 13 points 1 year ago (1 children)

It's pretty darn interesting that instead of an entire site having to deal with spam issues, you can simply cut them off the back of the train before they latch onto you! And the future of Lemmy is easily gonna be based on safe sign-in instances and bots are merely gonna push people to that. All solvable with time and proper responses like this in this changing age.

[–] [email protected] 13 points 1 year ago (1 children)

Looking at it differently, instead of a centralized anti-spam approach, you now depend on numerous instance admins taking anti-spam measures, and/or your instance admin to not only take anti-spam measures on their own instance but evaluate and moderate other instances too.

[–] [email protected] 5 points 1 year ago

In my head, I think the future will lead to a bunch of community moderators coming together to create some kinda League of Extraordinary Instances. A place where these moderators gather and keep their sites and those they help look out for in top shape. All community driven. Things might be messy now, but this might eventually set into place... Hell, it may have already happened with just how fast news spread of reddit 3rd party app designers working on Lemmy versions. Exciting messy times we're in!

[–] [email protected] 13 points 1 year ago

I'm so glad I chose this instance, keep up the fantastic work.

[–] [email protected] 13 points 1 year ago

this seems like a reasonably measured response. thanks sunaurus

[–] [email protected] 12 points 1 year ago* (last edited 1 year ago)

I just want to say thanks for working on this issue!

I have signed up for and evaluated many lemmy instances and ended up choosing this as my main.

I think I made the right choice given your thoughtful process and work for the users of this instance.

Thanks!

[–] [email protected] 11 points 1 year ago (1 children)

Spam has long been the corrosion eating away at internet services. It killed Usenet, and nearly did email.

[–] [email protected] 10 points 1 year ago (1 children)

I fully approve of the decisions.

Can you share what these bots are spamming about (the topic), so that the community is aware that discussion of the said topic might not be fully organic?

[–] [email protected] 22 points 1 year ago (1 children)

The ones I've banned were all posting an identical message about some remote work opportunity, with some sketchy looking link 😅

[–] [email protected] 10 points 1 year ago

Lmao, this is the same set of spams that my university has occasionally.

Check if any spam bots are selling pianos for $500 as well.

[–] [email protected] 10 points 1 year ago (1 children)

Completely unrelated, but lemmys.ee would be a great instance domain name.

[–] [email protected] 10 points 1 year ago (1 children)

Can we have a public, continuously updated list of communities we are defederated from?

[–] [email protected] 21 points 1 year ago* (last edited 1 year ago) (3 children)

when you're on the lemm.ee instance, scroll to the very bottom of the page and click on the "instances" link. that page shows "linked" instances on the left column and "blocked" instances on the right column. "linked" are the instances we're federated with(grows naturally), and "blocked" are the instances that sunaurus elected to defederate with. you can go to any instance and look at their lists too, even without an account, so they are very publicly visible.

is that what you're looking for?

side-note: before today our blocked instances list was empty every time i checked, which i do fairly often.

[–] [email protected] 8 points 1 year ago

That's awesome, thanks for the info. I didn't realize that existed

[–] [email protected] 9 points 1 year ago* (last edited 1 year ago) (1 children)

Thank you for doing this. I have been watching the user stats, and it's very clear which instances are being targeted.

Defederation should only be considered when there is a potential for serious damage to the community. Given the volume of spambots (there are a few small instances with >10,000 new "users"), defederation is the right solution in these cases. No amount of extra mods can help delete comments from tens of thousands of spambots. If it's a more manageable number of bad actors, then defederation should not be used (looking at you, beehaw).

I don't know if you want to comment publicly, but I remember seeing some discussion with the lemmy devs over implementation of captcha. Was that resolved?

[–] [email protected] 7 points 1 year ago (1 children)

There are now plans for an improved captcha & it seems like the existing weak captcha (which was previously removed for 0.18) is being re-added into the code as a temporary solution!

[–] [email protected] 9 points 1 year ago

Thanks so much for publishing your findings re: spambot-afflicted instances. Even though I'm from kbin, this should mean lemm.ee's actions will help improve the rest of the threadiverse, too.

[–] [email protected] 9 points 1 year ago (2 children)

Couldn't help but think that the big social media like FB or Reddit might be behind such spam attacks.

[–] [email protected] 6 points 1 year ago

Could be the spam farms that crawl reddit are seeing a drop in engagement and are branching out, or some enterprising assholes are trying to get an early foothold while they think no one's paying attention.

[–] [email protected] 8 points 1 year ago (2 children)

spez ordering these spambots to target lemmy because he thinks that the new users will be more likely to get back to reddit in these conditions 😂

[–] [email protected] 8 points 1 year ago

I was thinking the other day what purpose does defederating serve? I tend to maintain a neutral stance when it comes to things. Lately have learned of a few negative reasons for defederating, was wondering what are the positive aspects? With your efforts you have showed me. Thanks for letting us know and for your efforts ☺️

[–] [email protected] 8 points 1 year ago (1 children)

Thanks for the communication, sounds like a solid plan. Do you have an opinion on the removal of captcha for Lemmy v .18?

[–] [email protected] 8 points 1 year ago

The current plan is to actually replace it with something better, which overall is a good thing.

I'm definitely worried that the next release will come out with the old captcha already removed and no alternative in place yet. This would be leaving many instances who decide to update vulnerable to the current bots if they don't put in alternate mitigations.

[–] [email protected] 8 points 1 year ago

I agree with this entirely. Defed the instances that are allowing spam to rise. They will bring all the other instances down if no action is taken. This is all part of natural selection.

[–] [email protected] 8 points 1 year ago

Given the tools that we have currently, this seems like the best approach. Still, defederation feels like using a nuke to handle a pest problem, which I think will be especially apparent once bots start appearing on more established instances where defederation will have more apparent consequences. It seems like you're working towards a better solution, can you share anything about what you're planning? (Without giving any tips to bad actors about evasion, obviously)

Personally, I'm wondering if there could be a way for an instance with bot filters to put users on other instances through similar filters before allowing the users to use/post in their communities. Like, for example a user from a tiny instance might have to do a captcha to get post/comment access on a lemm.ee community, while a beehaw user could be auto whitelisted since the same thing isn't a problem on their instance. It would obviously take some overhauls to the community filters/join process, but I feel like it could be feasible

[–] [email protected] 7 points 1 year ago

I fully support this.

[–] [email protected] 7 points 1 year ago

Thank you, this is exactly the kind of action we need. I have started building a small instance and have controls in place, so fortunately I haven't yet been impacted. But I expect the spammers will start hitting the instances with controls once the easy targets dry up. I'll be updating my blocklist periodically with the data you're publishing.

[–] [email protected] 6 points 1 year ago

Thank you! I feel so informed & connected to this community, I can't tell you how much I appreciate your hard work & taking fast action against spam bots.

[–] [email protected] 6 points 1 year ago

I’m sure a captcha would stop all bots. They are robots so they won’t press on the “I’m not a robot” prompt 😎😎😎 easy fix

[–] [email protected] 6 points 1 year ago (2 children)

Here I am, struggling to set up an instance trying to make sense of the documentation that's not complete, meanwhile people who successfully are running an instance, don't take good care of them. SMH.

[–] [email protected] 6 points 1 year ago

Sounds sensible. Lemmy is going to have a rough time as reddit burns, if people come en masse the current growth rate is only going to look small by comparison. Using the tools federation gives you seems to be the right way to handle it.
