This is indeed not an ideal situation, but I guess on most instances this isn't possible. I agree instances should require a captcha of some sort for signing up.
Unfortunately, Lemmy devs removed captchas recently (https://github.com/LemmyNet/lemmy/issues/2922), so email verification and/or rate limiting is probably the only real option for protection.
I saw some small instance owners saying they were going to enable open registration and I couldn't help thinking how bad an idea that sounded all around... For exactly a situation such as this inevitably emerging.
I was playing a bit with the API today and yeah, it might even be a bit too easy at the moment. You can easily use that army of Lemmy bots to upvote all your posts.
We should probably make it very clear in tutorials and setup guides that no email verification and no captcha is very insecure.
Fuck captcha