this post was submitted on 20 Jun 2023
57 points (98.3% liked)

Lemmy

12557 readers
2 users here now

Everything about Lemmy; bugs, gripes, praises, and advocacy.

For discussion about the lemmy.ml instance, go to !meta@lemmy.ml.

founded 4 years ago
MODERATORS
 

Today, a bunch of new instances appeared in the top of the user count list. It appears that these instances are all being bombarded by bot sign-ups.

For now, it seems that the bots are especially targeting instances that have:

  • Open sign-ups
  • No captcha
  • No e-mail verification

I have put together a spreadsheet of some of the most suspicious cases here.

If this is affecting you, I would highly recommend considering one of the following options:

  1. Close sign-ups entirely
  2. Only allow sign-ups with applications
  3. Enable e-mail verification + captcha for sign-ups

Additionally, I would recommend pre-emptively banning as many bot accounts as possible, before they start posting spam!

Please comment below if you have any questions or anything useful to add.


Update: on lemm.ee, I have defederated the most suspicious spambot-infested instances.

To clarify: this means small instances with an unnaturally fast explosion in user counts over the past day and very little organic activity. I plan to federate again if any of these instances get cleaned up. I have heard that other instances are planning (or already doing) this as well.

It's not a decision I took lightly, but I think protecting users from spam is a very important task for admins. Full info here: https://lemm.ee/post/197715

If you're an admin of an instance that's defederated from lemm.ee but wish to DM me, you can find me on Matrix: @sunaurus:matrix.org

top 50 comments
sorted by: hot top controversial new old
[–] poVoq@slrpnk.net 7 points 1 year ago (1 children)

This should be probably pinned.

[–] zShxck@lemmy.ml 1 points 1 year ago
[–] lvxferre@lemmy.ml 5 points 1 year ago (1 children)

This might be related but I've noticed that someone is [likely automatically] following my posts and downvoting them. Kind of funny in a 'verse without karma.

[–] Galloog1@kbin.social 1 points 1 year ago

Karma may mean nothing but the information space is a strategic domain.

[–] xavier666@lemm.ee 5 points 1 year ago (1 children)

CAPTCHA is the bare minimum. Who the hell turns it off?

[–] sunaurus@lemm.ee 2 points 1 year ago (4 children)

There is an argument to be made that captchas can be automatically bypassed with some effort.

OTOH, the current wave of bots is quite clearly favoring instances with captcha disabled, so clearly it's acting as at least a small deterrent.

[–] PaintedSnail@kbin.social 3 points 1 year ago (1 children)

Sometimes, security just means not being the low-hanging fruit.

[–] genoxidedev1@kbin.social 4 points 1 year ago

Doing no captcha is like leaving the door open, hoping no-one breaks in, instead of at least closing the door (a closed door decreases chance of break in by near 100%, even if it's not locked)

[–] alphapro784@lemmy.ml 1 points 1 year ago

It seems that the devs are considering to use mCaptcha. Link to the discussion

[–] ZILtoid1991@kbin.social 1 points 1 year ago

Some advanced OCR can hack the easier ones, but it's unusual.

[–] getBoolean@kbin.social 1 points 1 year ago (1 children)

captchas block script kiddies at the very least

[–] noodlejetski@kbin.social 2 points 1 year ago (1 children)

there's a browser addon that lets you solve Recaptcha with one click:
https://addons.mozilla.org/en-US/firefox/addon/buster-captcha-solver/

it automatically switches to the alternative accessibility option, which is based on typing in words that you hear, and uses speech recognition software to solve it. I'm fairly sure it could be automated quite easily.

[–] etrotta@kbin.social 1 points 1 year ago

Still way better than nothing at all

[–] db0@lemmy.dbzer0.com 5 points 1 year ago (1 children)

Here we go: https://overseer.dbzer0.com/

API doc: https://overseer.dbzer0.com/api/

curl -X 'GET' \
  'https://overseer.dbzer0.com/api/v1/instances' \
  -H 'accept: application/json'

Will spit out suspicious instances based on fediverse.observer . You can adjust the threshold to your own preference.

[–] sunaurus@lemm.ee 2 points 1 year ago (1 children)

Nice! Would be cool if you could also include current statuses of captchas, emails, and application requirements.

[–] db0@lemmy.dbzer0.com 1 points 1 year ago (1 children)

Tell me how to fetch them and it will. ;)

[–] sunaurus@lemm.ee 2 points 1 year ago (1 children)

I think the easiest option is to just iterate through the list of suspicious instances, and then check {instance_url}/api/v3/site for each of them. Relevant keys of the response json are site_view.local_site.captcha_enabled, site_view.local_site.registration_mode, and site_view.local_site.require_email_verification.

Since it's a bunch of separate requests, probably it makes sense to do these in parallel and probably also to cache the results at least for a while.

[–] db0@lemmy.dbzer0.com 2 points 1 year ago

It occurs to me that this kind of thing is better left to observer, as it's set up to poll instances and gather data. I would suggest you ask them to ingest and expose this data as well

[–] Admin@startrek.website 5 points 1 year ago (1 children)

Thanks for the heads up, StarTrek.website has enabled CAPTCHA and purged the bots from our database.

[–] SpaceCowboy@lemmy.ca 2 points 1 year ago

Starfleet takes changeling infiltrations seriously :P

[–] Somoon@lemmy.sumuun.net 4 points 1 year ago* (last edited 1 year ago) (1 children)

It was brought to my attention that my instance was hit with the spam bots regs. I've disabled registration and deleted the accounts from the DB. is there anything else I can do to clear the user stats on the sidebar? EDIT: I have reversed the stats too.

[–] sunaurus@lemm.ee 1 points 1 year ago

You can do this by updating site_aggregates.users in your database (WHERE site_id = 1)

[–] dylcal13@lemmy.coeus.icu 3 points 1 year ago* (last edited 1 year ago) (2 children)

Any tips on how to get rid of all the spam accounts? I have been affected by this as well and thankfully captcha stopped them, but about 100 bots signed up before I could stop.

Normally i'd just look through all the accounts and pick out the 4 or so users that are real. But there is no apparent way to view every user account as an admin.

Edit: There is a relevant issue open on the lemmy-ui repo, for those interested: https://github.com/LemmyNet/lemmy-ui/issues/456

[–] th3raid0r@tucson.social 1 points 1 year ago (1 children)

Fun fact, they're removing Captcha in the next release.

I won't be upgrading and I anticipate I'll be defederating with any instance that upgrades to v0.18.

Source - https://github.com/LemmyNet/lemmy/issues/2922

[–] dylcal13@lemmy.coeus.icu 1 points 1 year ago

That is true, but because of the recent spam wave there is also an issue to re-add captcha. https://github.com/LemmyNet/lemmy/issues/3200

We'll just have to see how it all shakes out.

[–] sunaurus@lemm.ee 1 points 1 year ago (2 children)

Did you figure out how to clean it up? You can see a list of users in your local_user table.

load more comments (2 replies)
[–] db0@lemmy.dbzer0.com 3 points 1 year ago
[–] db0@lemmy.dbzer0.com 2 points 1 year ago
[–] Fredselfish@lemmy.ml 2 points 1 year ago

One thing I like about lemmy was having to put in an application and waiting for approval. I knew I was vetted and others here were too.

Figure that alone could keep out most of the trolls and definitely the bots.

[–] Zamboniman@lemmy.ca 2 points 1 year ago

Today, a bunch of new instances appeared in the top of the user count list. It appears that these instances are all being bombarded by bot sign-ups.

Yup, I noticed this as well.

Hopefully the mods of the instances will notice this and remove these accounts quickly! Despite this, I think the mods of all instances, and of all communities, had better brace themselves for incoming spam and hate speech.

[–] d4rknusw1ld@lemmy.ml 2 points 1 year ago (2 children)

Sounds like a spez sponsored attack on Lemmy.

[–] YMS@kbin.social 3 points 1 year ago

Or just the unavoidable spam bot accounts coming as long as it's easy and the instance operators being still unprepared.

I highly doubt spez did this. Reddit is currently doing fine. Even if it all goes away he's sitting on over a decade of genuine human conversations he can sell to AI companies and make millions. He isn't worried.

[–] rm_dash_r_star@lemm.ee 2 points 1 year ago

I know from talking to admins when pbpBB was really popular that fighting spammers and unsavory bots was the big workload in running a forum. I'd expect the same for Fediverse instances. I hope a system can be worked out to make it manageable.

As a user I don't have a big problem with mechanisms like applications for the sake of spam control. It's hugely more convenient when an account can be created instantaneously, but I understand the need.

I do wonder how the fediverse is going to deal with self-hosting bad actors. I would think some kind of vetting process for federation would need to exist. I suppose you could rely on each admin to deal with that locally, but that does not sound like an efficient or particularly effective solution.

[–] badbrainstorm@lemmy.ml 1 points 1 year ago

I'm noobish, but could they be defederated until they get their act together before they spam everybody?

[–] fax@lemm.ee 1 points 1 year ago

had to create an account to post since my comments from sffa.community and kbin.social weren't showing up.

I'm an admin over at sffa.community. We did notice the bot wave. They never got past email verification. We hve since implemented CAPTCHA and have purged the bots from our database.

You can see we are down to organic users. We've only been officially open for a couple weeks so we're still working on content but we are safe to federate with again, if you'd like.

[–] livejamie@lemm.ee 1 points 1 year ago* (last edited 1 year ago)

Taking a cursory look at the top 3 it looks like they're trying to remove people but I don't know if there's a way for them to do it in bulk:

It also seems like they're banning a lot of the same names/accounts, a lot of rabbitea.rs accounts seem to show up.

[–] tal@kbin.social 1 points 1 year ago

I suspect that there's going to need to be some analysis software that can run on the kbin and lemmy server logs looking for suspicious stuff.

Say, for instance, a ton of accounts come from one IP. That's not a guarantee that they're malicious -- like, could be some institution that NATs connections or something. But it's probably worth at least looking at, and if someone signed up 50 accounts from a single IP, that's probably at least worth red-flagging to see if they're actually acting like a normal account. Especially if the email provider is identical (i.e. they're all from one domain).

Might also want to have some kind of clearinghouse for sharing information among instance admins about abuse cases.

One other point:

I would recommend pre-emptively banning as many bot accounts as possible,

A bot is not intrinsically a bad thing. For example, I was suggesting yesterday that it would be neat if there was a bot running that posted equivalent nitter.net links in response to comments providing twitter.com links, for people who want to use those. There were a number of legitimately-helpful bots that ran on Reddit -- I personally got a kick out of the haiku bot, that mentioned to a user when their comment was a haiku -- and legitimately-helpful bots that run on IRC.

Though perhaps it would be a good idea to either adopt a convention ("bots must end in "Bot") or have some other way for bots to disclose that they are bots and provide contact information for a human, in case they malfunction and start causing problems.

But if someone is signing up hordes of them, then, yeah, that's probably not a good actor. Shouldn't need a ton of accounts for any legit reason.

[–] freeskier@centennialstate.social 0 points 1 year ago* (last edited 1 year ago) (1 children)

Looks like my instance got hit with a bot. I had email verification enabled but had missed turning on captcha (captcha enable should be up with enabling email verification settings). The bot used fake emails so none of the accounts are verified, but still goes towards account numbers. Is there really any good way to clean this up? Need a way to purge unverified accounts or something.

[–] sunaurus@lemm.ee 1 points 1 year ago (1 children)

How comfortable are you with SQL? You can see all unused verifications in the email_verification table. You should be able to just delete those users from local_user, and then update your user count with the new count of the local_user table in site_aggregates.user (where site_id = 1)

[–] voldern@lemmy.ml 4 points 1 year ago

Thank you for proactively contacting me regarding this @sunaurus@lemm.ee. I've had this issue on my https://feddi.no instance, but I have added a captcha and registration applications now. Hopefully it will alleviate some of the problem.

All of the bots accounts seems to have a number in their email so I manually looked through the list of users in email_verification that contained numbers in the email to look for false positives:

select * from email_verification where email ~ '[0-9]+';

before running

delete from local_user where id in (select local_user_id from email_verification);

to delete the users.

By suggestion from @sunaurus@lemm.ee I updated site_aggregates to reflect the new users count on the instance:

UPDATE site_aggregates SET users = (SELECT count(*) FROM local_user) WHERE site_id = 1;.

load more comments
view more: next ›