Spam attack on Twitter/X rival Mastodon highlights 'fediverse' vulnerabilities - eviltoast
  • Dave@lemmy.nz
    link
    fedilink
    arrow-up
    113
    ·
    9 months ago

    I’m gonna take this opportunity to mention LemmyAutomod, for Lemmy instance admins.

    This massive spam attack was unrelenting, but it came in the form of a large number of spam posts that had a small amount of variation. Using the above tool, it really helped to catch most of the spam within seconds or minutes of being posted.

    The dev is really helpful, which is good because I needed some hand-holding, but it has been a fantastic tool with this latest spam wave being the first true test of it. When the spammers started posting images of URLs instead of links, the dev added functionality to detect images that were the same or similar to a reference image.

    In addition, there’s also a Lemmy spam defense Matrix chat set up by Lemmy.world where instance admins post spam accounts so others can ban them on their own instances (and add them to their automod).

    • Fisch@lemmy.ml
      link
      fedilink
      arrow-up
      24
      ·
      9 months ago

      Tbh this is kinda making me want to spin up a Lemmy instance to try out this tool haha

    • onlinepersona@programming.dev
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      5
      ·
      edit-2
      9 months ago

      In addition, there’s also a Lemmy spam defense Matrix chat set up by Lemmy.world where instance admins post spam accounts so others can ban them on their own instances (and add them to their automod).

      Lemmy doesn’t have subscriptions to ban lists? 🤔

      CC BY-NC-SA 4.0

      • Dave@lemmy.nz
        link
        fedilink
        arrow-up
        8
        ·
        9 months ago

        Lemmy doesn’t have a lot of things. It’s not a finished product, but more like something that was in the process of being built when suddenly tens of thousands of people started using it. They didn’t even finish the planned roadmap as they had to pivot to rewrite stuff to handle the influx of users.

  • neuracnu@lemmy.blahaj.zone
    link
    fedilink
    English
    arrow-up
    69
    ·
    9 months ago

    These are legitimate challenges that activitypub faces. I’m glad that they’re popping up like this so they can be observed, mitigated and planned for in the future.

  • Pronell@lemmy.world
    link
    fedilink
    arrow-up
    58
    arrow-down
    1
    ·
    9 months ago

    So I assume this attack was reported by the perpetrators, as spam on Twitter, Facebook, and Reddit are far far worse problems.

  • cosmic_slate@dmv.social
    link
    fedilink
    English
    arrow-up
    34
    ·
    edit-2
    9 months ago

    IMO by default everyone should put up a barrier to registration, be it manual approvals or email verification.

    Both have their own set of flaws and can establish a sense of false security, but it’s the bare minimum to slow down spam registrations.

    I’m working on an instance-level spam filter that acts on all federated content to take this into consideration for the instance I run…

    • Otter@lemmy.ca
      link
      fedilink
      English
      arrow-up
      5
      arrow-down
      1
      ·
      9 months ago

      Would it be possible to downrank / soft filter the instances that are more at risk? I’m not sure what that would look like exactly, but it would be nice to find a middle ground between accepting spam and defederating away

      • cosmic_slate@dmv.social
        link
        fedilink
        English
        arrow-up
        10
        ·
        edit-2
        9 months ago

        People need to understand there are risks if they’re going to host an open server and are ultimately responsible for how it interacts in the network.

        Keeping defederation minimal requires a high degree of trust with all instances, regardless of size.

        If the instance has open reg, hosted spam for multiple days, has no activity from the admins for ever, and might be several versions behind, that’s entering “I simply don’t trust your ability to host” territory.

        I run a small instance. I turn on registration applications, spot-check new accounts to make sure there isn’t spam, keep an alert active so I get notified when updates are available, and occasionally post from an admin account to indicate it’s an active instance. I even check reports at least once a day. This all takes very little effort to do. If you’re a small instance, the burden of proof is on you to show that it’s being maintained.

        Some of the spam instances have had spam up for several days now. Sure, maybe one or two people may be on vacation and aren’t aware, but I doubt that’s the case for every host.

        We’re fortunate the spam (at least what I’ve seen) didn’t blatantly display malicious content.

  • Kbin_space_program@kbin.social
    link
    fedilink
    arrow-up
    26
    arrow-down
    1
    ·
    9 months ago

    Kbin, literally haven’t seen any spam, seen lots about how the fediverse Admins are taking care of it.

    So, thank you mods and admins.

    • kreynen@kbin.melroy.org
      link
      fedilink
      arrow-up
      5
      ·
      9 months ago

      @Kbin_space_program@kbin.social

      @ardi60@reddthat.com This has not been my experience at all. There was/is a lot of spam lingering on KBin long after it was removed from the federated source. I don’t know if that’s an issue with the removal being done in an unfederated way (bulk deletes at the db level), a sync issue cause by the recent kbin.social outages or just a general federation bug.

      My kbin.social account has been @'ed in hundreds of comments and some of the most popular Kbin magazine where Earnest remains the sole moderator were flooded with spam.

      Even this morning I tried reporting spam from a kbin.social account only to be told it had already been report… and yet 16 hours later the bot is still posting with this account.

      I’m glad you’ve found kbin.social usable through all this, but the spam is tbere.

  • Pasta Dental@sh.itjust.works
    link
    fedilink
    arrow-up
    14
    ·
    9 months ago

    On Fosstodon I didn’t see a single spam message, the only reason I learned there was a spam attack was through people complaining about it. I guess it comes down to selecting an instance with good moderation

    • tedu@azorius.net
      link
      fedilink
      arrow-up
      8
      ·
      9 months ago

      The list of accounts mentioned in the spam posts were harvested from the misskey.io timeline, so if you don’t have followers there you did not receive any.

  • AutoTL;DR@lemmings.worldB
    link
    fedilink
    English
    arrow-up
    12
    ·
    9 months ago

    This is the best summary I could come up with:


    Over the past several days, attackers have targeted smaller Mastodon servers, taking advantage of open registrations to automate the creation of spam accounts.

    While this is not the first spam attack that has impacted the Fediverse, Rochko notes that only larger servers like Mastodon.social had been targeted previously.

    What’s different this time is that the spammers targeted the smaller and even abandoned servers offering open registration, allowing the bad actors to quickly create accounts and generate spam.

    Because Mastodon’s smaller servers are often hobbyist projects run by enthusiasts they were vulnerable to this sort of attack.

    Many servers were simply shut off as their admins decided it would be easiest to wait out the attack or abandon Mastodon altogether.

    “At the moment, there are no good built-in tools to handle this, as this is a complex issue — federated networks are not easy!


    The original article contains 1,023 words, the summary contains 143 words. Saved 86%. I’m a bot and I’m open source!

  • Grouchy@lemmy.grouchysysadmin.com
    link
    fedilink
    English
    arrow-up
    11
    arrow-down
    2
    ·
    9 months ago

    Mastodon and friends are built as open conduits with very little in the way of safety or permissions. Spam should be expected.

    It’s not a Fediverse vulnerability. It’s a Mastodon vulnerability. Don’t want spam? Use a better fediverse technology.

      • cosmic_slate@dmv.social
        link
        fedilink
        English
        arrow-up
        5
        arrow-down
        4
        ·
        edit-2
        9 months ago

        Completely disagree on the scalability argument and I find it silly.

        Most instances are small. Not everyone is going to run a 20,000 person instance where all 20,000 show up on the same day.

        If you’re a big instance like lemmy.world, then sure, I can buy the scalability argument, but once you’re at that point you’ve likely established that there is an active and engaged admin team.

        As a bonus, it even serves as a great asshole filter. If someone gets upset they had to wait a day for an approval, imagine how they’d act once they’re in.

    • haui@lemmy.giftedmc.com
      link
      fedilink
      arrow-up
      1
      arrow-down
      6
      ·
      9 months ago

      I think the best solution are federating ip bans and maybe mass registration prevention.

      The idea would be to note your ip in the account which then gets federated and if this ip registers a third account, it gets blocked. (Two might be a changing ip or a lost password)

      • cmnybo@discuss.tchncs.de
        link
        fedilink
        English
        arrow-up
        13
        ·
        9 months ago

        IP bans are not very useful considering that almost nobody has a static IP these days.

        CGNAT IP addresses change frequently and can be shared by over 100 users. I find it very annoying to have to connect to a VPN until my IP changes because someone else got the IP I’m using banned.

        Browser fingerprinting would be a better way of detecting ban evaders.

        • Mnglw@beehaw.org
          link
          fedilink
          arrow-up
          2
          arrow-down
          1
          ·
          9 months ago

          browser fingerprinting is inherently bad for privacy and would require scripts that nobody wants to run

          not to mention the GDPR issues with servers having that amount of data

          • cmnybo@discuss.tchncs.de
            link
            fedilink
            English
            arrow-up
            4
            arrow-down
            1
            ·
            9 months ago

            I’m not a fan of fingerprinting either, although good luck avoiding it considering just how much of the web is behind Cloudflare.

            • Mnglw@beehaw.org
              link
              fedilink
              arrow-up
              5
              ·
              9 months ago

              the fediverse largely prides itself on no tracking, in fact in the past instances that used cloudflare have been harshly criticised.

              This is against the fediverse’s core values

              • xthexder@l.sw0.com
                link
                fedilink
                arrow-up
                1
                ·
                9 months ago

                I’ve had my server behind Cloudflare this entire time. Should I not be doing that? At a minimum I need something to hide my server’s real IP.

        • haui@lemmy.giftedmc.com
          link
          fedilink
          arrow-up
          2
          arrow-down
          2
          ·
          9 months ago

          They‘re useful for a very short amount of time and add frustration for the spammer but yes, the downsides are large as well.

          If a person knows how to change their ip after being banned, they probably dont use a normal browser either, dont you think? Or have I missed something about browser fingerprinting? You can post to lemmy over an api, right?

      • Mnglw@beehaw.org
        link
        fedilink
        arrow-up
        6
        ·
        9 months ago

        most of my friends (and me myself) have far more than 3 accounts. Many instances I’ve been on have died, leading to me having to move and my old account on dead instances still being in databases. That said, even without that, I have far more than 3 active accounts

        sure we dont have hundreds or thousands like spammers would but putting an arbetrary number on “amount of accounts an IP can have” is against what the fediverse is

        • haui@lemmy.giftedmc.com
          link
          fedilink
          arrow-up
          3
          ·
          9 months ago

          I get that. Still, there are solutions to this (dead servers obviously wouldnt count for example) and having multiple accounts might just be your hobby but so could vote manipulation, negatively overwhelming a certain post and other egregious behavior be. Multiple accounts are like amassing wealth, its ultimately just means to do things that arent great for the community.

          Account migration should be high priority imo though. Its pretty bad that we have no way of doing this in lemmy atm. Mastodon does have it but I‘m not sure how well it works atm.

          • Mnglw@beehaw.org
            link
            fedilink
            arrow-up
            1
            ·
            edit-2
            9 months ago

            what if one wants accounts on say, 3 mastodon servers (one personal, one public, one backup, this is entirely reasonable, but many have more reasons for making separate accounts) and then wants a separate Lemmy account or two, because they prefer the Lemmy interface for specifically that. Or maybe someone wants to separate their work and personal life in addition. Or! They’re a minority and have specific reasons to separate their accounts. Or they’re an artist and want a separate art account

            and then other fediverse software comes along that interacts completely differently than content aggregation (Lemmy) or microblogging (mastodon etc). Neither federates properly yet and wont for a while, so guess what, another account

            you see how this doesn’t work? it has nothing to do with amassing wealth or voting manipulation as this is a problem across fedi (and voting isnt even a thing outside of Lemmy etc) and more to do with accessibility There are valid reasons to have several accounts to the fediverse, and it goes against the spirit of the fediverse to stop that.

            • haui@lemmy.giftedmc.com
              link
              fedilink
              arrow-up
              1
              ·
              9 months ago

              I agree that there are reasons to have multiple accounts. There is a natural limit to what a person can reasonably (without using bots and such) fill with cotent though. We‘ll see how it plays out.

    • 7heo@lemmy.ml
      link
      fedilink
      arrow-up
      1
      arrow-down
      1
      ·
      edit-2
      9 months ago

      RU / CN / KP / IR (strike out what does not apply)

        • 7heo@lemmy.ml
          link
          fedilink
          arrow-up
          1
          ·
          9 months ago

          Why would the countries that literally can MITM and censor content at the source would ever do spam campaigns? 🤨

          At some point, use your brain… As with the freedom of speech, if you don’t use it, it will become powerless.

          • TheAnonymouseJoker@lemmy.ml
            link
            fedilink
            arrow-up
            1
            ·
            9 months ago

            Because it happens? Use your own advice. Western countries do that enough to need to formulate propaganda about “foreign” enemies. Guess who invented telemarketer spam and email spam?