cross-posted from: https://lemm.ee/post/177673
Today, a bunch of new instances appeared in the top of the user count list. It appears that these instances are all being bombarded by bot sign-ups.
For now, it seems that the bots are especially targeting instances that have:
- Open sign-ups
- No captcha
- No e-mail verification
I have put together a spreadsheet of some of the most suspicious cases here.
If this is affecting you, I would highly recommend considering one of the following options:
- Close sign-ups entirely
- Only allow sign-ups with applications
- Enable e-mail verification + captcha for sign-ups
Additionally, I would recommend pre-emptively banning as many bot accounts as possible, before they start posting spam!
Please comment below if you have any questions or anything useful to add.
One of those servers has 30k users but no posts or communities. Makes me think if I was a bad actor other then creating bot account on normal instances I would make my own instance and fill it with bots. If it’s federated it can still interact with other instances.
Wouldn’t it just make it easier to avoid the bots because all instances would quickly unfederate with them? Vs creating bot accounts on established instance it makes it harder to deal with since you have to play whack a mole.
It would but it looks like when a new instance is spun up it’s just auto federated? Looking at https://sh.itjust.works/instances we see only one instance that has been blocked and that was our favorite and just admin blocking it. So someone creates and instance and can just spam a thousand other instances before everyone wises up and blocks them? I could be wrong but that’s what it looks like to me.
I see what you’re saying. So even the creation of instances could be spammed in theory.