PSA: Many Lemmy instances are currently experiencing massive automated sign-ups (bots)! If you run an instance with open sign-ups, please read!
PSA: Many Lemmy instances are currently experiencing massive automated sign-ups (bots)! If you run an instance with open sign-ups, please read!
cross-posted from: https://lemm.ee/post/177673
Today, a bunch of new instances appeared in the top of the user count list. It appears that these instances are all being bombarded by bot sign-ups.
For now, it seems that the bots are especially targeting instances that have:
- Open sign-ups
- No captcha
- No e-mail verification
I have put together a spreadsheet of some of the most suspicious cases here.
If this is affecting you, I would highly recommend considering one of the following options:
- Close sign-ups entirely
- Only allow sign-ups with applications
- Enable e-mail verification + captcha for sign-ups
Additionally, I would recommend pre-emptively banning as many bot accounts as possible, before they start posting spam!
Please comment below if you have any questions or anything useful to add.
This happened to me, although luckily I managed to turn off registration after about 80 signups. I did have email verification enabled but noticed that every single email address was fake/the email bounced, so they havent been able to verify the accounts and post.
I have now enabled applications (along with email verification) - does anyone have any opinion on using captcha instead of applications? I feel like captcha has already been defeated by bots.
Fwiw the captcha support in lemmy is probably going away soon. It needs to be reimplemented into another database table (or something like that) anyway. Given that it is too hard for many humans, too easy for many bots, and devs are slammed with work, makes more sense to delete as a first step
I don't have the time right now but someone should double check if captcha rework is in the GitHub issues as well so that they not only remove it but keep track of redoing it later as well...
Captcha is seemingly what is protecting this instance. Although it is bypassable in theory, it's working for us right now.
As the other commenters mentioned they are planning to remove Captcha in the next update but also other people have created an issue on GitHub to keep Captcha.
Bypassing captcha is technically possible but very hard, hard enough that it doesn't make sense financially to do it. Keeping it is a must. If they do end up removing it, we need to add it back in (actually not that hard to do)
One of those servers has 30k users but no posts or communities. Makes me think if I was a bad actor other then creating bot account on normal instances I would make my own instance and fill it with bots. If it's federated it can still interact with other instances.
Wouldn't it just make it easier to avoid the bots because all instances would quickly unfederate with them? Vs creating bot accounts on established instance it makes it harder to deal with since you have to play whack a mole.
It would but it looks like when a new instance is spun up it's just auto federated? Looking at https://sh.itjust.works/instances we see only one instance that has been blocked and that was our favorite and just admin blocking it. So someone creates and instance and can just spam a thousand other instances before everyone wises up and blocks them? I could be wrong but that's what it looks like to me.
Yeah, I caught (at the same time as lemmy.nz) the bit signups in time. I only had about 20 and @[email protected] had about 100. We both have captcha enabled now.
Interestingly none of the 20 I had had email address but username of <word>nnn where lemmy.nz all had obvious spam email address.
https://beehaw.org/post/662481
https://lemmy.world/post/296344
Some cross posts. The bot army is going to be an issue in the next few weeks. .18 drops captcha all together so any server that upgrades is going to be a target. Though a lot of servers dont run captcha, question or email verification anyways so they are already targets. Pretty sure sh.itjust.works didnt either when I signed up.
Not sure how much damage bots can do at this point other than skew the narrative and try to make these places unwelcoming but I am sure we will see first hand how bad it gets.
I've got sign ups with applications and a hard captcha set up. My other sites had the same issues, random spam bots. Surprisingly well behaved tbh but I don't care they're not welcome.
Well behaved for now, but most likely not indefinitely. They’re either trying to steer signups to particular instance(s), or just paving the way for future astroturfing.
Just trying to build karma and influence, they did it on reddit all the time.
I've not seen any yet here. Only doing captcha for now but I know emails do work if needed.
Yeah it seems like many of the older instances are already protecting themselves.
https://fedidb.org/current-events/threadiverse
If you go to the top 20 fastest growing servers, they are all empty, bot filled servers as far as I can tell.
https://the-federation.info/platform/73#drawer-opened
This site seems to be doing a better job of ignoring the bot accounts, and you can see all the original active instances have only grown a modest amount in the past couple days.
Wow, that's hundreds of thousands of "users" within two days. It could be software testing or preparing a massive blow.
Thanks, I am an instance admin and I realized I did not previously have captcha on. That’s been rectified now.
Not that I get a ton of signups anyway. Ever since the join-Lemmy page of instances was reworked, I’m not popular enough to be listed :(