this post was submitted on 20 Jun 2023
108 points (98.2% liked)

Lemmy

12579 readers
47 users here now

Everything about Lemmy; bugs, gripes, praises, and advocacy.

For discussion about the lemmy.ml instance, go to [email protected].

founded 4 years ago
MODERATORS
 

Today, a bunch of new instances appeared in the top of the user count list. It appears that these instances are all being bombarded by bot sign-ups.

For now, it seems that the bots are especially targeting instances that have:

  • Open sign-ups
  • No captcha
  • No e-mail verification

I have put together a spreadsheet of some of the most suspicious cases here.

If this is affecting you, I would highly recommend considering one of the following options:

  1. Close sign-ups entirely
  2. Only allow sign-ups with applications
  3. Enable e-mail verification + captcha for sign-ups

Additionally, I would recommend pre-emptively banning as many bot accounts as possible, before they start posting spam!

Please comment below if you have any questions or anything useful to add.


Update: on lemm.ee, I have defederated the most suspicious spambot-infested instances.

To clarify: this means small instances with an unnaturally fast explosion in user counts over the past day and very little organic activity. I plan to federate again if any of these instances get cleaned up. I have heard that other instances are planning (or already doing) this as well.

It's not a decision I took lightly, but I think protecting users from spam is a very important task for admins. Full info here: https://lemm.ee/post/197715

If you're an admin of an instance that's defederated from lemm.ee but wish to DM me, you can find me on Matrix: @sunaurus:matrix.org

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 8 points 1 year ago (1 children)

CAPTCHA is the bare minimum. Who the hell turns it off?

[–] [email protected] 6 points 1 year ago (4 children)

There is an argument to be made that captchas can be automatically bypassed with some effort.

OTOH, the current wave of bots is quite clearly favoring instances with captcha disabled, so clearly it's acting as at least a small deterrent.

[–] [email protected] 7 points 1 year ago (1 children)

Sometimes, security just means not being the low-hanging fruit.

[–] [email protected] 4 points 1 year ago

Doing no captcha is like leaving the door open, hoping no-one breaks in, instead of at least closing the door (a closed door decreases chance of break in by near 100%, even if it's not locked)

[–] [email protected] 1 points 1 year ago

Some advanced OCR can hack the easier ones, but it's unusual.

[–] [email protected] 1 points 1 year ago

It seems that the devs are considering to use mCaptcha. Link to the discussion

[–] [email protected] 1 points 1 year ago (1 children)

captchas block script kiddies at the very least

[–] [email protected] 4 points 1 year ago (1 children)

there's a browser addon that lets you solve Recaptcha with one click:
https://addons.mozilla.org/en-US/firefox/addon/buster-captcha-solver/

it automatically switches to the alternative accessibility option, which is based on typing in words that you hear, and uses speech recognition software to solve it. I'm fairly sure it could be automated quite easily.

[–] [email protected] 4 points 1 year ago

Still way better than nothing at all