Everything about Lemmy; bugs, gripes, praises, and advocacy.
For discussion about the lemmy.ml instance, go to [email protected].
Completely agree, captcha's aren't gonna make it impossible to make bots, but it makes it more complicated. It will force bad actors to invest more time in it. Wich will turn some part of them away.
On a positive note, I think the fact that we see so many bot signups shows lemmy (the fediverse in general) is growing and matters, otherwise people wouldn't spend so much time and resources to make these bots. All big platforms have these kind of problems and need to learn how to deal with them.
yeah it was never about making it impossible, only about making it inconvenient enough that it's manageable
I mean, it's a currently approved PR
There's also an active Issue about replacing captchas (which are often an issue privacy-wise) with a mCaptcha, where you computer does "Bitcoin-Like" useless calculations which the server easily can verify that you did.
So it would be much more costly to make a billion spam accounts
that's awesome but is it a default on new instances?
This is the right move I think.
I'm very skeptical that mCaptcha would actually work besides perhaps temporarily slowing bots down due to being niche. How expensive can you make it without hurting legitimate users? And how expensive does it need to be to discourage bots? Especially when purposefully designed bots can actually do the kinda math we're talking about in optimized software and hardware while legitimate users can't.
Hard agree.. currently of the top 20 fastest growing servers in the fediverse most are instances with less than 10 active users but they are showing 50k - 70k bot accounts.
What? Can’t they get defederated if it’s this obvious?
You can find them in "Top 20 Fastest Growing Servers" on here https://fedidb.org/
and instances can add them to their blacklist. though it probably helpful to reach out to the admins. many are new and are unaware of how it works.
Bot registrations can also be slowed down by just ... slowing down.
Real users don't need a registration to happen within 250 milliseconds. It's okay to delay it for several seconds just to rate-limit bots.
(This is sometimes described as the "tarpit" approach.)
Yes, but the point is that and captchas are not exclusive. I hope devs will backtrack on their intention to remove captchas and instead make them a default.
Yep. Successful anti-spam usually relies on a mix of different techniques, not just one!
I think the commenter you replied tonwas giving an additional suggestion rather than an alternative to your original suggestion
If you add a big delay the botters will just run more requests in parallel. It is a tiny barrier but in a completely different league than even a simple captcha.
And then you respond by limiting access by IP. That degrades the experience a bit for large networks like universities, but if it's limited to logins and signups, it can be acceptable.
And then they respond with bot nets, and then you know you've hit the mainstream.
I'd say setting registrations to closed and having the operator enable/configure which to use is the best default. CAPTCHAs can also be automated, so this won't stop anyone that is ambitious enough. If someone sees value in automating account registrations, they might be willing to pay for the CAPTCHAs to be solved for fraction of a US cent each.
Agreed, I'm really concerned about the fact that email verification and captchas are available but off by default. With the state of the internet now they really should be on by default.
Arguing against captchas like this is a prime example of letting perfect be the enemy of good.
those people probably leave their doors open because even the strongest lock can be broken anyway