Okay, this made me laugh.
-
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 18-Feb-2024 04:17:48 JST Kevin Beaumont
-
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 18-Feb-2024 04:21:53 JST Kevin Beaumont The long story short with the Mastodon spam woes this weekend is it’s a deliberate attack exploiting Fediverse and Mastodon issues.
They’re using Tor exit nodes and everything is automated. I think they can just keep running it, as there is no barrier to stop them.
To keep it in perspective, though, I don’t think it’s a big deal at present. People should just ignore it.
-
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 18-Feb-2024 04:25:22 JST Kevin Beaumont There is a bunch of technical issues it highlights, which is that Fediverse is very open to abuse at present. There’s no spam filtering at all. It’s like email from 1996. It’s wide open to abuse.
IMHO Mastodon admins should enable CAPTCHA for registration - it’s supported out of the box - if they run open sign ups.
Ideally Mastodon would add easy install third party plugins (a la WordPress etc) so people could develop optional plugins for anti-spam and anti-malware.
-
Allan Chow (grumpasaurus@fosstodon.org)'s status on Sunday, 18-Feb-2024 04:27:33 JST Allan Chow @GossiTheDog how many of these instances are instances people set up but then forgot about them
-
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 18-Feb-2024 04:33:48 JST Kevin Beaumont Now, it does become a bigger problem if the current spammers publish their source code and more join in.
There’s absolutely no effective controls to stop it - here is the Wild West still - so the elephant in the room is anybody can flip the table at present.
The good news is much of the anti spam and anti phish technologies over the years (Real time Block Lists etc) can be reworked for here. The bad news is that’s a long way off realistically.
-
Renaud Chaput (renchap@oisaur.com)'s status on Sunday, 18-Feb-2024 04:35:22 JST Renaud Chaput @GossiTheDog here are my plans to tackle this, hopefully we will be able to start on it soon: https://renchap.com/blog/post/evolving_mastodon_trust_and_safety/
-
Ben Royce 🇺🇦 (benroyce@mastodon.social)'s status on Sunday, 18-Feb-2024 05:24:25 JST Ben Royce 🇺🇦 @GossiTheDog "the elephant in the room is that anyone can flip the table at present"
it's called a mastodon
🏃‍♂️
-
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 18-Feb-2024 05:36:40 JST Kevin Beaumont Another knock on impact from the spam run - the pictures of spam in the posts are chewing up disk space if file system without deduping is used, and there’s extra Sidekiq load (it’s the biggest Saturday ever on cyberplace.social).
Also a bunch of instances have gone to failing in federation admin page, presumably because smaller instance admins got annoyed and switched them off.
-
Renaud Chaput (renchap@oisaur.com)'s status on Sunday, 18-Feb-2024 05:43:03 JST Renaud Chaput @GossiTheDog or because they are overloaded with the spam + reports
-
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 18-Feb-2024 20:56:28 JST Kevin Beaumont Mastodon has been in deep decline for months (eg active user numbers have halved), but now the metrics are turning around due to one Japanese Discord spammer 🤣
-
Sofie :verified_gay: (soupglasses@hachyderm.io)'s status on Sunday, 18-Feb-2024 21:02:04 JST Sofie :verified_gay: @GossiTheDog Still -6% tho :blobfoxlaughsweat:
-
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 18-Feb-2024 22:06:16 JST Kevin Beaumont For context on the spam problem, hundreds of Mastodon servers are chucking out thousands of spam messages.
One example instance: https://opensimsocial.com/public/local
It’s all one dude on Discord who has realised they can script spam. Thankfully they haven’t published source code.
-
Jordan Biserkov (jbiserkov@mas.to)'s status on Sunday, 18-Feb-2024 22:33:20 JST Jordan Biserkov @GossiTheDog How is CAPTCHA the solution? Isn't it trivially defeated with "AI" these days?
-
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 19-Feb-2024 07:49:11 JST Kevin Beaumont An update on the Fediverse spam issue:
- It’s not just Mastodon.
- Most of the targets receiving the spam use Misskey, and are in Japan.
- Most Mastodon users aren’t being targeted, so aren’t seeing it.
- It is a dispute between two people over a social issue, after asking them about it.
- It is fully automated.
- The spam continues to be sent and probably won’t stop any time soon, these guys need to star in a BL drama and make up.
-
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 19-Feb-2024 07:55:32 JST Kevin Beaumont If anybody wants another hilarious online dispute issue, back in 2016 two teens had a dispute over Minecraft, so one DDoS’d the Minecraft server’s DNS server - that broke Dyn, which took down internet access across the US East Coast as they were such a key supplier.
I had to do a radio show on NPR about that one and the presenter kept asking me if it was Putin — and I was like, no, it’s teenagers. Advanced Persistent Teenagers.
-
Wolf480pl (wolf480pl@mstdn.io)'s status on Monday, 19-Feb-2024 08:45:56 JST Wolf480pl @GossiTheDog captchas might work for this spam bot, but I wouldn't count on them for the long term.
Outside of fedi, I've seen captcha-solving spambots years ago. Also they took their time, slowly registering sleeper accounts over the span of a year, before using them to send any spam.
-
Wolf480pl (wolf480pl@mstdn.io)'s status on Monday, 19-Feb-2024 09:05:51 JST Wolf480pl @GossiTheDog yeah what I'm saying is, my concern is the bots that we might see in a year or two.
-
katrintheresa (katrintheresa@cyberplace.social)'s status on Monday, 19-Feb-2024 10:56:17 JST katrintheresa
-
Juno Jove (jupiter@mastodon.gamedev.place)'s status on Monday, 19-Feb-2024 19:05:43 JST Juno Jove Sooo it's not possible to just reject federation from any misskey instances?
Do mastodon instances not have a user agent equivalent when federating content? (*goes to read the spec*)
Again, this isn't about killing the infection, it's about getting people isolated until enough masks and vaccines are available. As a species, we should have internalized this by now.
Oh. Wait.
-
Anarchic Teapot 🌹⚧️ (anarchic_teapot@lingo.lol)'s status on Monday, 19-Feb-2024 19:44:13 JST Anarchic Teapot 🌹⚧️ @GossiTheDog Typos in the last paragraph, should read:
"To keep it in perspective, though, I don’t think. People should just ignore me."
-
Anarchic Teapot 🌹⚧️ (anarchic_teapot@lingo.lol)'s status on Monday, 19-Feb-2024 19:45:42 JST Anarchic Teapot 🌹⚧️ @GossiTheDog Statement of fact, laugh that off.
-
Deborah Hartmann Preuss, pcc 🇨🇦 (deborahh@mstdn.ca)'s status on Monday, 19-Feb-2024 22:12:54 JST Deborah Hartmann Preuss, pcc 🇨🇦 @GossiTheDog ok, so they are fighting.
Why, then, are they messing with our servers?
-
narcolepsy and alcoholism :flag: (hj@shigusegubu.club)'s status on Tuesday, 20-Feb-2024 03:56:43 JST narcolepsy and alcoholism :flag: @GossiTheDog - Most of the targets receiving the spam use Misskey, and are in Japan.
I guess Finland is truly Honorary Japan. Not sure what it says about Pleroma tho...
-
cybik :deifirev: (root@sms.cybik.moe)'s status on Tuesday, 20-Feb-2024 03:59:41 JST cybik :deifirev: @GossiTheDog "technology falls to the dick-measuring contest of two teenagers" is a time-honored tradition at this point.
-
Marie :verifiedtrans: (marie@transfem.social)'s status on Tuesday, 20-Feb-2024 04:27:49 JST Marie :verifiedtrans: @GossiTheDog@cyberplace.social Actually point two is more so
"Most of the targets receiving the spam use Misskey or a fork of Misskey and communicated at least once with a Japanese user or mentioned a big Japanese instance (mostly misskey.io)"
-
spv (spv@mastodon.spv.sh)'s status on Tuesday, 20-Feb-2024 17:22:04 JST spv @GossiTheDog THAT is why DYN went down???????
-
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 20-Feb-2024 20:12:19 JST Kevin Beaumont If anybody wants an update on the Fediverse spam issue - the groups did a ceasefire 5 hours ago (3PM JST).
-
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 20-Feb-2024 20:40:12 JST Kevin Beaumont Also, yes, it was a beef over access to a Discord.
-
Jonly (jonly@mastodon.social)'s status on Tuesday, 20-Feb-2024 21:06:14 JST Jonly @GossiTheDog still fail to see how the spam aided in that?
-
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 21-Feb-2024 04:26:35 JST Kevin Beaumont Mastodon change coming where new servers have open registration disabled by default: https://github.com/mastodon/mastodon/pull/29280
Mastodon team have been all over behind the scenes btw.
-
Luc (luc@chaos.social)'s status on Wednesday, 21-Feb-2024 06:35:57 JST Luc @GossiTheDog what's a JST? Jordan? Japan? Java?
*tries to think really hard about other geographical regions' names starting with J*
This is why I like UTC/GMT offsets...
-
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 21-Feb-2024 21:58:21 JST Kevin Beaumont Good news everybody, the Fediverse spammer is back! @ivory client filtering it all out for me.
-
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 22-Feb-2024 20:03:39 JST Kevin Beaumont Mastodon change incoming in next release, if no mod logs into a server for a week open registrations will close. Will probably take a few weeks but should solve the current spam issue largely. https://github.com/mastodon/mastodon/pull/29318
-
Bø!rge (forteller@tutoteket.no)'s status on Thursday, 22-Feb-2024 20:24:53 JST Bø!rge @GossiTheDog @glynmoody Good change!
-
propapanda :verified: (panda@pandas.social)'s status on Thursday, 22-Feb-2024 20:34:05 JST propapanda :verified: I thought most of the servers of the current spam wave run outdated software, so updates will not hit these servers any time soon or at all
-
Cathy YesCT (yesct@mastodon.social)'s status on Thursday, 22-Feb-2024 22:06:42 JST Cathy YesCT @GossiTheDog @panda I don't understand. How will the update affect already existing servers?
-
Cathy YesCT (yesct@mastodon.social)'s status on Thursday, 22-Feb-2024 22:12:50 JST Cathy YesCT @GossiTheDog @panda ah, ok. I think that's what panda was saying.
-
jlo (jlo@glib.social)'s status on Friday, 23-Feb-2024 00:26:06 JST jlo @GossiTheDog Now I may be a known idiot but this would require a version update yes?
If so, that would mean whatever % don’t update would still be a possible zombie *IF* Open Registration is still open on it?
-
dracoling (dracoling@firetribe.org)'s status on Friday, 23-Feb-2024 00:28:01 JST dracoling @GossiTheDog@cyberplace.social While I love this change for future installations, updating to the new version with this patch requires interaction, which is exactly what's missing from the servers doing the spamming now!
-
Aral Balkan (aral@mastodon.ar.al)'s status on Friday, 23-Feb-2024 18:43:34 JST Aral Balkan @patterfloof @GossiTheDog That is a very good question.
-
patter (patterfloof@meow.social)'s status on Friday, 23-Feb-2024 18:43:35 JST patter @GossiTheDog silly question, but if mods haven't logged in for a week, how are those servers going to be upgraded to the version with this feature?
-
patter (patterfloof@meow.social)'s status on Friday, 23-Feb-2024 20:26:55 JST patter @aral @GossiTheDog I guess there could be version numbers in the protocol & newer servers block feeds that aren't the right version
but this is me, a programmer spitballing without info
-
Aral Balkan (aral@mastodon.ar.al)'s status on Friday, 23-Feb-2024 21:59:30 JST Aral Balkan @GossiTheDog @patterfloof Mastodon, however, could still very easily stop accepting traffic from Mastodon servers that are X versions behind. This would be good for the health of the network in general. And when/if those servers upgraded, it could start accepting traffic from them again.
-
Aral Balkan (aral@mastodon.ar.al)'s status on Friday, 23-Feb-2024 22:10:13 JST Aral Balkan @GossiTheDog @patterfloof Not my circus, not my monkeys. Sadly, I don’t have time in the day enough to contribute to every codebase on the planet. But I’ll keep the idea in mind as a possible feature that we could implement in Small Web apps to ensure we don’t run into the same problem. (Small Web apps auto update anyway but it’ll be a good check to have in case someone has disabled that for their server.)