Conversation
K. Ryabitsev (monsieuricon@social.kernel.org)'s status on Sunday, 18-Feb-2024 06:21:16 JST
FYI, the Fedi spam problem is only starting out. It won't take much effort for someone to write a payload running on random compromised webservers to send copious amounts of spam via activitypub, making blocklists ineffective.
We will basically need to implement all the same anti-abuse stuff we're already doing for email in order to cope with it on the fediverse -- greylisting, dnsbl, domain authentication, etc.
Sadly, the only way this won't happen is if ActivityPub stays sufficiently niche to make other targets more popular for spammers.
clacke (clacke@libranet.de)'s status on Sunday, 18-Feb-2024 06:21:19 JST
@mariusor @monsieuricon Implement a Fedi server on the compromised web server.
marius (mariusor@metalhead.club)'s status on Sunday, 18-Feb-2024 06:21:20 JST
> It won't take much effort for someone to write a payload running on random compromised webservers
@monsieuricon that's not true because generally servers don't accept incoming payloads if they don't have a valid HTTP Signature.
So a random compromised machine also needs access to a random compromised fediverse actor (in order to have access to its private key) so it can generate a valid signature/digest.
It's not much harder, but still.
Hex Batch (hexbatch@mastodon.online)'s status on Sunday, 18-Feb-2024 06:21:23 JST
@mariusor @monsieuricon What happens if I or someone else registers thousands of new instances? Is this not hard to do? And what stops me from making tens of thousands each day and flooding all the servers with advertisements? Each would have different and valid credentials. What if I had access to hundreds of thousands of IPs from a botnet?
clacke (clacke@libranet.de)'s status on Sunday, 18-Feb-2024 06:21:25 JST
@hexbatch @mariusor Yes. At some point servers will have to require explicit admin approval to fully federate with newly discovered servers.
Hex Batch (hexbatch@mastodon.online)'s status on Sunday, 18-Feb-2024 06:21:26 JST
@mariusor @hexbatch So eventually someone, or many, will try as the fediverse expands. There are hundreds of people and groups who do much of what I describe weekly on the web to run advertisements and spam. It's just blind luck nobody tried yet?
marius (mariusor@metalhead.club)'s status on Sunday, 18-Feb-2024 06:21:27 JST
@hexbatch yes