Replies: 34 comments
-
I think right now suspensions are intended to be the nuclear option. Last I checked suspending deleted all the person's content and cleared out their profile as if the account was deleted. Maybe what we need is a "timeout" option for human users we want to temporarily lock out without deleting their account. Basically a lockout that expires automatically after a certain amount of time, and doesn't delete anything. It would need to report to the user that they were in timeout, a reason (provided by the admin), and when the timeout was scheduled to lift. Probably in an email, and on the screen they see when they successfully log in.
-
I'd like that a lot. It also means I could go on vacation and still have people unlocked on schedule. Good point about suspensions being nuclear. I think I'd gotten tripped up in the flurry of admin stuff I'd been doing this week.
-
The admin interface of Discourse has several of these; I fully recommend copying those ideas. They do not consider suspend the "nuclear option", though, that is the feature called "Delete Spammer". Getting spammers deleted off your user list is absolutely necessary for long term admin sanity. The blocked email list is pretty much the only record we need to keep around (the username is stored unstructured in the admin action log).
-
Ooh, I like @riking's ideas very much. I'd lean toward blacklisting the username, but I could be persuaded either way. But mainly, I agree that I want the spammers gone forever. I don't want to have to remember that they ever existed. If I got hit with an influx of 10,000 spambots tonight, it would be a major pain in the neck to do any future admin work because I'd have to sort through the fake accounts to find the much smaller portion of real accounts that I actually care about.
-
I think right now, admins can blacklist MX domains by going to mod > email blacklist. The one behind basically all of the current spam is mxsrv.mailasrvs.pw. I do think there should be more and better tools for this, though. riking's suggestion of copying Discourse is a good one, although my only concern would be erroneously blocking shared IPs.
-
Blacklisting the MX does little good because they just change them quickly. We need a better way to prevent them from signing up in the first place.
-
To my understanding, they change email domains quickly, but not MX providers.
-
I've blocked multiple MX providers already.
-
@trwnh I don't think blocking the MX domain in the email blacklist of Mastodon will solve the problem (check in the code: https://github.com/tootsuite/mastodon/blob/master/app/validators/blacklisted_email_validator.rb). But it could be a nice idea to be able to do it (implementing an MX request for the email domain), but the bot creators will probably adapt and change MX domains. I think we could never block bots from registration, unless restricting registration (only email invite currently); we probably will benefit from better administration and moderation tools, and maybe improvement in the registration process (for example we could imagine admin options to enable a captcha function if the user has not ticked the bot option in the registration form). We could also probably improve the user preferences for messages of bots appearing in timelines. I know these issues and ideas were already discussed in older issues, but this problem definitely shows that we should do something.
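An added example (not Mastodon's own validator) of the gap described above: a blacklist that compares only the address's own domain never matches an MX provider, whereas an MX-aware check does. The resolver classes, the blocked list and the throwaway domains are assumptions constructed for this example; the one real entry is the MX host named earlier in the thread.

```ruby
require 'resolv'

# Added example, not Mastodon's own validator. Constructed blocked list; the
# one real entry is the MX host named earlier in this thread.
BLOCKED_HOSTS = %w[mxsrv.mailasrvs.pw].freeze
# Live resolver: returns the MX exchange hostnames of a domain via DNS.
class DnsMxResolver
  def mx_hosts(domain)
    Resolv::DNS.open do |dns|
      dns.getresources(domain, Resolv::DNS::Resource::IN::MX).map { |rr| rr.exchange.to_s }
    end
  end
end

# Offline stand-in with constructed MX data: two throwaway sign-up domains
# both route mail through the blocked MX host.
class StubMxResolver
  TABLE = {
    'throwaway1.example' => ['mxsrv.mailasrvs.pw'],
    'throwaway2.example' => ['mx2.mxsrv.mailasrvs.pw'],
    'example.org' => ['mail.example.org']
  }.freeze
  def mx_hosts(domain)
    TABLE.fetch(domain, [])
  end
end

# True if host equals a blocked entry or is a subdomain of one.
def blocked_host?(host, blocked = BLOCKED_HOSTS)
  host = host.downcase.chomp('.')
  blocked.any? { |b| host == b || host.end_with?(".#{b}") }
end
def email_domain(email)
  email.split('@', 2).last.to_s.downcase
end
# Plain check: only the address's own domain is compared, so a fresh domain
# that merely uses the blocked MX host passes.
def domain_blocked?(email, blocked = BLOCKED_HOSTS)
  blocked_host?(email_domain(email), blocked)
end

# MX-aware check: blocked if the domain itself or any MX exchange matches.
# DNS failures fall through to "not blocked" so an outage cannot reject every
# sign-up; a real deployment should log them.
def mx_blocked?(email, resolver = DnsMxResolver.new, blocked = BLOCKED_HOSTS)
  domain = email_domain(email)
  return true if blocked_host?(domain, blocked)
  resolver.mx_hosts(domain).any? { |h| blocked_host?(h, blocked) }
rescue Resolv::ResolvError, Resolv::ResolvTimeout
  false
end
```

Pass `StubMxResolver.new` as the resolver to try it offline; with the default `DnsMxResolver` it performs real MX lookups.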
-
@Laurelai Okay. It's possible we're seeing different waves of spam, too.
-
What about VisualCaptcha? It's open source, it has ruby integration. Can it be integrated into Mastodon as an optional service? It of course requires some sort of server side service too but instance admins that care about spam would have no issue with that.
-
visualcaptcha and other captcha services are trivially broken by modern spammers (either by using easy machine vision or by using mturk).
-
@nightpool yes I've seen this argument used but I still think a captcha would block a lot of less sophisticated bot networks. And I don't believe captchas are as worthless as people make them out to be, why else would reCaptcha still be in business and used by services such as Cloudflare for example?
-
Another way for the bot is:
-
@stemid I understand your point. The instance I run could be considered more on the medium-size, even though it's a small one if we consider the active users. Mine is also a nationally localized instance and I think it does diminish the interest of more global schemes of spam. I do have another which is not nationally localized and that one has also been free of spam after the MX trick, at least for now. And I know that screening is a pain, I do check the profile of newly subscribed people of both instances once a day for some time before getting my peace of mind, but I'm no .social and the number of new subscriptions on both hovers around 1~5 new instances per day. (Except when there's new user waves, which already made it reach 20+ new sign ups and me closing registration because even with a moderation of 4 people and totally legitimate users, we couldn't keep up with moderation and reaching out to new users for support and in some cases rule violations). In the end, my point is that while I think captchas are a valid offload of the responsibility on the admin, personally, I prefer to transform this into a moderation duty, which I can share with other active users I trust, than automating this somehow, because even so I will still have to keep a close eye on new users anyway for rule violations and other such behaviors. That being said, for me it's a question of priority: I'm not against implementing captchas, I just think that solutions like open instances with screening in the software should get more attention since it's already an old request of several admins that have to do that through other ways.
-
I've had to make mastodon.me.uk invite-only because of this problem, which is sad. Some sort of humanity check on signup would be great, speaking as a time-poor server admin :)
-
RE: CAPTCHA being "trivially broken" by machine vision
This is absolutely NOT true. CAPTCHAs like Google's reCAPTCHA are well aware of what is possible in the machine vision space and adjust to keep ahead of the curve. They've switched from "recognize the letters" (which, indeed, the state of the art has all but solved with ConvNets in the early 2010s) to "recognize images belonging to categories" which still has an error rate that's high enough to use it as a filtering mechanism.
RE: CAPTCHA being "trivially broken" by mTurk
This is actually another benefit you get by outsourcing CAPTCHA to a big provider like Google: You're also outsourcing the sweatshop-detection. They have all kinds of pageload/interaction data they can use to sniff out CAPTCHA-solving sweatshops better than you ever will. And no matter what method you choose, mTurkers can attack it cheaply. Even the manual approval method is subject to this. The task simply shifts from "Click/type what you see" to "Write a short blurb pretending you're a legitimate user". mTurkers do all kinds of crazy things for just a few cents. If you made me write a whole essay to sign up I could still attack your site for 50 bucks. There is no magic bullet. Ever. The only legitimate goal is to stem the tide to the smallest trickle you can.
RE: Visually-impaired users
The attack on reCAPTCHA from last year that claimed an 85% rate against audio challenges no longer works. Like I said, they keep moving the goalpost to keep it slightly ahead of the state of the art. And it's not like you can't have manual verification as an absolute last-resort fallback. But a lot of the time reCAPTCHA isn't even trying to give you the image or audio captcha; you just click the "I'm not a robot" button, and it's designed to be screen-reader compatible.
Using a polished, battle-tested solution that has already figured these things out is a lot more fair to users with disabilities than using any old CAPTCHA someone made as a weekend project and threw onto GitHub (Case in point: visualCAPTCHA on GitHub is now just a Readme.md that says it's no longer actively maintained).
tl;dr: reCAPTCHA is the devil you know, and it's one of the best defense mechanisms you're gonna get, and screened registration and CAPTCHA make sense as two complementary options with admins being able to choose either one/both/none.
-
@BillyWM Today I learned. Thanks for weighing in!
-
My post was specifically about visualcaptcha. The old recaptcha had very poor sweatshop detection. The modern "Click to prove you're not a bot" challenges are probably a lot better, but I don't have any direct experience with them so I can't say for sure. But it's important to recognize that spam detection is ALWAYS easier with domain knowledge, so a one size fits all solution like google captcha isn't necessarily going to be good at catching the types of spam we care about.
-
I wanted to chime in too since I just got done suspending a bunch of accounts. I run a Mastodon node to contribute to the decentralized network, but can't really commit to doing this type of spam control. I implemented reCaptcha at my work last week with the most permissive setting possible. It allows everything through that doesn't look suspicious. Our spam submissions have gone down to 0 since then. I think allowing admins to select from at least a few anti-spam measures would be very beneficial. We know that there are effective tools available, it's only (hah) a matter of building the integration.
-
I just started getting hit today with what looks like the same MO - a rash of account signups, with vaguely anime-ish avatars, self-identifying as bots, which only follow my admin account and don't follow anyone else. So I'm pretty sure soon they'll start up with the spam. I notice that none of the suggestions in the OP seem to have been implemented. Like a way of searching / sorting in the admin Account section for "bots", identifying / filtering "already suspended", or CAPTCHA on account signup, or link to the admin account page from the front end hamburger menu, etc. I have a feeling now I'm on the radar for these asshats, it's going to rapidly become a problem. They've been signing up steadily at the rate of one every 30 minutes all day. @kstrauser - did they continue to be a problem for you?
-
Same here. I've got the same bots that started to be reported as spam. Maybe it would be nice to use ActivityPub to share a common list of known spammer domain/IP to blacklist (with some failsafe of course).
-
Another 20 or so overnight. This is going to become a very tedious part of life. Dealing with them is a very labor intensive process.
-
Same here overnight on mastodon.me.uk. Looks like someone wrote a new script and hit a bunch of us.
-
I ended up banning two ASes: https://ipinfo.io/AS200557 & https://ipinfo.io/AS50896
-
Can you block an AS in Masto?
-
Nope, directly with nginx:
-
@PoGo606 No, they eventually went away. I had a recent much smaller wave of bots but it was manageable. It would be nice to have some helpful tooling for the inevitable next wave, though.
-
Sources of IP addresses that possibly should not be allowed to register, at least more than once by default:
-
My local timeline has been filling up with spam recently. Here's what happens each time:
Here are a few things that would make this workflow a lot easier:
/admin/accounts/[...]
).master
(If you're a user, don't worry about this).