Hello, lemmings!

I want to write a quick post about the recent wave of spam users on the federated network, and what steps I am taking to protect lemm.ee.

TL;DR:

  • Tens of thousands of bots are signing up on small unprotected Lemmy instances. lemm.ee has not been targeted so far.
  • To protect lemm.ee users from spam, I am going to start defederating such instances immediately.
  • If spam bots start signing up on lemm.ee in the future, I will be (temporarily) closing new sign-ups until we have better tools to deal with bots.

Read on for more details!

Background

In the past few days, the growth of Lemmy user counts across the whole network has increased exponentially:

While there’s no question that this growth includes a big amount of real people coming over from Reddit, unfortunately, there is also a huge amount of automated sign-ups by bots.

For now, lemm.ee has not been affected by automated sign-ups. Bots seem to be avoiding instances which employ some or all of the following protections:

  • E-mail verification
  • Captcha on sign-up
  • Sign-up applications with manual review

Currently, lemm.ee employs e-mail verifiaction and captchas.

There is a large amount of instances out there which don’t employ any of these protections. These are the instances the bots are mainly targeting. Most of these instances seem to be very small and not very active (often having <10 organic users and very few communities or posts). Some of these instances have taken notice of the bots and have begun taking steps to remove the bots and tighten up their sign-ups, but the majority have done nothing to combat the situation.

If you’re interested, I am maintaining a (non-comprehensive) list of most likely affected instances here. I have been updating it every now and then since yesterday in hopes of seeing positive change, but unfortunately, the situation seems to be getting worse.

Up until yesterday, these bots were mostly just quietly sitting there, but as of today, the bots have started posting spam. I have already been moderating several cases of automated spam, but I can only do this reactively.

Current solution: defederating spambot-infested instances

As I have mentioned previously in other threads, I do not really want to defederate any legitimate instances, but I will defederate instances which are actively making Lemmy worse for lemm.ee users. It seems clear in this case that the bots are planning to create a bad experience for all legitimiate users, and that the only way to really limit the effect of these bots is to defederate the instances where they are joining uncontrollably.

This is a lose-lose situation - if we don’t defederate them, then we risk exposing all lemm.ee users and communities to massive amounts of spam, but if we do defederate them, we are cutting off small instances who are clearly already struggling. I really like the idea of federated networks and people being able to curate their own feed from whatever instances they enjoy, so I do not make any defederation decisions lightly. At the end of the day, I can only choose the lesser evil, which at the moment does seem to be defederation.

Going forward, I will be regularly checking for spambot instances. If I detect new ones, I will be defederating lemm.ee from them immediately. Less regularly, I will also be checking to see if any of the instances have taken steps to deal with the bots - if they have, then I am planning to federate with them again. If anybody is interested in getting a cleaned up instance federated again, feel free to contact me over DM (if you’re currently defederated, you can contact me on Matrix: @sunaurus:matrix.org).

What is the criteria for defederation?

While I don’t want to give out the exact details (it would just help spam bots with evading defederation), I can tell you in broad strokes that I am focused on defederating small instances with unnaturally huge user growth. I am currently not planning to defederate any popular instances with large communities and active moderation.

What does defederation mean for me as a lemm.ee user?
  • You will not be able to see any new posts or comments from defederated instances made on ANY instance.
    • You will still be able to see old ones that they made before defederation
  • Users from defederated instances will not be able to post or comment at all in communities hosted on lemm.ee

Future: if lemm.ee gets hit by spam bots, then sign-ups will be (temporarily) closed

While it’s true that we so far have not had a problem with automated sign-ups at lemm.ee, it is for sure possible that the bots in the future will be improved to automate e-mail verification and captcha solving. I do have some additional measures in place already to protect us, but nothing is guaranteed.

If it does happen that lemm.ee sign-ups become a target for spam sign-ups, I am intending to completely close sign-ups until there are better tools to deal with bots. There are several such tools already proposed, and I am planning to start development on one of them next month, so hopefully any potential closing of sign-ups would not last very long!

I want to emphasize that even if we end up closing sign-ups, your communities on lemm.ee will still be able to grow. As always, users from any federated instance will be able to subscribe to your communities and interact in all the ways that a local lemm.ee user would be able to.

To conclude, I really hope that this news does not ruin the experience for any of our users.

It’s honestly a really bad situation and I wish I wouldn’t have to be writing this post right now, but the reality is that things like this happen from time to time. We just have to deal with it in the best ways that we can. If you have any feedback or thoughts about any of this, please leave a comment below!

  • SeeJayEmm
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    So I’ve been messing around with standing up my own instance (mostly as a learning tool) and near as I can tell, even with email verification and registration required it still creates the user, they’re just not enabled. How are you differentiating between servers with a large amount of unverified accounts vs servers with open signups?