Hello, lemmings!
I want to write a quick post about the recent wave of spam users on the federated network, and what steps I am taking to protect lemm.ee.
TL;DR:
- Tens of thousands of bots are signing up on small unprotected Lemmy instances. lemm.ee has not been targeted so far.
- To protect lemm.ee users from spam, I am going to start defederating such instances immediately.
- If spam bots start signing up on lemm.ee in the future, I will be (temporarily) closing new sign-ups until we have better tools to deal with bots.
Read on for more details!
Background
In the past few days, the growth of Lemmy user counts across the whole network has increased exponentially:
While there’s no question that this growth includes a big amount of real people coming over from Reddit, unfortunately, there is also a huge amount of automated sign-ups by bots.
For now, lemm.ee has not been affected by automated sign-ups. Bots seem to be avoiding instances which employ some or all of the following protections:
- E-mail verification
- Captcha on sign-up
- Sign-up applications with manual review
Currently, lemm.ee employs e-mail verifiaction and captchas.
There is a large amount of instances out there which don’t employ any of these protections. These are the instances the bots are mainly targeting. Most of these instances seem to be very small and not very active (often having <10 organic users and very few communities or posts). Some of these instances have taken notice of the bots and have begun taking steps to remove the bots and tighten up their sign-ups, but the majority have done nothing to combat the situation.
If you’re interested, I am maintaining a (non-comprehensive) list of most likely affected instances here. I have been updating it every now and then since yesterday in hopes of seeing positive change, but unfortunately, the situation seems to be getting worse.
Up until yesterday, these bots were mostly just quietly sitting there, but as of today, the bots have started posting spam. I have already been moderating several cases of automated spam, but I can only do this reactively.
Current solution: defederating spambot-infested instances
As I have mentioned previously in other threads, I do not really want to defederate any legitimate instances, but I will defederate instances which are actively making Lemmy worse for lemm.ee users. It seems clear in this case that the bots are planning to create a bad experience for all legitimiate users, and that the only way to really limit the effect of these bots is to defederate the instances where they are joining uncontrollably.
This is a lose-lose situation - if we don’t defederate them, then we risk exposing all lemm.ee users and communities to massive amounts of spam, but if we do defederate them, we are cutting off small instances who are clearly already struggling. I really like the idea of federated networks and people being able to curate their own feed from whatever instances they enjoy, so I do not make any defederation decisions lightly. At the end of the day, I can only choose the lesser evil, which at the moment does seem to be defederation.
Going forward, I will be regularly checking for spambot instances. If I detect new ones, I will be defederating lemm.ee from them immediately. Less regularly, I will also be checking to see if any of the instances have taken steps to deal with the bots - if they have, then I am planning to federate with them again.
If anybody is interested in getting a cleaned up instance federated again, feel free to contact me over DM (if you’re currently defederated, you can contact me on Matrix: @sunaurus:matrix.org).
What is the criteria for defederation?
While I don’t want to give out the exact details (it would just help spam bots with evading defederation), I can tell you in broad strokes that I am focused on defederating small instances with unnaturally huge user growth. I am currently not planning to defederate any popular instances with large communities and active moderation.
What does defederation mean for me as a lemm.ee user?
- You will not be able to see any new posts or comments from defederated instances made on ANY instance.
- You will still be able to see old ones that they made before defederation
- Users from defederated instances will not be able to post or comment at all in communities hosted on lemm.ee
Future: if lemm.ee gets hit by spam bots, then sign-ups will be (temporarily) closed
While it’s true that we so far have not had a problem with automated sign-ups at lemm.ee, it is for sure possible that the bots in the future will be improved to automate e-mail verification and captcha solving. I do have some additional measures in place already to protect us, but nothing is guaranteed.
If it does happen that lemm.ee sign-ups become a target for spam sign-ups, I am intending to completely close sign-ups until there are better tools to deal with bots. There are several such tools already proposed, and I am planning to start development on one of them next month, so hopefully any potential closing of sign-ups would not last very long!
I want to emphasize that even if we end up closing sign-ups, your communities on lemm.ee will still be able to grow. As always, users from any federated instance will be able to subscribe to your communities and interact in all the ways that a local lemm.ee user would be able to.
To conclude, I really hope that this news does not ruin the experience for any of our users.
It’s honestly a really bad situation and I wish I wouldn’t have to be writing this post right now, but the reality is that things like this happen from time to time. We just have to deal with it in the best ways that we can. If you have any feedback or thoughts about any of this, please leave a comment below!
I just want to take this opportunity to say - I’m a real person! :)
Let me guess GuyDudeman, you also work in the “business factory” ? How do we know that you aren’t just 3 bots stacked on top of each other in a trench coat?
That’s easy. Robots weigh a lot more than people. And they definitely weigh more than a duck. So if it wieghs the same as a duck… Then GuyDudeman must be a witch. Burn him! Burn him!
I am one of the people of all time.
Nice try, bot.
It’s pretty darn interesting that instead of an entire site having to deal with spam issues, you can simply cut them off the back of the train before they latch onto you! And the future of Lemmy is easily gonna be based on safe sign-in instances and bots are merely gonna push people to that. All solvable with time and proper responses like this in this changing age.
Looking at it differently, instead of a centralized anti-spam approach, you now depend on numerous instance admins taking anti-spam measures, and/or your instance admin to not only take anti-spam measures on their own instance but evaluate and moderate other instances too.
In my head, I think the future will lead to a bunch of community moderators coming together to create some kinda League of Extraordinary Instances. A place where these moderators gather and keep their sites and those they help look out for in top shape. All community driven. Things might be messy now, but this might eventually set into place… Hell, it may have already happened with just how fast news spread of reddit 3rd party app designers working on Lemmy versions. Exciting messy times we’re in!
I’m sure a captcha would stop all bots. They are robots so they won’t press on the “I’m not a robot” prompt 😎😎😎 easy fix
I agree with this entirely. Defed the instances that are allowing spam to rise. They will bring all the other instances down if no action is taken. This is all part of natural selection.
I’m so glad I chose this instance, keep up the fantastic work.
Thanks for all the hard work your putting on this. Initially I thought that running an instance would pretty much have monetary cost only and not much time invested after things were set up. But looks like this is consuming your time as much as a full time job, all to make our experience better. Thanks a lot
I’ve heard many people lamenting defederation. Mindful defederation is an extremely important tool to prevent abuse, both by malicious actors and by corporate interests (“They’re the same picture”), especially in this time of rapid fediverse expansion. It is important for instance operators to understand that “If you don’t play nice, you will be forced to sit in the corner.” Demonstrating the consequences of “not playing nice” will sort out not only the present issues with bot accounts, but also act as a warning to other instances and potential instances.
Rather than lamenting defederation, I believe that mindful defederation should be applied with some haste, at least for now. As you mentioned, it does not have to be permanent. It’s like a nuclear bomb that you can unexplode.
Important to note that if a user is affected by defederation from a particular instance, they can always make a separate account on an instance with, or federated with, the content/communities they want to interact with. It seems as though defederation creates a gap between unwanted instance interaction, but doesn’t banish a user (unless their individually booted).
Thanks for your work on this matter.
How does one figure out that there are 10,000 bots joining? I am assuming they don’t self identify.
There’s no guaranteed way, but there are some pretty good indications. To be honest, it’s better to not share this info publicly, because bot makers can use it to try and evade detection.
Thank you for always being at the forefront of the fight against problems that affect Lemmt. I’m glad I chose this instance as my home.
Completely unrelated, but lemmys.ee would be a great instance domain name.
Thank you for doing this. I have been watching the user stats, and it’s very clear which instances are being targeted.
Defederation should only be considered when there is a potential for serious damage to the community. Given the volume of spambots (there are a few small instances with >10,000 new “users”), defederation is the right solution in these cases. No amount of extra mods can help delete comments from tens of thousands of spambots. If it’s a more manageable number of bad actors, then defederation should not be used (looking at you, beehaw).
I don’t know if you want to comment publicly, but I remember seeing some discussion with the lemmy devs over implementation of captcha. Was that resolved?
There are now plans for an improved captcha & it seems like the existing weak captcha (which was previously removed for 0.18) is being re-added into the code as a temporary solution!
Can we have a public, continuously updated list of communities we are defederated from?
when you’re on the lemm.ee instance, scroll to the very bottom of the page and click on the “instances” link. that page shows “linked” instances on the left column and “blocked” instances on the right column. “linked” are the instances we’re federated with(grows naturally), and “blocked” are the instances that sunaurus elected to defederate with. you can go to any instance and look at their lists too, even without an account, so they are very publicly visible.
is that what you’re looking for?
side-note: before today our blocked instances list was empty every time i checked, which i do fairly often.
As a newcomer, I’d also be interested in a bit more than just the instance’s linked/allow/block list but also having some sort of insight as to the reasons that brought said
defenestration(kinda like this typo actually) defederation.
I’m still getting my bearings, maybe our admin already has a community or thread somewhere about that.
I feel like a link to that from the instance’s sidebar would be a nice thing to have.Edit:missing word
i like your concept. i think that something like that would be a convenient/useful feature.
That’s awesome, thanks for the info. I didn’t realize that existed
Sounds sensible. Lemmy is going to have a rough time as reddit burns, if people come on mass the current growth rate is only going to look small by comparison. Using the tools federation gives you seems to be the right way to handle it.
Spam has long been the corrosion eating away at internet services. It killed Usenet, and nearly did email.
I think this is a good idea… Some instances don’t seem to take action and are growing quickly!
I’m gonna do the same on Geddit to be sure 👌🏻🥰
