The recent spam wave which was somewhat easily mitigated encouraged a lot of discussion on the distributed Mastodon moderation and sign-up process.
Solutions like CAPTCHAs and rate limiting sign-ups have been suggested, typically with an implicit idea that we need to find a one-size-fits-all security solution which every Mastodon instance can deploy.
We actually don't. It's better if some Mastodon instances use one CAPTCHA, some another, so at least the work needed to get through one of them doesn't lead to a golden treasure trove of access to all Mastodon instances.
CAPTCHAs are easily subverted nowadays. ChatGPT can solve most of them without any tuning. Additionally, these CAPTCHA services are often free because they track people and sell their browsing information.
My instance holds a policy of accepting memberships only from people I know personally. This is obviously hyper-resistant to spam, but being a micro-instance makes it a bit difficult to build trust among other instances as far as that is required for federation. Can't have it both ways. Also, if every instance did this, new joiners would have difficulty in finding an instance which accepts them as members. So, this isn't a one-size-fits-all policy.
Regardless, if we have a lot of micro-instances with vetted memberships, they take some pressure off of generalist instances, so they can make their intake rates more manageable.
It is not the purpose of a Mastodon instance to take in as many users as possible.
As an ecosystem, we are more robust and less exploitable if we do things differently from one another, and only take in as many new users as we can moderate. One-size-fits-all solutions make us more fragile and more easily exploitable.
