To all Fedi Admins Currently Being hit with a Spam Wave:
This kind of spam is now over! Unmute all the instances no longer on my list!
I've just released v4.0.0 of The UNmute List! I'd be very happy about a small donation because I have very little time and I cannot really justify working on this list with my current schedule.
There is a new type of spam, the same instances are affected as before. Those responsible in Japan are said to have been arrested.
Simply import this list and you'll mute the 47 worst spam instances currently known to me! I've worked on it for multiple weeks, sometimes ~9 hours at a time verifying all lists sent to me manually.
Limit first, defederate only in worst situations!
Consider re-federating with and un-silencing any of the mentioned instances once the spam is mitigated. The admins of some of these may have just been asleep when this all started.
Ban Spam Accounts via their E-Mail Domain
Block the following E-Mail Domain and whatever temp Mail provider it resolves to: chitthi.in
Just to be safe, block these ones too (same provider)
mailto.plus
fexpost.com
fexbox.org
mailbox.in.ua
any.pink
All our spam accounts came from these E-mails.
Since you probably have some of these accounts sleeping:
https://[your-instance.tld]/admin/accounts?email=%25%40chitthi.in there just select all and press “Ban”.
Find Remaining Spammers
I've seen instances that fixed the spam issue but began being hit later again. The spammers might use new E-Mails, so here is a way to find and block them anyway:
These spammers seem to be using the TOR Network as all of their IPs are TOR Exit Node IPs, hence an idea (with some collateral damage if executed) would be to ban all TOR exit node IPs for sign ups. I am personally against this idea as you'd also prevent users who simply wish to stay anonymous online (political refugees, leakers of important documents, etc.) from using your platform. For now, simply banning every user using a particular Spammer IP will not help and will merely ban users that try to stay anonymous! Not necessarily the spammers.
How To Block All Temp E-Mails in the Future
If you want to prevent this from ever happening again, you should block E-Mails from Temporary Mail providers altogether:
In future updates on Mastodon, maybe Admins can simply click a button that says “Ban Temp E-Mail Providers” Automagically from the E-Mail Menu? There could be E-Mail categories that can be banned, such as temporary mails.
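An offline sweep for the e-mail domains listed above, as an added example that is not part of the original post or of Mastodon. The (username, e-mail) rows are constructed, example.social is a placeholder instance name, and treating subdomains of a listed domain as matches is an assumption of this example.

```python
from urllib.parse import quote

# E-mail domains named in the post above.
BLOCKED_DOMAINS = frozenset({
    "chitthi.in", "mailto.plus", "fexpost.com",
    "fexbox.org", "mailbox.in.ua", "any.pink",
})

def email_domain(address):
    """Return the normalised domain of an address, or None if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    domain = domain.rstrip(".").lower()
    if not sep or not local or "." not in domain:
        return None
    return domain

def blocked_parent(address, blocked=BLOCKED_DOMAINS):
    """Return the listed domain an address falls under, else None."""
    domain = email_domain(address)
    if domain is None:
        return None
    labels = domain.split(".")
    # Compare the full domain and each parent suffix, stopping before the bare TLD,
    # so mail.fexpost.com matches but notchitthi.in does not.
    for start in range(len(labels) - 1):
        candidate = ".".join(labels[start:])
        if candidate in blocked:
            return candidate
    return None

def admin_search_url(instance, domain):
    """Build the admin account search from the post (the %@domain pattern)."""
    return f"https://{instance}/admin/accounts?email={quote('%@' + domain, safe='')}"

def sweep(accounts):
    """Group usernames from (username, email) pairs by the listed domain they hit."""
    hits = {}
    for username, email in accounts:
        domain = blocked_parent(email)
        if domain:
            hits.setdefault(domain, []).append(username)
    return hits

# Constructed sample rows, not real accounts.
SAMPLE_ACCOUNTS = [
    ("alice", "alice@example.org"), ("zx81q", "zx81q@chitthi.in"),
    ("k9m2", "K9M2@Mail.FexPost.com."), ("bob", "bob@notchitthi.in"),
    ("p0p", "p0p@any.pink"), ("broken", "no-at-sign"),
]
```
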
Why did this happen?
The real reason hundreds of us spent hours of our days during the spam on mitigating it is the following:
We, the moderation and administration of tech.lgbt, are signing the Anti-Meta Fedi Pact in fellowship with our peer communities. (https://vantaa.black/pact)
There is over a decade of precedent that Facebook will not have users' best interests as their guiding principle but rather profit margins, if it joins the Fediverse.
We at tech.lgbt have long held the belief that corporation owned instances are a threat to the core of the Fediverse: freedom for users to be themselves and to be a part of their communities. The 2010s saw the loss of online freedom when the majority of the Web was consolidated into a few destinations, and Facebook entering here could lead us back to centralization. Furthermore, NDAs for server admins will constrain our sovereignty online by binding us legally from disrupting their business.
We are not products. We are people, and we do not welcome Facebook in this space.
There's a lot of shit flying in the #Fediverse lately and a lot of times perspective seems to get lost. Yes, there are things we need to talk about, and yes there are things we will not agree on. And that's okay.
But leave the pitchforks and torches out of this.
Fedi admins put in the hours and effort and emotion into making fedi happen. Sometimes they make decisions we might not agree with. We should criticize, but we should not pile-on.
The reason I'm suggesting this, is because if you are a small/medium instance with open registrations, and spammers find and abuse your instance, I imagine that other instances will limit/suspend your instance without hesitation, given how willing some were to limit/suspend the much larger mastodon.social.
But do note this comment on the PR:
“To give some context to people seeing this: this is an emergency feature backport from Glitch SOC to help mitigating an ongoing spam wave, this feature may not make it in a next release, or with significative changes.”
Edited to add: multiple people have rightly commented on the accessibility concerns with hCaptcha: hCaptcha is really really really bad for blind and visually impaired people.
Please have a look at this excellent reply for more details:
As instance #admin I do NOT want to moderate DMs. The last three spam waves from mastodon.social however were sent as DMs.
I therefore urge @Gargron to make it the default that DMs can only be sent between users that have a follow relationship.
The current default is that anyone can send anyone DMs. I consider this to be a loophole that spammers will continue to exploit, causing a lot of extra work for site admins in an area they should keep out of, in the interest of user privacy.
Someone on a Japanese hacker forum decided it was a good idea to spam the entire Fediverse because they wanted to cancel a minor that DDoSed a Discord bot which apparently made them lose millions (what?)
A Discord bot. I can't make this shit up man.
The real culprit seems to be someone who goes by mumei in the ctkpaarr.org forums, whose first post was literally a threat to ap12, that if they don't delete their "Kuroneko Server" Discord bot, they will spam every blog, forum and SNS and cancel him.
This shit is ridiculous.
The ap12 account from mastodon-japan was actually fake, and this dude impersonated a minor to get all of the Fediverse (us) to bully him.
#FediblockMeta
Most SM platforms lack capacity to handle reports that refer to anti-Indigenous abuse or behaviour. So, some tips for #FediAdmin and mods when receiving reports about racism and harassment targeted at #Indigenous people - from an Indigenous mod from so-called Australia with both lived and professional experience:
In addition to universal slurs & offensive terms used against Indigenous people, there's also geographical terms. If in doubt, ask for advice.
Non-Indigenous people questioning an Indigenous person's identity, culture, connections, lived experiences etc is racist. It doesn't matter if there was "good intent".
The above behaviour is often gaslighting or DARVO. It's a tactic used to silence Indigenous people, and discredit them.
Non-Indigenous people using blood quantum or light skin appearance to silence, question or harass an Indigenous person is highly racist. And is another tactic anti-Indigenous racists use.
[In so-called Australia, non-Indigenous people weaponising/discussing BQ and appearance of Indigenous people is highly offensive, as it was a eugenic tool used to excuse genocide]
Racism against Indigenous people, especially from centralists or leftists, is often masked by paternalism, sealioning, race-based micro-aggressions, and whitesplaining.
6 Things bystanders/racist apologists do that make it worse - a) offering support to the abusers. b) replying to Indigenous people who are being racially attacked with comments such as: "I didn't see any racism" "You're the racist" "Get help for your trauma" "They're always nice to me" "They're an ally, so be nicer to them".
Indigenous peoples are not a homogeneous group. So you can't always apply local information you know to reports. If in doubt, reach out to someone from that region with experience.
Outspoken Indigenous people, or those with a public profile (ie journalists, authors, actors, politicians, activists, academics, large followings), are commonly racially abused on social media platforms. Believe us when we make reports or speak up, as we are familiar with all the tactics racists use.
There are very few Indigenous mods on Mastodon, and even less Indigenous mods. But we all want to see anti-Indigenous abuse and behaviour addressed. If in doubt, reach out to us.
Please don't hesitate to take action when anti-Indigenous racism & behaviour is reported. Let's not duplicate the problems of other social media platforms. Be #AntiRacist - always
I want to warn all admins of an instance that is specifically for PEDOPHILES. I just had to deal with finding childlove.space, I hope none of your users will have to see that.
PLEASE defederate with childlove.space.
I would encourage everyone to either make a post of their own about this, or boost for visibility.
If you're creating custom emoji, remember to fill in the section marked "Shortcode" with a short text description of the emoji. Blind people's screen reader software will be able to read the shortcode aloud so that they can hear what the emoji is.
If the emoji's shortcode includes multiple words, split them up with underscores like_this or CamelCase, so that screen readers will be able to read each word correctly.
If you notice a new account on your instance has a seemingly "real" name attached to their account, it might seem strange at first, but do yourself and Fedi a favor and google that name.
There's some here that are scammers trying to impersonate famous people from somewhat niche entertainment media. Just this morning there was an account registered on a small instance with the name of a professional wrestler.
Thankfully this person had the misfortune of grabbing my attention (wrestling fan) immediately in my timeline and I notified the admin of the potential scam and we were able to mitigate any real harm.
You may not be so fortunate as this in the future.
Some even go so far as to attempt to impersonate lesser known athletes from other professional sports and try to get gullible fans of the team or sport to give them money.
Be safe out there and do your due diligence. It just might save you, your users, or other Fedi users from getting scammed out of their hard earned money.
Thanks for coming to my FED talk. PLEASE boost for reach. This is important.
Tangled Threads: How #Mastodon admins should respond to #Meta and #Threads in a way that protects our users best. Tip: It's not through proactive defederation.
You might have heard of fedi.monster, a self-titled "anarcho-communist collective"
These people help 140 instances (including mine) operate by providing managed hosting to people who don't have the technical backing (or in my case, spoons) to run an instance by themselves.
They've just moved to using OpenCollective for their funding to be upfront about their finances.
Their one sysadmin is looking to take a permanent break and they're aiming to hire people to fill the role; if you know of people with those talents, and who are looking for some work - please get in touch with them at hello@fedi.monster
Otherwise, if you can spare money and want to donate to keep fedi.monster going; you can do that on their OpenCollective page here:
It's been really liberating being able to have my own little corner on the internet and not having to worry & faff with all the associated costs that come with running a Mastodon server.
I really appreciate the work of the people at FediMonster and I hope that they can keep going and providing such a valuable service to the community 💙
After speaking with my co-admin, I've signed the Anti-Meta Fedi Pact (https://fedipact.online). Car Free dot City will not federate with any instance operated by Meta/Facebook.
If you're an admin of a mastodon/fediverse instance you should update your robots.txt to block "GPTBot", the crawler made by OpenAI to feed their machine learning models such as ChatGPT.
This is the easiest way right now to prevent public content from being crawled and fed into their datasets, and due to the nature of federation it works better the more instances that do it.
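A check that a robots.txt change really shuts out GPTBot without changing what other crawlers may fetch, as an added example that is not part of the original post. Both robots.txt bodies, the probe paths, example.social and the control crawler name ExampleSearchBot are constructed for illustration.

```python
from urllib.robotparser import RobotFileParser

# Constructed sample: a file with only a generic rule group.
BEFORE = """\
User-agent: *
Disallow: /media_proxy/
Disallow: /interact/
"""

# The same file with a dedicated group for OpenAI's crawler appended.
# The blank line matters: it closes the previous group.
AFTER = BEFORE + """
User-agent: GPTBot
Disallow: /
"""

# Constructed public paths a crawler would typically request.
PROBE_PATHS = ["/", "/@alice", "/@alice/110000000000000000", "/tags/fediadmin"]

def fetchable_paths(robots_txt, user_agent, host="example.social"):
    """Return the probe paths this user agent may fetch under robots_txt."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return [p for p in PROBE_PATHS
            if parser.can_fetch(user_agent, f"https://{host}{p}")]

def audit(robots_txt, blocked_agents=("GPTBot",), control_agent="ExampleSearchBot"):
    """Return (leaks, control_ok).

    leaks maps each agent that should be blocked to the paths it can still
    fetch; control_ok is True when an unrelated crawler keeps full access
    to the probe paths, i.e. the new group did not over-block.
    """
    report = {agent: fetchable_paths(robots_txt, agent) for agent in blocked_agents}
    leaks = {agent: paths for agent, paths in report.items() if paths}
    control_ok = fetchable_paths(robots_txt, control_agent) == PROBE_PATHS
    return leaks, control_ok
```

robots.txt is only honoured by crawlers that choose to read it, so this check confirms the published policy, not enforcement.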
If you're wanting to prevent the hashtag usage, and just flat-out reject incoming status creations that contain hashtags that are marked as unusable on your server, then this one line patch to #Mastodon will have you covered.
This allows you to dynamically adapt to the hashtags being used for spam, as you can just find them in the admin panel (admin/tags/:id) and uncheck the first checkbox (see image)
Hello all Fedi Admins who have problems with spam!
The Mute List 2.2.2
I have been updating the spam list and found ~104 additional instances that continued spamming! I, with lots of help from other Fedi Admins, have compiled the instances into a list which mutes them, and does not defederate from them!
I'd highly appreciate a small donation here as I've worked really hard and long on creating this, which given my current schedule I can hardly justify! Thanks!
There is a new type of spam, the same instances are affected as before. Those responsible in Japan are said to have been arrested.
Once this list is imported, most of the spam is gone. The whole thing is easy for you, with just one click! In addition, no instance is blocked forever, no followers etc. are destroyed or defederated, only muted. This is very easy to reverse.
You can simply import this list by going to https://yourinstance.tld/admin/export_domain_blocks/new and replacing yourinstance.tld with the domain of the instance you are the administrator of!
Alternatively, you can also click on Settings => Moderation => Federation => Import to import this list.
Note that although all instances can be imported with one click, these instances must be removed individually when the spam is over.
Also note that it only makes sense to import this list and mute the spam instances if you have blocked your spam locally and permanently, as described here.