Currently sleeping the sleep of the righteous, @andrew was up way too late building tools to fend off the current wave of fedi spam, playing whack-a-mole with bad accounts, and getting fedi friends up and running with their own blocklists.
I’d like to convene a discussion this week or next to do a mini retro on this attack and some #designthinking work around fedi spam fighting tools. If you’re interested in the discussion, @ me your email or send one to spamretro at hypatia dot ca and I’ll loop you in on it 🙏
Would love to have a proper UR/UX person on the call, I’m a mere amateur at that part 😅
Going to add the #mastoadmin and #fediblockmeta tags to this and boost; if you’re seeing this show up on your timeline, @leigh is organizing a mini retro on the spam wave that’s been ongoing here on the fediverse (in the post I’m replying to) and if you’re interested, check it out!
The current spam issue highlights EXACTLY why I made my own server and locked down registration. I don’t have time to actively moderate, anyone on my server I know is pretty chill from dealing with them personally.
If you don’t have the ability to monitor your server 24/7 with a team, don’t leave registration open. Lock it down. Now hundreds of small instances are waking up to headaches cleaning users out or finding they were blocked. #Mastodon #fediblockmeta #cybersecurity #infosec #spam
For Sharkey/Misskey users, update to the latest dev for the email domain block feature. Then copy and paste the temporary/disposable email domain list to Blocked Email Domains in Security under Control Panel.
I would like to congratulate all the fuckers who DM me for using fediblock wrong one time since I didn't know the fucking #FediblockMeta existed, great way to communicate guys clearly.
Not even 5 minutes between OP and edit, but I guess that's enough to attack another #fediadmin.
EDIT: I will start defederating instances at this point, FFS.
someone on a Japanese hacker forum decided it was a good idea to spam the entire Fediverse because they wanted to cancel a minor that DDoSed a Discord bot which apparently made them lose millions (what?)
A Discord bot. I can't make this shit up man.
The real culprit seems to be someone who goes by mumei in the ctkpaarr.org forums, whose first post was literally a threat to ap12, that if they don't delete their "Kuroneko Server" Discord bot, they will spam every blog, forum and SNS and cancel him.
This shit is ridiculous.
The ap12 account from mastodon-japan was actually fake, and this dude impersonated a minor to get all of the Fediverse (us) to bully him.
It seems this happens occasionally on #fedi where malicious users decide to take advantage of instances with poor moderation to spam widely.
There are many solutions, but let me offer a simple change that stops spam dead in its tracks:
#nodebb has a post queue built in. If you have 0 reputation, you need your post to be manually approved. You can adjust this as needed, but even the default (allow regular posting after 1 upvote) is sufficient. Stops 👏spam 👏 cold 👏.
Today's attack proved that the Fediverse is unfortunately pretty vulnerable even to just a skid (or maybe the OP who warned the skid).
The causes of the attack include:
Insufficient moderation on some servers allowing mass account creation.
No good methods to filter out even just a keyword for an entire instance.
Even though most of us survived the first wave, we have to prepare for the second and future ones:
Servers should enable the equivalent feature in their software that enables moderators to check if an account is ok first before letting them post anything.
Mastodon, Misskey and major software should implement a regex filter that ignores posts from any instances.
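The two mitigations in the post above (hold posts from not-yet-approved accounts for a moderator, and apply one regex keyword filter instance-wide, including to posts arriving from other instances) can be sketched as a single triage step. This is an added example, not code from Mastodon, Misskey or any poster here; the instance name, the phrase list, the "five distinct mentions" flood threshold and the sample posts are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed instance-wide phrase list; a real admin would keep this in config.
BLOCKED_PHRASES = ["buy followers now", "sample spam phrase"]
# Fediverse-style mentions: @user or @user@instance
MENTION_RE = re.compile(r"@([A-Za-z0-9_]+)(?:@([A-Za-z0-9.-]+))?")


@dataclass(frozen=True)
class Post:
    author: str   # "user@instance"
    text: str


def compile_rules(phrases):
    """Turn plain phrases into case-insensitive whole-word regexes; keep the phrase for reporting."""
    return [(p, re.compile(r"\b" + re.escape(p) + r"\b", re.IGNORECASE)) for p in phrases]


def distinct_mentions(text):
    """Set of distinct @mentions in the text, case-folded."""
    return {m.group(0).lower() for m in MENTION_RE.finditer(text)}


def triage(post, local_instance, approved_accounts, rules, mention_flood=5):
    """Decide what happens to a post before it reaches any timeline.

    Returns (decision, reasons). decision is "publish", "queue" (local author: hold
    for a moderator, like a post queue) or "hide" (remote author: we cannot queue it,
    so keep it out of local timelines)."""
    reasons = []
    instance = post.author.rsplit("@", 1)[1]
    is_local = instance == local_instance
    if is_local and post.author not in approved_accounts:
        reasons.append("unapproved_account")
    for phrase, rx in rules:
        if rx.search(post.text):
            reasons.append(f"keyword:{phrase}")
    if len(distinct_mentions(post.text)) >= mention_flood:
        reasons.append("mention_flood")
    if not reasons:
        return "publish", reasons
    return ("queue" if is_local else "hide"), reasons


# Constructed sample data (assumed local instance name and accounts).
LOCAL = "example.social"
APPROVED = {"alice@example.social"}
RULES = compile_rules(BLOCKED_PHRASES)
SAMPLE_POSTS = [
    Post("alice@example.social", "morning all, coffee first"),
    Post("newbie@example.social", "hi! first post here"),
    Post("drone7@remote.example", "@a@x.example @b@y.example @c @d @e buy followers NOW"),
    Post("carl@remote.example", "@alice @bob see you now?"),
]

if __name__ == "__main__":
    for p in SAMPLE_POSTS:
        decision, reasons = triage(p, LOCAL, APPROVED, RULES)
        print(f"{decision:7} {p.author:24} {', '.join(reasons)}")
```

The design choice worth noting is the split between "queue" and "hide": a local post can sit in a moderator queue until a human clears the account, but a post that has already been federated in cannot be held back at the origin, so the only instance-wide option is to keep it out of local timelines.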
Between 5:12am and 6:15am UTC mstdn.plus was hit with 111 registrations that are suspected to be part of the Japanese-language #spam. (They have been intercepted and no spam resulted.)
The accounts have "$USERNAME@chitthi.in" as email.
They appear to be using Tor exit nodes. Some IPs involved (number of accounts):
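The signals in the mstdn.plus report above (a burst of registrations in one hour, every account with a "$USERNAME@chitthi.in" address, a handful of IPs each creating several accounts) are exactly what an admin can check in a signup log, and the same check covers the "Blocked Email Domains" list the Sharkey/Misskey post earlier recommends. The script below is an added example, not code from mstdn.plus or any fedi software; the log format, the timestamps, usernames and IPs are constructed, and only the email-address shape comes from the post.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample signup log, one "timestamp username email ip" record per line.
# Not real mstdn.plus data; the kuro_NN@chitthi.in shape mirrors the post above.
SAMPLE_SIGNUPS = """\
2024-02-17T05:12:03Z alice alice.smith@example.org 203.0.113.10
2024-02-17T05:12:41Z kuro_01 kuro_01@chitthi.in 198.51.100.7
2024-02-17T05:13:05Z kuro_02 kuro_02@chitthi.in 198.51.100.7
2024-02-17T05:13:50Z kuro_03 kuro_03@chitthi.in 198.51.100.9
2024-02-17T05:20:12Z kuro_04 kuro_04@chitthi.in 198.51.100.7
2024-02-17T05:44:00Z bob bob.j@example.org 203.0.113.11
2024-02-17T06:10:33Z kuro_05 kuro_05@chitthi.in 198.51.100.9
2024-02-17T09:00:00Z carol carol@example.net 203.0.113.12
"""

# Constructed blocklist, the kind an admin pastes into a "Blocked Email Domains" setting.
BLOCKED_EMAIL_DOMAINS = {"chitthi.in"}
ONE_HOUR = timedelta(hours=1)
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([^@\s]+)@(\S+)\s+(\S+)$")


def parse_signups(text):
    """Parse the log into dicts with a parsed timestamp, username, email parts and IP."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ts, user, local, domain, ip = m.groups()
        rows.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "username": user, "local": local, "domain": domain.lower(), "ip": ip,
        })
    return rows


def busiest_window(times, window=ONE_HOUR):
    """Largest number of events that fall inside any window of the given length."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def count_by(signups, key):
    """Counter of signups per value of `key`, e.g. accounts per IP as in the post."""
    return Counter(s[key] for s in signups)


def flag_signups(signups, blocked_domains=BLOCKED_EMAIL_DOMAINS, threshold=3, window=ONE_HOUR):
    """Return {username: [reasons]} for every signup that trips a strong signal.

    Strong signals: blocked email domain, or the domain / source IP registering
    `threshold` or more accounts inside one `window`. A domain or IP that peaked
    once marks all of its signups, since the whole batch deserves a look."""
    by_domain, by_ip = defaultdict(list), defaultdict(list)
    for s in signups:
        by_domain[s["domain"]].append(s["time"])
        by_ip[s["ip"]].append(s["time"])
    domain_peak = {d: busiest_window(t, window) for d, t in by_domain.items()}
    ip_peak = {ip: busiest_window(t, window) for ip, t in by_ip.items()}

    flagged = {}
    for s in signups:
        reasons = []
        if s["domain"] in blocked_domains:
            reasons.append("blocked_email_domain")
        if domain_peak[s["domain"]] >= threshold:
            reasons.append("email_domain_burst")
        if ip_peak[s["ip"]] >= threshold:
            reasons.append("ip_burst")
        # Weak signal (mailbox name identical to the handle); only recorded next to a strong one.
        if reasons and s["local"] == s["username"]:
            reasons.append("email_local_part_equals_username")
        if reasons:
            flagged[s["username"]] = reasons
    return flagged


if __name__ == "__main__":
    rows = parse_signups(SAMPLE_SIGNUPS)
    print("signups per IP:", dict(count_by(rows, "ip")))
    for user, reasons in flag_signups(rows).items():
        print(f"hold for review: {user:8} {', '.join(reasons)}")
```

The sliding-window count is deliberately separate from the blocklist check: a blocklist only catches the domain you already know about, while the burst check fires on the next wave even before its email domain has a name.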
There's currently an incident involving some kind of Japanese skids who call themselves the "Kuroneko" organization.
They seem to be attempting to commit DDoS attacks on Misskey servers, constantly creating new accounts on compromised instances and spamming advertisements for their hacking services.
Admins who are federating with these compromised servers, while they might not get compromised themselves, may be affected by the sheer amount of traffic volume from their spam.
Admins are advised to #fediblock or temporarily stop sending requests to affected servers for now, if they don't want to get secondhand DoS'd.
IMO I never expected them to be Japanese out of all things, kinda funny. They also host VOICEROID and VOICEVOX TTS bots on their Discord apparently. Kinda a weird flex I guess.
#fediblockmeta I only have a limited view into the discussions regarding that bridge to bluesky, but I already have seen one post calling to block not just the bridge, but also the instance/wordpress blog of its creator.
Is there any good reason to do so, except wanting to punish the creator(s) over a service that seemingly can be blocked like any other instance (assuming I can trust them on this)?
A big part of getting the world to embrace the open web was just getting people to understand it. That you had to experience it for a while, and maybe even do a little programming or fuck up some settings to wrap your head around it. Only then, could we consider the cultural repercussions. Didn't the term #grok evolve out of that experience?
It's the very early days of decentralized social networks. We have no idea what moderation will look like when everyone is here. #fediverse #fediblockmeta
I don't know that mastodon dot social uses any of those lists, but they are constantly brought up. We've discussed moderation à la gentrification before. I posted a lot on the #fediblockmeta hashtag yesterday.
What if every server made its moderation decisions fully public on a page and as data? In such a way that other servers like fedidb could easily compile and display it in a sortable way. We'd be able to see the endless shit that comes from a few servers targeted at people on other servers (slurs and names redacted) vs complaints about content deemed as "bad" by a few servers that only their followers would ever see. Let admins peruse that in order to make their mod decisions. #fediblockmeta
Moderation on the #fediverse is awesome, but the way it's widely implemented is holding us back. We come off as unwelcoming. There is a sense that we are scolds, telling people how to use it. And while we are built to be as diverse in opinions as the open web, we don't have the same ethic of post whatever you want on your own site. Instead we do the equivalent of trying to block linking to "bad" sites. We should police harassment hard but never go beyond that. Trust our tools. #fediblockmeta