this post was submitted on 23 Jun 2023
96 points (91.4% liked)

Lemmy

12546 readers
26 users here now

Everything about Lemmy; bugs, gripes, praises, and advocacy.

For discussion about the lemmy.ml instance, go to !meta@lemmy.ml.

founded 4 years ago
MODERATORS
 

Please. Captcha by default. Email domain filters. Auto-block federation from servers that don't respect. By default. Urgent.

meme not so funny

And yes, to refute some comments, this publication is being upvoted by bots. A single computer was needed, not "thousands of dollars" spent.

top 50 comments
sorted by: hot top controversial new old
[–] xtremeownage@lemmyonline.com 23 points 1 year ago* (last edited 1 year ago) (3 children)

Sigh....

All of those ideas are bad.

  1. Captchas are already pretty weak to combat bots. It's why recaptcha and others were invented. The people who run bots, spend lots of money for their bots to.... bot. They have accessed to quite advanced modules for decoding captchas. As well, they pay kids in india and africa pennies to just create accounts on websites.

I am not saying captchas are completely useless, they do block the lowest hanging fruit currently. That- being most of the script kiddies.

  1. Email domain filters.

Issue number one, has already been covered below/above by others. You can use a single gmail account, to basically register an unlimited number of accounts.

Issue number two. Spammers LOVE to use office 365 for spamming. Most of the spam I find, actually comes from *.onmicrosoft.com inboxes. its quick for them to spin it up on a trial, and by the time the trial is over, they have moved to another inbox.

  1. Autoblocking federation for servers who don't follow the above two broken rules

This is how you destroy the platform. When you block legitimate users, the users will think the platform is broken. Because, none of their comments are working. They can't see posts properly.

They don't know this is due to admins defederating servers. All they see, is broken content.

At this time, your best option is for admin approvals, combined with keeping tabs on users.

If you notice an instance is offering spammers. Lets- use my instance for example- I have my contact information right on the side-bar, If you notice there is spam, WORK WITH US, and we will help resolve this issue.

I review my reports. I review spam on my instance. None of us are going to be perfect.

There are very intelligent people who make lots of money creating "bots" and "spam". NOBODY is going to stop all of it.

The only way to resolve this, is to work together, to identify problems, and take action.

Nuking every server that doesn't have captcha enabled, is just going to piss off the users, and ruin this movement.

One possible thing that might help-

Is just to be able to have an easy listing of registered users in a server. I noticed- that actually... doesn't appear to be easily accessible, without hitting rest apis or querying the database.

[–] dessalines@lemmy.ml 9 points 1 year ago (10 children)

This is all 100% correct. People have already written captcha-bypassing bots for lemmy, we know from experience.

The only way to stop bots, is the way that has worked for forums for years: registration applications. At lemmy.ml we historically have blocked any server that doesn't have them turned on, because of the likelihood of bot infiltration from them.

Registration applications have 100% stopped bots here.

[–] eyy@lemm.ee 3 points 1 year ago* (last edited 1 year ago) (1 children)

You're right that captchas can be bypassed, but I disagree that they're useless.

Do you lock your house? Are you aware that most locks can be picked and windows can be smashed?

captchas can be defeated, but that doesn't mean they're useless - they increase the level of friction required to automate malicious activity. Maybe not a lot, but along with other measures, it may make it tricky enough to circumvent that it discourages a good percentage of bot spammers. It's the "Swiss cheese" model of security.

Registration applications stop bots, but it also stops legitimate users. I almost didn't get onto the fediverse because of registration applications. I filled out applications at lemmy.ml and beehaw.org, and then forgot about it. Two days later, I got reminded of the fediverse, and luckily I found this instance that didn't require some sort of application to join.

[–] xtremeownage@lemmyonline.com 2 points 1 year ago

Don't read the first sentence, and then glaze over the rest.

I am not saying captchas are completely useless, they do block the lowest hanging fruit currently. That- being most of the script kiddies.

load more comments (9 replies)
[–] eyy@lemm.ee 1 points 1 year ago

Haven't you heard of the "Swiss cheese" model of security?

The best way to ensure your server is protected is to unplug it from the Internet and put it in an EMF-shielded Faraday cage.

There's always a tradeoff between security, usability and cost.

captchas can be defeated, but that doesn't mean they're useless - they increase the level of friction required to automate malicious activity. Maybe not a lot, but along with other measures, it may make it tricky enough to circumvent that it discourages a good percentage of bot spammers.

load more comments (1 replies)
[–] 2xsaiko@discuss.tchncs.de 21 points 1 year ago (4 children)

As someone with his own email domain, screw you for even thinking about suggesting domain filters.

[–] TWeaK@lemm.ee 10 points 1 year ago

Blacklist domain filters are fine, it's whitelist domain filters that get small personal domains.

[–] Illecors@lemmy.cafe 2 points 1 year ago

Thank you for voicing this out! Was literally my first reaction as well

This. Domain whitelist are the worse thing you can do.

load more comments (1 replies)
[–] Aux@lemmy.world 12 points 1 year ago (7 children)

Lemmy is just getting started and way too many people are talking about defederation for any reason possible. What is even the point of a federated platform if everyone's trying to defederate? If you don't like federation so much, go use Facebook or something.

[–] Nerd02@forum.basedcount.com 2 points 1 year ago (24 children)

This. Defed is not the magic weapon that will solve all your problems. Captcha and email filters should be on by default though.

load more comments (24 replies)
[–] Greenskye@lemmy.world 2 points 1 year ago

My understanding from the beehaw defed is that more surgical moderation tools just don't exist right now (and likely won't for awhile unless the two Lemmy devs get some major help). Admins only really have a singular nuclear option to deal with other instances that aren't able to tackle the bot problem.

Personally I don't see defederating as a bad thing. People and instances are working through who they want to be in their social network. The well managed servers will eventually rise to the top with the bot infested and draconian ones eventually falling into irrelevance.

As a user this will result in some growing pains since Lemmy currently doesn't offer a way to migrate your account. Personally I already have 3 Lemmy accounts. A good app front end that minimizes the friction from account switching would greatly help these growing pains.

load more comments (5 replies)
[–] BornVolcano@lemmy.world 4 points 1 year ago

Image Transcription: Meme


['Man vs. Giant' - Dramatic artwork depicting 'Yhorm the Giant' from 'Dark Souls 3' towering over the protagonist from 'Dark Souls 3', 'Ashen One'. The giant figure holds a massive sword that is planted in the ground with both hands, while the comparitively tiny 'Ashen One' holds a regular sized sword in his right hand and adopts a fighting stance. Text placed over the stomach of the giant character, and over the smaller protagonist figure, reads as follows]

BOTS

LEMMY


^I'm a human volunteer transcribing posts in a format compatible with screen readers, for blind and visually impaired users!^

[–] draughtcyclist@programming.dev 3 points 1 year ago (1 children)

Everyone is talking about how these things won't work. And they're right, they won't work 100% of the time.

However, they work 80-90% of the time and help keep the numbers under control. Most importantly, they're available now. This keeps Lemmy from being a known easy target. It gives us some time to come up with a better solution.

This will take some time to sort out. Take care of the low hanging fruit first.

[–] InfiniteFlow@lemmy.world 1 points 1 year ago

Plus, if this becomes the "bot wild west" at such an early stage, the credibility hit will be a serious hindrance to future growth...

[–] jollyroger@lemmy.dbzer0.com 2 points 1 year ago* (last edited 1 year ago) (3 children)

The admin https://lemmy.dbzer0.com/u/db0 from the lemmy.dbzer0.com instance possibly made a solution that uses a chain of trust system between instances to whitelist each other and build larger whitelists to contain the spam/bot problem. Instead of constantly blacklisting. For admins and mods maybe take a look at their blog post explaining it in more detail. https://dbzer0.com/blog/overseer-a-fediverse-chain-of-trust/

[–] star_boar@lemmy.ml 2 points 1 year ago (1 children)

db0 probably knows what they're talking about, but the idea that there would be an "Overseer Control Plane" managed by one single person sounds like a recipe for disaster

[–] jollyroger@lemmy.dbzer0.com 1 points 1 year ago* (last edited 1 year ago)

I hear you. For what it's worth it is mentioned in the end of the blog post, the project is open source, people can run their own overseer API and create less strict or more strict whitelists, instances can also be registered to multiple chains. Don't mistake my enthousiasm for self run open social media platforms for trying to promote a single tool as the the be-all and end-all solution. Under the swiss cheese security model/idea, this could be another tool in the toolbox to curb the annoyance to a point where spam or bots become less effective. Edit: *The be-all and end-all *not be and end all solution

load more comments (2 replies)
[–] vapeloki@lemmy.ml 2 points 1 year ago

First of all: I'm posting this from my .ml alt. Because i can not do it from my .world main. That i can't do it, i found out just because i was waiting for a response on a comment where is was sure that the OP would respond. After searching, i found out that my comment and my DM's never where federated to .ml.

So, that said: I'm all for defederating bad instances, i'm all for separation where it makes sense. BUT:

  • If an instance is listed on join-lemmy, this should work as the normal user would expect
  • We are not ready for this yet. We are missing features (more details below)
  • Even instances that officialy require applications, can be spam instances (admins can do what ever they want), so we would need protection against this anyways. Hell, one could just implement spam bots that talk directly federation protocol, and wouldn't even need lemmy for this ...

Minimal features we need:

  • Show users that the community they try to interact with is on a server that defederated the users instance
  • Forbid sending DM's to servers that are not fully federated

Currently, all we do is: Make lemmy look broken

And before someone starts with: "Then help!", i do. I do in my field of expertice. I'm a PostgreSQL Professional. So i have build a setup to messure the lemmy SQL performance, usage patterns, and will contribute everything i can to make lemmy better.

(I tried rust, but i'm to much C++ guy to bring something usefull to the table beyond database stuff, sry :( )

[–] fubo@lemmy.world 2 points 1 year ago* (last edited 1 year ago) (2 children)

Look up the origins of IRC's EFNet, which was created specifically to exclude a server that allowed too-easy federation and thus became an abuse magnet.

load more comments (2 replies)
[–] Juliie@lemmy.world 1 points 1 year ago* (last edited 1 year ago) (1 children)

We need a distributed decentralized curated whitelist that new servers will apply to be on it and hopefully get a quick week max response after some kind of precisely defined anti spam/bot audit. Also then periodic checks of existing servers.

Like crypto has transaction ledger confirmed some kind of notabot confirmation ledger chain.

Weak side if bot servers get on whitelist somehow in enough numbers they can poison it

Mind you this whitelist chain has nothing to do with content itself just whether it is AI/spam/bots or human

load more comments (1 replies)
[–] cyclohexane@lemmy.ml 1 points 1 year ago* (last edited 1 year ago) (3 children)

Auto-block federation from servers that don't respect.

NO! Do NOT defederate due to how an instance chooses to operate internally. It is not your concern. You should only defederate if this instance causes you repeated trouble offenses. Do not issue pre-emprive blanket blocks.

[–] anteaters@feddit.de 2 points 1 year ago (1 children)

If they choose not to take measures against bots defederation is the only way to keep that wave out of your own instance.

load more comments (1 replies)
load more comments (2 replies)
[–] archchan@lemmy.ml 1 points 1 year ago (4 children)

I'm against email domain whitelists and captchas (at the very least Google's captchas).

load more comments (4 replies)
[–] boonhet@lemm.ee 1 points 1 year ago (1 children)

Email domain filters

Okay, gmail should definitely be blacklisted, because it's extremely easy to abuse. Microsoft email domains too. What domains should be allowed then?

[–] Lev_Astov@lemmy.world 1 points 1 year ago

Email domain filtering makes no sense when it is easy enough to just set up your own email server for bots. It will only hinder legit users and low level bad actors, not the real threat of major bot farms.

[–] tyfi@wirebase.org 1 points 1 year ago

Mine got blown up a day or two ago before I had enabled Captch. About 100 accounts were created before I started getting rate-limited (or similar) by Google.

Better admin tools are definitely needed to handle the scale. We need a pane of glass to see signups and other user details. Hopefully it’s in the works.

load more comments
view more: next ›