cross-posted from: https://lemm.ee/post/177673

Today, a bunch of new instances appeared in the top of the user count list. It appears that these instances are all being bombarded by bot sign-ups.

For now, it seems that the bots are especially targeting instances that have:

  • Open sign-ups
  • No captcha
  • No e-mail verification

I have put together a spreadsheet of some of the most suspicious cases here.

If this is affecting you, I would highly recommend considering one of the following options:

  1. Close sign-ups entirely
  2. Only allow sign-ups with applications
  3. Enable e-mail verification + captcha for sign-ups

Additionally, I would recommend pre-emptively banning as many bot accounts as possible, before they start posting spam!

Please comment below if you have any questions or anything useful to add.

    • bogdugg@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      12
      ·
      1 year ago

      I think you have the wrong idea. These are just sign-ups. It is very easy to automate without precautions in place and is unrelated to bots pretending to be human in comments.

    • nanoUFO@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      9
      ·
      edit-2
      1 year ago

      Dead internet theory but I doubt chatbots are that advanced yet. They can’t write compelling and complex comments that depend on convoluted chains of logic, and respond to novels ideas and topics. Eventually.

        • baker@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          1 year ago

          I see no problem. Everyone assumes Skynet is a murderbot because any pragmatism we can imagine for the robots would demand we be removed. What if there’s another pragmatic solution, i.e. the xkcd punchline? Just . . . rewire people to be nice.

          Even the robots in The Matrix claim to have tried to give us a utopia, but it made our minds melt down.

      • Fizz@lemmy.nz
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        There was a video of a guy who let a chatbot loose on 4chan and it had the whole of /pol/ thinking it was a team or feds. That was using gpt3 as a base.

        • nanoUFO@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          I saw that but that was a /pol/ chatbot just regurgitating things people said you don’t exactly have to write intelligent comments on /pol/, 90% of the people there write like bots. My guess performance in a slower board like /lit/ or somewhere that requires more knowledge of subject matters and where people write more intelligently it would be called out.

          I was messing around with that dudes chatbot OpenAssistant and while interesting it fails the same way all the others do once pressed hard enough (which isn’t that hard). These bots seem to do best when you just ask them to regurgitate something from their training library. Which is why non programmers are amazed by it’s programming skill (copy pasting from github repo’s and stackoverflow) vs devs in the field asking it novel questions and not getting anything interesting out of it.

    • Eezyville@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      8
      ·
      1 year ago

      Wasn’t there a theory on 4chan about how the internet will turn into a network of robots communicating with each other, creating content for other bots, and artificially generating outrage? No actual humans would use the internet because it would be only AI. Controlling the internet, AI controls information and thus humanity.

    • decisivelyhoodnoises@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      5
      ·
      1 year ago

      I liked your comment very much and this made me look into your profile. Amazing content. I would like to add you in my friend list but facebook didn’t let me. If you want please send me a friend request and I would love to know you better

    • baker@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      1 year ago

      I’ve been skeptical about every reddit comment I’ve replied to since the '14 midterms, that felt like the year the bot accounts really became a significant chunk of reddit’s numbers. It’s been horrible since the '16 general election; I’m really not heartbroken to have left.

  • Demigodrick@lemmy.zip
    link
    fedilink
    English
    arrow-up
    22
    ·
    1 year ago

    This happened to me, although luckily I managed to turn off registration after about 80 signups. I did have email verification enabled but noticed that every single email address was fake/the email bounced, so they havent been able to verify the accounts and post.

    I have now enabled applications (along with email verification) - does anyone have any opinion on using captcha instead of applications? I feel like captcha has already been defeated by bots.

    • blayde@lemmy.blahaj.zone
      link
      fedilink
      English
      arrow-up
      11
      ·
      1 year ago

      Fwiw the captcha support in lemmy is probably going away soon. It needs to be reimplemented into another database table (or something like that) anyway. Given that it is too hard for many humans, too easy for many bots, and devs are slammed with work, makes more sense to delete as a first step

      • hoshikarakitaridia@lemmy.fmhy.ml
        link
        fedilink
        English
        arrow-up
        3
        ·
        edit-2
        1 year ago

        I don’t have the time right now but someone should double check if captcha rework is in the GitHub issues as well so that they not only remove it but keep track of redoing it later as well…

    • imaqtpie@sh.itjust.worksM
      link
      fedilink
      English
      arrow-up
      10
      arrow-down
      1
      ·
      1 year ago

      Captcha is seemingly what is protecting this instance. Although it is bypassable in theory, it’s working for us right now.

      As the other commenters mentioned they are planning to remove Captcha in the next update but also other people have created an issue on GitHub to keep Captcha.

      • themoonisacheese@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        4
        ·
        1 year ago

        Bypassing captcha is technically possible but very hard, hard enough that it doesn’t make sense financially to do it. Keeping it is a must. If they do end up removing it, we need to add it back in (actually not that hard to do)

  • nanoUFO@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    14
    ·
    edit-2
    1 year ago

    One of those servers has 30k users but no posts or communities. Makes me think if I was a bad actor other then creating bot account on normal instances I would make my own instance and fill it with bots. If it’s federated it can still interact with other instances.

    • Cows Look Like Maps@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      7
      ·
      1 year ago

      Wouldn’t it just make it easier to avoid the bots because all instances would quickly unfederate with them? Vs creating bot accounts on established instance it makes it harder to deal with since you have to play whack a mole.

      • nanoUFO@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        5
        ·
        edit-2
        1 year ago

        It would but it looks like when a new instance is spun up it’s just auto federated? Looking at https://sh.itjust.works/instances we see only one instance that has been blocked and that was our favorite and just admin blocking it. So someone creates and instance and can just spam a thousand other instances before everyone wises up and blocks them? I could be wrong but that’s what it looks like to me.

  • BlueÆther@no.lastname.nz
    link
    fedilink
    English
    arrow-up
    10
    ·
    1 year ago

    Yeah, I caught (at the same time as lemmy.nz) the bit signups in time. I only had about 20 and @Dave@lemmy.nz had about 100. We both have captcha enabled now.

    Interestingly none of the 20 I had had email address but username of <word>nnn where lemmy.nz all had obvious spam email address.

  • Master@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    7
    ·
    1 year ago

    https://beehaw.org/post/662481

    https://lemmy.world/post/296344

    https://lemm.ee/post/177673

    Some cross posts. The bot army is going to be an issue in the next few weeks. .18 drops captcha all together so any server that upgrades is going to be a target. Though a lot of servers dont run captcha, question or email verification anyways so they are already targets. Pretty sure sh.itjust.works didnt either when I signed up.

    Not sure how much damage bots can do at this point other than skew the narrative and try to make these places unwelcoming but I am sure we will see first hand how bad it gets.

  • SJ_Zero@lemmy.fbxl.net
    link
    fedilink
    English
    arrow-up
    6
    ·
    1 year ago

    I’ve got sign ups with applications and a hard captcha set up. My other sites had the same issues, random spam bots. Surprisingly well behaved tbh but I don’t care they’re not welcome.

    • enoqe@kbin.social
      link
      fedilink
      arrow-up
      9
      ·
      1 year ago

      Well behaved for now, but most likely not indefinitely. They’re either trying to steer signups to particular instance(s), or just paving the way for future astroturfing.

  • bdonvr@thelemmy.club
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    I’ve not seen any yet here. Only doing captcha for now but I know emails do work if needed.

  • KNova@links.dartboard.social
    link
    fedilink
    English
    arrow-up
    3
    arrow-down
    1
    ·
    1 year ago

    Thanks, I am an instance admin and I realized I did not previously have captcha on. That’s been rectified now.

    Not that I get a ton of signups anyway. Ever since the join-Lemmy page of instances was reworked, I’m not popular enough to be listed :(