Spam Comes To The Fediverse

2023-05-17

What’s up with the spam lately?

Spam wasn’t unheard of on the fediverse in the past, but the past couple of weeks have seen several notable waves of spam coming from mastodon.social, on May 4, May 12, May 14, and still continuing.

Open Registration Servers

mastodon.social is one of many servers that have open registration: anyone can create an account and immediately start using it. While each account requires a valid email address, these recent spammers have automated tools needed to quickly create hundreds/thousands of registered accounts using free email address providers like hotmail and gmail, as well as using botnets to register from hundreds of different IP addresses in order to avoid easily being blocked.

When I started writing this post, I was going to say something like soon we’ll probably see the spammers move to other open registration servers, especially as mastodon.social gets better at blocking them … and this has in fact already happened between the time I started writing the post and finishing it, including at least mstdn.social and mastodon.world, and will presumably continue to other smaller servers.

Many servers require that each sign-up to be approved by a moderator. This is for multiple reasons, but preventing the mass-creation of spam accounts is one of them.

Limited Spam Prevention Tooling

Mastodon has little in the way of spam prevention tools by default.

Some servers which have the technical resources to do so have created their own spam prevention scripts and modifications to the Mastodon base software, but these are usually private or in their infancy. These will take additional technical time and skill to put into place, and are not yet widespread.

What can users do?

Report spam messages

Reporting spam messages will alert your server’s admin/mods to the problem. This is particularly important with Direct Message spam, because these messages aren’t otherwise visible to admins/mods.

Using the built in report functionality (click the ... menu at the bottom of the post you’d like to report) also allows the moderation system to count reports and strikes against a particular server for future reference.

… and forward the report

When filing a report you’ll be given the option to forward the report anonymously to the server that the spam came from. Doing this alerts the admins/mods of the spammer’s server to the problem.

Block DM’s from people you don’t follow

This is one option for users if you want to cut out Direct Message spam.

Be warned… other users will not be able to tell if you have this setting enabled. A user that you don’t follow can send you messages, but you won’t receive it, and they won’t be notified that their message was silently discarded.

This may leave anyone you don’t follow wondering why you aren’t responding to their direct messages.

You can find this option by logging into your server’s website, under Preferences > Notifications > Block direct messages from people you don’t follow

Screenshot of account Preferences screen, under Notifications “Block direct messages from people you don’t follow” is highlighted at the bottom.

What can admins do?

Mastodon admins don’t have a lot of control or options to deal with spam coming from a remote server. Basically the choice is play whack-a-mole and block individual spam accounts as they are discovered, or block the entire remote server. However the word “block” needs clarification…

Types of Blocks

When people mention one server blocking another server, it’s really important to know which kind of block is being put in place, because there are two main options with very different results:

Limit (sometimes referred to as Silence)

users will see messages only from people they follow
existing follow relationships are left unaffected
all follow requests require approval regardless of user settings
fully reversible

Suspend

no communication is possible between the servers
all posts and media from the remote server are removed
all follow relationships are removed
removing the suspension will not restore follow relationships

When somebody mentions de-federating a server, that usually means the server is being suspended, and no communication is possible, but it’s important to be aware there is confusion among users and admins alike about what these terms mean, and it’s quite common that people use them incorrectly, without understanding which type of block is being discussed, or even that there is more than one type.

The official documentation is not exactly clear on the effects of suspension, and as a result of this spam wave I’ve seen at least two other servers suspend mastodon.social without realizing that all follow relationships with their server would be removed.

For spam coming via direct messages, limiting the remote server the spam is coming from should be sufficient. Limits can be removed once the problem has been addressed, without any lasting consequences on the connections between the two servers.

What can the Mastodon project do?

Recent attacks will likely increase the focus and priority of efforts to improve spam prevention features in Mastodon, but what those features will end up looking like remains to be seen.

Features requested or proposed on the official Mastodon Discord channels include things like implementing CAPTCHAs into the sign-up flow, or imposing rate limits which automatically close new account registration if too many are created too quickly.

As with other forms of spam on forums, email, etc… spam prevention is ultimately a long term arms race, which usually includes some form of collaborative effort to share where spam is currently coming from and what it currently looks like.

Time will tell to what extent these tools come from built-in Mastodon features or third party solutions as they mature and gain widespread adoption among admins.