Sunny Garden Hub

The Sunny Gardener - February 2024

Mastodon Security Patches

February was a big month for Mastodon security patches.


A spam campaign began on Feb 16 and lasted for almost a week. The spammers appeared to be a group of Japanese kids who were upset with a different group of Japanese kids on Discord, and launched the spam campaign to stir up trouble.

The campaign targeted Misskey and Mastodon servers with open registration, which allowed the spammers to use automated scripts to rapidly create new accounts with random names to spam from. Many of the affected servers were small and not being actively monitored by their admins.

The Mastodon patch v4.2.8 was a direct response to this campaign. It changes the default setting for the server software to closed registrations and, additionally, will close registrations automatically if no moderators or admins have logged in during the past week. While this would have little immediate or direct effect on the current spam wave, it does support more sensible behaviour going forward.

This update changes registrations to be closed by default.

Running a social media platform where anyone can sign up without active moderation is dangerous.

In particular, even though many of the servers being exploited to send spam appear unmonitored by their owners, many of those are also running on Mastodon-specific hosting services. When those services apply updates to their systems, all of the Mastodon servers they host are also automatically upgraded. So even if a server is not being maintained by its owner, many of them will still get automatically upgraded to this new patch by their hosting companies, which will close registrations if they are not being monitored.

After several days, the kids running the spam operation seemed to have reached a ceasefire and/or gotten tired of it. A bit more spam was observed over the next few days, but doesn’t seem to have lasted much longer, and the affected servers either shut down registrations or ended up widely blocked.


After last month’s lull in reports, it’s probably a new record number this month due to the spam. A few unfortunate accounts ended up being the ones getting all of the spam directed at them, so thanks for the patience of that handful of users and for sending in the reports so we could get the sources blocked.

There was also a noticeable jump in registrations this month, no doubt partly driven by the CEO of both Tumblr and having a privacy-violating transphobic meltdown on social media, as well as making deals to share users’ data with OpenAI and Midjourney.

75 new users, 517 active users, 58k interactions, 57 reports opened, 57 reports resolved

Hosting Costs

This is the first monthly bill including the new upgraded server, and the monthly expenses will now be about $30 higher as a result.

Cost spreadsheet, text follows.

Hosting Costs 2024-02-01
Main Server 8-16GB-160GB -$68
Media Storage 351GB/mo. -$13
Media Bandwidth Free $0
Backups 95GB/mo. -$16
Domain Name $35/yr -$3
Email Server -$5
Donations One-Time $15
Donations Recurring $54
Monthly Totals
Previous Balance $101
Total Expenses -$105
Total Donations $69
Balance $65

Canadian Dollars

As always, thank you to everyone that has donated on ko-fi, and to those who have recently added new contributions to support the upgraded server!

There’s no obligation or expectation that you donate in order to use the server, and I’m still able to cover any shortfall myself if needed.

– Brook