this post was submitted on 24 Jun 2023
170 points (96.2% liked)

Lemmy

12506 readers
35 users here now

Everything about Lemmy; bugs, gripes, praises, and advocacy.

For discussion about the lemmy.ml instance, go to [email protected].

founded 4 years ago
MODERATORS
 

See THIS POST

Notice- the 2,000 upvotes?

https://gist.github.com/XtremeOwnageDotCom/19422927a5225228c53517652847a76b

It's mostly bot traffic.

Important Note

The OP of that post did admit, to purposely using bots for that demonstration.

I am not making this post, specifically for that post. Rather- we need to collectively organize, and find a method.

Defederation is a nuke from orbit approach, which WILL cause more harm then good, over the long run.

Having admins proactively monitor their content and communities helps- as does enabling new user approvals, captchas, email verification, etc. But, this does not solve the problem.

The REAL problem

But, the real problem- The fediverse is so open, there is NOTHING stopping dedicated bot owners and spammers from...

  1. Creating new instances for hosting bots, and then federating with other servers. (Everything can be fully automated to completely spin up a new instance, in UNDER 15 seconds)
  2. Hiring kids in africa and india to create accounts for 2 cents an hour. NEWS POST 1 POST TWO
  3. Lemmy is EXTREMELY trusting. For example, go look at the stats for my instance online.... (lemmyonline.com) I can assure you, I don't have 30k users and 1.2 million comments.
  4. There is no built-in "real-time" methods for admins via the UI to identify suspicious activity from their users, I am only able to fetch this data directly from the database. I don't think it is even exposed through the rest api.

What can happen if we don't identify a solution.

We know meta wants to infiltrate the fediverse. We know reddits wants the fediverse to fail.

If, a single user, with limited technical resources can manipulate that content, as was proven above-

What is going to happen when big-corpo wants to swing their fist around?

Edits

  1. Removed most of the images containing instances. Some of those issues have already been taken care of. As well, I don't want to distract from the ACTUAL problem.
  2. Cleaned up post.
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 31 points 1 year ago* (last edited 1 year ago) (4 children)
What, corrective courses of action shall we seek?
I sent messages to these users, notifying them to come to this thread.
  1. https://startrek.website/u/ValueSubtracted (startek.website)
  2. https://oceanbreeze.earth/u/windocean (oceanbreeze.earth)
  3. https://normalcity.life/u/EuphoricPenguin22 (normalcity.life)
I blocked / defederated these instances:
  1. https://lemmy.dekay.se/ (appears to just be a spambot server)
[–] [email protected] 16 points 1 year ago* (last edited 1 year ago) (1 children)

Just wanted to point out that according to your stats, unless I don't understand them well, only 26 bots come from lemmy.world (which has open sign-ups, and uses the "easy to break" (/s) captcha) and 16 from lemmy.ml (which doesn't have open sign-ups and relies on manual approvals).

For some perspective, lemmy.world has almost 48k users right now. Speaking of "corrective action" is a bit of a stretch IMO.

[–] [email protected] 12 points 1 year ago* (last edited 1 year ago) (1 children)

This post isn't about lemmy.world, nor am I blaming lemmy.world!

I am trying to drag in the admins of the big instances, to come up with a collective plan to address this issue.

There isn't a single instance causing this problems. The bots are distributed amongst normal users, in normal instances.

WIth- the exception of a instance or two with nothing but bot traffic.

[–] [email protected] 7 points 1 year ago* (last edited 1 year ago) (1 children)

I'm just saying that context and scale matter. If an anti-spam solution is 99% effective, then chances are that on an instance with 100k users you are still going to have around 1k bots that have bypassed it.

[–] [email protected] 6 points 1 year ago (3 children)

Your right- But, the problem is-

At a fediverse-level, we don't really have ANY spam prevention currently.

Lets assume, at an instance level, all admins do their part, enable applicant approvals, enable captchas, email verification, and EVERY TOOL they have at their disposal.

There is NOTHING stopping these bots from just creating new instances, and using those.

Keep focused on the problem- the problem, is platform-wide lack of the ability to prevent bots.

I don't agree with the beehaw approach, of bulk-defederation, as such, a better solution is needed.

[–] [email protected] 9 points 1 year ago* (last edited 1 year ago) (1 children)

The beehaw approach wasn't "bulk defederation". They blocked two Lemmy instances they were having trouble with. The bulk of their block list are Mastodon and Pleroma instances well known for trolling other sites and stirring up shit.

Edit: Autocomplete refuses to accept that I talk a lot about federation and defederating, and is desperately trying to convince me I'm talking about anything else that states with "de".

[–] [email protected] 0 points 1 year ago (1 children)

https://beehaw.org/instances

While- the majority of their instances do appear to be potentially quite noisy/potentially bad- there are quite a few, very large, well known instances on their defederation list.

For example- a percentage of the individual IN THIS THREAD, are on instances defederated from beehaw.

[–] [email protected] 4 points 1 year ago

I didn't say they blocked few people. I said they blocked few websites.

Lemmygrad is full of agitators, and Lemmy.world and SJW have, from my experiences, a disproportionate number of people who reject communal solutions to communal issues, while still feeling entitled to access to communal spaces.

Meanwhile, other large sites, like Lemmy.ml and kbin.social, and smaller regional sites, such as Midwest.social, Lemmy.ca, and feddit.uk, are federation with them just fine.

That doesn't sound like mass defederating to me.

That sounds targeted.

[–] [email protected] 6 points 1 year ago

Some older federated services, like IRC, had to drop open federation early in their history to prevent abusive instances from cropping up constantly, and instead became multiple different federations with different policies.

That's one way this service might develop. Not necessarily, but it's gotta be on the table.

[–] o_o 5 points 1 year ago (1 children)

There is NOTHING stopping these bots from just creating new instances, and using those.

I read somewhere that mastodon prevents this by requiring a real domain to federate with. This would make it costly for bots to spin up their own instances in bulk. This solution could be expanded to require domains of a certain “status” to allow federation. For example, newly created domains might be blacklisted by default.

[–] [email protected] -1 points 1 year ago* (last edited 1 year ago) (1 children)

I read somewhere that mastodon prevents this by requiring a real domain to federate with.

I remember back in the days of playing world of warcraft- The botters / gold sellers would be banned pretty often.

However- they would be back the next day botting again, despite having to buy another 50$ account.

The problem was- the profits they were able to make, far outweighed the 50$ price of entry.

Likewise- playing minecraft, with trolls/griefers/etc- the same thing would occur. You could ban somebody, and they would just show up with a new account for an hour earlier. In this case- there wasn't even the option of financial gain- just a dedicated troll

Do note, also, domains are very cheap. Some of the more obscure TLDs are less then 5$. lemmyonline.com, costed me 12$, a week ago.

For example, newly created domains might be blacklisted by default.

I think that might help- but, I don't think that would be the end-all, be-all solution. Especially since many scammers/bot owners already have dozens, if not HUNDREDs of domains sitting aside of nefarious purposes.

[–] o_o 1 points 1 year ago (1 children)

If “botters” are willing to spend >$5 per bot on established instances, then I don’t believe this is a solveable problem. For the fediverse, or for ANY platform, Reddit included. I am perfectly human, and would be hard-pressed to decline a >$150/hour “job” to create accounts on someone’s behalf.

Like any other online community, constant vigilant moderation is the only way to resolve this. I don’t see how Lemmy is in any worse position than Reddit so I don’t think we need to be all “doom and gloom” quite yet.

As for botters creating their own instances…

For example, newly created domains might be blacklisted by default.

This is just a start. Federation allows for many techniques to solve this. Perhaps even a “Fediverse Universal Whitelist” with an application process. I’m excited for the possibilities, but again I don’t think it’s quite time to be overly concerned yet. These are solvable problems.

[–] [email protected] 1 points 1 year ago

I don’t see how Lemmy is in any worse position than Reddit so I don’t think we need to be all “doom and gloom” quite yet.

The downside we have on lemmy, compared to reddit-

In reddit, all accounts go through a single sign-up method. They have one advantage of being able to block based on IP, Email TLD, and other methods.

While- none of those methods are absolute, and all can be easily circumvented- they do have a central location for studying the data to determine how to better prevent the issues in the future.

Here in lemmy-land, that isn't the case. As a instance admin, I can block you. I can block your email. I can block your IP. I can block your entire countries IP ranges, and ASNs. But- there is nothing stopping you from turning around, and doing the same thing on any of the other instances, as they have no idea of the actions I just performed.

This is just a start. Federation allows for many techniques to solve this. Perhaps even a “Fediverse Universal Whitelist” with an application process.

db0 has a project he has been working on, which appears might fill this gap. LINK TO HIS COMMENT

I think this would be a good start.

[–] [email protected] 7 points 1 year ago

Thanks will keep an eye on this thread.

[–] [email protected] 4 points 1 year ago (2 children)

It looks like the OP is responsible for the upvote bots (inferred from his edit?). Maybe to prove the original point?

[–] [email protected] 5 points 1 year ago

That is correct- Please see my revised post. I removed lots of the data and parts, to help point out the bigger problem we need to solve.

[–] [email protected] 0 points 1 year ago

That is likely true- and my goal of this post, isn't to look at that one post.

Its to discuss what sorts of solutions we can apply to help squad this problem.

Ideally, solutions that doesn't involve mass-defederation.

[–] [email protected] 1 points 1 year ago (3 children)

You may also want to block lemmit.online

[–] [email protected] 3 points 1 year ago (2 children)

Eh- its not really a spam instance.

They are very straightforward with what their instance does- It crossposts reddit to lemmy, in that instance's communities.

In that case, its as simple as don't subscribe to it. Don't subscribe, and it won't popup on your feed.

[–] [email protected] 1 points 1 year ago (1 children)

Yeah, but the problem is that you don't have to subscribe yourself, once someone else from your instance interacts with communities from that instance it will flood the "new" feed on your instance making this feed useless.

[–] [email protected] 1 points 1 year ago (2 children)

My viewpoint-

If the users of my instance want to view reddit data redistributed to lemmy- that is their choice.

A plus side- lemmy allows you to set the defaults to only show subscribed content too.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

I guess some people may like those posts but it's just mindless posting dependant on reddit and posting on those bot instances will get you buried by the rest of post made by bots. I don't see how using bots for posting stuff would help to build an active community but if people really need all of the posts regardless of quality from some subreddits then it's fine.

[–] [email protected] 1 points 1 year ago (1 children)

I am in agreeance with you, regarding the usefulness of the posts. However- I am looking at it from an administrative perspective.

Going back to my stance- I do not limit the content my users wish to see, UNLESS, it involves illegal, or extremist/hateful content.

It's not my cup of tea- but, I am also running an instance for people who may share different viewpoints, and I do not wish to limit what they are able to do.

[–] [email protected] 1 points 1 year ago
[–] [email protected] 1 points 1 year ago

Have a nice day/night, I'm going to sleep now.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

Comments under this post describe the problems with something like that pretty well.

https://lemmy.fmhy.ml/comment/378514

[–] [email protected] 1 points 1 year ago

last I checked, they use a single bot to repost communities from reddit. meaning that you can just block that single user and get rid of all the lemmy.online content that's in your feed.

[–] [email protected] 0 points 1 year ago (1 children)

I hope you mean a user can block it if they don't want it.

Generally though: I don't understand this logic. Like I want content, I subscribe over there to pull some content from reddit. Not all bots are bad.

It's kind of weird how the fediverse kind of seems like a bubble of anti bot, anti big companies and constant self-political squabbles.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

Yeah, moving some content is fine but posts on this instance are straight up spam IMO. There's no quality to the content.

[–] [email protected] 1 points 1 year ago (1 children)

For clarity: When you say 'this' .. which instance are you referring to?

[–] [email protected] 1 points 1 year ago (1 children)
[–] [email protected] 1 points 1 year ago (1 children)

I don't understand. That server is mostly just reddit cross posting. What spam are you talking about? Like I'm genuinely confused what your definition of spam is here. To me its content that I enjoy.

If you don't like it: then block the bot account that posts it. I would not at all recommend defederation or anything like that with it.

[–] [email protected] 1 points 1 year ago (1 children)

Like I said, the content is not quality controled, it reposts posts made by users on reddit so op won't respond to you, there's sonmuch content pumped out at once everywhere that there's no point in engaging in those communities because noone will respond to you on topic. Another problem is that once someone interacts with some of the communities on the instance the posts will flood your "all" feed worsening it's qualiy significantly.

[–] [email protected] 1 points 1 year ago

It's a user preference. If you don't like it.. block it yourself. Don't ruin it for other people that may like it. I'd rather have reddit content as part of my 'all' feed at least until content naturally comes over here.

I like it especially for communities that haven't (and probably won't) move from reddit. I've even requested some communities previously since content is still lacking in the fediverse. This bot is very good for my lemmy enjoyment.