Yes, Russia.

I previously said that the Russians are coming. Yes, I meant it.

In the last two weeks, I’ve had registrations from 25 accounts that flagged themselves as bots. Of those, about half went on to post exactly one spammy toot.

Of these, 24 of them had email addresses that were hosted by That one server itself is hosted by DigitalOcean, an American hosting company. The other email address is from a domain without a designated mailserver (that is, it lacks an MX record).

22 of the users connected to the instance from IP addresses in owned by “QUALITY NETWORK CORP” out of Seychelles. They are in ASNs AS50896 or AS50896, both referring to “Depo Data Center Kaluga”, at “248021, Russia, Kaluga region, Moscow Street 258, office 16”.

2 of the remaining users connected from IP address that are also owned by “QUALITY NETWORK CORP”, but for which whois doesn’t show their ASNs (yay RIPE!).

The 1 other user connected from a netblock with ASN AS61440 owned by “Digital Energy Technologies Chile SpA” out of Santiago, Chile. They still used the mailserver, though.

I’ve been called a “paranoid liberal”, a “fascist”, and “retarded” for saying that I thought that the recent spam flood had ties to Russia. Turns out I underestimated the connection: out of 25 spammers I identified and blocked, 25 are directly tied to hosting accounts in Moscow through at least one means.

Social media managers at companies establish presences on all new social networks. Even if they don’t use them immediately, they plant a stake in the ground in case those networks later become popular. It’s unreasonable to believe that social media engineers from major world governments don’t also do the exact same thing.


The information I worked with to compile those stats is at

The Russians are coming

This updates my last blog post where I said that we’re getting a flood of spambots. Summary: if you’re an admin affected by this, you must act now.

I’ll cut to the chase. It seems that this week’s collection of spammer registrations come from Russia. I think that the spam they’re sending today is a probe to see who will respond to it. My prediction is that instances who don’t act quickly will see those accounts stop posting and drawing attention to themselves. In a few months, say nearing the American mid-term elections, they’ll wake up and start steering the inevitable political conversations in directions that we, the instance admins, had not intended. By that time it will be too late to easily root them out because their numbers will have exploded during the time we were looking the other way and hoping the problem will go away.

I might be wrong, but I don’t think so. And I’ll be damned if I’m going to help Mastodon go down the same path as Facebook and Twitter during the last American election. We have to act to stop this, and we have to do it now.

Short-term actions

The current crop of spam is all origination from the same email server, even though it hosts many email domains. You can block all registrations from it by going to Preferences > Moderation > E-mail blacklist > Add new, and entering This won’t affect any spambots already registered on your system! It only prevents new ones from registering. It also won’t fix the next wave of spammers that go through a different email server, so this isn’t a “one-and-done” action. It helps for now, though.

Next few months actions

I’ve opened an issue discussing ideas for making Mastodon’s admin tools more helpful for dealing with this. Plus jump in if you have more or better ideas!

The long road

I predict that at some point we’re going to have to consider a federated spam registration network. If “foo@randomdomain” spams on my instance, and “bar@someotherdomain” spams on yours, and we both report it, the network could see that they both came from the same server. Then it could suggest to all participating instances that we collectively block that server. And yes, this will be ripe for abuse and we’ll have to think long and hard about what it means to use automation to block potential Mastodon participants. Maybe we’ll have to add captchas to the registration system, which is bad for our differently-abled friends. Maybe instance will have to go to manual approval systems. Honestly, all of these alternatives suck. But far enough out, if we want to preserve Mastodon’s freedom for legitimate human users, we’re going to have to make some difficult decisions.