That’s what I log about you

I deliberately log as little as possible about my users. My logrotate config for nginx is set to keep one week’s worth of access and error logs:

/var/log/nginx/*.log {
    # keep seven rotated files per log (other directives not shown)
    rotate 7
}

As of this moment, that looks like:

-rw-r-----  1 www-data adm     443615 Jan  5 08:29
-rw-r-----  1 www-data adm    5405613 Jan  5 06:25
-rw-r-----  1 www-data adm     395094 Jan  4 06:24
-rw-r-----  1 www-data adm     407455 Jan  3 06:24
-rw-r-----  1 www-data adm     375444 Jan  2 06:24
-rw-r-----  1 www-data adm     474143 Jan  1 06:24
-rw-r-----  1 www-data adm     344550 Dec 31 06:25
-rw-r-----  1 www-data adm     452215 Dec 30 06:25
-rw-r-----  1 www-data adm          0 Jan  5 06:25
-rw-r-----  1 www-data adm       1461 Jan  4 23:10
-rw-r-----  1 www-data adm        349 Jan  3 18:43
-rw-r-----  1 www-data adm        458 Jan  3 03:35
-rw-r-----  1 www-data adm        314 Jan  1 13:49
-rw-r-----  1 www-data adm        428 Dec 30 16:01
-rw-r-----  1 www-data adm        409 Dec 29 18:01
-rw-r-----  1 www-data adm        387 Dec 29 05:47

To be explicit: these are not usually processed in any way and are never used for analytics or tracking. I’ll occasionally (but rarely) use standard local Unix commands (grep, awk, etc.) to examine them directly on the server for troubleshooting, but that is their sole use and the only time they’re ever accessed.
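
A retention check for the logrotate setup above, as an added example that is not part of the original post: it reads the rotate count from the stanza and lists any log file older than that many daily rotations allow. The function names, the daily-rotation assumption and the constructed sample files in demo() are assumptions of this example.

```sh
#!/bin/sh
# Added example: check that the logs on disk are no older than the
# retention the logrotate stanza promises. Assumes daily rotation and a
# find(1) that supports -maxdepth (GNU, BSD).

# Print N from the "rotate N" directive of the stanza whose header line
# contains the literal string $2 (e.g. "/var/log/nginx/").
rotate_count() {
    awk -v pat="$2" '
        !in_stanza && index($0, pat) && index($0, "{") { in_stanza = 1; next }
        in_stanza && index($0, "}")  { exit }
        in_stanza && $1 == "rotate"  { print $2; exit }
    ' "$1"
}

# Print log files in directory $1 that outlived $2 daily rotations.
# "-mtime +N" matches files at least N+1 full days old: with daily
# rotation the oldest kept file was last written under N+1 days ago.
# Returns 0 when nothing is stale, 1 otherwise.
stale_logs() {
    stale=$(find "$1" -maxdepth 1 -type f -name '*.log*' -mtime +"$2" -print)
    if [ -n "$stale" ]; then
        printf '%s\n' "$stale"
        return 1
    fi
}

# Audit directory $2 against logrotate config $1; returns 2 if the
# config has no rotate directive for that directory.
audit_retention() {
    keep=$(rotate_count "$1" "$2/")
    if [ -z "$keep" ]; then
        echo "no rotate directive found for $2" >&2
        return 2
    fi
    stale_logs "$2" "$keep"
}

# Constructed sample: a config like the one above plus three fake logs.
demo() {
    d=$(mktemp -d) && mkdir "$d/logs" || return 3
    printf '%s\n' "$d/logs/*.log {" '    rotate 7' '}' > "$d/logrotate.conf"
    touch "$d/logs/access.log"
    touch -d '7 days ago' "$d/logs/access.log.7.gz"   # GNU touch syntax
    touch -d '9 days ago' "$d/logs/access.log.9.gz"   # should be gone
    rc=0; audit_retention "$d/logrotate.conf" "$d/logs" || rc=$?
    rm -rf "$d"; return "$rc"
}
```

If rotation skips empty logs (notifempty), an old file can legitimately survive longer, so a hit from this check is a prompt to look, not proof of a misconfiguration.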

Mastodon itself records a timestamp of each user’s most recent activity and IP address. I never access this information except in the course of investigating reports.

I have not enabled logging in S3, so I have no specific record of what media assets a user might have accessed. Amazon provides some aggregate statistics (“this many objects were accessed”, “we’ve served this many gigabytes of images”, “you owe us six bucks”, and so on) but nothing more granular.

Suspending domain

One of my users complained that they received spam from, whose timeline currently looks like: spam

It turns out this whole instance is screaming with spam red flags:

  • It doesn’t verify email addresses¹,
  • The site that the spambot is advertising,, is a redirect to (which is on the same domain as the Mastodon instance²), and
  • The bot’s source has the same name (“vinayaka”) as the subdomain it’s spamming ads for.

I conclude that this instance is specifically deployed to allow and assist spamming, and as such, I’m suspending the domain effective immediately.

  1. Thanks to for pointing this out! 
  2. Thanks to for pointing this out! 

Our harassment policy

The Free Radical policy on harassment is pretty simple: I will not allow anyone – local or federated – to let a guest feel unsafe. This is my living room and no one can come here and harass my friends.

My general guideline is to take the minimum action necessary to address a problem. If a guest can themselves silence an annoying person and that fixes it, awesome. If the problem escalates and requires dropping the banhammer on a whole instance, then so be it.

I wholeheartedly support other instances that do what it takes to protect their users.