The Russians are coming

This updates my last blog post where I said that we’re getting a flood of spambots. Summary: if you’re an admin affected by this, you must act now.

I’ll cut to the chase. It seems that this week’s collection of spammer registrations come from Russia. I think that the spam they’re sending today is a probe to see who will respond to it. My prediction is that instances who don’t act quickly will see those accounts stop posting and drawing attention to themselves. In a few months, say nearing the American mid-term elections, they’ll wake up and start steering the inevitable political conversations in directions that we, the instance admins, had not intended. By that time it will be too late to easily root them out because their numbers will have exploded during the time we were looking the other way and hoping the problem will go away.

I might be wrong, but I don’t think so. And I’ll be damned if I’m going to help Mastodon go down the same path as Facebook and Twitter during the last American election. We have to act to stop this, and we have to do it now.

Short-term actions

The current crop of spam is all origination from the same email server, even though it hosts many email domains. You can block all registrations from it by going to Preferences > Moderation > E-mail blacklist > Add new, and entering mxsrv.mailasrvs.pw. This won’t affect any spambots already registered on your system! It only prevents new ones from registering. It also won’t fix the next wave of spammers that go through a different email server, so this isn’t a “one-and-done” action. It helps for now, though.

Next few months actions

I’ve opened an issue discussing ideas for making Mastodon’s admin tools more helpful for dealing with this. Plus jump in if you have more or better ideas!

The long road

I predict that at some point we’re going to have to consider a federated spam registration network. If “foo@randomdomain” spams on my instance, and “bar@someotherdomain” spams on yours, and we both report it, the network could see that they both came from the same server. Then it could suggest to all participating instances that we collectively block that server. And yes, this will be ripe for abuse and we’ll have to think long and hard about what it means to use automation to block potential Mastodon participants. Maybe we’ll have to add captchas to the registration system, which is bad for our differently-abled friends. Maybe instance will have to go to manual approval systems. Honestly, all of these alternatives suck. But far enough out, if we want to preserve Mastodon’s freedom for legitimate human users, we’re going to have to make some difficult decisions.