Yes, Russia.

I previously said that the Russians are coming. Yes, I meant it.

In the last two weeks, I’ve had registrations from 25 accounts that flagged themselves as bots. Of those, about half went on to post exactly one spammy toot.

Of these, 24 of them had email addresses that were hosted by mxsrv.mailasrvs.pw. That one server itself is hosted by DigitalOcean, an American hosting company. The other email address is from a domain without a designated mailserver (that is, it lacks an MX record).

22 of the users connected to the FreeRadical.zone instance from IP addresses in owned by “QUALITY NETWORK CORP” out of Seychelles. They are in ASNs AS50896 or AS50896, both referring to “Depo Data Center Kaluga”, at “248021, Russia, Kaluga region, Moscow Street 258, office 16”.

2 of the remaining users connected from IP address that are also owned by “QUALITY NETWORK CORP”, but for which whois doesn’t show their ASNs (yay RIPE!).

The 1 other user connected from a netblock with ASN AS61440 owned by “Digital Energy Technologies Chile SpA” out of Santiago, Chile. They still used the mxsrv.mailasrvs.pw mailserver, though.

I’ve been called a “paranoid liberal”, a “fascist”, and “retarded” for saying that I thought that the recent spam flood had ties to Russia. Turns out I underestimated the connection: out of 25 spammers I identified and blocked, 25 are directly tied to hosting accounts in Moscow through at least one means.

Social media managers at companies establish presences on all new social networks. Even if they don’t use them immediately, they plant a stake in the ground in case those networks later become popular. It’s unreasonable to believe that social media engineers from major world governments don’t also do the exact same thing.

Update

The information I worked with to compile those stats is at https://gist.github.com/kstrauser/bb63763363e81fa5f843fc7bcb9f84b4.

The Russians are coming

This updates my last blog post where I said that we’re getting a flood of spambots. Summary: if you’re an admin affected by this, you must act now.

I’ll cut to the chase. It seems that this week’s collection of spammer registrations come from Russia. I think that the spam they’re sending today is a probe to see who will respond to it. My prediction is that instances who don’t act quickly will see those accounts stop posting and drawing attention to themselves. In a few months, say nearing the American mid-term elections, they’ll wake up and start steering the inevitable political conversations in directions that we, the instance admins, had not intended. By that time it will be too late to easily root them out because their numbers will have exploded during the time we were looking the other way and hoping the problem will go away.

I might be wrong, but I don’t think so. And I’ll be damned if I’m going to help Mastodon go down the same path as Facebook and Twitter during the last American election. We have to act to stop this, and we have to do it now.

Short-term actions

The current crop of spam is all origination from the same email server, even though it hosts many email domains. You can block all registrations from it by going to Preferences > Moderation > E-mail blacklist > Add new, and entering mxsrv.mailasrvs.pw. This won’t affect any spambots already registered on your system! It only prevents new ones from registering. It also won’t fix the next wave of spammers that go through a different email server, so this isn’t a “one-and-done” action. It helps for now, though.

Next few months actions

I’ve opened an issue discussing ideas for making Mastodon’s admin tools more helpful for dealing with this. Plus jump in if you have more or better ideas!

The long road

I predict that at some point we’re going to have to consider a federated spam registration network. If “foo@randomdomain” spams on my instance, and “bar@someotherdomain” spams on yours, and we both report it, the network could see that they both came from the same server. Then it could suggest to all participating instances that we collectively block that server. And yes, this will be ripe for abuse and we’ll have to think long and hard about what it means to use automation to block potential Mastodon participants. Maybe we’ll have to add captchas to the registration system, which is bad for our differently-abled friends. Maybe instance will have to go to manual approval systems. Honestly, all of these alternatives suck. But far enough out, if we want to preserve Mastodon’s freedom for legitimate human users, we’re going to have to make some difficult decisions.

FOSTA/SESTA changes nothing

FOSTA – the Allow States and Victims to Fight Online Sex Trafficking Act of 2017 – and SESTA – the Stop Enabling Sex Traffickers Act of 2017 are some likely unconstitutional, certainly unnecessary jackassery. While I agree with the EFF that this is terrible law, I don’t think it’s the end of the world.

FOSTA says:

(Sec. 2) This bill expresses the sense of Congress that section 230 of the Communications Act of 1934 was not intended to provide legal protection to websites that unlawfully promote and facilitate prostitution and websites that facilitate traffickers in advertising the sale of unlawful sex acts with sex trafficking victims. Section 230 limits the legal liability of interactive computer service providers or users for content they publish that was created by others.

By no plausible interpretation is Free Radical a website meant to “unlawfully promote and facilitate prostitution” or “facilitate traffickers in advertising the sale of unlawful sex acts with sex trafficking victims”. I’ve never seen such a post in the fediverse, let alone one that originates on Free Radical, and it’s certainly not meant for that purpose any more than is any other general public forum.

(Sec. 3) The bill amends the federal criminal code to add a new section that imposes penalties—a fine, a prison term of up to 10 years, or both—on a person who, using a facility or means of interstate or foreign commerce, owns, manages, or operates an interactive computer service (or attempts or conspires to do so) to promote or facilitate the prostitution of another person.

Same as above. I have never and would never own, manage, or operate a website to promote or facilitate the prostitution of another person. Regardless of whether prostitution should be illegal in the first place, it’s not something I’m going to directly participate in.

(Sec. 4) The bill amends the Communications Act of 1934 to declare that section 230 does not limit: (1) a federal civil claim for conduct that constitutes sex trafficking, (2) a federal criminal charge for conduct that constitutes sex trafficking, or (3) a state criminal charge for conduct that promotes or facilitates prostitution in violation of this bill.

Again, I’m not going to be promoting or facilitating prostitution. Note that this is different from carrying traffic that may incidentally facilitate illegal activities. For example, I guarantee that people use Gmail to do illegal things. That’s not its designed or advertised for, though.

(Sec. 5) The bill amends the federal criminal code to define a phrase related to the prohibition on sex trafficking. Currently, it a crime to knowingly benefit from participation in a venture that engages in sex trafficking. This bill defines “participation in a venture” to mean knowingly assisting, supporting, or facilitating a sex trafficking violation.

Key word: knowingly. I won’t be knowingly doing any of that stuff. I explicitly don’t read, monitor, analyze, or moderate all traffic flowing through the system. I don’t pretend to. I specifically don’t want to.

I side with the EFF that this is a bad idea and I oppose it. That said, I can’t imagine a plausible scenario where FOSTA/SESTA affects me – an American admin using American hosting resources – in any way. And if some dipshit prosecutor sees it otherwise, I’ll fight it. As an EFF member and friend to many a lawyer, I’m not going anywhere any time soon. These ridiculous bills won’t scare me away.

edit: Upon the excellent suggestion of a friend, I’ve added:

No solicitation of prostitution

to Free Radical’s Code of Conduct.