The Russians are coming

This updates my last blog post where I said that we’re getting a flood of spambots. Summary: if you’re an admin affected by this, you must act now.

I’ll cut to the chase. It seems that this week’s collection of spammer registrations comes from Russia. I think that the spam they’re sending today is a probe to see who will respond to it. My prediction is that instances who don’t act quickly will see those accounts stop posting and drawing attention to themselves. In a few months, say nearing the American mid-term elections, they’ll wake up and start steering the inevitable political conversations in directions that we, the instance admins, had not intended. By that time it will be too late to easily root them out because their numbers will have exploded during the time we were looking the other way and hoping the problem will go away.

I might be wrong, but I don’t think so. And I’ll be damned if I’m going to help Mastodon go down the same path as Facebook and Twitter during the last American election. We have to act to stop this, and we have to do it now.

Short-term actions

The current crop of spam is all originating from the same email server, even though it hosts many email domains. You can block all registrations from it by going to Preferences > Moderation > E-mail blacklist > Add new, and entering mxsrv.mailasrvs.pw. This won’t affect any spambots already registered on your system! It only prevents new ones from registering. It also won’t fix the next wave of spammers that go through a different email server, so this isn’t a “one-and-done” action. It helps for now, though.

Next few months actions

I’ve opened an issue discussing ideas for making Mastodon’s admin tools more helpful for dealing with this. Please jump in if you have more or better ideas!

The long road

I predict that at some point we’re going to have to consider a federated spam registration network. If “foo@randomdomain” spams on my instance, and “bar@someotherdomain” spams on yours, and we both report it, the network could see that they both came from the same server. Then it could suggest to all participating instances that we collectively block that server. And yes, this will be ripe for abuse and we’ll have to think long and hard about what it means to use automation to block potential Mastodon participants. Maybe we’ll have to add captchas to the registration system, which is bad for our differently-abled friends. Maybe instances will have to go to manual approval systems. Honestly, all of these alternatives suck. But far enough out, if we want to preserve Mastodon’s freedom for legitimate human users, we’re going to have to make some difficult decisions.
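
The aggregation described above, sketched as an added example (not from the original post or from Mastodon's code): spam reports from several instances are grouped by the mail server behind each address, and a server is suggested for blocking only when multiple independent instances have reported it. The function name, thresholds, allowlist and the MX table standing in for DNS lookups are all assumptions.

```python
from collections import defaultdict

# Constructed stand-in for DNS MX lookups so the example runs offline.
# A real deployment would resolve each domain's MX records instead.
CONSTRUCTED_MX = {
    "randomdomain.example": "mx.bulkhost.example",
    "someotherdomain.example": "mx.bulkhost.example",
    "thirddomain.example": "mx.bulkhost.example",
    "bigmail.example": "mx.bigmail.example",
    "smallco.example": "mx.smallco.example",
}

# Hypothetical allowlist: shared providers that must never be auto-suggested.
NEVER_SUGGEST = {"mx.bigmail.example"}


def suggest_blocks(reports, mx_table, min_instances=2, min_domains=2):
    """Group spam reports by mail server and return servers worth blocking.

    reports: iterable of (reporting_instance, spammer_email) tuples.
    A server is suggested only when several independent instances reported
    it across several email domains, so one instance cannot force a block.
    """
    instances = defaultdict(set)
    domains = defaultdict(set)
    for instance, email in reports:
        domain = email.rsplit("@", 1)[-1].lower().rstrip(".")
        mx = mx_table.get(domain)
        if mx is None or mx in NEVER_SUGGEST:
            continue  # unresolvable or protected provider: leave to humans
        instances[mx].add(instance)
        domains[mx].add(domain)
    return sorted(
        mx for mx in instances
        if len(instances[mx]) >= min_instances and len(domains[mx]) >= min_domains
    )


# Constructed sample reports from three hypothetical instances.
SAMPLE_REPORTS = [
    ("instance-a.example", "foo@randomdomain.example"),
    ("instance-b.example", "bar@someotherdomain.example"),
    ("instance-b.example", "baz@thirddomain.example"),
    ("instance-c.example", "eve@bigmail.example"),
    ("instance-c.example", "one@smallco.example"),
    ("instance-c.example", "two@smallco.example"),
]

if __name__ == "__main__":
    print(suggest_blocks(SAMPLE_REPORTS, CONSTRUCTED_MX))
```

The output is a suggestion list for admins to review, not an automatic block; the two thresholds are the knobs that trade coverage against the abuse risk the post raises.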

Deleted some spam accounts

Admins of Mastodon:

I’ve deleted four bot accounts that were spamming movie streaming links, with captions like:

  • Tickling Giants Film Gomovies Super Streaming keine Anmeldung putlockers
  • Kostenloser Stream Attack on Titan Season 3 tamilisch Ganzer Film Youtube Ohne Anmeldung Sonnenfilme
  • Movie The Insanity of God Film complet 720px pas de login Youtube putlockers
  • Movie Stream Little Shop of Horrors: The Director’s Cut 123movies Without Signing Up Watch Here putlockers in Hindi
  • En el Septimo Dia (On the Seventh Day) Regarder gratuitement double audio en hindi gostream gomovies pas d’inscription

Not on my instance. You might want to keep a lookout, too.

Suspending domain 2.distsn.org

One of my users complained that they received spam from @mastodon_user_matching@2.distsn.org, whose timeline currently looks like:

[Image: @mastodon_user_matching@2.distsn.org spam]

It turns out this whole instance is screaming with spam red flags:

  • It doesn’t verify email addresses[1],
  • The site that the spambot is advertising, MastodonUserMatching.tk, is a redirect to vinayaka.distsn.org (which is on the same domain as the Mastodon instance[2]), and
  • The bot’s source has the same name (“vinayaka”) as the subdomain it’s spamming ads for.

I conclude that this instance is specifically deployed to allow and assist spamming, and as such, I’m suspending the 2.distsn.org domain effective immediately.


  1. Thanks to @kaniini@mastodon.dereferenced.org for pointing this out! 
  2. Thanks to @href@soc.ialis.me for pointing this out!