@mjf_pro @erlend @tchambers @Mastodon @codinghorror @how I don’t understand how that helps. Wouldn’t a spammer just create an account, wait X+1 days, and then spam?
My favorite web host, NearlyFreeSpeech, uses a different approach to control people who send email. A “bucket” fills at a certain rate — slowly at first, faster as you become trusted. The number currently in the bucket represents how many messages you can send. (Sending decrements.) Also game-able, but better than just “days.”
@michaell @mjf_pro @erlend @tchambers @Mastodon @codinghorror @how@s10y.eu Spam accounts that wait have a bigger chance of being caught before they do damage, especially considering a lot of spam accounts are somewhat obvious. Plus, bumping that up during the warmup period, if you notice you're in a spam wave, might also reset or extend the warmup for those already waiting (good against spammers, bad for people). One-per-account admin notifications could be sent if someone tries.
@blake @michaell @mjf_pro @erlend @tchambers @Mastodon @codinghorror @how this doesn't necessarily work, as in more sophisticated attacks accounts are set up years before and run in a semi-automated fashion, interacting and posting news stories before finally activating for misinformation or spam.
A classic spam filter, especially for mentioned-only posts, would likely handle our spam problem better. As would controls on from whom we accept mentioned-only posts.
@thisismissem @blake @michaell @mjf_pro @erlend @tchambers @Mastodon @how that's quite sophisticated and would require substantial resources and planning
@codinghorror @blake @michaell @mjf_pro @erlend @tchambers @Mastodon @how we've already been seeing that happening.
@thisismissem @blake @michaell @mjf_pro @tchambers @Mastodon @codinghorror @how
Would the latest spam wave be considered a ‘sophisticated attack’? Afaik, doesn’t seem like it. I believe Trust Levels could have mitigated this event in a pretty major way with strict rate-limiting on new/unused accounts.
@erlend it was sophisticated in that it wasn't just one server being hit, but many, usually ~60-100 at a time, exploiting open registration & in many ways using the fediverse to do a volumetric attack against targets, and the speed at which the attack evolved around mitigation efforts.
@thisismissem gotcha. That type of sophistication however doesn’t bypass the limits on open registration that are built into Trust Levels, so it still seems to me like a powerful mitigation for the exact scenario that’s playing out.
As in, strictly rate-limit users until:
* they’ve been around for a while
* they’ve had their posts engaged with (boost, fav, reply) by a handful of trusted (TL1+) members
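Added example (not from anyone in this thread, and not NearlyFreeSpeech's or Mastodon's code): a token bucket for outgoing posts in the spirit of the "bucket" described earlier, where the fill rate and capacity depend on a trust level derived from account age plus engagement by TL1+ members as listed above. The per-level rates, capacities and thresholds are constructed values for illustration.

```python
from dataclasses import dataclass

# Per-trust-level parameters (constructed values, not NearlyFreeSpeech's):
# how fast the bucket fills (messages per hour) and how full it can get.
FILL_PER_HOUR = {0: 1.0, 1: 6.0, 2: 30.0}
CAPACITY = {0: 3.0, 1: 24.0, 2: 120.0}


def trust_level(account_age_days: int, trusted_engagements: int) -> int:
    """Trust level from account age AND engagements (boost/fav/reply) by TL1+ members; thresholds constructed."""
    if account_age_days >= 30 and trusted_engagements >= 10:
        return 2
    if account_age_days >= 7 and trusted_engagements >= 3:
        return 1
    return 0  # age alone never raises the level, so "wait X+1 days and spam" gains nothing


@dataclass
class SendBucket:
    """Token bucket for outgoing posts; refill rate depends on the current trust level."""
    tokens: float
    last_refill_s: float  # timestamp (seconds) of the last refill

    def refill(self, now_s: float, level: int) -> None:
        elapsed_h = max(0.0, now_s - self.last_refill_s) / 3600.0
        self.tokens = min(CAPACITY[level], self.tokens + elapsed_h * FILL_PER_HOUR[level])
        self.last_refill_s = now_s

    def try_send(self, now_s: float, level: int) -> bool:
        """Return True and spend one token if a post may be sent now, else False."""
        self.refill(now_s, level)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate_burst(level: int, attempts: int, start_tokens: float = 1.0) -> int:
    """How many posts an account at `level` gets out when it fires `attempts` posts at once."""
    bucket = SendBucket(tokens=start_tokens, last_refill_s=0.0)
    return sum(1 for _ in range(attempts) if bucket.try_send(0.0, level))


def allowed_after(level: int, hours: float, attempts: int) -> int:
    """Posts allowed by a burst of `attempts` after `hours` of idle refilling from an empty bucket."""
    bucket = SendBucket(tokens=0.0, last_refill_s=0.0)
    return sum(1 for _ in range(attempts) if bucket.try_send(hours * 3600.0, level))
```

A fresh TL0 account that bursts 50 mention posts gets one out and is then capped at a few per day, while a TL2 account that has idled for a day can send its full capacity.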
@erlend that doesn't really work due to the nature of the fedi, you'd have to have the failure on the send attempt but can't enforce it
@thisismissem if you mean it cannot protect against incoming, that’s right. I’m just saying we can already prevent a lot of abuse by making sure individual instances have stronger limits on *outgoing*.
@erlend right, but well moderated instances will have that. The problem was poorly configured servers that weren't actively moderated 24x7