@mjf_pro @erlend @tchambers @Mastodon @codinghorror @how I don’t understand how that helps. Wouldn’t a spammer just create an account, wait X+1 days, and then spam?

My favorite web host, NearlyFreeSpeech, uses a different approach to control people who send email. A “bucket” fills at a certain rate — slowly at first, faster as you become trusted. The number currently in the bucket represents how many messages you can send. (Sending decrements.) Also game-able, but better than just “days.”

Blake Leonard

@michaell @mjf_pro @erlend @tchambers @Mastodon @codinghorror @how@s10y.eu Spam accounts that wait have a bigger chance of being caught before they do damage, especially considering a lot of spam accounts are somewhat obvious. Plus, bumping that up during the warmup period, if you notice you're in a spam wave, might also reset or extend the warmup for those already waiting (good against spammers, bad for people). One-per-account admin notifications could be sent if someone tries.

@blake @michaell @mjf_pro @erlend @tchambers @Mastodon @codinghorror @how this doesn't necessarily work, as in more sophisticated attacks accounts are set up years before and run in a semi-automated fashion, interacting and posting news stories before finally activating for misinformation or spam.

A classic spam filter, especially for mentioned-only posts, would likely handle our spam problem better. As would controls on from whom we accept mentioned-only posts.

@thisismissem @blake @michaell @mjf_pro @erlend @tchambers @Mastodon @how that's quite sophisticated and would require substantial resources and planning.

@thisismissem @blake @michaell @mjf_pro @tchambers @Mastodon @codinghorror @how

Would the latest spam wave be considered a ‘sophisticated attack’? Afaik, doesn’t seem like it. I believe Trust Levels could have mitigated this event in a pretty major way with strict rate-limiting on new/unused accounts.

@erlend it was sophisticated in that it wasn't just one server being hit, but many, usually ~60-100 at a time, exploiting open registration & in many ways using the fediverse to do a volumetric attack against targets, and the speed at which the attack evolved around mitigation efforts.

@thisismissem gotcha. That type of sophistication however doesn’t bypass the limits on open registration that are built into Trust Levels, so it still seems to me like a powerful mitigation for the exact scenario that’s playing out.

As in, strictly rate-limit users until:
* they’ve been around for a while
* they’ve had their posts engaged with (boost, fav, reply) by a handful of trusted (TL1+) members
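Combining the two proposals above (the trust-scaled "bucket" described earlier and the age/engagement criteria in this list) as an added example, not code from Mastodon or from anyone in the thread: an outgoing-post limiter whose refill rate grows with account age and with engagement from trusted members. All thresholds and rates are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed tuning values (assumptions, not numbers from the thread).
BASE_RATE_PER_HOUR = 0.5    # brand-new account: one post per two hours
MAX_RATE_PER_HOUR = 20.0    # fully trusted account
CAPACITY = 50               # bucket never holds more than this many tokens
AGE_FOR_FULL_TRUST_DAYS = 30.0
ENGAGEMENTS_FOR_FULL_TRUST = 5   # boosts/favs/replies from TL1+ members


@dataclass
class Account:
    age_days: float
    trusted_engagements: int
    tokens: float = 0.0
    last_refill_hour: float = 0.0


def fill_rate(acct: Account) -> float:
    """Tokens per hour: base rate plus a share of the extra rate earned by trust."""
    age_factor = min(acct.age_days / AGE_FOR_FULL_TRUST_DAYS, 1.0)
    engage_factor = min(acct.trusted_engagements / ENGAGEMENTS_FOR_FULL_TRUST, 1.0)
    trust = (age_factor + engage_factor) / 2.0
    return BASE_RATE_PER_HOUR + (MAX_RATE_PER_HOUR - BASE_RATE_PER_HOUR) * trust


def refill(acct: Account, now_hour: float) -> None:
    """Add tokens for the time elapsed since the last refill, capped at CAPACITY."""
    elapsed = max(now_hour - acct.last_refill_hour, 0.0)
    acct.tokens = min(CAPACITY, acct.tokens + elapsed * fill_rate(acct))
    acct.last_refill_hour = now_hour


def try_send(acct: Account, now_hour: float) -> bool:
    """Allow the post only if a whole token is available; sending decrements."""
    refill(acct, now_hour)
    if acct.tokens >= 1.0:
        acct.tokens -= 1.0
        return True
    return False


def burst_allowed(acct: Account, now_hour: float, attempts: int) -> int:
    """How many of `attempts` rapid-fire posts at `now_hour` get through."""
    return sum(try_send(acct, now_hour) for _ in range(attempts))
```

A new account that tries to blast 100 mentions on its first day gets about a dozen through, while a month-old account with trusted engagement is limited only by the bucket's capacity.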

@erlend that doesn't really work due to the nature of the fedi, you'd have to have the failure on the send attempt but can't enforce it

@thisismissem if you mean it cannot protect against incoming, that’s right. I’m just saying we can already prevent a lot of abuse by making sure individual instances have stronger limits on *outgoing*.

@erlend right, but well moderated instances will have that. The problem was poorly configured servers that weren't actively moderated 24x7