Today, a bunch of new instances appeared in the top of the user count list. It appears that these instances are all being bombarded by bot sign-ups.
For now, it seems that the bots are especially targeting instances that have:
- Open sign-ups
- No captcha
- No e-mail verification
I have put together a spreadsheet of some of the most suspicious cases here.
If this is affecting you, I would highly recommend considering one of the following options:
- Close sign-ups entirely
- Only allow sign-ups with applications
- Enable e-mail verification + captcha for sign-ups
Additionally, I would recommend pre-emptively banning as many bot accounts as possible, before they start posting spam!
Please comment below if you have any questions or anything useful to add.
Update: on lemm.ee, I have defederated the most suspicious spambot-infested instances.
To clarify: this means small instances with an unnaturally fast explosion in user counts over the past day and very little organic activity. I plan to federate again if any of these instances get cleaned up. I have heard that other instances are planning (or already doing) this as well.
It’s not a decision I took lightly, but I think protecting users from spam is a very important task for admins. Full info here: https://lemm.ee/post/197715
If you’re an admin of an instance that’s defederated from lemm.ee but wish to DM me, you can find me on Matrix: @sunaurus:matrix.org
Any tips on how to get rid of all the spam accounts? I have been affected by this as well and thankfully captcha stopped them, but about 100 bots signed up before I could stop.
Normally i’d just look through all the accounts and pick out the 4 or so users that are real. But there is no apparent way to view every user account as an admin.
Edit: There is a relevant issue open on the lemmy-ui repo, for those interested: https://github.com/LemmyNet/lemmy-ui/issues/456
Fun fact, they’re removing Captcha in the next release.
I won’t be upgrading and I anticipate I’ll be defederating with any instance that upgrades to v0.18.
Source - https://github.com/LemmyNet/lemmy/issues/2922
That is true, but because of the recent spam wave there is also an issue to re-add captcha. https://github.com/LemmyNet/lemmy/issues/3200
We’ll just have to see how it all shakes out.
Sure, but as it stands v.0.18 WILL ship with captcha removed. (They’re already in the Release Candidate phase).
Unless the maintainers mark this issue as a priority I recommend that we ALL stay away from that release.
Did you figure out how to clean it up? You can see a list of users in your
local_user
table.I did manage to get a list of all users without a verified email using a postgress command, but sadly no, I can not figure out how to use the PurgePerson or AdminPurgePerson endpoints that are “described” in the documentation. I ended up just writing a small python script to ban all of them for now until I can figure out how to purge them.
It’s extra tough because user management in Lemmy is tied to posts and comments right now. Since none of the spam accounts have made posts, there’s no way in the UI to purge their accounts.
I’ll try to help you out in DMs in a minute, hang tight!