47
submitted 1 year ago by stux@geddit.social to c/geddit@geddit.social

As you can see, there is a massive spam wave going on on Lemmy-based instances.

This can be avoided by enabling CAPTCHA with signup and also LIMIT the registers per X seconds!

Currently the accounts are idle but this can change soon.. Please take action NOW!

[-] stux@geddit.social 8 points 1 year ago

Here you can find more info: https://fedidb.org/software/lemmy

The amount of new accounts compared to the monthly active or even posts doesn't match one bit and has only one explanation

[-] stux@geddit.social 5 points 1 year ago

Holy shit.

A quick "head count" came around ~100K spam accounts over many instances it seems..

[-] th3raid0r@tucson.social 4 points 1 year ago

@stux@geddit.social - We need to also share that as of next version Captchas will be removed entirely:

Source - https://github.com/LemmyNet/lemmy/issues/2922

Please, if you haven't already, make your disapproval known on that discussion. Everyone reading this should go and let them know how dumb of a decision that is and to not release v0.18 without captcha support.

tucson.social will not be upgrading to v0.18 due to this and we will likely defederate with any instance that does upgrade.

[-] stux@geddit.social 2 points 1 year ago

Oh this is bad...

Even a simple captcha or hCaptcha is better than nothing at all.. Geddit will also not upgrade if it's removed

[-] th3raid0r@tucson.social 3 points 1 year ago

Are you able to make a comment on that issue thread? We really need more instance admins to weigh in, and if half as many admins who've complained about this did so, they might reverse course. But right now these threads are just giving Devs support to remove "imperfect methods" anyways.

It's critical and crucial that we admins stay engaged with the project or else this all goes to crap.

[-] cjerrington@geddit.social 2 points 1 year ago

Also is there a 2FA option that can be enabled for users?

[-] stux@geddit.social 8 points 1 year ago

Within the next release! Finally! 👌🏻

[-] zwiebel@krassestegang.social 2 points 1 year ago

@stux Oh wow, what a mess. 🤖

[-] sfunk1x@tusk.sfunk1x.com 2 points 1 year ago

@stux Hol up - is there no email verification? I haven't set up Lemmy or kbin (?) yet.

[-] stux@geddit.social 5 points 1 year ago

By default no, and it can be even optional.. So a sitting duck for spam hunters :(

[-] rimu@kbin.social 1 points 1 year ago
[-] maltfield@monero.town 1 points 1 year ago

> This can be avoided by enabling CAPTCHA

Sorry, this is misinformation. Graphical CAPTCHAs can be trivially defeated by bots, as the lemmy devs have said.

If you want to slow the bots down, a hashcash implementation like mCAPTCHA would actually work and the lemmy devs already said they'd accept a PR for this.

[-] stux@geddit.social 3 points 1 year ago

Ofc there are bot nets that can defeat it but it should always be an option since the "cheaper ones" cannot and beat in term some spam

The rate limit for signup is a way better option and should also be explored

[-] stux@geddit.social 1 points 1 year ago

I'm curious to see how Hashcash would handle it though

[-] fatboy93@kbin.social 2 points 1 year ago

Makes sense! Back when we had covid vaccinations in India, you needed to solve captcha to book and people used to bot it to h'll.

This is a good approach to solving the captcha: https://github.com/janghaludu/cowin-captcha

[-] CoderKat@kbin.social 1 points 1 year ago* (last edited 1 year ago)

I gotta be honest, I don't see why they're pushing mCaptcha so hard. Honestly, any form of captcha will stop the vast majority of bots (I found this out myself when running an old school forum ages ago).

For the remaining bots, I don't see why a proof of work captcha would do any better than an image captcha. If anything, it seems like proof of work captchas are guaranteed and trivially solvable by machines. The only catch for bots is that they must expend a bit more computational power to do so. I don't think you can possibly limit bots (which can optimize their hardware) by a significant amount without very negatively impacting legitimate users.

I'm not sure how that is more effective than an image that many bots struggle with automatically solving. They seem to especially struggle with the "select all the traffic lights" style problems (which is why those are used -- despite being admittedly kinda annoying).

To go a step further, this feels like a proof of work (crypto) fan looking for a problem to solve. Is there any evidence it works? Cause I googled "mcaptcha effectiveness" and there aren't really any results. I'm very skeptical that it works by any means other than seemingly being niche enough that bot writers likely aren't targeting it.
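
The hashcash-style signup challenge debated in the comments above, as an added example that is not part of any comment and is not mCaptcha's or Lemmy's code: the server signs a challenge, the client brute-forces a nonce, and the server verifies with one MAC and one hash. `SERVER_KEY`, `MAX_AGE`, the challenge format and the in-memory `seen` set are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

SERVER_KEY = b"constructed-demo-secret"  # assumption: per-instance secret key
MAX_AGE = 300                            # assumption: challenge lifetime, seconds

def _mac(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_challenge(bits, now=None):
    """Server: signed, stateless challenge 'bits:timestamp:salt:mac'."""
    now = int(time.time() if now is None else now)
    body = f"{bits}:{now}:{os.urandom(8).hex()}"
    return f"{body}:{_mac(body)}"

def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def _work(challenge, nonce):
    return leading_zero_bits(hashlib.sha256(f"{challenge}:{nonce}".encode()).digest())

def solve(challenge):
    """Client: brute-force a nonce; expected cost is about 2**bits hashes."""
    bits = int(challenge.split(":")[0])
    nonce = 0
    while _work(challenge, nonce) < bits:
        nonce += 1
    return nonce

def verify(challenge, nonce, seen, now=None):
    """Server: one MAC and one hash, whatever the difficulty."""
    now = time.time() if now is None else now
    try:
        bits, ts, salt, mac = challenge.split(":")
        if not hmac.compare_digest(mac.encode(), _mac(f"{bits}:{ts}:{salt}").encode()):
            return False              # forged or altered (e.g. lowered difficulty)
        if now - int(ts) > MAX_AGE:
            return False              # expired: solutions cannot be stockpiled
    except ValueError:
        return False                  # malformed challenge string
    if challenge in seen or _work(challenge, nonce) < int(bits):
        return False                  # replayed, or not enough work done
    seen.add(challenge)               # each solved challenge buys one signup
    return True
```

Raising `bits` by one doubles the client's expected work while the server's verification cost stays constant.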

this post was submitted on 20 Jun 2023
47 points (100.0% liked)
