Hi everyone. I wanted to share some Lemmy-related activism I’ve been up to. I got really interested in the apparent surge of bot accounts that happened in June. Recently, I was able to play a small part in removing some of them. Hopefully by getting the word out we can ensure Lemmy is a place for actual human users and not legions of spam bots.
First some background. This won’t be new to many of you, but I’ll include it anyway. During the week of June 18 to June 25, as the Reddit migration to Lemmy was in full swing, there was a surge of suspicious account creation on Lemmy instances that had open registration and no captcha or email verification. Hundreds of thousands of accounts appeared and then sat inactive. We can only guess what they’re for, but I assume they are being planted for future malicious use (spamming ads, subversive electioneering, influencing upvotes to drive content to our front pages, etc.)
If you look at the stats on The Federation you might notice that even the shape of the Total Users graphs are the same across many instances. User numbers ramped up on June 18, grew almost linearly throughout the week, and peaked on June 24. (I’m puzzled by the slight drop at the end. I assume it’s due to some smoothing or rate-sensitive averaging that The Federation uses for the graphs?)
Here are total user graphs for a few representative instances showing the typical shape:
Clearly this is suspicious, and I wasn’t the only one to notice. Lemmy.ninja documented how they discovered and removed suspicious accounts from this time period: (https://lemmy.ninja/post/30492). Several other posts detailed how admins were trying to purge suspicious accounts. From June 24 to June 30 The Federation showed a drop in the total number of Lemmy users from 1,822,313 to 1,589,412. That’s 232,901 suspicious accounts removed! Great success! Right?
Well, no, not yet. There are still dozens of instances with wildly suspicious user numbers. I took data from The Federation and compared total users to active users on all listed instances. The instances in the screenshot below collectively have 1.22 million accounts but only 46 active users. These look like small self-hosted instances that have been infected by swarms of bot accounts.
As of this writing The Federation shows approximately 1.9 million total Lemmy accounts. That means the majority of all Lemmy accounts are sitting dormant on these instances, potentially to be used for future abuse.
This bothers me. I want Lemmy to be a place where actual humans interact. I don’t want it to become another cesspool of spam bots and manipulative shenanigans. The internet has enough places like that already.
So, after stewing on it for a few days, I decided to do something. I started messaging admins at some of these instances, pointing out their odd account numbers and referencing the lemmy.ninja post above. I suggested they consider removing the suspicious accounts. Then I waited.
And they responded! Some admins were simply unaware of their inflated user counts. Some had noticed but assumed it was a bug causing Lemmy to report an incorrect number. Others weren’t sure how to purge the suspicious accounts without nuking their instances and starting over. In any case, several instance admins checked their databases, agreed the accounts were suspicious, and managed to delete them. I’m told that the lemmy.ninja post was very helpful.
Check out these early results!
Awesome! Another 144k suspicious accounts are gone. A few other admins have said they are working on doing the same on their instances. I plan to message the admins at all the instances where the total accounts to active users ratio is above 10,000. Maybe, just maybe, scrubbing these suspected bot accounts will reduce future abuse and prevent this place from becoming the next internet cesspool.
That’s all for now. Thanks for reading! Also, special thanks to the following people:
good job, and well done! this, of course, will require constant vigilance, not merely one single effort. hopefully, a common protocol can be developed - perhaps a set of maintenance tools for instance admins - to help manage large numbers of inactive and otherwise suspicious accounts, especially making it easier and more straightforward for those instance owners with less experience managing large user databases.
in the meantime, perhaps it would be useful to create more extensive documentation and guides for instance admins on the subject?
Counterpoint: I registered early with one of those no-email instances but could not log in due to it being overwhelmed. I gave up and registered with .world. I suspect a large number of early adopters are in the same situation.
yep. they’re real people work real lives that can’t spend all their time looking at that shit. THANKS FOR REACHING OUT TO REAL PEOPLE AND CREATING A REAL COMMUNITY
I cross-posted that lemmy.ninja post to the small local lemmy instance I had signed up on. The admin nuked the whole instance later that day including all accounts. I don’t know for sure if it was related to that post or not. I haven’t signed up there again, but it seems like it’s just dormant now with no users. 🤷
I wanted a small, geographically close server, but I guess I’ll stick with /kbin.
Im concerned about how many folks tryin to push extremely broad rules onto the whole fediverse. Like, any kind of automated posting? Or heck, any kind of inactive account apparently. Make whatever rules you want for your own instance or community. If I want a bot that posts whenever the creator of whatever fandom community Im in posts some news somewhere, don’t make rules for my community.
It’s possible to flag an account you own as being a bot. A bot account that doesn’t enable this flag is suspicious in my view, but clearly marked bots should be ok
I’m surprised by the opinions of people here given the whole reddit protest was about the API and all the useful apps strapped onto it that made reddit work.
It would be nice if, rather than the only option being defederation - if lemmy would allow instance owners to place requirements that users be verified before being allowed to participate in federated communities. Then, rather than threaten (or go through with) defederation from instances who did or do still allow open registration, they could just deny that set of unverified open registered users.
You can game verification pretty easily as a spammer. Spin up an instance, mark accounts as “verified” in the DB with a script and a junk email address. As lemmy stands now, they should show up as “verified” on other instances.
Hell, you could do it on instances you dont run with your own mailserver. Use that to autoclick any registered emails that come into it with some coding. With relay services like mozilla relay or paid “10minutemail” throwaway style accounts, you could randomize the email address too, so even shared lists of spammers between servers wouldnt catch it. Its more work, but doable.
Random admins means random skill and attention paid to security in the face of dedicated attackers. Defedeation is necessary to counteract this.
I hope as we progress there will be lists allowed for the federation menu, so we could run an email style “rbl” blocklist or allowlist. You could parse allowed/blocked based on secuirty practices/reports/scans of instances.
Maybe even an opt-in secure agent running on the servers ala crowdsec that would update the list in realtime about who is actually maintaining their infa.
How would you verify that an instance actually verified its users? Someone could spin up their own malicious instance, create 1000s of users, and just mark them as verified in the database, and then I don’t think instances receiving updates from it would have any way to know? One instance basically has to trust another instance that it’s telling the truth.
I do still think some sort of circle-of-trust type of thing could help, but I’d be worried about that getting abused too.
Impressive work. It’s a little ironic, actually, but if you think about it, one of the main issues that we have here in the Fediverse is simply one of communication. A tale as old as time I suppose. Still though, you’d think it’d be less an issue. lol
I have been more active on Lemmy these last few weeks than I have been the prior 10 years precisely because I feel like I am interacting with humans again.
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: [email protected]
A community to talk about the Fediverse and all it’s related services using ActivityPub (Mastodon, Lemmy, KBin, etc).
If you wanted to get help with moderating your own community then head over to [email protected]!
Rules
Posts must be on topic.
Be respectful of others.
Cite the sources used for graphs and other statistics.
We are going to need more server and mod tools in the near future as Reddit diggs it’s grave… Just like Digg did.
Hopefully someone builds a BotDefence type bot to add as a mod.
Yes. Some tools from Reddit would be great. And automod.
I’m looking into BotDefence but finishing up a couple of bots I’m working on to bring reddit content to Lemmy for some communities I’m in.
Going to need support for wiki pages first.
😆 literally
Great job, 👍
Good job! Thank you so much for your hard work
good job, and well done! this, of course, will require constant vigilance, not merely one single effort. hopefully, a common protocol can be developed - perhaps a set of maintenance tools for instance admins - to help manage large numbers of inactive and otherwise suspicious accounts, especially making it easier and more straightforward for those instance owners with less experience managing large user databases.
in the meantime, perhaps it would be useful to create more extensive documentation and guides for instance admins on the subject?
I’ve simply put a script on a cron to run once an hour and wipe any unverified account.
Counterpoint: I registered early with one of those no-email instances but could not log in due to it being overwhelmed. I gave up and registered with .world. I suspect a large number of early adopters are in the same situation.
Good point. There could definitely be some abandoned accounts from early adopters mixed in there.
That’s awesome
I also really want this to be a place where people can interact as people without being manipulated
yep. they’re real people work real lives that can’t spend all their time looking at that shit. THANKS FOR REACHING OUT TO REAL PEOPLE AND CREATING A REAL COMMUNITY
Great news! Excellent work :)
I cross-posted that lemmy.ninja post to the small local lemmy instance I had signed up on. The admin nuked the whole instance later that day including all accounts. I don’t know for sure if it was related to that post or not. I haven’t signed up there again, but it seems like it’s just dormant now with no users. 🤷
I wanted a small, geographically close server, but I guess I’ll stick with /kbin.
Bot beater! ACTIVATE!
Im concerned about how many folks tryin to push extremely broad rules onto the whole fediverse. Like, any kind of automated posting? Or heck, any kind of inactive account apparently. Make whatever rules you want for your own instance or community. If I want a bot that posts whenever the creator of whatever fandom community Im in posts some news somewhere, don’t make rules for my community.
It’s possible to flag an account you own as being a bot. A bot account that doesn’t enable this flag is suspicious in my view, but clearly marked bots should be ok
Too bad that distinction doesnt exist for these people
I’m surprised by the opinions of people here given the whole reddit protest was about the API and all the useful apps strapped onto it that made reddit work.
It would be nice if, rather than the only option being defederation - if lemmy would allow instance owners to place requirements that users be verified before being allowed to participate in federated communities. Then, rather than threaten (or go through with) defederation from instances who did or do still allow open registration, they could just deny that set of unverified open registered users.
You can game verification pretty easily as a spammer. Spin up an instance, mark accounts as “verified” in the DB with a script and a junk email address. As lemmy stands now, they should show up as “verified” on other instances.
Hell, you could do it on instances you dont run with your own mailserver. Use that to autoclick any registered emails that come into it with some coding. With relay services like mozilla relay or paid “10minutemail” throwaway style accounts, you could randomize the email address too, so even shared lists of spammers between servers wouldnt catch it. Its more work, but doable.
Random admins means random skill and attention paid to security in the face of dedicated attackers. Defedeation is necessary to counteract this.
as the platform grows whitelisting instances will likely become necessary when bad actors start setting up malicious instances with mass bots
I hope as we progress there will be lists allowed for the federation menu, so we could run an email style “rbl” blocklist or allowlist. You could parse allowed/blocked based on secuirty practices/reports/scans of instances.
Maybe even an opt-in secure agent running on the servers ala crowdsec that would update the list in realtime about who is actually maintaining their infa.
A technical question regarding federation:
Why not leave it up to the individual users to federate with an instance or not?
So everything is accessible from everywhere else, but little subgroups form over time. When trolls find a space, those groups can block them out.
That would be too easy for people with an ideological vendetta. In this case, leftists.
Spoken like someone with an ideological vendetta.
I believe if your instance is federated with another it caches the content in the instance if you are subscribed to an external community.
How would you verify that an instance actually verified its users? Someone could spin up their own malicious instance, create 1000s of users, and just mark them as verified in the database, and then I don’t think instances receiving updates from it would have any way to know? One instance basically has to trust another instance that it’s telling the truth.
I do still think some sort of circle-of-trust type of thing could help, but I’d be worried about that getting abused too.
Impressive work. It’s a little ironic, actually, but if you think about it, one of the main issues that we have here in the Fediverse is simply one of communication. A tale as old as time I suppose. Still though, you’d think it’d be less an issue. lol
WoW. Thanks for the write up
I have been more active on Lemmy these last few weeks than I have been the prior 10 years precisely because I feel like I am interacting with humans again.
Thank you for what you’re doing!