I ended up messaging the admins at the 16 instances shown in the attached image. I pointed out their wild user numbers, and referenced the lemmy.ninja post detailing how that instance scrubbed suspicious accounts from their user database.
6 admins responded. They had all noticed the odd accounts and either thought the numbers were wrong, or weren't sure how to purge the suspicious accounts without nuking their databases. In the end they managed to delete a combined total of about 338k dormant accounts from their instances. (One of the instances seems to have gone down since then.)
I never received a reply from the other 10 instance admins, though 8 of those 10 instances appear to be down (as of 27 July 2023). 2 instances are still up and unchanged.
Between the actively removed accounts and the downed instances, this represents a loss of 930,004 inactive Lemmy accounts!
You can see the drop in the graphs on The Federation. The total number of Lemmy accounts has been cut in half over the past 3 weeks, from a peak of 2.18M to today's 1.09M. The change is mostly from these 16 instances.
I have to admit, I did not expect such a large change when I started this! Hopefully this bodes well for Lemmy's future as a place where actual humans interact, rather than a cesspool of automated comments and upvote/downvote brigading.
That's all I have for now. Keep your stick on the ice; we're all in this together.
I want to celebrate two things. 1. Your awareness of the potential dangers looming over the fediverse. 2. Your proactive attitude curtailing the problem at its root. From one human to another, thank you!
Thank you for your efforts to keep this place clean and civil, and especially for the transparency in describing how you've dealt with such annoyances. You have my respect.
That's actually really interesting. What's the purpose of so many inactive accounts at once?
Seems to be enough to have a few of them, and not a million accounts since it clearly will raise suspicion... :)
Very good that you found them. Fascinating.
Maybe an attempt to try and make the fediverse look more active than it was back then, to get headlines about how it has explosive growth etc. It was June and everything really took off then.
Suggestion: what if there was a Lemmy instance solely for reporting malicious Lemmy/fediverse servers? I've read some stuff about FBI crackdown and Mastodon instances containing questionable material. Wouldn't it be great to have some kind of federated "registry" of all the bad actors out there? I am pretty clueless, but would that help?
Well done. I for one appreciate the effort you're putting into making this a better place by keeping the bots out.
Any thoughts on what can be done to keep bots from signing up to begin with or is the plan to continuously purge inactive accounts? I know from experience that a lot of these bad actors are going to pivot and redouble their efforts. This is unfortunately a cat and mouse game that will continually need to be addressed.
But, again, thank you for your work on this!
What are the qualifications for being an active account? I didn't see any details in the other thread about it either, just the graphs. Is it just post/comment creation? Is it page views? Log ins? Does voting up or down register an account as Active?
If it's only post/comments then you're possibly deleting a bunch of lurkers too.
Does Lemmy have a way to link to a post that anyone can use?
I can click the links up there, but it takes me to sh.itjust.works and that's not where I am in the Fediverse, so when I get there I'm no longer logged in.
And if so, can we have it so "wrong" links are corrected into the right format?
Should the instances that responded to you be refederated? I’m pretty sure I saw some of them on lemmy.world’s block list. I think it would be sad for these small servers to not realize they are, in fact, not connected to the greater fediverse. On the other hand, if you’re an admin, and you don’t know what you’re doing to the point of not knowing your server was infected by hundreds of thousands of bots, maybe it’s too dangerous to refed.
When an account is signed up, is there information such as client ip address that could also be used to spot more inauthentic activity? And more generally, sign up should probably be made resistant to automated bots by randomizing HTML layout & ids and using captchas so it's not so easy to drive sign up through scripts.
How did those accounts get created in the 1st place? Aren't there captchas? Or are there ways around that? A strong captcha system should be implemented in Lemmy by default.
Dude wtf, there are relatively many fucking servers which have well over thousands of inactive users. I checked some and it seems the mods of them are just posting under 5 posts on some other servers and then creating some communities in their own server and then leaving quietly. That's too sus... It may be too paranoid to think that there is more going on with those servers, but I just can't stop thinking it is too absurd.