Lemmy.World Announcements @lemmy.world Ruud @lemmy.world 1y ago

[Solved] Temporarily closed signups because of spam signups

So some spam signups just happened (all username12345678@gmail.com format e-mail) This caused bounced mail to increase, causing Mailgun to block our domain to prevent it getting blacklisted.

So:

Mail temporarily doesn't work
I closed signups for now
I will ban the spam accounts
I will check how to prevent (maybe approval required again?)

Stay tuned.

Edit: so apparently there is a captcha option which I now enabled. Let's see if this prevents spam. Registrations open again.

Edit2 : Hmm Mailgun isn't that fast in unblocking the domain. Closing signups again because validation mails aren't sent

Edit 3: I convinced Mailgun to lift the block. Signups open again.

61 comments

I ran into the issue on my instance as well, but checking the Captcha option in admin settings, stopped the signups for me.
- Thanks for the tip- I’m having the same issue. How do I ban those accounts? I can’t even tell who my users are
  
  I did it in the database, so if you can access your database I can assist.
How about adding a captcha? I was surprised there was none when I signed up.
- Yes the devs should do that. We're currently discussing the the Lemmy matrix chat.
- Captchas are laughably easy to get around but they do work against dumb script kiddies which seems this attack is originating from.
- I'm down as long as its privacy friendly and doesn't use non-free javascript
  
  And accessible
can't have anything nice nowadays
I love how transparent you are with the management of this instance. Kudos!
- This, Refreshing 😀👍
Sounds frustrating. Thanks for doing what you do and letting us join your server! Hope the captcha works out.
Those usernames are so unimaginative. Who would pick a name like that?
- I know, right? That's the kind of thing an idiot would have on their luggage!
  
  12345 is the code to my luggage
Becareful with this. There's a clear trend of massive amount of bot accounts flooding lemmy as a whole
- Becareful with this. There’s a clear trend of massive amount of bot accounts flooding lemmy as a whole
  
  I am not sure there's anything in that that denotes "massive amount of bot accounts". Seems more like "a lot more people made lemmy accounts than stuck around" which is unsurprising.
  
  Why would a bot account show up in one of your graphs and not the other?
  
  they're waiting to use the bots when the community is large, over a long period of time. This way it'd be hard to detect the bots.
Last time a website I was managing was bombarded with spam signups, I set up a regular expression to check for the incredibly distinctive format the spammers were using... then it reports success but doesn't actually create the account or send an email. Spam problem over.
- Very clever, only problem is it's not a general solution.
I solved this problem once. What you do is have a custom captcha that you code yourself. It can be as simple as "What is 2+3?" and have 10-20 questions that you rotate between. Most spammers will be too lazy to update their spambot.
- Don't just include it as text though. Rather, present the question as text in a picture.
  
  This is very effective but also blocks people who spend on screen readers
- I made one that phrased it as "The sum of 2 and 3". Weeds out bots and less sophisticated people.
- fwiw - there's always an arms race between spammers and people trying to not get spammed. It's often better to use off-the-shelf captcha's or something as there are people who are able to put a LOT MORE resources into it (like Google, who has billions of dollars on the line to prevent ad-fraud and identify bots)
  
  I used a custom captcha for my personal WordPress blog. It eliminated all the spam. (Fun fact: The spammers know how to work around most anti-spam WordPress plugins. If you roll your own, they aren't going to update their spambot for one blog.)
  
  I also used a custom captcha at work. We couldn't use 3rd party filters because it was marking our customers' comments as spam! The custom captcha also eliminated all the spam.
  
  There's also a problem with using 3rd party spam services. You have to give them all your data. You also usually have to pay for it, which can be a problem when you're working for people with a tiny budget.
I was trying to open my account just when lemmy.world was closed earlier. When I pressed the button to create it I only got and enless "charging" animation. But when it reopened, I just started the process again, and was as easy as a breeze and extremely fast. Glad to be here! (and this is my first post)
User on kbin here, just tried to sign up to lemmy.world.. looks like everything crashed and burned when tried to sign up there.
- It was you all along!
I've run into this issue with some of my servers in the past and it's a real PITA to deal with because not only do you have to mitigate the issue, but then you have to make requests to get de-blacklisted, etc. I finally got sick of it all and installed a Barracuda spam firewall in front of the mail server. I have MUCH easier control over IMAP/SMTP now.
Thanks for staying on top of things! Really appreciate your efforts!
Lucky me, I guess, since I use a masked email address that looks fake too (anon addy). I really dislike to give my email address when testing Reddit alternatives.
OK that makes sense, I was trying to sign up and couldn't figure out why everything was timing out. Sorry if my attempts looked like spam.

edit: it still doesn't work for me btw
I got in just in time! For the record, the sign up date seems to be broken. My account is less than a day old and it says I've been here since the 14th. Unless maybe it counts cookies or something?
Make sure you use a strong password for accounts
- I am, it's my social security number, 365-24-7420!
  
  Just kidding, that's not really the number! I wrote it backwards!
  
  This community is getting weirder every day...
The spam battles are heating up!
Thank you for working to get signups working once more!
Wow that was quick, amazing job as always!
Wanna recruit a helper who promises nothing but benevolent assistance?
Same on Geddit.social

Also fixed now!
FYI looks like registration still doesn't work - send button spinning, no request in ff network monitor. Tried ff & chrome, gmail and proton. I went with a different server eventually, but you might wanna do something in case this is not intentional
I am from Lemmy Canada. I have noticed that when I come to a community hosted on Lemmy World I am often signed out. Do I need to sign up here to participate?
FYI 18.0 does not have captcha according to release notes. May want to delay upgrade until 18.1? Or institute a stricter signup like requiring email verification? just wanted to mention it
- Yes, we'll wait for 0.18.1.
- Yeah we use e-mail verification, but the problem was that the spam signups used fake gmail addresses resulting in the mail domain to get blocked. So we'll wait until 0.18.1
Is there a growth target for the community? I see that Lemmy.world is almost equal in size to lemmy.ml. Will this instance remain open indefinitely?
- No target. I will keep this open as long as it's possible. It's up to others to start as many Lemmy instances as possible, and the Lemmy devs to create a better join-lemmy with a rotating 'recommended server' preferring smaller instances. But that's difficult. Because you also don't want 1000 users to land on someone's Raspberry Pi instance without backup which they can just stop if they get bored of it. Same issue goes for Mastodon as well... but that's being worked on.
  
  Tangential question but it’s been on my mind. Should mods be encouraging images to be posted on outside image hosting services (Imgur or something) to reduce the load on Lemmy.world? I actually don’t know how much images affect the server.
  
  I have no technical knowledge or assistance to offer but thanks for what you do

61 comments