this post was submitted on 20 Jun 2023
175 points (98.3% liked)

sh.itjust.works Main Community

7701 readers
1 users here now

Home of the sh.itjust.works instance.

Matrix

founded 1 year ago
MODERATORS
 

cross-posted from: https://lemm.ee/post/177673

Today, a bunch of new instances appeared in the top of the user count list. It appears that these instances are all being bombarded by bot sign-ups.

For now, it seems that the bots are especially targeting instances that have:

  • Open sign-ups
  • No captcha
  • No e-mail verification

I have put together a spreadsheet of some of the most suspicious cases here.

If this is affecting you, I would highly recommend considering one of the following options:

  1. Close sign-ups entirely
  2. Only allow sign-ups with applications
  3. Enable e-mail verification + captcha for sign-ups

Additionally, I would recommend pre-emptively banning as many bot accounts as possible, before they start posting spam!

Please comment below if you have any questions or anything useful to add.

top 32 comments
sorted by: hot top controversial new old
[–] mashhitmyself@lemmy.world 25 points 1 year ago (7 children)

I make fun of conspiracy theorists, but what the actual fuck? Makes me wonder how many real people I've actually interacted with on reddit? Maybe none.

[–] wreel@lemmy.sdf.org 17 points 1 year ago (1 children)

I think I'm a real person. Lemme check

[–] OrangeCorvus@kbin.social 24 points 1 year ago

Definitely bot, he never came back.

[–] bogdugg@sh.itjust.works 12 points 1 year ago

I think you have the wrong idea. These are just sign-ups. It is very easy to automate without precautions in place and is unrelated to bots pretending to be human in comments.

[–] nanoUFO@sh.itjust.works 9 points 1 year ago* (last edited 1 year ago) (2 children)

Dead internet theory but I doubt chatbots are that advanced yet. They can't write compelling and complex comments that depend on convoluted chains of logic, and respond to novels ideas and topics. Eventually.

[–] Gurfaild@feddit.de 7 points 1 year ago (1 children)
[–] snakesnakewhale@sh.itjust.works 2 points 1 year ago* (last edited 1 year ago)

I see no problem. Everyone assumes Skynet is a murderbot because any pragmatism we can imagine for the robots would demand we be removed. What if there's another pragmatic solution, i.e. the xkcd punchline? Just . . . rewire people to be nice.

Even the robots in The Matrix claim to have tried to give us a utopia, but it made our minds melt down.

[–] Fizz@lemmy.nz 3 points 1 year ago (1 children)

There was a video of a guy who let a chatbot loose on 4chan and it had the whole of /pol/ thinking it was a team or feds. That was using gpt3 as a base.

[–] nanoUFO@sh.itjust.works 2 points 1 year ago

I saw that but that was a /pol/ chatbot just regurgitating things people said you don't exactly have to write intelligent comments on /pol/, 90% of the people there write like bots. My guess performance in a slower board like /lit/ or somewhere that requires more knowledge of subject matters and where people write more intelligently it would be called out.

I was messing around with that dudes chatbot OpenAssistant and while interesting it fails the same way all the others do once pressed hard enough (which isn't that hard). These bots seem to do best when you just ask them to regurgitate something from their training library. Which is why non programmers are amazed by it's programming skill (copy pasting from github repo's and stackoverflow) vs devs in the field asking it novel questions and not getting anything interesting out of it.

[–] Eezyville@sh.itjust.works 8 points 1 year ago

Wasn't there a theory on 4chan about how the internet will turn into a network of robots communicating with each other, creating content for other bots, and artificially generating outrage? No actual humans would use the internet because it would be only AI. Controlling the internet, AI controls information and thus humanity.

[–] decisivelyhoodnoises@sh.itjust.works 5 points 1 year ago (1 children)

I liked your comment very much and this made me look into your profile. Amazing content. I would like to add you in my friend list but facebook didn't let me. If you want please send me a friend request and I would love to know you better

Oops wrong platform

[–] random_character_a@lemmy.one 2 points 1 year ago

"Resistance is futile"

In male chorus voice.

[–] snakesnakewhale@sh.itjust.works 2 points 1 year ago* (last edited 1 year ago)

I've been skeptical about every reddit comment I've replied to since the '14 midterms, that felt like the year the bot accounts really became a significant chunk of reddit's numbers. It's been horrible since the '16 general election; I'm really not heartbroken to have left.

[–] Demigodrick@lemmy.zip 22 points 1 year ago (2 children)

This happened to me, although luckily I managed to turn off registration after about 80 signups. I did have email verification enabled but noticed that every single email address was fake/the email bounced, so they havent been able to verify the accounts and post.

I have now enabled applications (along with email verification) - does anyone have any opinion on using captcha instead of applications? I feel like captcha has already been defeated by bots.

[–] blayde@lemmy.blahaj.zone 11 points 1 year ago (1 children)

Fwiw the captcha support in lemmy is probably going away soon. It needs to be reimplemented into another database table (or something like that) anyway. Given that it is too hard for many humans, too easy for many bots, and devs are slammed with work, makes more sense to delete as a first step

[–] hoshikarakitaridia@lemmy.fmhy.ml 3 points 1 year ago* (last edited 1 year ago)

I don't have the time right now but someone should double check if captcha rework is in the GitHub issues as well so that they not only remove it but keep track of redoing it later as well...

[–] imaqtpie@sh.itjust.works 9 points 1 year ago (1 children)

Captcha is seemingly what is protecting this instance. Although it is bypassable in theory, it's working for us right now.

As the other commenters mentioned they are planning to remove Captcha in the next update but also other people have created an issue on GitHub to keep Captcha.

Bypassing captcha is technically possible but very hard, hard enough that it doesn't make sense financially to do it. Keeping it is a must. If they do end up removing it, we need to add it back in (actually not that hard to do)

[–] nanoUFO@sh.itjust.works 14 points 1 year ago* (last edited 1 year ago) (1 children)

One of those servers has 30k users but no posts or communities. Makes me think if I was a bad actor other then creating bot account on normal instances I would make my own instance and fill it with bots. If it's federated it can still interact with other instances.

[–] CowsLookLikeMaps@sh.itjust.works 7 points 1 year ago (1 children)

Wouldn't it just make it easier to avoid the bots because all instances would quickly unfederate with them? Vs creating bot accounts on established instance it makes it harder to deal with since you have to play whack a mole.

[–] nanoUFO@sh.itjust.works 5 points 1 year ago* (last edited 1 year ago) (1 children)

It would but it looks like when a new instance is spun up it's just auto federated? Looking at https://sh.itjust.works/instances we see only one instance that has been blocked and that was our favorite and just admin blocking it. So someone creates and instance and can just spam a thousand other instances before everyone wises up and blocks them? I could be wrong but that's what it looks like to me.

I see what you're saying. So even the creation of instances could be spammed in theory.

[–] BlueEther@no.lastname.nz 10 points 1 year ago

Yeah, I caught (at the same time as lemmy.nz) the bit signups in time. I only had about 20 and @Dave@lemmy.nz had about 100. We both have captcha enabled now.

Interestingly none of the 20 I had had email address but username of nnn where lemmy.nz all had obvious spam email address.

[–] Master@sh.itjust.works 7 points 1 year ago

https://beehaw.org/post/662481

https://lemmy.world/post/296344

https://lemm.ee/post/177673

Some cross posts. The bot army is going to be an issue in the next few weeks. .18 drops captcha all together so any server that upgrades is going to be a target. Though a lot of servers dont run captcha, question or email verification anyways so they are already targets. Pretty sure sh.itjust.works didnt either when I signed up.

Not sure how much damage bots can do at this point other than skew the narrative and try to make these places unwelcoming but I am sure we will see first hand how bad it gets.

[–] SJ_Zero@lemmy.fbxl.net 6 points 1 year ago (1 children)

I've got sign ups with applications and a hard captcha set up. My other sites had the same issues, random spam bots. Surprisingly well behaved tbh but I don't care they're not welcome.

[–] enoqe@kbin.social 9 points 1 year ago (1 children)

Well behaved for now, but most likely not indefinitely. They’re either trying to steer signups to particular instance(s), or just paving the way for future astroturfing.

[–] Ghost33313@kbin.social 2 points 1 year ago

Just trying to build karma and influence, they did it on reddit all the time.

[–] bdonvr@thelemmy.club 3 points 1 year ago (1 children)

I've not seen any yet here. Only doing captcha for now but I know emails do work if needed.

[–] imaqtpie@sh.itjust.works 4 points 1 year ago (1 children)

Yeah it seems like many of the older instances are already protecting themselves.

https://fedidb.org/current-events/threadiverse

If you go to the top 20 fastest growing servers, they are all empty, bot filled servers as far as I can tell.

https://the-federation.info/platform/73#drawer-opened

This site seems to be doing a better job of ignoring the bot accounts, and you can see all the original active instances have only grown a modest amount in the past couple days.

[–] DivergentHarmonics@sopuli.xyz 3 points 1 year ago

Wow, that's hundreds of thousands of "users" within two days. It could be software testing or preparing a massive blow.

[–] knova@links.dartboard.social 2 points 1 year ago

Thanks, I am an instance admin and I realized I did not previously have captcha on. That’s been rectified now.

Not that I get a ton of signups anyway. Ever since the join-Lemmy page of instances was reworked, I’m not popular enough to be listed :(

load more comments
view more: next ›