cross-posted from: https://lemm.ee/post/177673
Today, a bunch of new instances appeared in the top of the user count list. It appears that these instances are all being bombarded by bot sign-ups.
For now, it seems that the bots are especially targeting instances that have:
- Open sign-ups
- No captcha
- No e-mail verification
I have put together a spreadsheet of some of the most suspicious cases here.
If this is affecting you, I would highly recommend considering one of the following options:
- Close sign-ups entirely
- Only allow sign-ups with applications
- Enable e-mail verification + captcha for sign-ups
Additionally, I would recommend pre-emptively banning as many bot accounts as possible, before they start posting spam!
Please comment below if you have any questions or anything useful to add.
I make fun of conspiracy theorists, but what the actual fuck? Makes me wonder how many real people I’ve actually interacted with on reddit? Maybe none.
I liked your comment very much and this made me look into your profile. Amazing content. I would like to add you in my friend list but facebook didn’t let me. If you want please send me a friend request and I would love to know you better
Oops wrong platform
Wasn’t there a theory on 4chan about how the internet will turn into a network of robots communicating with each other, creating content for other bots, and artificially generating outrage? No actual humans would use the internet because it would be only AI. Controlling the internet, AI controls information and thus humanity.
Dead internet theory but I doubt chatbots are that advanced yet. They can’t write compelling and complex comments that depend on convoluted chains of logic, and respond to novels ideas and topics. Eventually.
There was a video of a guy who let a chatbot loose on 4chan and it had the whole of /pol/ thinking it was a team or feds. That was using gpt3 as a base.
I saw that but that was a /pol/ chatbot just regurgitating things people said you don’t exactly have to write intelligent comments on /pol/, 90% of the people there write like bots. My guess performance in a slower board like /lit/ or somewhere that requires more knowledge of subject matters and where people write more intelligently it would be called out.
I was messing around with that dudes chatbot OpenAssistant and while interesting it fails the same way all the others do once pressed hard enough (which isn’t that hard). These bots seem to do best when you just ask them to regurgitate something from their training library. Which is why non programmers are amazed by it’s programming skill (copy pasting from github repo’s and stackoverflow) vs devs in the field asking it novel questions and not getting anything interesting out of it.
I see no problem. Everyone assumes Skynet is a murderbot because any pragmatism we can imagine for the robots would demand we be removed. What if there’s another pragmatic solution, i.e. the xkcd punchline? Just . . . rewire people to be nice.
Even the robots in The Matrix claim to have tried to give us a utopia, but it made our minds melt down.
I’ve been skeptical about every reddit comment I’ve replied to since the '14 midterms, that felt like the year the bot accounts really became a significant chunk of reddit’s numbers. It’s been horrible since the '16 general election; I’m really not heartbroken to have left.
I think I’m a real person. Lemme check
Definitely bot, he never came back.
I think you have the wrong idea. These are just sign-ups. It is very easy to automate without precautions in place and is unrelated to bots pretending to be human in comments.
“Resistance is futile”
In male chorus voice.
Yeah, I caught (at the same time as lemmy.nz) the bit signups in time. I only had about 20 and @Dave@lemmy.nz had about 100. We both have captcha enabled now.
Interestingly none of the 20 I had had email address but username of <word>nnn where lemmy.nz all had obvious spam email address.
https://beehaw.org/post/662481
https://lemmy.world/post/296344
Some cross posts. The bot army is going to be an issue in the next few weeks. .18 drops captcha all together so any server that upgrades is going to be a target. Though a lot of servers dont run captcha, question or email verification anyways so they are already targets. Pretty sure sh.itjust.works didnt either when I signed up.
Not sure how much damage bots can do at this point other than skew the narrative and try to make these places unwelcoming but I am sure we will see first hand how bad it gets.
This happened to me, although luckily I managed to turn off registration after about 80 signups. I did have email verification enabled but noticed that every single email address was fake/the email bounced, so they havent been able to verify the accounts and post.
I have now enabled applications (along with email verification) - does anyone have any opinion on using captcha instead of applications? I feel like captcha has already been defeated by bots.
Captcha is seemingly what is protecting this instance. Although it is bypassable in theory, it’s working for us right now.
As the other commenters mentioned they are planning to remove Captcha in the next update but also other people have created an issue on GitHub to keep Captcha.
Bypassing captcha is technically possible but very hard, hard enough that it doesn’t make sense financially to do it. Keeping it is a must. If they do end up removing it, we need to add it back in (actually not that hard to do)
Fwiw the captcha support in lemmy is probably going away soon. It needs to be reimplemented into another database table (or something like that) anyway. Given that it is too hard for many humans, too easy for many bots, and devs are slammed with work, makes more sense to delete as a first step
I don’t have the time right now but someone should double check if captcha rework is in the GitHub issues as well so that they not only remove it but keep track of redoing it later as well…
One of those servers has 30k users but no posts or communities. Makes me think if I was a bad actor other then creating bot account on normal instances I would make my own instance and fill it with bots. If it’s federated it can still interact with other instances.
Wouldn’t it just make it easier to avoid the bots because all instances would quickly unfederate with them? Vs creating bot accounts on established instance it makes it harder to deal with since you have to play whack a mole.
It would but it looks like when a new instance is spun up it’s just auto federated? Looking at https://sh.itjust.works/instances we see only one instance that has been blocked and that was our favorite and just admin blocking it. So someone creates and instance and can just spam a thousand other instances before everyone wises up and blocks them? I could be wrong but that’s what it looks like to me.
I see what you’re saying. So even the creation of instances could be spammed in theory.
I’ve got sign ups with applications and a hard captcha set up. My other sites had the same issues, random spam bots. Surprisingly well behaved tbh but I don’t care they’re not welcome.
Well behaved for now, but most likely not indefinitely. They’re either trying to steer signups to particular instance(s), or just paving the way for future astroturfing.
Just trying to build karma and influence, they did it on reddit all the time.
Thanks, I am an instance admin and I realized I did not previously have captcha on. That’s been rectified now.
Not that I get a ton of signups anyway. Ever since the join-Lemmy page of instances was reworked, I’m not popular enough to be listed :(
I’ve not seen any yet here. Only doing captcha for now but I know emails do work if needed.
Yeah it seems like many of the older instances are already protecting themselves.
https://fedidb.org/current-events/threadiverse
If you go to the top 20 fastest growing servers, they are all empty, bot filled servers as far as I can tell.
https://the-federation.info/platform/73#drawer-opened
This site seems to be doing a better job of ignoring the bot accounts, and you can see all the original active instances have only grown a modest amount in the past couple days.
Wow, that’s hundreds of thousands of “users” within two days. It could be software testing or preparing a massive blow.