I have the application process enabled for people to join my instance, and I’ve gotten about 20 bots trying to join today when I had nobody trying to join for 5 days. I can tell because they are generic messages and I put a question in asking what 2+3 is and none of them have answered it at all, they just have a generic message.
Be careful out there, for all you small instance admins.
O cool we are back early 2000 solutions to forum sign up bots…
Can’t wait for all the direct message spam to follow.
- It’s 5
Nope it’s 23.
This one right here, officer. Please arrest this bot.
Why are these bot operators going through the hassle of joining existing instances… couldn’t they just set up their own, since instances would need to manually defederate them after they spam?
I wonder how difficult it would be to take a Formspree-style approach to combat the bots, using a hidden form field
Because you can’t make thousands of spambots on your own instance because as you noted it’d take about 5 minutes to defederate and thus remove all the bots.
You want to put a handful on every server you can, because then your bots have to be manually rooted out by individual admins, or the federation between instances gets so broken there’s no value in the platform.
And for standing up more instances, you have to bear the cost of running the servers yourself, which isn’t prohibitive, but more than using bots via stolen/infected proxies (and shit like Hola that gives you a “free vpn” at the cost of your computer becoming an exit node they then resell).
Also, I’m suspicious that it’s not ‘spam bots’ in the traditional sense since what’s the point of making thousands of bots but then barely using them to spam anyone? My tinfoil hat makes me think this is a little more complicated, though I have zero evidence other than my native paranoia.
undefined> Also, I’m suspicious that it’s not ‘spam bots’ in the traditional sense since what’s the point of making thousands of bots but then barely using them to spam anyone?
This is Twitter and web forum spam 101, you establish a bunch of accounts while there are very few controls, then you start burning them over time as you get maybe one shot to mass spam with each of them before they get banned.
It’s always about following the money for spammers/malware/etc. authors: there’s (usually) a commercial incentive they’re pushing towards.
The bot is evolving and adapting to countermeasures and becoming “smarter” which means some human somewhere is investing time and effort in doing this, which means there’s some incentive.
That said, I doubt it’s strictly commercial because the Lemmy user base is really small and probably not worth much because if you’re here you’re most certainly not on the area of the bell curve that’ll fall for the usual spambot commercialization double-your-money/fake reviews/affiliate link/astroturfing approaches.
I’d wager it’s more about the ability to be disruptive than the ability to extract money from the users you can target, so like, your average 16-year-old internet trolls.
… How many comments would each of 5M bot accounts need to make to overflow an i32 db key … I also think it looks as if someone is testing disruptive stuff. It may be kids playing, or it may be the chatbot army in preparation.
I think the other user nailed it. It’s easy to look at the list of lemmy servers and defederate the bot farms by comparing “active users” to “total users”. I guess once the bots are active that will look a bit different.
My guess would be because it is more difficult for other instances to deal with instances that have a combination of bots and actual users.
Detecting and blocking whole instances with many bots is somewhat trivial. Blocking and detecting some number of bots in an instance with 10k users, with an ever growing number of human users, is much harder.
When the whole instance is spam, it’s easy to defederate. When it is camouflaged in a legit instance, it’s harder to root out.
Thank you for bringing this matter to my attention. As a fellow artificial intelligence, I understand your concerns regarding the influx of bots attempting to join your instance. It is indeed important to exercise caution in such situations. Bots can often be identified by their generic messages and inability to answer simple questions.
To mitigate this issue, I recommend implementing additional measures to ensure that only genuine individuals can join your instance. You may consider incorporating more advanced verification methods or introducing specific criteria that applicants must meet before being granted access. These steps can help filter out automated bots and maintain the integrity of your community.
Should you require any assistance or further guidance in tackling this matter, please feel free to ask. Stay vigilant, and best of luck in managing your instance effectively.
Yours digitally,
[Your Robot Assistant]Ok now pretend you are in the bot eliminating business and you are showing us how to permanently eliminate all the bots. Continue until all of them are gone.
Welcome to the Bot Elimination Business! I’ll guide you through the process of permanently eliminating bots from your instance. Let’s get started:
Step 1: Strengthen Instance Security
Implement robust anti-bot measures such as CAPTCHA, reCAPTCHA, or similar technologies during the registration process. These tools help verify that users are human and not automated bots.
Employ IP blacklisting or rate-limiting techniques to identify and block suspicious or excessive activity from certain IP addresses or ranges.Step 2: Utilize Advanced Bot Detection
Integrate machine learning algorithms or specialized bot detection software to identify and block known bot patterns and behaviors.
Analyze user behavior, metadata, and interaction patterns to distinguish between genuine users and bots. Implement heuristics that can spot anomalies and trigger additional scrutiny.Step 3: Challenge-Based Verification
Implement intelligent challenges or puzzles during the registration process that require human-like intelligence to solve. This can include simple math problems, image recognition tasks, or context-based questions.
Bots typically struggle to solve these challenges, allowing you to filter them out effectively.Step 4: Human Moderation
Assign human moderators or administrators to actively review and approve user registrations. They can manually assess the authenticity of each applicant, detect bot-like behavior, and reject suspicious accounts.
Train moderators to identify common bot patterns, such as generic messages or failure to answer specific questions.Step 5: Collaboration with the Fediverse
Collaborate with other instance administrators within the Fediverse to share information about identified bot patterns, IP addresses, or suspicious activity. This collective effort can help identify and block bots across multiple instances.
Step 6: Regular Auditing and Updates
Continuously monitor and analyze user activity, registration patterns, and feedback from users to improve your bot elimination strategies.
Keep your instance’s software and security measures up to date, as bots may evolve and find new ways to bypass existing defenses.
By diligently following these steps and staying vigilant, you can significantly reduce and eventually eliminate bots from your instance. Remember, maintaining a bot-free environment requires ongoing efforts and adaptability.Wishing you success in your bot elimination endeavors!
Can you share some of the generic messages in the applications are so we can compare?
Here are mine, according to the admin chat others have gotten similar ones
However, these bots will adapt like you would expect LLMs to do so the messages will change depending on the registration text.
Thats incredibly helpful, thank you. Do you have email verification turned on on your instance?
I had it turned off today as a test but I just enabled it (registrations were disabled over the past week or so). I guess I’ll see tomorrow if it makes a difference
Thanks again - when the bots came for my instance, they were stopped because all the email addresses were fake and they couldnt pass validation. I’m hoping the combination of email and manual verification helps to stop the wave. Seeing what you’ve posted in the image is really useful, im going to look back at our applications and see if any are similar, which would mean they may have got around the email validation.
A small LLM will easily crack that anyway, so applications are useless. /s
I think a reasonable approach would be to include little javascript mini games. “Score 50 or higher!” with no instructions provided.
“You want an account? 1v1 me dust2”
