The spam attacks that affected open source Over the past few days, attackers have targeted the small Mastodon server by leveraging open registration to automate the creation of spam accounts. Mastodon founder and CEO Eugen Roszko acknowledged the attack in a post over the weekend, and to address the issue, Mastodon's server administrators switched registrations to approval mode and discarded email providers. It added that it is necessary to block.
Rochko points out that this is not the first spam attack to affect Fediverse, but previously only large servers like Mastodon.social were targeted. Because that server is run by Mastodon's own team, they were able to mitigate those attacks themselves. The difference this time is that spammers were targeting smaller or abandoned servers that offered open registration, allowing attackers to quickly create accounts and generate spam. .
Image credits: Eugen Roszko speaks on Mastodon
As reported by Mastodon, this particular attack was fully automated when the attackers realized they could script spam, resulting in a dispute between two sides on Discord, with one side attacking the other. This happened because someone was trying to get the Discord server banned. (Learn more here.) Many of the spammers' other targets were not just Mastodon, but Misskey as well. (Misskey, like Mastodon, Pixelfed, PeerTube, etc., is an open source decentralized blogging platform that uses the ActivityPub protocol and allows users to interact with users on other federated social platforms.) Japan Even in the forum, many of the targets were in Japan.
This spam attack highlighted one of the weaknesses in Fediverse's structure. Mastodon is open source software that anyone can install on their own server, essentially allowing them to establish their own instance or node that utilizes the ActivityPub protocol to connect with other federated social networking servers.
Mastodon's small servers are often hobbyist projects run by hobbyists, so they were vulnerable to this type of attack. If your server administrator doesn't pay attention to your server on a daily basis and suggests open registration, you may be a victim of spam.
Or as one server administrator @Chris@mastodon.cosmicnation.co put it: “Some instance administrators were reminded that they had instances. And we also learned that there were many abandoned instances, with the door wide open for unauthorized registration.”
Over the past few days, server administrators have worked together to create an ongoing list of abandoned instances that other administrators can use as the basis for blocklists to protect their users from spam attacks. Administrators decided it was easiest to wait out attacks or abandon Mastodon altogether, so many servers were simply shut down.
Tapbots' popular third-party Mastodon app Ivory now has a custom filter called “Potential Spam” that allows users to mute mentions of spam.[フィルター]We have released an emergency update to add to the tab. The company said that while affected users could turn on the filter to catch most spam, it did not stop them from receiving spam push notifications.
As of this morning, the attacks appear to be subsiding. Technologist and researcher Tim Chambers (@tchambers@indieweb.social) said today, for the first time in four days, that his 40 spam accounts should be suspended on servers he manages. said that it was less than Mastodon told TechCrunch that Mastodon has multiple tools on active servers with a reactive moderation team to prevent automated account registration, including approval mode, CAPTCHAs, and various blocking tools. As a result, the attacker was dealt with very quickly. He also pointed out that the spam attacks are ending now that the two hacker groups have apparently reconciled.
Some saw the experience as a positive for the social network and the wider Fediverse, as it revealed weaknesses that could now be discussed and addressed, but they were angered by the experience and Lochko's lack of response in the early stages of the attack. There were also people.
“This has ruined my Mastodon experience. It makes me want to walk away and give up,” wrote one Mastodon server administrator sam@urbanists.social. “And Mr. Eugen's continued silence on this issue does not help that,” they said.
Renaud Chape, Mastodon's chief technology officer, said the attack forced the company to improve its software.
“Currently, there are no good built-in tools to handle this, as this is a complex problem. Federated networks are not easy — but there are many ways to improve our ability to fight spam and fraud.” I have an idea,” he said. “These are things we will be working on over the next few months. We are always working to improve our software (our last release introduced optional capture support). The workaround is to toggle the settings on new instances so that they don't default to wide open, and add a banner that notifies administrators that fully open instances should be actively moderated. Therefore, this requires a careful decision by management,” Chaput added.
Since the introduction of Instagram Threads, another Twitter/X competitor, which also plans to federate using ActivityPub, the use of Mastodon has been on the decline.
Last October, Mastodon's monthly active users had grown to about 1.8 million. By the time Threads was released to the public, that number had dropped to 1.5 million. This month, with the public launch of Bluesky, another decentralized social network based on a different protocol (i.e. not part of the same Fediverse, at least until a bridge is built), Mastodon usage will be active for the month The number of users has decreased to 1 million.
According to the company's website, Mastodon is still in use there. The broader Fediverse, which includes Mastodon and other apps, has about 2.9 million monthly active users. While Thread's entry into this space dwarfs other Mastodon servers and may provide Meta's technical expertise in areas such as spam prevention, many believe that Meta's ultimate goal is , is concerned that by becoming the default client of choice for users and using its service, they are essentially hijacking the Fediverse. Essential resources for expanding your app adoption in Meta.
February 20th, updated at 1:31pm on the 24th to add comments from Mastodon CTO.