Hello Mastodon admins. I'm looking for input on how to prevent spam. We were overrun during the holidays when I was distracted by other things. I have anti-spam turned on but it doesn't seem to do anything. What do you do (besides active moderation)?
@leo we go with invite only, which probably doesn’t fit your model very well.
But approvals would slow them down significantly, and is far less labor intensive.
@leo masto.host did a post recently about what they're trying https://masto.host/testing-custom-code-to-fight-spam-registration-on-mastodon/
Personally this was part of the reason I switched my instance to invite only and basically gave up running it as open sign-up
@chidgey @leo I feel like since my instance already has users (though almost all are inactive) I should maintain the instance as-is for those already here. But yeah, if I could go back in time I'd probably do single-user. Resource-wise the db is ~400 MB at this point and my DigitalOcean VPS is having memory issues even with this user count almost entirely inactive.
Past the spam issue I got nervous about a possible influx of shady characters and the prospect of moderating questionable material.
@leo This may not work for you, but I ended up requiring approval for new signups. Still get a few spam applications but they mostly get caught by the filters and I don't notice until later.
Additionally if you're getting a lot of spam signups from the same mail server you can block the mailserver domain at /admin/email_domain_blocks
@hugh Thanks for the advice. I've turned on registration approval required and I'm sure that will take care of it. And it gives me a good reason to log on every day!
@leo for my instance, I have Registration Mode in Site Settings set to 'Approval required'. I have included a paragraph in the 'Server Rules' stating that new users must enter something in the 'Why do you want to join?' field at sign-up. However, I have UNchecked 'Require new users to enter a reason to join' in Site Settings. This helps me to spot genuine sign-ups (who read the rules) and more easily see the bots (who either ignore the "optional" text field or will fill it with spammy nonsense).
@leo you're welcome! Another tactic is to keep an eye on the email addresses on new accounts (or the requests if you go that route). If you're getting a lot of new accounts registered to addresses all coming from the same (usually sketchy looking) root domain then just add it to the 'Blocked Email Domains' list for a couple of days.
@leo We get right-wing attacks sometimes on our activism and campaign instances. We remove the accounts when they cross the line and turn on moderation for sign-up so people have to type a reason. Spammers and right-wing nutters have limited attention spans, so this stops it for a while, but the issues do come back.
sysadmin help filtering spam
@leo You should be able to filter e-mail domains from registration, that helps a little if you can see a pattern from the accounts trying to register. I would also recommend requiring a message during registration so you can at least filter out anyone who doesn't read your CoC or ToS. Additionally, I would recommend requiring administrator / moderator approval for registrations, that way even if you get a lot of registration applications, they won't immediately become accounts.
On my end, I went ahead and disabled registration altogether. You could do this and then still enable registration invites for administrators / moderators, then set up a 3rd party way of sending registrations so that spam bots don't just use the API or template HTML pages to fill out registration forms. Hope that all helps.
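Added example (not part of the thread and not Mastodon's own code): a Python triage pass over pending sign-up requests that combines two signals suggested in the replies above, many requests sharing one root mail domain and an empty or link-filled "Why do you want to join?" field. The record fields, the sample data and the threshold are assumptions; the root-domain rule is deliberately naive.

```python
import re
from collections import Counter

# Constructed sample of pending sign-up requests (hypothetical field names,
# not real data and not a Mastodon export format).
PENDING = [
    {"user": "alice", "email": "alice@example.org", "reason": "TWiT listener, I read the rules."},
    {"user": "bob77", "email": "bob77@mail.spam-example.test", "reason": ""},
    {"user": "carl", "email": "carl@spam-example.test", "reason": "Best deals at https://shop.invalid"},
    {"user": "dana", "email": "dana@mx2.spam-example.test", "reason": "hello"},
    {"user": "erin", "email": "erin@example.net", "reason": "   "},
]

URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)


def root_domain(email):
    """Naive root domain: last two labels of the host part.
    Assumption for illustration; wrong for suffixes such as co.uk."""
    host = email.rsplit("@", 1)[-1].lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def triage(pending, cluster_threshold=3):
    """Return (per-request flags, root domains seen >= cluster_threshold times)."""
    counts = Counter(root_domain(p["email"]) for p in pending)
    clustered = {d for d, n in counts.items() if n >= cluster_threshold}
    report = []
    for p in pending:
        flags = []
        reason = p["reason"].strip()
        if not reason:
            flags.append("empty-reason")      # skipped the "optional" field
        elif URL_RE.search(reason):
            flags.append("link-in-reason")    # promotional text in the reason
        if root_domain(p["email"]) in clustered:
            flags.append("clustered-domain")  # candidate for a temporary domain block
        report.append((p["user"], flags))
    return report, sorted(clustered)


if __name__ == "__main__":
    rows, domains = triage(PENDING)
    for user, flags in rows:
        print(f"{user:8} {', '.join(flags) or 'ok'}")
    print("review for /admin/email_domain_blocks:", domains)
```

The flags only order the approval queue for a human moderator; a request with no flags still needs the usual review.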