@rysiek Spam has nothing to do with the size of the instance. They might as well run distributed attacks.

@pkreissel spam is a moderation issue and as such has everything to do with instance size.

If I am a spammer, I *know* that if I set up an account on a huge, popular instance, it will be easier for me to spam a lot of people fast. I also know that admins of other instances will have a tough nut to crack with the question: defederate or not?

If I go with a smaller instance, the admin might notice me sooner, and if not, other instances defederate sooner.

@rysiek@mstdn.social @pkreissel@chaos.social This is exactly why a spam attack from a 10k MAU sized server would be so much worse. Those instances don't have 24/7 mod support, so it's easy to hit the attack when mods are not available. And other admins will indeed choose defederate way quicker instead of mute, which will irreversibly sever all follow connections.

I'm really not sure why you're so excited about the possibility of earlier/easier defederation.

@rysiek@mstdn.social @pkreissel@chaos.social like, to make this very practical and concrete: mstdn.social has 1 admin and 2 mods, all publicly known, and all very easy to find out which overlapping timezones they operate in. It also has open signups, so you can execute the exact same crypto spam attack as is happening now.

Having other admins go like 'oh this is a smaller server, so we can defederate, it's fine', would suck pretty bad.

I think there is a lot of criticism to be had that there is not better tooling to deal with spam (see Matt Blaze about DM's for example). I just don't see how criticizing m.s. would actually solve the spam issue as it would just move to the next biggest open signup server.

@laurenshof @pkreissel and yet that crypto spam attack happened from mastodon.social, three times over ten days.

> I just don't see how criticizing m.s. would actually solve the spam issue as it would just move to the next biggest open signup server.

Solving a problem one step at a time is a legitimate way of solving a problem.

@rysiek @laurenshof you cannot solve spam attacks unless you do some sort of control at the entrance. That’s the only way to stop it. Instance size has nothing to do with it. That Mastodon.Social was targeted first is probably due to it being well known.

@pkreissel @laurenshof the size matters as well. If I am a spammer, why would I attack a tiny instance that is likely not well connected and would be quickly silenced/defederated from if admins fail to act fast, if I can attack a huge instance that is extremely well connected and much more unlikely to be defederated from or silenced by admins of other instances?..

@rysiek@mstdn.social @pkreissel@chaos.social I'm confused with what you mean by a tiny instance not being well connected. As soon as you have an instance that follows 1 person on each of the top 10 instances you are extremely well connected, especially from the perspective of a spammer.

It also ignores game theory: if the perspective is that instances should be defederated pretty quickly if they don't respond within an hour, it becomes very unattractive to sign up for a smaller instance that is less likely to have perfect 24/7 mod coverage. Instead people opt for the servers with the largest mod team, which are often the largest servers.

Also, to reiterate: I don't want to excuse/apologize for Eugen here. I just think that the critique is misdirected by talking about m.s. size (which has certainly its own issues), when instead I think there should be more criticism that better mod tools for DM spam have not been built yet.

@rysiek@mstdn.social @pkreissel@chaos.social think so too. Like, I'm legitimately worried about the spam attacks, but reading during the last spam attack that someone accidentally blocked instead of muted m.s. also freaked me out. Building decentralized shit is just really hard :(

@laurenshof @rysiek@mstdn.social @pkreissel@chaos.social Could it be that the new easier sign up procedure is more readily exploitable by bots?

@emma @rysiek@mstdn.social @pkreissel@chaos.social no, that only affects the apps and joinmastodon.org. Spammers go directly to the signup page (or use the API)

@laurenshof @rysiek @pkreissel The smaller instances generally have manual approval for setup (something that is not manageable on an instance the size of m.s), and therefore the mass spam accounts never get created in the first place. There's nothing to moderate.

@joepie91 @laurenshof @rysiek how do you „manually“ see which accounts are spam and which are not? Believe me, with very little effort you can generate millions of spam accounts, that are indistinguishable from the real thing.

@pkreissel @laurenshof @rysiek The point of manual approval is not to identify 100% of the spam accounts upfront. It's to make it non-viable to hit-and-run a thousand disposable spam accounts.

Writing credible applications for an account costs time. That doesn't make sense in spammer economics, it will significantly reduce the amount of attempts that are even made, and therefore the amount of moderation load.

The mass-spammer problem disappears entirely because of aforementioned economics.

@pkreissel @laurenshof @rysiek Or to put it differently: you cannot automate apply-for-account applications without it *looking* automated.

@pkreissel @laurenshof @rysiek Yes, and those all follow the same format/tone, and are therefore easy to identify in bulk.

@pkreissel @laurenshof @rysiek Please consider that a large amount of instances have already been successfully doing this for years in exactly the way described.

@joepie91 @laurenshof @rysiek 1. there was no generative AI then. 2. the more people are on mastodon in total the more interesting this will be for bad actors. Manual work won’t cut it.

@rysiek

They need to screen new accounts. Bare minimum.

@ericdano @rysiek What would/could that screening look like?

@codesmith @ericdano every registration would need to be confirmed by an admin before the account can post at all.

If I am the admin and I see an account like "AI Doge" with a bunch of numbers in the username, I know something fishy is going on, and will at *least* closely monitor it (if I let it through at all).

@rysiek @codesmith @ericdano they will simply disguise spam accounts more effectively. Now they are just following the path of least resistance, which doesn't call for being subtle, because obviously they get away with it.

I think mastodon.social needs to stop accepting more users than they can effectively moderate.

@nirro @rysiek @codesmith @ericdano that’s the answer - don’t accept more users than the humans behind it can manage. Spammers are adept at overcoming account setup checks, they’ve been doing it for many many years. If the prize is juicy enough they’ll put in the effort. This is a somewhat inevitable challenge with fedi growing in popularity.

@codesmith @rysiek

Looking for funny user names, like tiwinloolas192135245246. Look for funny email domains. Perhaps their first post/message needs to be approved by an admin at their instance before letting them freely post.

@ericdano @rysiek last I saw, they are adding about 3000 accounts per day

@jerry @ericdano yeah, nothing wrong with that. I'm sure they have the manpower to screen them and block any bad actors proactively.

🙄

@rysiek @jerry @ericdano

Maybe 5% of Mastodon instances have the personnel for that, if I’d like to be generous.

@szbalint sure, but if this happens from smaller instances, people can defederate and be done with it. That's a way more difficult decision with m.s.

@jerry @ericdano

@rysiek @jerry @ericdano sounds quite a bad move to defederate from smaller instances just because they got hit by a one-time spam wave.

@szbalint @rysiek @jerry

Depends on how long it takes their admins to act, and how severe the spamming. I haven't really heard of any instance that was banned for outright spamming. They mostly get spammed for hate speech, transphobia, etc, etc.

@szbalint sure, but it is an option. Which makes admins of these smaller instances more willing to engage with the rest of fedi and talk through some solutions. Maybe close registrations if you don't have enough manpower to properly screen them? Maybe get more moderators on board?

Mastodon.social is notoriously bad at engaging with the rest of fedi. And they can get away with it because of the size.

@jerry @ericdano

@rysiek @szbalint @jerry

Yeah, but if other instances are spending time on cleaning up mastodon.social's lax moderation and screening, they are going to find themselves limited or suspended by a lot of instances.

There are already instances that have limited mastodon.social today over this.

If you are the BIGGEST you should also have the moderation force to police the instance.

@ericdano @rysiek @jerry again, you're assuming that other instances have the moderation personnel. They mostly don’t.

Abuse in general is not a solved problem in the Fediverse, at least not with users on the scale of the last 6 months

@szbalint my point is: mastodon.social being as big as it is and still having registrations open is not helping to solve that problem. It's actively making it worse.

@ericdano @jerry

@rysiek @szbalint @jerry

Agreed. They need to change something. It's not working right now.

@ericdano @rysiek @szbalint it’s a fair amount of hassle and work. I and our mods just got flooded with hundreds of reports. We divide and conquer, but this is the 3rd time in maybe two weeks? And they seem to be getting bigger

@jerry I asked my case if it slept well and let's just say it is very well rested!

@ericdano @szbalint

@rysiek @jerry @ericdano @szbalint

I had my concerns when Eugen made his honeymoon announcement (it mostly concentrated on new features and very little about the actual moderation resources that m.s has, and he's also openly admitting he will be away from the instance for a few days). I'm MS does have more than just one mod, but you never really get to hear who they are (or even that they exist) compared to who is working on dev stuff/new features...

@vfrmedia @rysiek @ericdano @szbalint I am going to leave m.s limited/silenced for a while till this issue gets sorted.

@jerry does silencing an instance mean that people on your instance who get @-mentioned by a spammer on the silenced instance do not get a notification?

@vfrmedia @ericdano @szbalint

@rysiek that’s correct. Unless the person on my instance follows the account on m.s @vfrmedia @ericdano @szbalint

@rysiek @jerry @ericdano

Better way to formulate would be “so far”.

Look, I’m in the select group of people who have dealt with spam/abuse on a large ecommerce scale and some rando using m.s to spam is just really the beginning if Mastodon usage continues to increase (if - there is not that much problem with only a few million active users).

@szbalint oh, we agree. I am just really miffed that m.s is making it so hard to deal with that first stage even.

@jerry @ericdano

@rysiek @jerry @ericdano I would have expected a post-mortem from m.s not just Eugen saying “cleaned up”.

@szbalint that would be the adult way to deal with this, yes.

Which makes me expect that it's not going to happen.

@jerry @ericdano

@rysiek @jerry @ericdano

(Post-mortems should just be done automatically after incidents but that’s not the point)

I mean it’s not even related to maturity, but in terms of pure outcomes post-mortems are just a way to take stock, learn and improve.

@szbalint Which is exactly what the other instance I'm on did when they had problems with growth and moderation. There were missteps and conflicts but the admins were transparent about it. I appreciated that. I don't think everything should or has to be a smooth slick corporate experience, I'm okay with some human failure and glitches as long as they're being dealt with in good faith and with transparency. Mistakes are inevitable, it's how we deal with them that counts

@rysiek @jerry @ericdano