this post was submitted on 22 Jun 2023
60 points (95.5% liked)


A dev initially suggested in the Lemmy GitHub to remove captchas from future releases altogether because "they're easy to bypass".

Here's the thing though, the lemmy.world instance avoided the daily 10k+ bot signups per day the other instances are currently experiencing simply by activating captchas.

Yes basic OCR easily bypasses them, but the whole point is that you're forcing the spammer to use it, and it costs CPU resources, meaning that for the same budget the spammer will be able to create FEWER bot accounts, or none at all if he doesn't know how to automate the use of an OCR. Compare that with the current situation where anyone who followed a Python crash course can easily write a small script doing tens of thousands of automated signups using just the requests module.

Please enable captchas by default in future releases. You can try out other proposed solutions like hashcash too but IMO focus on the low hanging fruit first and make captchas a default in 0.18 already. One barrier, no matter how weak it is, is much better than no barrier at all.

And to those who maintain websites that list instances and rank them by size, you are also contributing to this problem by adding an incentive for bad actors to inflate their own instances. Please either remove that ranking, or remove the spammy looking instances by hand.

Also, maybe change the user count such that only users having clicked on the verification link are counted.

all 18 comments
[–] PenguinLover@lemmy.ml 30 points 2 years ago (2 children)

Completely agree, captchas aren't gonna make it impossible to make bots, but it makes it more complicated. It will force bad actors to invest more time in it. Which will turn some part of them away.

On a positive note, I think the fact that we see so many bot signups shows lemmy (the fediverse in general) is growing and matters, otherwise people wouldn't spend so much time and resources to make these bots. All big platforms have these kind of problems and need to learn how to deal with them.

[–] 0xpr03@feddit.de 5 points 2 years ago* (last edited 2 years ago)

yeah it was never about making it impossible, only about making it inconvenient enough that it's manageable

[–] xuu@social.sour.is 12 points 2 years ago (1 children)

Hard agree. Currently of the top 20 fastest growing servers in the fediverse most are instances with less than 10 active users but they are showing 50k - 70k bot accounts.

[–] sparky@lemmy.pt 2 points 2 years ago (1 children)

What? Can’t they get defederated if it’s this obvious?

[–] xuu@social.sour.is 1 points 2 years ago

You can find them in "Top 20 Fastest Growing Servers" on here https://fedidb.org/

and instances can add them to their blacklist. Though it's probably helpful to reach out to the admins. Many are new and are unaware of how it works.

[–] dudeami0@lemmy.dudeami.win 6 points 2 years ago

I'd say setting registrations to closed and having the operator enable/configure which to use is the best default. CAPTCHAs can also be automated, so this won't stop anyone that is ambitious enough. If someone sees value in automating account registrations, they might be willing to pay for the CAPTCHAs to be solved for a fraction of a US cent each.

[–] Nitrate55@lemmy.dbzer0.com 5 points 2 years ago (1 children)

Agreed, I'm really concerned about the fact that email verification and captchas are available but off by default. With the state of the internet now they really should be on by default.

[–] fubo@lemmy.world 4 points 2 years ago* (last edited 2 years ago) (1 children)

Bot registrations can also be slowed down by just ... slowing down.

Real users don't need a registration to happen within 250 milliseconds. It's okay to delay it for several seconds just to rate-limit bots.

(This is sometimes described as the "tarpit" approach.)
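The tarpit described in this comment is straightforward to express as a per-source throttle on the registration handler. The following is an added example, not Lemmy's code: the first attempt from a source waits a fixed base delay, each further attempt inside the window waits twice as long, capped at a maximum, and attempts older than the window are forgotten so a shared address recovers. The source key, delays and window are constructed values; a deployment would key on the client address (or the /64 for IPv6) and would do the waiting in an async handler or at the reverse proxy so a sleeping request does not hold a worker thread.

```python
import time
from collections import defaultdict, deque


class RegistrationTarpit:
    """Escalating delay per source for a signup endpoint.

    Humans register once and barely notice a few seconds; a script that
    registers in bulk from one source sees every attempt pushed toward
    max_delay, which caps its throughput without any CAPTCHA at all.
    """

    def __init__(self, base_delay=2.0, max_delay=60.0, window=3600.0,
                 clock=time.monotonic, sleep=time.sleep):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.window = window
        self.clock = clock      # injectable for testing
        self.sleep = sleep      # injectable for testing
        # source -> timestamps of recent attempts, oldest first
        self._history = defaultdict(deque)

    def delay_for(self, source: str) -> float:
        """Record an attempt and return how long this one must wait."""
        now = self.clock()
        attempts = self._history[source]
        # Drop attempts that fell out of the window so the counter decays.
        while attempts and now - attempts[0] > self.window:
            attempts.popleft()
        prior = len(attempts)
        attempts.append(now)
        return min(self.base_delay * (2 ** prior), self.max_delay)

    def register(self, source: str, handler):
        """Wrap the real signup handler with the tarpit wait."""
        self.sleep(self.delay_for(source))
        return handler()


def simulate_burst(n: int, base_delay=2.0, max_delay=60.0, window=3600.0):
    """Return the delays a single source would see for n back-to-back attempts.

    Uses a fake clock so the simulation runs instantly and deterministically.
    """
    t = [0.0]
    tarpit = RegistrationTarpit(base_delay, max_delay, window,
                                clock=lambda: t[0], sleep=lambda s: None)
    delays = []
    for _ in range(n):
        d = tarpit.delay_for("198.51.100.7")   # constructed documentation address
        delays.append(d)
        t[0] += d                              # the caller actually waited this long
    return delays


if __name__ == "__main__":
    print("delays for 8 rapid signups from one source:", simulate_burst(8))
    # a single human signup only ever pays the base delay
    print("delay for one signup:", simulate_burst(1))
```

With the defaults, eight attempts from one source take 2 + 4 + 8 + 16 + 32 + 60 + 60 + 60 seconds of waiting, so bulk registration from that source settles at one account per minute, while the one-off human pays two seconds once. The tarpit is deliberately a separate layer from captchas and email verification; it only shapes rate and says nothing about whether the registrant is a person.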

[–] AlmightySnoo@lemmy.world 2 points 2 years ago (1 children)

Yes, but the point is that and captchas are not exclusive. I hope devs will backtrack on their intention to remove captchas and instead make them a default.

[–] fubo@lemmy.world 2 points 2 years ago

Yep. Successful anti-spam usually relies on a mix of different techniques, not just one!

[–] technically-creative@kbin.social 2 points 2 years ago (1 children)

Arguing against captchas like this is a prime example of letting perfect be the enemy of good.

[–] AlmightySnoo@lemmy.world 1 points 2 years ago* (last edited 2 years ago)

those people probably leave their doors open because even the strongest lock can be broken anyway