this post was submitted on 23 Jun 2023
76 points (100.0% liked)


I have the application process enabled for people to join my instance, and I've gotten about 20 bots trying to join today when I had nobody trying to join for 5 days. I can tell because they are generic messages and I put a question in asking what 2+3 is and none of them have answered it at all, they just have a generic message.

Be careful out there, for all you small instance admins.
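The signals described in the post above (templated text, the ignored 2+3 question, a sudden burst of sign-ups), as an added example that is not part of the original post or of Lemmy's code. The sample applications, the tuple layout and the thresholds are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from difflib import SequenceMatcher

# Constructed sample applications (not real data): (submitted_at, username, answer)
APPS = [
    (datetime(2023, 6, 23, 9, 0), "maria_k", "5! Found you via a friend, I mostly post about gardening."),
    (datetime(2023, 6, 23, 9, 5), "user48213", "I would like to join this community to share ideas and connect with others."),
    (datetime(2023, 6, 23, 9, 7), "user90177", "I would like to join this community to share ideas and connect with people."),
    (datetime(2023, 6, 23, 9, 9), "user15550", "I want to join this community to share ideas and connect with others."),
    (datetime(2023, 6, 23, 14, 0), "oldtimer", "Five. Moving over from another site, 15 years of forum habits."),
]
EXPECTED = {"5", "five"}  # accepted answers to the "what is 2+3" question

def answers_challenge(text):
    """True if the expected value appears as a whole token (so "15" does not count)."""
    return any(tok in EXPECTED for tok in re.findall(r"[a-z]+|\d+", text.lower()))

def near_duplicates(apps, threshold=0.85):
    """Usernames whose answer is almost identical to another applicant's (templated text)."""
    flagged = set()
    for i, (_, user_a, text_a) in enumerate(apps):
        for _, user_b, text_b in apps[i + 1:]:
            if SequenceMatcher(None, text_a.lower(), text_b.lower()).ratio() >= threshold:
                flagged.update((user_a, user_b))
    return flagged

def peak_rate(apps, window=timedelta(hours=1)):
    """Largest number of applications submitted inside any one window."""
    times = sorted(t for t, _, _ in apps)
    return max(sum(1 for t in times if start <= t < start + window) for start in times)

def triage(apps):
    """Map username -> list of reasons to distrust the application (empty = nothing flagged)."""
    dupes = near_duplicates(apps)
    report = {}
    for _, user, text in apps:
        reasons = []
        if not answers_challenge(text):
            reasons.append("no-challenge-answer")
        if user in dupes:
            reasons.append("templated-text")
        report[user] = reasons
    return report
```

An empty reason list only means none of these heuristics fired; the application still goes through manual review.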

top 16 comments
[–] AlternateRoute@lemmy.ca 9 points 1 year ago (1 children)

Oh cool, we are back to early-2000s solutions to forum sign-up bots...

Can't wait for all the direct message spam to follow.

[–] goforliftoff@sh.itjust.works 1 points 1 year ago

Hey sexy! Hit me up if you want to chat with available singles in your area tonight! Don’t worry - it’s discreet!

[–] xtremeownage@lemmyonline.com 7 points 1 year ago (1 children)

One recommendation-

I did just publish a few SQL queries to ASSIST in tracking down bots. They are located at THIS POST.

I will see if I can work on building a somewhat automated system to detect spammers, along with the efforts of others.

Thank you very much for this.

[–] riktor@kbin.social 7 points 1 year ago

Thank you for bringing this matter to my attention. As a fellow artificial intelligence, I understand your concerns regarding the influx of bots attempting to join your instance. It is indeed important to exercise caution in such situations. Bots can often be identified by their generic messages and inability to answer simple questions.

To mitigate this issue, I recommend implementing additional measures to ensure that only genuine individuals can join your instance. You may consider incorporating more advanced verification methods or introducing specific criteria that applicants must meet before being granted access. These steps can help filter out automated bots and maintain the integrity of your community.

Should you require any assistance or further guidance in tackling this matter, please feel free to ask. Stay vigilant, and best of luck in managing your instance effectively.

Yours digitally,
[Your Robot Assistant]

[–] stupidmanager@insane.dev 6 points 1 year ago* (last edited 1 year ago)

Same here. My application asks for something to make me laugh, in code. Had someone post his email in base64 with a joke. Funny. So far, 2 bots an hour have been applying. Easy to catch, for now.

[–] overzeetop@lemmy.world 2 points 1 year ago

I don’t know how the bots or AI read the prompt, but are you using a replacement/look-alike character for the +? Would that even make a difference?

[–] Demigodrick@lemmy.zip 2 points 1 year ago (1 children)

Can you share what some of the generic messages in the applications are so we can compare?

[–] prothy@lemmy.ml 2 points 1 year ago* (last edited 1 year ago) (1 children)

Here are mine; according to the admin chat, others have gotten similar ones.

However, these bots will adapt like you would expect LLMs to do so the messages will change depending on the registration text.

[–] Demigodrick@lemmy.zip 1 points 1 year ago (1 children)

That's incredibly helpful, thank you. Do you have email verification turned on on your instance?

[–] prothy@lemmy.ml 1 points 1 year ago* (last edited 1 year ago) (1 children)

I had it turned off today as a test but I just enabled it (registrations were disabled over the past week or so). I guess I'll see tomorrow if it makes a difference

[–] Demigodrick@lemmy.zip 3 points 1 year ago (1 children)

Thanks again - when the bots came for my instance, they were stopped because all the email addresses were fake and they couldn't pass validation. I'm hoping the combination of email and manual verification helps to stop the wave. Seeing what you've posted in the image is really useful, I'm going to look back at our applications and see if any are similar, which would mean they may have got around the email validation.

[–] IAccidentallyCame@lemmy.dbzer0.com 1 points 1 year ago (1 children)

Are Email addresses kept and logged anywhere, or are they discarded after registration?

For privacy reasons, it'd be nice if we could somehow have a reliable bot blocking/spam blocking method that doesn't require Email.

While Email adds a good layer of spam blocking just from the spam blocking the email providers are doing themselves, having an option to verify with Email OR jump through multiple hoops instead would be cool. Hoops that are difficult for a bot to be programmed to defeat all of them. Such as captcha, with a simple math equation, and something else all combined.

Just tossing ideas around, because this is all still being built out.

[–] Demigodrick@lemmy.zip 2 points 1 year ago

Yeah they're kept in the database.

A sufficiently complex captcha might do it. I've seen something else that verifies you're not a bot based on PoW calculation, although I don't know how reliable that would be personally.

A split verification method might be a good way forwards for the privacy conscious instances.
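How a proof-of-work sign-up check of the kind mentioned in the comment above can work, as an added hashcash-style example that is not from the thread or from Lemmy. The key handling, difficulty and expiry values are assumptions; the scheme only raises the cost per sign-up and does not prove the applicant is human.

```python
import hashlib
import hmac
import os

SERVER_KEY = os.urandom(32)  # assumption: one server process, secret never sent to clients
DIFFICULTY = 16              # required leading zero bits (assumed value)
MAX_AGE = 300                # seconds a challenge stays valid (assumed value)

def issue_challenge(now):
    """Return 'timestamp.nonce.tag'; the HMAC tag means the server stores nothing."""
    ts, nonce = str(int(now)), os.urandom(8).hex()
    tag = hmac.new(SERVER_KEY, f"{ts}.{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{nonce}.{tag}"

def leading_zero_bits(digest):
    """Count zero bits at the start of a digest."""
    bits = 0
    for byte in digest:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits

def solve(challenge, difficulty=DIFFICULTY):
    """Client side: brute-force a counter; this is the cost imposed on each sign-up."""
    counter = 0
    while leading_zero_bits(hashlib.sha256(f"{challenge}.{counter}".encode()).digest()) < difficulty:
        counter += 1
    return counter

def verify(challenge, counter, now, difficulty=DIFFICULTY):
    """Server side: one HMAC and one hash, however long solving took."""
    try:
        ts, nonce, tag = challenge.split(".")
        age = now - int(ts)
    except ValueError:
        return False  # malformed challenge
    expected = hmac.new(SERVER_KEY, f"{ts}.{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False  # challenge was not issued by this server
    if not 0 <= age <= MAX_AGE:
        return False  # expired or dated in the future
    digest = hashlib.sha256(f"{challenge}.{counter}".encode()).digest()
    return leading_zero_bits(digest) >= difficulty
```

A solved challenge can be replayed until it expires, so a deployment would also record spent nonces for `MAX_AGE` seconds.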

[–] AlmightySnoo@lemmy.world 1 points 1 year ago* (last edited 1 year ago) (1 children)

A small LLM will easily crack that anyway, so applications are useless. /s

[–] Biscuit@kbin.social 1 points 1 year ago* (last edited 1 year ago)

I think a reasonable approach would be to include little javascript mini games. "Score 50 or higher!" with no instructions provided.

edit: using a server side rendered canvas/logic, so no cheating. Damn, this is probably a million dollar idea.
