this post was submitted on 24 Mar 2024
102 points (98.1% liked)

Lemmy

12524 readers
48 users here now

Everything about Lemmy; bugs, gripes, praises, and advocacy.

For discussion about the lemmy.ml instance, go to [email protected].

founded 4 years ago
MODERATORS
 

There have been a number of comment spam attacks in various posts in a couple of /c's that I follow by a user/individual who uses account names like Thulean*

For example: [email protected] in [email protected]

and [email protected] in [email protected]

edit: Also [email protected] in [email protected]

The posts have been removed or deleted by the respective /c's mods, and the offending accounts banned, but you can see the traces of them in those /c's modlogs.

The comments consist of an all-caps string of words with profanities, and Simpsons memes.

An attack on a post may consist of several repeated or similar looking comments.

This looks like a bored teenager prank, but it may also be an organization testing Lemmy's systemic and collective defenses and ability to respond against spam and bot posts.

top 24 comments
sorted by: hot top controversial new old
[–] [email protected] 53 points 7 months ago (1 children)

This user is just the latest in a series of spammers since Lemmy has grown in popularity. It's hard to tell if they have some vendetta against the platform or are just maladjusted and want to annoy people having a good time.

As someone who posts across Lemmy a lot, I am usually made aware of the spammers almost immediately, because my inbox will be full of the same spam comment replies all at once. I just report them up to the various instances when I see it.

[–] [email protected] 8 points 7 months ago* (last edited 7 months ago)

It's hard to tell if they have some vendetta against the platform or are just maladjusted and want to annoy people having a good time.

Cynical tinfoil hat theory: there's now a financial incentive to harm alternatives to a certain website that recently had their IPO. The timing does kind of fit, at least.

[–] [email protected] 30 points 7 months ago (3 children)

A per-user rate limit of some sort could have reduced the attack surface I think? Something like that would be quite a bit of dev work to implement though...

At least the situation was promptly resolved and users nuked, although R.I.P. to any smaller Lemmy servers that went down due to the massive spam wave

[–] [email protected] 35 points 7 months ago

Actually there is, spammers are kind of funny because they help solidify the platform long term for short term gains. Turns out rate limiting was broken in the latest release of Lemmy, and no one noticed until this latest attack. So, there's a big fix and sounds like it'll be patched in the latest version. Thanks spammer for helping us bugfix the platform to shore it up!

[–] [email protected] 8 points 7 months ago (1 children)

I'm not sure how extensive the spam wave was, nor how quickly the user was able to create an account, make the comments.

I doubt that the quantity in that I came across would be enough to take down a server, but that may be the point: To test lemmy's collective defenses and response without drawing too much attention.

A common IP address or address range ban file that's frequently updated and downloaded by each instance might be another way to boost security.

If this is actually an org attack, I'm guessing that we'll see botnet DDOS comment and post attacks next.

[–] [email protected] 1 points 7 months ago (1 children)

I highly doubt it's an org attack, Lemmy just isn't popular enough to see something like that.

I don't know if Lemmy has the ability to shadow ban, but those can be pretty effective for cases like this. It obviously wouldn't help with a botnet attack, but it would help with your average, run of the mill pranksters.

[–] [email protected] 1 points 7 months ago (1 children)

It's part of the ol' Big Tech playbook:

If a promising emerging competitor emerges:

  1. Acquire the emerging competitor for cheap when it's still small
  2. Copy the competitor's best features to make them irrelevant
  3. Co-opt them with integration so the competitor's users won't see any advantage to staying with them
  4. Pollute the competitor's content to make your own offering look better
  5. Steal the competitor's best talent
[–] [email protected] 1 points 7 months ago

I mean it's possible, but lemmy only has ~50k monthly active users. Reddit, on the other hand, is in the millions (>400M monthly active users last year, and >50M daily active users). Lemmy just isn't anywhere in the ballpark of being a threat to anyone.

I also think Lemmy has some architectural issues that will make it very difficult to scale to anywhere near Reddit size, even if it somehow gets the users.

It's a cool service, I just highly doubt it's the target of any big campaign. And that's a big part of why I'm here, it's big enough to have interesting communities, but small enough to avoid most of the spam.

[–] [email protected] 2 points 7 months ago (1 children)

This wouldn't really solve the issue as the user could rather simply create as many accounts as they like to circumvent per-account limits.

[–] [email protected] 3 points 7 months ago* (last edited 7 months ago) (1 children)

That takes more effort though, especially if accounts require some kind of "not a robot" thing, like email verification, submitting an "essay," etc. I'm not a fan of that and think a different moderation system would be preferred (prefer to not go into details here), but it's easy and should be quite helpful.

It's not a "fix," more of a mitigation.

[–] [email protected] 2 points 7 months ago

Typical mistake by the comment above yours: anti theft of anti break-in measures dont make it impossible to break in, they just make it harder and more time consuming. You dont need to outrun the bear, you just need to outrun the person next to you.

So this absolutely is a great idea.

[–] [email protected] 17 points 7 months ago

I saw these a few days ago and they reminded me that I am a moderator of a sleepy little community. 😆

Thankfully the mod tools were very effective in banning the user and nuking comments.

[–] [email protected] 14 points 7 months ago (1 children)

Of note about this is that image links in comments aren't rehosted by Lemmy. That means it would be possible to flood a community with images hosted by a friendly or compromised server, and gather a lot of information about who was reading that community (how many people, and all their IP address and browser fingerprint information, to start with) by what image requests were coming in kicked off by people seeing your spam.

I didn't look at the image spam in detail, but if I'm remembering right the little bit of it I looked at, it had images hosted by lemmygrad.ml (which makes sense) and czchan.org (which makes less sense). It could be that after uploading the first two images to Lemmygrad they realized they could just type the Markdown for the original hosting source for the remaining three, of course.

It would also be possible to use this type of flood posting as a smokescreen for a more targeted plan of sending malware-infected images, or more specifically targeted let's-track-who-requests-this-image-file images, to a more limited set of recipients.

Just my paranoid thoughts on the situation.

[–] [email protected] 6 points 7 months ago (1 children)

Image rendering attacks and download tracking are well known, so it's not paranoid at all.

[–] [email protected] 5 points 7 months ago

Yep.

There are two big end-user security decisions that are totally mystifying to me about Lemmy. One is automatically embedding images in comments without rehosting the images, and the other is failing to warn people that their upvotes and downvotes are not actually private.

I'm not trying to sit in judgement of someone who's writing free software but to me those are both negligent software design from an end-user privacy perspective.

[–] [email protected] 7 points 7 months ago

And the simpsons memes aren't even good, jokes aside maybe something like X comments or posts under X time automatically suspends user tool could help ?

[–] [email protected] 5 points 7 months ago

Noticed this before, it's quite annoying.

[–] [email protected] 4 points 7 months ago (1 children)

A lot of this stems from instances running old versions with loose registration requirements, like no captcha. This is a problem in a federated system because there's no barrier for a banned user to just jump to another instance.

Perhaps it would be a good idea if, when Lemmy has anti-spam measures implemented like rate-limiting and captchas for registration, it disabled federation with instances that are at a lower version, to motivate small instances to upgrade and enable the new features.

[–] [email protected] 3 points 7 months ago (1 children)

What I really want to see is the ability to set a threshold for a server to reach before it will federate.

Example: you have a server, you don't allow others to federate unless those servers force captcha or approval of user registration

[–] [email protected] 2 points 7 months ago

The problem is that a server could very easily lie and claim to have captchas when it really doesnt.

[–] [email protected] 3 points 7 months ago (1 children)

You wrote usernames as email addresses. You should have put /u/ in front to make links. You can also use @, however that will send a metion notification to the user.

[–] [email protected] 6 points 7 months ago* (last edited 7 months ago)

Also FYI I think lemm.ee has some automation that blocks these. I don't ever seem to get them, yet when I check other instances I can see them. Either that, or our admin are just hot on this stuff and ban them early on - both of these users were banned 3-4 days ago.

lemmy.tf seems to be a problem instance, it's still running v0.19.0 and doesn't have captcha for sign ups.

[–] [email protected] 2 points 7 months ago* (last edited 7 months ago)

Don't they have something better to do with their time than posting on lemmy all day? ... ... ... [drags on water bottle]

[–] [email protected] 1 points 7 months ago* (last edited 7 months ago)

I agree with the rate limits [email protected] suggested, I actually posted about this as well.