
Mastodon spam attack highlights 'feminine' vulnerabilities

A spam attack that hit X rival Mastodon, Misskey and other apps highlights how the decentralized social web, also known as the fediverse, is open to abuse. In recent days, attackers have targeted smaller Mastodon servers, taking advantage of open registration to automate the creation of spam accounts. Eugen Rochko, founder and CEO of Mastodon, confirmed the attack in a post over the weekend, adding that Mastodon server administrators should switch registration to approval mode and block disposable email providers to help combat the issue.

While this is not the first spam attack to hit the fediverse, Rochko notes that only larger servers like Mastodon.social had been attacked previously. Since that server is run by Mastodon's own team, they have been able to mitigate these attacks themselves. What's different this time is that spammers targeted smaller and even abandoned servers that offered open registration, allowing bad actors to quickly create accounts and generate spam.

This particular attack, which became fully automated once attackers discovered they could script the creation of spam accounts, was caused by a dispute between two sides on Discord, where one side was trying to get the other side's Discord server banned, according to reports from Mastodon (more details here). The spammers' targets weren't just Mastodon servers: they also aimed at Misskey, an open source decentralized blogging platform that, like Mastodon, Pixelfed, PeerTube and others, uses the ActivityPub protocol, allowing its users to interact with those on other federated social platforms. Since the spam appears to have originated on a Japanese forum, many of the targets were also in Japan.

The spam attack highlighted one of the weaknesses arising from the way the fediverse is structured. Mastodon is open source software that anyone can install on their own server, essentially establishing their own instance or node, which connects to other federated social media servers, powered by the ActivityPub protocol.

Because Mastodon's smaller servers are often hobby projects run by enthusiasts, they were vulnerable to this type of attack. If server administrators were not watching their servers on a daily basis and were offering open registration, they were probably hit by the spam.

Or, as one server administrator, @Chris@mastodon.cosmicnation.co, put it: “Some administrators were reminded that they had an instance. And we also learned that there are MANY abandoned instances with the door open to registration without approval.”

Over the last few days, server administrators worked together to compile lists of abandoned instances that other administrators could use as the basis for a block list to protect their own users from the spam. Many servers were simply shut down because their administrators decided it would be easier to wait out the attack or abandon Mastodon entirely.
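The two passages above describe the weak point (open registration without approval, on servers nobody is watching) and the defensive response (compiling lists of such instances for block lists). The script below is an added example, not code from the article or from the Mastodon project, showing how an administrator can audit a set of instances from the metadata Mastodon already publishes: the `registrations` / `approval_required` booleans of `GET /api/v1/instance`, the nested `registrations.enabled` / `registrations.approval_required` of `GET /api/v2/instance`, and the weekly `logins` counts of `GET /api/v1/instance/activity`. All payloads are constructed inline so it runs offline; the domain-block CSV header is assumed to match the export format of recent Mastodon versions and should be checked against your own server's export before importing.

```python
"""Audit fediverse instances for open, unapproved registration and dormancy.

Added example; not code from the article or from the Mastodon project.
Input shapes follow Mastodon's /api/v1/instance, /api/v2/instance and
/api/v1/instance/activity responses. All sample data is constructed.
"""
import csv
import io
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class InstanceStatus:
    domain: str
    registrations_open: bool
    approval_required: bool
    dormant: bool  # no logins reported in the recent activity window

    @property
    def unguarded(self) -> bool:
        """Anyone can self-register and no admin has to approve the account."""
        return self.registrations_open and not self.approval_required


def registration_flags(payload: dict[str, Any]) -> tuple[bool, bool]:
    """Return (registrations_open, approval_required) for a v1 or v2 payload.

    Missing fields are read conservatively (closed / approval required), so an
    incomplete response never produces a false positive in the audit.
    """
    reg = payload.get("registrations")
    if isinstance(reg, dict):  # v2 shape: nested object
        return bool(reg.get("enabled", False)), bool(reg.get("approval_required", True))
    return bool(reg), bool(payload.get("approval_required", True))  # v1 shape: flat booleans


def is_dormant(activity: list[dict[str, Any]], weeks: int = 4) -> bool:
    """True if the most recent `weeks` activity entries all report zero logins.

    Entries are sorted by their `week` epoch so the result does not depend on
    the order the API happens to return them in. No data means "unknown", not dormant.
    """
    recent = sorted(activity, key=lambda w: int(w.get("week", 0)), reverse=True)[:weeks]
    return bool(recent) and all(int(w.get("logins", 0)) == 0 for w in recent)


def audit(instances: dict[str, dict[str, Any]]) -> list[InstanceStatus]:
    """`instances` maps domain -> {"info": <instance payload>, "activity": [<weekly entries>]}."""
    results = []
    for domain, data in sorted(instances.items()):
        open_, approval = registration_flags(data.get("info", {}))
        results.append(InstanceStatus(domain, open_, approval, is_dormant(data.get("activity", []))))
    return results


def flagged_domains(statuses: list[InstanceStatus]) -> list[str]:
    """Domains with open registration and no approval step: the profile abused in the attack."""
    return [s.domain for s in statuses if s.unguarded]


# Assumed column layout of Mastodon's domain-block CSV export; verify before importing.
BLOCK_CSV_HEADER = ["#domain", "#severity", "#reject_media", "#reject_reports", "#public_comment", "#obfuscate"]


def domain_block_csv(statuses: list[InstanceStatus], severity: str = "silence") -> str:
    """Render flagged instances as candidate domain-block rows for admin review."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(BLOCK_CSV_HEADER)
    for s in statuses:
        if s.unguarded:
            note = "open registration without approval" + (", dormant" if s.dormant else "")
            writer.writerow([s.domain, severity, "false", "false", note, "false"])
    return buf.getvalue()


# Constructed sample responses (hypothetical domains), not real instance data.
_ZERO_WEEK = {"week": "1708300800", "statuses": "0", "logins": "0", "registrations": "0"}
SAMPLE_INSTANCES = {
    "open.example": {"info": {"registrations": True, "approval_required": False},
                     "activity": [{"week": "1708300800", "statuses": "120", "logins": "9", "registrations": "3"}]},
    "approved.example": {"info": {"registrations": True, "approval_required": True}, "activity": []},
    "closed.example": {"info": {"registrations": {"enabled": False, "approval_required": False}}, "activity": []},
    "abandoned.example": {"info": {"registrations": {"enabled": True, "approval_required": False}},
                          "activity": [dict(_ZERO_WEEK, week=str(1708300800 - i * 604800)) for i in range(6)]},
    "unknown.example": {"info": {}, "activity": []},
}

if __name__ == "__main__":
    statuses = audit(SAMPLE_INSTANCES)
    for s in statuses:
        print(f"{s.domain:20} open={s.registrations_open} approval={s.approval_required} "
              f"dormant={s.dormant} flagged={s.unguarded}")
    print(domain_block_csv(statuses))
```

The conservative defaults matter: a server that returns a truncated or unfamiliar payload is never flagged, so the output is a list for a human moderator to review rather than something to import blindly. The same `registration_flags` check run against your own instance's `/api/v2/instance` is a quick way to confirm that approval mode actually took effect after changing the setting.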

The popular third-party Mastodon app Ivory, by Tapbots, released an emergency update that added a custom filter called “Potential Spam” to its Filters tab, allowing users to mute spam mentions. Affected users could turn on this filter to catch most of the spam, but it could not stop spam push notifications, the company said.

The attack appears to be subsiding. Technologist and researcher Tim Chambers (@tchambers@indieweb.social) noted, for example, that he was down to fewer than 40 spam accounts to suspend on the server he manages. Mastodon says that on active servers with a responsive moderation team, it has multiple tools to prevent automated account registration, including approval mode, CAPTCHA and various blocking tools, so the attack was dealt with very quickly. It also noted that the spam was decreasing because the two hacking groups had apparently made peace.

While some saw the experience as positive for the social network, and for social media diversity in general, because it revealed a weakness that could now be discussed and addressed, others were upset by the experience and by Rochko's lack of response in the first hours of the attack.

“This is ruining my experience with Mastodon. It makes me want to quit and give up,” wrote Mastodon server administrator @sam@urbanistas.social. “And Eugen's continued silence on the issue doesn't help,” they added.

Mastodon CTO Renaud Chaput said the attack will push the company to improve its software.

“At the moment, there are no good built-in tools to handle this type of situation, as it is a complex issue (federated networks are not easy!), but we have many ideas on how to improve our anti-spam and anti-abuse features,” he said. “We will work on it over the next few months. We are always working to improve the software (the latest version introduced optional captcha support). Another action we took today is to change the configuration of new instances so that they are not open by default, and we added a banner to remind administrators that fully open instances must be actively moderated, so this should be a deliberate decision on the administrator's part,” Chaput added.

Since the arrival of Instagram Threads, another Twitter/X competitor that also plans to federate through ActivityPub, Mastodon usage has been trending downward.

By October of last year, Mastodon had grown to around 1.8 million monthly active users. When Threads launched publicly, it was down to 1.5 million. As of the public launch this month of Bluesky, another decentralized social network based on a different protocol (meaning it is not part of the same fediverse, at least until a bridge is built), Mastodon's usage had dropped to 1 million monthly active users.

Mastodon's usage remains there, according to the company's home page. The broader fediverse, which includes Mastodon and other apps, has around 2.9 million monthly active users. Threads' entry into this space will eclipse other Mastodon servers and could bring Meta's technical expertise in areas like spam prevention, but many are concerned that Meta's ultimate goal is to essentially take over the fediverse by becoming the default client that users choose and using its significant resources to scale adoption of the Meta app.
