• 0 Posts
  • 16 Comments
Joined 1 year ago
Cake day: June 9th, 2023

  • I think that’s likely to cover common uses outside of just ‘for the lulz’.

    The ‘for the lulz’ resonates a lot with me - though I know that a decade of dealing with a lot of these types assuredly biases me to at least some degree - because it’s easy enough to do what they’re doing now AFTER you figure out how you’re going to monetize it, and signups this aggressive and so widespread don’t really make sense to me.

    In my experience with content moderation/fraud/abuse work, I found that you’d often have a very slow trickle of accounts sign up over weeks/months and, in one situation, years, and THEN they’d all break bad and you’d have entire servers and instances all light on fire at once and result in a mess that’ll take a very long time to clean up.

    If you have 5,000 users that signed up all at once you can literally just delete all those rows from the database and probably not impact too many real people vs. if you have 5,000 users sign up over 6 months then you have the data dispersed in good data and now have much more of an involved spelunking expedition to embark on. I also found that it was typically done in waves as well, so you can’t do a single clean and go ‘well all the accounts that weren’t doing the thing must be okay’ because eh, maybe not.

    And, also, there’s a lot of hand-wringing about developer and instance politics from various blog posts, “news” sources, the fediverse, traditional social media and so on from all sides of the spectrum, and while I’d never claim to be a centrist or even remotely moderate, the more embedded in one extreme or another you find yourself, the more you can start justifying doing all sorts of stupid shit, and a DDoS (which, quelle surprise, is ongoing right now) is SO trivial to do when there’s not a whole lot of preventative measures in place that don’t require a bunch of squabbling internet humans to cooperate and work together to block signups, clean up the mess that’s already there, and work with each other on mitigation tools that do things everyone agrees with.
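The two signup patterns described in the comment above (a burst you can delete in one query, and a slow trickle that hides among legitimate accounts) can both be surfaced from a plain signup table. The following is an added example, not code from the original comment or from Lemmy; the signup rows, the domain names and the window/threshold values are constructed assumptions. It flags burst accounts with a sliding time window, and separately flags email domains whose accounts arrive spread out over days or weeks, which is exactly the case a burst detector misses.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Signup:
    name: str
    domain: str      # email domain, lower-cased
    at: datetime


# Constructed sample signup records (username, email, ISO timestamp); not real data.
SAMPLE_ROWS = [
    ("alice", "alice@example.org", "2023-06-01T09:12:00"),
    ("bob", "bob@example.net", "2023-06-03T14:03:00"),
    # slow trickle: same throwaway domain, one account every few days
    ("k_rowe", "k_rowe@drip.example", "2023-06-02T11:00:00"),
    ("m_tran", "m_tran@drip.example", "2023-06-06T18:20:00"),
    ("j_osei", "j_osei@drip.example", "2023-06-11T07:45:00"),
    ("p_lund", "p_lund@drip.example", "2023-06-15T22:10:00"),
    # burst: six lookalike accounts inside two minutes
    ("user8812", "user8812@mailx.example", "2023-06-12T03:00:05"),
    ("user8813", "user8813@mailx.example", "2023-06-12T03:00:09"),
    ("user8814", "user8814@mailx.example", "2023-06-12T03:00:31"),
    ("user8815", "user8815@mailx.example", "2023-06-12T03:01:02"),
    ("user8816", "user8816@mailx.example", "2023-06-12T03:01:40"),
    ("user8817", "user8817@mailx.example", "2023-06-12T03:01:58"),
    ("carol", "carol@example.com", "2023-06-14T16:30:00"),
]


def parse_rows(rows):
    """Turn (name, email, timestamp) tuples into Signup records."""
    return [
        Signup(name, email.rsplit("@", 1)[1].lower(), datetime.fromisoformat(ts))
        for name, email, ts in rows
    ]


def burst_accounts(signups, window=timedelta(minutes=10), threshold=5):
    """Usernames that fall inside any window of `window` length holding at
    least `threshold` signups. Sliding two-pointer scan over sorted times."""
    ordered = sorted(signups, key=lambda s: s.at)
    flagged = set()
    j = 0
    for i, current in enumerate(ordered):
        # advance the window start until it is within `window` of the current signup
        while current.at - ordered[j].at > window:
            j += 1
        if i - j + 1 >= threshold:
            flagged.update(s.name for s in ordered[j:i + 1])
    return flagged


def trickle_domains(signups, min_count=3, min_span=timedelta(days=7)):
    """Email domains with at least `min_count` accounts whose first and last
    signup are at least `min_span` apart: the slow-drip pattern that a burst
    detector never sees. Returns {domain: account_count}."""
    by_domain = {}
    for s in signups:
        by_domain.setdefault(s.domain, []).append(s.at)
    return {
        domain: len(times)
        for domain, times in by_domain.items()
        if len(times) >= min_count and max(times) - min(times) >= min_span
    }


if __name__ == "__main__":
    signups = parse_rows(SAMPLE_ROWS)
    print("burst accounts:", sorted(burst_accounts(signups)))
    print("trickle domains:", trickle_domains(signups))
```

Neither signal is proof on its own; the point is that the burst query and the trickle query look at different axes (time density versus shared attributes over a long span), so a cleanup that only runs the first one leaves the second population in place, which is the "waves" problem the comment describes.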


  • It’s always about following the money for spammers/malware/etc. authors: there’s (usually) a commercial incentive they’re pushing towards.

    The bot is evolving and adapting to countermeasures and becoming “smarter” which means some human somewhere is investing time and effort in doing this, which means there’s some incentive.

    That said, I doubt it’s strictly commercial because the Lemmy user base is really small and probably not worth much because if you’re here you’re most certainly not on the area of the bell curve that’ll fall for the usual spambot commercialization double-your-money/fake reviews/affiliate link/astroturfing approaches.

    I’d wager it’s more about the ability to be disruptive than the ability to extract money from the users you can target, so like, your average 16-year-old internet trolls.


  • Because you can’t make thousands of spambots on your own instance because as you noted it’d take about 5 minutes to defederate and thus remove all the bots.

    You want to put a handful on every server you can, because then your bots have to be manually rooted out by individual admins, or the federation between instances gets so broken there’s no value in the platform.

    And for standing up more instances, you have to bear the cost of running the servers yourself, which isn’t prohibitive, but more than using bots via stolen/infected proxies (and shit like Hola that gives you a “free vpn” at the cost of your computer becoming an exit node they then resell).

    Also, I’m suspicious that it’s not ‘spam bots’ in the traditional sense since what’s the point of making thousands of bots but then barely using them to spam anyone? My tinfoil hat makes me think this is a little more complicated, though I have zero evidence other than my native paranoia.



  • No, you’ve (maybe) limited your singular solitary instance’s growth: your instance is not “Lemmy” and admins should do whatever they find works for them, is something they can easily enforce, and resolves the problem.

    If you want to geoip limit signups to Skokie, Illinois? Great! If it works for you and keeps your instance from being The Problem, then it’s a valid solution.

    (I don’t disagree that email domain blocks are not a singular solution to any abuse problem, but I also think that whatever works for the individual admin is perfectly reasonable, and email blocks CAN be worthwhile.)


  • As with all things non-corporate, you determine if the instance you want to use is run by a reliable person by uh, vetting the person. This is absolutely impractical and absolutely not something you can ask an average person to do in order to post cat memes on the internet, so long-term the right call would probably be to move the “big instances” into a foundation/corporation model (think OSI or Apache or Gnome or…) to provide proper shared ownership of resources, continuity planning, and better handling and monitoring of donated funds as well as better opportunities for outside funding - it’s actively easier to get funding or support for actual foundations/non-profits than some dude running a thing in his basement.

    You then have a very public entity that’s much simpler for any random person to decide if they’re reasonable - the fact they exist AT ALL is a huge indicator of legitimacy because the work required to even get that far is not entirely trivial.

    Monetization is… problematic. It’s probably going to HAVE to be donation-based because I don’t think ads or data mining or segues to our sponsor are acceptable on federated platforms and won’t result in you getting anything but tossed out.

    I’d also say that there are fundraising options for larger instances that offer valuable communities: you can get a LOT of donations out of corporate America (this is US-centric, of course) if you’re a registered non-profit they can donate a tax write-offable donation to, and something like a Lemmy instance is just a rounding error in donations, if you can get in the door.

    I’m also not a lawyer, but have worked with lawyers on a GDPR compliant policy, and boy, is it an absolute mess. The larger instances are absolutely going to have to comply, and there absolutely has to be a way to export and delete your data, and federation is absolutely going to run into the data processor vs data controller dual-responsibility pile and it’s absolutely going to be a mess… maybe, at some point, or not. For the MOST part, it’s a policy where as long as you’re being reasonably compliant and nobody is complaining or suing you, it’s not quite as horrifying as it is on paper.

    The deletion stuff absolutely needs to be done sooner rather than later, and there needs to be a way to export all the data an instance has on a given user, but those two things will probably cover the worst risks any particular instance has.


  • I think the differing view here is ‘natural growth’ vs ‘forced growth’.

    I don’t think large servers that come by being large because they’re the preferred choice for a given community, topic, reliability, or whatever other criteria become valuable are bad.

    I think setting it up so that a new user is told ‘You go here, and you sign up on this instance.’ and writing all the onboarding stuff to direct them to the mega-instance for the sake of convenience because we can’t figure out how to make it simpler or more clear or explain how federation works isn’t the right path.

    I will admit I do not have a fantastic answer on how to explain to someone who has limited technical knowledge exactly WHY federation is the way to go for communication and that the instance you should pick relies almost exclusively on the reliability of the service (is it fast? does it stay running? is it going to exist in six months?) and the trustworthiness of the admin (are they someone who you can deal with in terms of moderation? do you trust they’re not going to use their access to violate any trusts or behave in a way contrary to your beliefs?).

    I’m old enough that my first foray into ‘federated’ content was Fidonet, and which BBS you called ‘home’ and posted from was almost exclusively a decision based on the local BBS community and the sysop because the messages and software were otherwise exactly the same from BBS to BBS.

    So, my bias is that large instances can’t be close communities and that larger instances require different and more aggressive and impersonal moderation and the bigger you get the more true both become.


  • Interesting; my general experience (and that of customers I spent time working with doing support for various cloud providers) was that you could, theoretically, do so, but ‘sending the email to a provider’ and ‘the provider accepts it and delivers it’ were not always the same thing.

    Microsoft was especially bad in that it would accept the message, and give you the standard SMTP ‘message accepted’ response but then silently just drop it in the backend, never to be seen again. Didn’t go to spam, didn’t land in a filter just… vanished.

    Google, at least, had the decency to tell you when it was going to reject your email, but still.

    It was always the same dance: you need a PTR, an SPF record, DKIM, etc. but at the end of the day, Google and Microsoft absolutely gatekeep what gets delivered to their platform, so if it’s critical that your email shows up reliably every time, you have to move into the “ecosystem” of ESPs and all the hoops that are involved there if you want your message to go to the ‘big providers’.
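The SPF record the comment above lists as one of the mandatory hoops is something a receiving server evaluates against the connecting IP before anything else happens. The following is an added example, not code from the original comment or from any mail provider: it implements the offline part of that evaluation (the `ip4`, `ip6` and `all` mechanisms with their qualifiers) so you can see how a sender IP maps to pass/fail/softfail. The record and the IP addresses are constructed assumptions; `include`, `a` and `mx` need DNS lookups and are deliberately reported as unsupported here rather than guessed at.

```python
import ipaddress

# Constructed example policy; not any real domain's record.
SAMPLE_SPF = "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:10::/48 -all"

# SPF qualifier prefixes and the result each one yields on a match.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Mechanisms and modifiers that require DNS resolution; this offline demo does not
# evaluate them and returns the demo-only sentinel "unsupported" instead.
NEEDS_DNS = {"include", "a", "mx", "ptr", "exists"}


def evaluate_spf(record, sender_ip):
    """Evaluate an SPF TXT record against a sender IP, left to right, returning
    the qualifier result of the first matching mechanism.
    Supported offline: ip4, ip6, all. Anything needing DNS -> "unsupported"."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)

    for term in terms[1:]:
        qualifier = "+"                     # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]

        if "=" in term:                     # modifier such as redirect= or exp=
            return "unsupported"

        name, _, argument = term.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qualifier]    # catch-all; ends evaluation
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"          # malformed address or prefix
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue                        # no match; try the next mechanism
        if name in NEEDS_DNS:
            return "unsupported"
        return "permerror"                  # unknown mechanism name

    return "neutral"                        # ran off the end without an 'all'


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.5", "2001:db8:10::25"):
        print(ip, "->", evaluate_spf(SAMPLE_SPF, ip))
```

A receiver that gets `fail` here has the justification the comment alludes to for rejecting or dropping the message; `softfail` (`~all`) is the usual choice while a domain is still moving its outbound mail into a known set of addresses, because it lets the receiver weigh the result instead of treating it as a hard rejection.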


  • Protonmail is one of the larger providers of email at this point.

    If you were to set up your own SMTP server and try to deliver mail, you essentially cannot reliably email any of the larger providers, because they’ve taken steps to mitigate spam and issues which also makes it impossible to handle your own email anymore, even if the intent wasn’t explicitly to break self-hosting.

    If you concentrate everyone into larger providers, you’re allowing them the ability to gatekeep who can and cannot talk to their users, and most people will either not understand this, or be happy to allow it.

    I will admit to some bias in not trusting there to be a ‘central’ server that’s run and maintained with the good of the community in mind because there are endless, endless examples of situations where the owners/maintainers of a service have decided to take actions that are fundamentally against their users’ best interests - which, of course, is probably why anyone is actually here discussing this in the first place.

    Could onboarding be improved? Absolutely. But I really don’t think the solution is to have a small handful of blessed instances and try to push everyone to them.


  • In regards to email: the reason people use one of the large providers is that the large providers have taken malicious and aggressive steps to break the ability of smaller providers to talk to them, in the name of “security”.

    It’s not a ‘natural state of being’: up until relatively recently you could easily run your own email server (and most businesses and huge numbers of people actually did), but it’s been co-opted and broken very thoroughly by Google and Microsoft to their benefit.

    With the Fediverse, you probably don’t actually want giant servers, as you’re just repeating the concentration of users and thus power in the network into a smaller, fewer set of hands.