When @bouncing@partizle.com, @The_iceman_cometh@partizle.com and I started this instance, we figured we’d get a dozen or so signups from people we knew. We left registration open, figuring no one would care because we did exactly nothing to promote this.

It’s by any measure still a small instance (~100 users) but even so, moderation of other instances is now a thing: we’ve blocked some troublesome instances, in particular ones that we suspect traffic in borderline illegal content. We by no means, however, have any good grasp on what’s federating to us from the open web.

Sooner or later, bots and spammers and trolls will find our humble little instance. Lemmy’s only real remedies for that are an application process and/or verified email. Both to our mind seem useless, because bots can convincingly automate either or both. Cloudflare can keep out the more naive bots, though ratcheting up the security in it causes inconvenience for users, especially ones who protect their privacy (think of captchas you get when using a VPN).

For its part, Lemmy is fun software, but not especially feature-rich. There’s really no admin interface to speak of. If you get 100 bot signups, you have to ban them, one at a time. That hasn’t happened yet to us, but it has happened to other instances, and it’s rough. We’ve considered even just slapping a Django admin UI on its Postgres database, but we’d need to learn the table structure and also make sure that just updating tables in Postgres is enough (i.e., does Lemmy’s backend have state in RAM, etc.). It’s not something we’re ready to take on right now.

Anyway, about the possible future of bots and spammers: So what do you guys think? Leave registrations wide open? Require approval? Keep it the way it is, but lean more on Cloudflare for protection?

  • Arbition@partizle.com
    1 year ago

    As someone who did utilise the open registration, I am reluctant to say so, but with beehaw defederating two other big instances with open registration, it’s not likely a problem to go away. I did already see that the VPS instance needed to be upgraded, and once bots are banging on the door, that’s even more load. I also utilise a VPN, so it’d be good if WAF could be restricted to signup and login pages; I don’t mind captchas on those entry points, it’d just be nice if it didn’t bug me everywhere. Maybe I will have to plug in an email; I did end up using my real net name anyway, which can be tied to my person reasonably easily.

    Whatever needs to be done… That’s the sad reality.

    • bouncing@partizle.comM
      1 year ago

      Cloudflare isn’t great at figuring out what pages are “high value” enough for captchas, though we could probably figure out a way to add them with page rules or something. I do imagine, once you do the captcha once, Cloudflare won’t bother you for a while. Or that’s been my experience.