When @bouncing@partizle.com, @The_iceman_cometh@partizle.com and I started this instance, we figured we’d get a dozen or so signups from people we knew. We left registration open, figuring no one would care because we did exactly nothing to promote this.

It’s by any measure still a small instance (~100 users) but even so, moderation of other instances is now a thing: we’ve blocked some troublesome instances, in particular ones that we suspect traffic in borderline illegal content. We by no means, however, have any good grasp on what’s federating to us from the open web.

Sooner or later, bots and spammers and trolls will find our humble little instance. Lemmy’s only real remedies for that is an application process and/or verified email. Both to our mind seem useless, because bots can convincingly automate either or both. Cloudflare can keep out the more naive bots, though ratcheting up the security in it causes inconvenience for users, especially ones who protect their privacy (think of captchas you get when using a VPN).

For its part, Lemmy is fun software, but not especially feature-rich. There’s really no admin interface to speak of. If you get 100 bot signups, you have to ban them, one at a time. That hasn’t happened yet to us, but it has happened to other instances, and it’s rough. We’ve considered even just slapping a Django admin UI on its Postgres database, but we’d need to learn the table structure and also make sure that just updating tables in Postgres is enough (ie, does Lemmy’s backend have state in RAM, etc). It’s not something we’re ready to take on right now.

Anyway, about the possible future of bots and spammers: So what do you guys think? Leave registrations wide open? Require approval? Keep it the way it is, but lean more on Cloudflare for protection?