Today, a bunch of new instances appeared in the top of the user count list. It appears that these instances are all being bombarded by bot sign-ups.
For now, it seems that the bots are especially targeting instances that have:
- Open sign-ups
- No captcha
- No e-mail verification
I have put together a spreadsheet of some of the most suspicious cases here.
If this is affecting you, I would highly recommend considering one of the following options:
- Close sign-ups entirely
- Only allow sign-ups with applications
- Enable e-mail verification + captcha for sign-ups
Additionally, I would recommend pre-emptively banning as many bot accounts as possible, before they start posting spam!
Please comment below if you have any questions or anything useful to add.
Nice! Would be cool if you could also include current statuses of captchas, emails, and application requirements.
Tell me how to fetch them and it will. ;)
I think the easiest option is to just iterate through the list of suspicious instances, and then check
{instance_url}/api/v3/sitefor each of them. Relevant keys of the response json aresite_view.local_site.captcha_enabled,site_view.local_site.registration_mode, andsite_view.local_site.require_email_verification.Since it’s a bunch of separate requests, probably it makes sense to do these in parallel and probably also to cache the results at least for a while.
It occurs to me that this kind of thing is better left to observer, as it’s set up to poll instances and gather data. I would suggest you ask them to ingest and expose this data as well