This morning we're seeing a bunch of "Spam Report" toots from an account on miniwa.moe. They're tagging a bunch of unrelated admins, including me, and providing links to further information that return 404s. Not sure exactly what the purpose of these toots was, but it was poorly executed, and the account has been suspended on our end until we hear from the miniwa.moe admins.
There really needs to be a way for an instance admin to be able to automatically ignore reports from a specific server. Especially when those users have no fucking clue what it is they're reporting.
The site linked to above includes downloadable versions of the list you can import to add to your server's existing blocks. If you've never imported a blocklist before, there are instructions for Mastodon imports here:
So it looks like Mastodon allows you to view peers and version via the public API. So it should be possible to create a tool to pull a list of instances that you federate with and then filter them by version and possibly a few other criteria to build a list of instances that you may want to limit for security reasons.
I might try to throw this together and see if I can automate a way to check instances I federate with and block ones that are severely out of date.
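An added example, not part of the post above: one way to do the version-filtering step once the version strings have been collected from each peer's public `/api/v1/instance` response (peers listed by `/api/v1/instance/peers`). The domains and sample versions are constructed, and the 4.2.7 cutoff is an assumed policy value.

```python
import re

# Assumed policy: limit peers older than this release (4.2.7 is the
# version mentioned elsewhere on this page; pick your own cutoff).
MIN_VERSION = (4, 2, 7)

# Constructed sample of {peer domain: "version" string}, standing in for
# GET /api/v1/instance/peers on your server followed by
# GET /api/v1/instance on each peer. None means the request failed.
SAMPLE_VERSIONS = {
    "current.example": "4.2.7",
    "fork.example": "4.2.7+glitch",
    "stale.example": "4.1.2",
    "ancient.example": "3.5.3",
    "prerelease.example": "4.2.0-rc1",
    "other-software.example": "2.7.2 (compatible; Pleroma 2.5.0)",
    "unreachable.example": None,
    "garbage.example": "<html>502 Bad Gateway</html>",
}

# major.minor.patch with an optional -prerelease or +build suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-+][0-9A-Za-z.+-]*)?$")

def parse_version(raw):
    """Return (major, minor, patch), or None if not a plain Mastodon version."""
    if not isinstance(raw, str):
        return None
    match = _VERSION_RE.match(raw.strip())
    if match is None:
        return None  # compatibility strings, error pages, empty values
    return tuple(int(part) for part in match.groups())

def classify(versions, minimum=MIN_VERSION):
    """Split peers into ok / outdated / unknown (needs manual review)."""
    result = {"ok": [], "outdated": [], "unknown": []}
    for domain, raw in sorted(versions.items()):
        parsed = parse_version(raw)
        if parsed is None:
            result["unknown"].append(domain)
        elif parsed < minimum:
            result["outdated"].append(domain)
        else:
            result["ok"].append(domain)
    return result

if __name__ == "__main__":
    for bucket, domains in classify(SAMPLE_VERSIONS).items():
        print(bucket, domains)
```

Peers that report a compatibility string or nothing parseable land in `unknown` rather than `outdated`, so other server software is reviewed by hand instead of being limited automatically.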
So, quick Linux Mastodon Admin question from a noob...
If I want to cronjob certain tootctl commands to run weekly can I just put them in the crontab with @weekly? I tried using the script from https://ricard.dev/improving-mastodons-disk-usage/ but it doesn't seem to run anymore after the last few Mastodon updates.
When setting up the script originally, I used the traditional way of setting it weekly, but I saw in the crontab that there's a few already in there with @weekly set so I was wondering if I could just set the commands themselves in the crontab like that.
Also, if anyone knows a list of instances that previously had spam in the recent spam attack, and have since fixed it, I'd appreciate a link to the list 😅
Running your own services on the public internet can bring years—maybe even a lifetime—of joy, purpose, and connection. It also requires continuous attention and care, at least a little bit every day, even when you don't feel like it.
I believe in the #IndieWeb philosophy that encourages folks to explore the option of owning their own digital resources, but I wonder if we under-emphasize how it's more like adopting a puppy than like getting into woodworking. #mastoadmin
Other #MastoAdmin thinking about adding captchas to their instance registrations, be sure to listen to what Disabled users are saying about them and why they might make life harder for existing users and new users and wanna be users of your instance. From the cookie not working, to the text prompts only accepting perfect, American, spelling and grammar, to the captcha not working on all browsers, and many more https://adrianroselli.com/2014/12/recaptcha-reboot.html?Theme=Unset @vmstan
Dear #fediadmin / #mastoadmin folks: Does the community have any experience or guidance about incorporating a nonprofit entity to manage a fedi server?
Building a charitable nonprofit to legally hold and maintain a medium-sized, community-serving instance strikes me as a good idea, along the lines of a charity that runs a small public garden. (We have a lot of these, in New York…)
I'm interested to hear any stories or advice folks might have about this!
Is it possible to save in #Mastodon only the things that any user of the server would also have in his home timeline, instead of just everything? It would save me tons of storage and I would have the content I want to read saved for longer. #Mastoadmin
Currently sleeping the sleep of the righteous, @andrew was up way too late building tools to fend off the current wave of fedi spam, playing whack-a-mole with bad accounts, and getting fedi friends up and running with their own blocklists.
I’d like to convene a discussion this week or next to do a mini retro on this attack and some #designthiking work around fedi spam fighting tools. If you’re interested in the discussion, @ me your email or send one to spamretro at hypatia dot ca and I’ll loop you in on it 🙏
Would love to have a proper UR/UX person on the call, I’m a mere amateur at that part 😅
Still going through and sending out invites for a retro/postmortem call regarding this weekend's spam attack, but in the interim I also made an asynchronous retro form: https://forms.gle/V4h9zBE6pcTvpQAx8
Also useful if you hate video calls, have a conflict on your calendar, or otherwise prefer writing. Thanks for sharing and/or replying!
Re last: Please please please, don't use #HCaptcha! We blind people call it HateCaptcha, and it's for a reason. Their accessibility so-called innovative technology is simply broken and doesn't work reliably. You can't imagine how much time I spent fighting with this so-called accessibility cookie. Please don't use it, for goodness sake. #MastoAdmin
All admins: do set up your online registration to this setting: we did it years ago and it has GREATLY reduced any issues of spammer accounts being set up on our server.
HugOps to other Mastodon instances whose mods have cleaned up the whole "being a vector for spam" thing. I see y'all, and appreciate the effort put toward having a clean feed going forward.
Across the #Mastodon network, instances have faced a significant spam attack this weekend.
This challenge has pushed Mastodon's meager moderation tools to their absolute limits, but Mastodon admins across the fediverse have risen to the occasion!
Show some gratitude to your local #Mastoadmin and consider supporting them with a donation if possible.
Every bit helps in maintaining the quality of your community.
Thank you to all the Mastodon administrators and everyone who contributes. 🛡️
Actually feel happy with how this #spam crisis has been playing out. Fedi was knocked off-balance for a few days, then pulled together rapidly with shared information that admins can apply quickly.
This has been an important resilience test for a young but increasingly visible and truly federated social media network. It's just as well that the cause was spillover from some dumbasses having a discord fight. The incident feels like a vaccine against far more dangerous future attacks. #mastoadmin
Hi folks,
I've just enabled hcaptcha for new accounts in addition to requiring admin review for all accounts on Tiggi.es running 4.2.7.
Admins:
NOTE: This is not advocating for using hcaptcha. Please research it as some disabled users may find it difficult or impossible to use. Use your judgment.
It's pretty easy to do. Sign up via https://www.hcaptcha.com/ - It's free for smaller sites. Don't use the initial Site Key they provide. Do generate a Secret Key AND KEEP IT SECURE. If you don't save it here, you'll have to regenerate it later, as the site won't show you the whole key again.
Next, verify your email address once they email you, sign in, and create a new site for the domain via the Sites Menu and "Add Sites" Button - You will be provided a Site Key.
Now to configure Mastodon, as user mastodon, edit live/.env.production and add the following lines to the end:
HCAPTCHA_SITE_KEY=SITE KEY HERE
HCAPTCHA_SECRET_KEY=SECRET KEY HERE
No quotes or anything are needed.
Restart mastodon-web, then go to Administration->Server Settings->Registrations and you'll see a new checkbox as shown below.
This has the chance at helping cut down on bot registrations. The Mastodon docs aren't complete here, and I did some hunting to figure this out. Thought I'd share. :)
Just be aware as the screen shot notes that this may make registration more difficult for some disabled folks.
Why is hcaptcha an env variable... This seriously can't be done through the UI? Honestly, the more and more I use my Misskey-based instance the more and more I realize how far behind Mastodon is. I mean yeah I like Mastodon for the most part but why do they make everything so damn annoying? Rip to anyone who uses @mastohost due to the Mastodon devs having all the good server configuration set to the env file.