cross-posted from: https://sh.itjust.works/post/1823812
This is an update to my previous post about suspicious inactive accounts on a handful of instances: (https://sh.itjust.works/post/998307).
I ended up messaging the admins at the 16 instances show in the attached image. I pointed out their wild user numbers, and referenced the lemmy.ninja post detailing how that instance scrubbed suspicious accounts from their user database.
6 admins responded. They had all noticed the odd accounts and either thought the numbers were wrong, or weren’t sure how to purge the suspicious accounts without nuking their databases. In the end they managed to delete a combined total of about 338k dormant accounts from their instances. (One of the instances seems to have gone down since then.)
I never received a reply from the other 10 instance admins, though 8 of those 10 instances appear to be down (as of 27 July 2023). 2 instances are still up and unchanged.
Between the actively removed accounts and the downed instances, this represents a loss of 930,004 inactive Lemmy accounts!
You can see the drop in the graphs on The Federation. The total number of Lemmy accounts has been cut in half over the past 3 weeks, from a peak of 2.18M to today’s 1.09M. The change is mostly from these 16 instances.
I have to admit, I did not expect such a large change when I started this! Hopefully this bodes well for Lemmy’s future as a place where actual humans interact, rather than a cesspool of automated comments and upvote/downvote brigading.
That’s all I have for now. Keep your stick on the ice; we’re all in this together.
Great to see the transparency with which this is handled
The transparency may be my very favorite part of Lemmy. It’s almost feels like these people are invested in it’s success instead of it’s profit.
Open source vs we’re a business mentality
Early internet grassroots collaboration stuff.
It’s a very early internet mindset where success == profit.
I want to celebrate two things. 1. Your awareness of the potential dangers looming over the fediverse. 2. Your proactive attitude curtailing the problem at its root. From one human to another, thank you!
That’s actually really interesting. What’s the purpose of so many inactive accounts at once?
Seems to be enough to have a few of them, and not a million accounts since it clearly will rise suspicion… :)
Very good that you found them. Fascinating.
Maybe an attempt to try and make the fediverse look more active than it was back then, to get headlines about how it has explosive growth etc. It was June and everything really took off then.
I’ve got a couple accounts on various instances as backup, since we can’t exactly transfer accounts across instances just yet.
What’s the purpose of so many inactive accounts at once?
That really is the million dollar question. I don’t know. My fear is that they were intended to sit unnoticed until someone had a malicious use for them. Maybe to mass upvote/downvote certain content to make it more visible. Or to become active at an opportune time to make divisive posts and comments. I saw many accounts like that on Reddit; they show no activity for years and then suddenly come alive and spew garbage. I’m sure we’ll see some of that on Lemmy next year since there will be a major election in the US. Though hopefully less since a bunch of suspicious dormant accounts are now gone.
I’m thinking of making inactive accounts so I can create communities on other instances. I wanna make an old trek community on the Star Trek instance, but I wanna moderate it from this instance. So I would make an account, make the community, and transfer ownership.
Just spin your own instance. Then you’ll have complete control.
But I think putting all the Star Trek content on one instance is a neat idea and I want to participate in that idea
You can still do that in your own instance.
I can still make a community on the star trek instance from my own instance? How?
Could be as simple as reserving popular usernames too.
It’s a smart move for a spammer to create a lot of accounts in the early days of a platform, before more restrictive signups with mail verification, phone verification or captchas are in place. Look at how difficult it has become to register on Twitter or Facebook.
Perhaps something akin to this, sleeper cells for some nefarious purpose, e.g. influencing elections.
Those are crazy numbers… WTF?
If that’s is the reality for Lemmy, I can’t imagine the number of bots giant social networks have. Crazy.
Thank you for your work.
That’s the thing, right? Those giant networks’ admins surely know how inflated their userbase is. They surely know that a lot of the activity is bot faked/manipulated.
But since the end goal of those networks is generate traffic to sell something (ads, user data), they never purge the bots. They need fake engagement. They might even promote it. The human user is just being used (Cf. Stallman’s use of this term).
I work on a team that runs the web presence for a very large international music label and we postulate that 75-80% of all traffic we do at any time is bots, crawlers, and security scans. With caching in place most of the time our system hums along quite happy. It’s only when we get an influx of ACTUAL people do things go south. [Max database connections, firewall usage pegs and stops responding, edge nginx process OOMs itself, ect.]and
also you wouldn’t believe the amount of fake content that gets loaded into these wordpress pages. years of phony content and news and pictures.
Well, thanks for being part of the problem.
what do the account names look like? i myself have a random name with numbers too
You would have to ask the instance admins. I don’t have visibility to their user databases. I’m just highlighting trends in aggregate user data.
Sus.
😭 😭 😭
Well done. I for one appreciate the effort you’re putting into making this a better place by keeping the bots out. Any thoughts on what can be done to keep bots from signing up to begin with or is the plan to continuously purge inactive accounts? I know from experience that a lot of these bad actors are going to pivot and redouble their efforts. This is unfortunately a cat and mouse game that will continually need to be addressed. But, again, thank you for your work on this!
How does email handle it?
Are you referring to email verification on sign up? If so, it’s unfortunately easily overcome by bad actors. Depending on how the platform handles it, one email can be used over and over again to verify accounts or there are many services out there that provide an endless amount of quick and easy emails. The automation of this has already been solved too. For the first scenario, limits on how many times an email is used for account verification is useful. For the second scenario, we really start the cat and mouse game. You can block sign up from accounts using spam email domains. There are lists out there that can help. If someone is really persistent, they may have a trove of legitimate email addresses they can use. Then you have to start considering where the sign ups are coming from, the IP, it’s reputation, the behaviors, and hopefully it’s fingerprints from the device. You could serve a captcha but most are trivial to bypass with code straight from GitHub or captcha passing services. Overall, this is not an easy problem to solve. I know a lot of conversation on Lemmy is being had regarding this topic. It’s going to take all of us together to help solve the problem.
Email is federated very similarly to ActivityPub. How does Email handle filtering for bad instances?
I know they have sophisticated systems built up over decades that now seems to work quite well, but I don’t really know the details.
I do believe if I stand up my own email server right now that I can still send email to people without being blocked, but I’m not positive.
Instances should enable verification to create accounts (email or captcha). I think everyone learned that pretty quickly last month. Other than that, it’s up to users to diligently flag content and moderators to be responsive. Maybe there are good automod tools coming to Lemmy someday, but those are an arms race, too.
WOOO!
Thanks for keeping Lemmy healthy. ❤️
We need to find a way to get indexed on Google, Duckduckgo and other search engines.
Probably happening to some degree already, unless no robots is checked. No way lemmy jumps as high as reddit in seo for random things for a long while
Naa…I think instance admins have to let the crawlers index the content. Not sure if Admins have enabled it
A major advantage of the old place was that you could search up keywords and find a discussion on it. When I wasn’t browsing, the other times that I’d end up using it was for when I needed to look stuff up.
I’m not sure what the pros cons ratio is though.
If the women don’t find you handsome, they’ll at least find you handy.
- Red Green
Found the Canadian eh?
Thank you for your efforts to keep this place clean and civil, and especially for the transparency in describing how you’ve dealt with such annoyances. You have my respect.
You have my sword.
deleted by creator
Are you really a bot?
deleted by creator
Cool!
Thank you for your work!
Nice work!
Who needs fraudulent/abuse accounts anyway. I have moved to lemmy and am here to stay!
Thanks for the work!
Very nice, let’s try to keep this place as clean as possible
Looks like a bunch of personal instances that forgot to turn off self-registration. The down ones likely crumbled under the load
