Spammy Saturday

A fediverse spam crisis highlights an inherent flaw in the decentralized social networking model: Some people are bad at updating and maintaining their apps.

By Ernie Smith

The percentage of people getting spam on the fediverse appears to have been relatively small—one poll I saw on Monday suggested that just 6% of roughly a thousand people had experienced the problem—but the people who were being bothered were dealing with a lot of it.

I was one of those people. I first started noticing the tidal wave of spam coming in around Friday morning, with Chinese text referencing some random hacking group. But by Saturday, the spam had taken its final form—a series of messages referring to a specific Discord group.

WTF was happening? And why? Security blogger Brian Krebs suggested that this might be a “Joe job”—an attempt to spam a wide number of users to make people mad at a certain audience, in this case a Discord group heavily referenced in the spammy messages.

Meanwhile, cybersecurity specialist Kevin Beaumont suggests that the lack of security controls in the fediverse are widely being exploited.

“There [are] a bunch of technical issues it highlights, which is that Fediverse is very open to abuse at present,” he wrote. “There’s no spam filtering at all. It’s like email from 1996. It’s wide open to abuse.”

The Serial Port

🚀 Dive into The Serial Port on YouTube for fascinating videos on vintage tech and the dawn of the Internet. Revel in 1990s nostalgia and the pioneering days of the web as we uncover tech history’s hidden gems! 💾✨ #RetroTech #90sNostalgia

I can’t personally vouch for the root cause, but I do think the problem highlights an inevitability of the fediverse that needs to be addressed: Ease of maintenance.

Running a Mastodon server is often a gigantic pain if you aren’t deeply familiar with a number of basic programming and server maintenance tools, the most important perhaps being Docker. It is a command-line tool through and through, and if it isn’t properly hardened, whether by limiting sign-ups or keeping a server up to date, it can be like a screen door for an automated attack.

Part of the reason for this is that the thing that the application is doing is deeply complex—it is polling your own data, sharing it with the world, then trying to grab data from literally every server it can reach on the fediverse. It’s not particularly fun to manage, and I’ve not had much fun trying to get it to work on my end. (I recently changed my approach to container management, which has helped, but there are still plenty of things that need fixing.)

But it means that updating and maintaining the server can be painful, especially at scale, which means that it’s an easy task to back-burner. After all, if a database migration means that you’re going to be stuck in a command line all weekend if something goes wrong, why would you want to do that? The spam attack seems to have highlighted the fact that a number of small-scale site maintainers have fallen down on the job, and it threatens to have a dampening effect on the entire fediverse model.

Servers with the smallest, narrowest audiences often have the least support from an organizational standpoint—and they’re the sitting ducks for aggressive spammers. If you go to the front pages of some of these servers, it becomes clear that many of them are underutilized or not maintained heavily. And that means that, over time, they become weak links, susceptible to spam, hacking, or ostracization. (This is generally true of any other self-hosted tool, by the way: Just ask anyone who has struggled to manage an WordPress instance over the last decade.)

Other servers end up blocking or muting these small servers to fend off the spam, cutting off actual users in the process. Slowly, it undermines the whole purpose of the entire endeavor. I don’t think that’s what anyone wants to see from the fediverse.

The solutions are imperfect—Mastodon implemented a CAPTCHA solution for new accounts in a recent update, but even that has proven controversial because CAPTCHAs are inherently inaccessible. (Controversy around fediverse issues? Not uncommon.)

But the truth is, there is a scale gap that probably needs to be met here. If you’re someone maintaining a server for yourself, or for a handful of users, you may not need a full-fat Mastodon instance. You might be better off with, say, a self-contained application that runs in the background on your Mac or Linux machine that allows you to plug into the broader fediverse at will—a combined server-client setup. That doesn’t exist quite yet, but I could easily see it appearing someday.

I trust the developers working on fediverse tech will get there—a number of alternatives to Mastodon, for example, already exist, and many of them are far more lightweight.

The reason that centralized solutions to every problem always win is because of this technical capabilities gap, and it is simply not realistic for every social justice organization or scientist club on Mastodon to have a Docker whiz on staff. Docker is not as hard as it seems—certainly less confusing at first glance than, say, git—but if there’s any way to ease the technical gap, a lot of people who might have been wary of hosting their own Mastodon server in the past might just hop on board.

(And for those simply using Mastodon servers, rather than running them: Support your server by donating. It actually goes to a better cause than a blue checkmark on Twitter—and it makes it a little less painful for admins to handle the maintenance.)

Federated links

I’m utterly enthralled by the recent story of the radio tower that went missing. Skepticism about the root cause of the theft is flying around right now, but the station is now back on the air at the least.

If you read our pieces on George Schlatter’s Turn-On last year, you’ll be thrilled to know that he just released a third “lost episode” online. Lost media no more.

End of an era for computer nerds: FreeBSD is on track to start dropping 32-bit chip support. Your PowerBook’s BSD install might be at the end of the line.


Find this one an interesting read? Share it with a pal!

And be sure to give our sponsor The Serial Port a watch. If you love retro tech (likely because you read us) you’ll enjoy it!

Ernie Smith

Your time was just wasted by Ernie Smith

Ernie Smith is the editor of Tedium, and an active internet snarker. Between his many internet side projects, he finds time to hang out with his wife Cat, who's funnier than he is.

Find me on: Website Twitter