I have the application process enabled for people to join my instance, and I’ve gotten about 20 bots trying to join today when I had nobody trying to join for 5 days. I can tell because they are generic messages and I put a question in asking what 2+3 is and none of them have answered it at all, they just have a generic message.

Be careful out there, for all you small instance admins.

  • prothy@lemmy.ml
    link
    fedilink
    English
    arrow-up
    4
    ·
    edit-2
    2 years ago

    Here are mine, according to the admin chat others have gotten similar ones

    However, these bots will adapt like you would expect LLMs to do so the messages will change depending on the registration text.

    • Demigodrick@lemmy.zip
      link
      fedilink
      English
      arrow-up
      2
      ·
      2 years ago

      Thats incredibly helpful, thank you. Do you have email verification turned on on your instance?

      • prothy@lemmy.ml
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        2 years ago

        I had it turned off today as a test but I just enabled it (registrations were disabled over the past week or so). I guess I’ll see tomorrow if it makes a difference

        • Demigodrick@lemmy.zip
          link
          fedilink
          English
          arrow-up
          3
          ·
          2 years ago

          Thanks again - when the bots came for my instance, they were stopped because all the email addresses were fake and they couldnt pass validation. I’m hoping the combination of email and manual verification helps to stop the wave. Seeing what you’ve posted in the image is really useful, im going to look back at our applications and see if any are similar, which would mean they may have got around the email validation.

          • IAccidentallyCame@lemmy.dbzer0.com
            link
            fedilink
            English
            arrow-up
            1
            ·
            2 years ago

            Are Email addresses kept and logged anywhere, or are they discarded after registration?

            For privacy reasons, it’d be nice if we could somehow have a reliable bot blocking/spam blocking method that doesn’t require Email.

            While Email adds a good layer of spam blocking just from the spam blocking the email providers are doing themselves, having an option to verify with Email OR jump through multiple hoops instead would be cool. Hoops that are difficult for a bot to be programmed to defeat all of them. Such as captcha, with a simple math equation, and something else all combined.

            Just tossing ideas around, because this is all still being built out.

            • Demigodrick@lemmy.zip
              link
              fedilink
              English
              arrow-up
              2
              ·
              2 years ago

              Yeah they’re kept in the database.

              A sufficiently complex captcha might do it. I’ve seen something else that verifies you’re not a bot based on PoW calculation, although I don’t know how reliable that would be personally.

              A split verification method might be a good way forwards for the privacy conscious instances.