Anyone else seeing spammy-looking signups from QUALITYNETWORK IP ranges?

Definitely looks like a spam campaign. So far all accounts signed up from the same ISP. Here's a script you can paste in your rails console to find all users from IP ranges belonging to that ISP (assuming I didn't miss any):

To get to the rails console, run this in /home/mastodon/live as the mastodon user:

RAILS_ENV=production bundle exec rails c

You might also want to temporarily ban those IP ranges if the sign-ups don't stop. I did.

Here's a slightly revised CIDR list that seems to cover all the IPs used by the spammers so far:

(some CIDRs are redundant because they're from different sources)

Hopefully that'll do for now.

Here's a version of the block list you can dump in your nginx to get rid of the bots:

The advantage of using nginx here instead of your firewall/iptables is that you'll have an easier time checking for false-positives in logs (in case I fucked up); the bots follow a predictable pattern (GET / then GET /auth/sign_up) while real traffic would stand out.

cc @Gargron

@pfigel Is there an easy way to put that into iptables or maybe nginx?

@pfigel Sidenote but - I hope there is a nice list :3

@pfigel Are they solving a CAPTCHA successfully? (not that you should use one; just curious)

@pfigel @seanl

You can find here also another way of blocking the signup:

Could be expanded if needed to add automatically the domain to the blocklist.

@pfigel hey @mykola check this out. We just got hit with a bunch of spam accounts (I've stopped them all, but I've had to stop registrations right now to stem the flow)

@dzuk @pfigel Hmm. Is there an IP block we can just ban or anything?

@pfigel I got some spammy sign ups and put a halt to new accounts until I can look more closely. So did @noelle .

Sign in to participate in the conversation
Mastodon is a microblogging site that federates with most instances on the Fediverse.