Anyone else seeing spammy-looking signups from QUALITYNETWORK IP ranges?


Definitely looks like a spam campaign. So far all accounts signed up from the same ISP. Here's a script you can paste in your rails console to find all users from IP ranges belonging to that ISP (assuming I didn't miss any):

gist.githubusercontent.com/pat

To get to the rails console, run this in /home/mastodon/live as the mastodon user:

RAILS_ENV=production bundle exec rails c

You might also want to temporarily ban those IP ranges if the sign-ups don't stop. I did.

Here's a slightly revised CIDR list that seems to cover all the IPs used by the spammers so far:

gist.github.com/patf/1ae99fdd1

(some CIDRs are redundant because they're from different sources)

Hopefully that'll do for now.
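The gist above is truncated here, so as an added illustration (not pfigel's script) here is a plain-Ruby version of the same idea: take a CIDR list, drop the ranges that are redundant because a broader range already covers them, and pick out the accounts whose sign-in IP falls inside one of them. The CIDRs and users are constructed placeholders, not the real ISP ranges; in a real rails console you would iterate over User records (the IP column name depends on your Mastodon version, so it is left as an assumption in a comment).

```ruby
require 'ipaddr'

# Constructed placeholder ranges standing in for the ISP CIDR list from the gist.
# The second entry sits inside the first and the last is a duplicate, mirroring
# the "some CIDRs are redundant" remark in the thread.
SPAM_CIDRS = %w[
  203.0.113.0/24
  203.0.113.64/26
  198.51.100.0/25
  198.51.100.0/25
].freeze

# Parse the list, drop exact duplicates, then drop any network that is strictly
# contained in a broader network on the same list.
def collapse_cidrs(cidrs)
  nets = cidrs.map { |c| IPAddr.new(c) }.uniq
  nets.reject do |n|
    nets.any? { |other| other.prefix < n.prefix && other.include?(n) }
  end
end

# Render a network back as "addr/prefix" (IPAddr#to_s drops the prefix).
def cidr_string(net)
  "#{net}/#{net.prefix}"
end

# Minimal stand-in for a User record. In the rails console you would read the
# sign-in IP from the User model (e.g. a Devise trackable column; column name is
# an assumption and varies by version) instead of this Struct.
User = Struct.new(:id, :username, :sign_in_ip)

# Constructed sample accounts; only two of them come from the placeholder ranges.
SAMPLE_USERS = [
  User.new(1, 'alice', '192.0.2.10'),
  User.new(2, 'bot01', '203.0.113.77'),
  User.new(3, 'bot02', '198.51.100.3'),
  User.new(4, 'carol', '198.51.100.200'), # outside the /25 (covers .0-.127)
  User.new(5, 'dave',  nil),              # never signed in
].freeze

# Return the users whose sign-in IP is inside any of the (collapsed) ranges.
def users_in_ranges(users, cidrs)
  nets = collapse_cidrs(cidrs)
  users.select do |u|
    next false if u.sign_in_ip.nil?
    ip = IPAddr.new(u.sign_in_ip)
    nets.any? { |n| n.include?(ip) }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "effective ranges: #{collapse_cidrs(SPAM_CIDRS).map { |n| cidr_string(n) }.join(', ')}"
  users_in_ranges(SAMPLE_USERS, SPAM_CIDRS).each do |u|
    puts "#{u.id} #{u.username} #{u.sign_in_ip}"
  end
end
```

Collapsing the list first matters less for a one-off query than for a firewall or nginx rule set, where every redundant entry is one more line to maintain; review the matched accounts by hand before suspending anything, since an ISP range can also contain legitimate customers.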

@pfigel Is there an easy way to put that into iptables or maybe nginx?

@Gargron @pfigel I'd recommend using an ipset for these if it's an option, it's slightly safer/efficient-er than adding entries into the main tables

@flussence @pfigel It would be useful to add some guidance to the Mastodon documentation for situations like this

@Gargron @pfigel
I don't have anything with iptables to hand to try this out with (my stuff all runs nftables), but here's the rough idea:
gist.github.com/flussence/bdef

If someone more familiar with this stuff can verify what I wrote is sane, I'd be grateful!

@pfigel Sidenote but - I hope there is a nice list :3

Here's a version of the block list you can dump in your nginx to get rid of the bots:

gist.github.com/patf/1ae99fdd1

The advantage of using nginx here instead of your firewall/iptables is that you'll have an easier time checking for false-positives in logs (in case I fucked up); the bots follow a predictable pattern (GET / then GET /auth/sign_up) while real traffic would stand out.

cc @Gargron
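To make the false-positive check pfigel mentions concrete, here is an added Ruby example (not code from the thread or from Mastodon) that parses nginx combined-format access log lines, groups requests by client IP, and sorts blocked IPs into those that show the described pattern (GET / followed by GET /auth/sign_up) and those that do not, the latter being the candidates to look at before keeping them in the deny list. The CIDR list and log lines are constructed placeholders.

```ruby
require 'ipaddr'

# Constructed placeholder deny list; substitute the real CIDRs from the gist.
BLOCKED_CIDRS = %w[203.0.113.0/24 198.51.100.0/25].map { |c| IPAddr.new(c) }.freeze

# nginx "combined" log format: ip - user [time] "METHOD path proto" status ...
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>\S+) (?<path>\S+)[^"]*" (?<status>\d{3})/

# Constructed sample log: two bots in a blocked range, one blocked IP that only
# browsed, one unblocked IP that happens to follow the same two-request pattern,
# and a line that does not parse at all.
SAMPLE_LOG = <<~LOG
  203.0.113.77 - - [10/May/2019:12:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  203.0.113.77 - - [10/May/2019:12:00:02 +0000] "GET /auth/sign_up HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
  203.0.113.78 - - [10/May/2019:12:00:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  203.0.113.78 - - [10/May/2019:12:00:06 +0000] "GET /auth/sign_up HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
  198.51.100.9 - - [10/May/2019:12:01:00 +0000] "GET /@alice HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
  198.51.100.9 - - [10/May/2019:12:01:03 +0000] "GET /api/v1/timelines/home HTTP/1.1" 200 900 "-" "Mozilla/5.0"
  192.0.2.10 - - [10/May/2019:12:02:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  192.0.2.10 - - [10/May/2019:12:02:04 +0000] "GET /auth/sign_up HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
  this line is garbage and will be skipped
LOG

Hit = Struct.new(:ip, :method, :path, :status)

# Parse every line that matches the combined format; unparseable lines are dropped.
def parse_log(text)
  text.each_line.map do |line|
    m = LOG_RE.match(line)
    m && Hit.new(m[:ip], m[:method], m[:path], m[:status].to_i)
  end.compact
end

# True when the IP falls inside any entry of the deny list.
def blocked?(ip)
  addr = IPAddr.new(ip)
  BLOCKED_CIDRS.any? { |n| n.include?(addr) }
rescue IPAddr::InvalidAddressError
  false
end

# The signature described in the thread: a GET / immediately followed by a
# GET /auth/sign_up from the same client, in log order.
def bot_pattern?(hits)
  paths = hits.select { |h| h.method == 'GET' }.map(&:path)
  paths.each_cons(2).any? { |a, b| a == '/' && b == '/auth/sign_up' }
end

# Sort client IPs into three buckets:
#   :bots                    blocked range and shows the pattern
#   :possible_false_positives blocked range but no pattern (review these)
#   :unblocked_with_pattern  not blocked, pattern present (a human can do this too)
def triage(text)
  result = { bots: [], possible_false_positives: [], unblocked_with_pattern: [] }
  parse_log(text).group_by(&:ip).each do |ip, hits|
    pattern = bot_pattern?(hits)
    if blocked?(ip)
      (pattern ? result[:bots] : result[:possible_false_positives]) << ip
    elsif pattern
      result[:unblocked_with_pattern] << ip
    end
  end
  result
end

if __FILE__ == $PROGRAM_NAME
  triage(SAMPLE_LOG).each { |bucket, ips| puts "#{bucket}: #{ips.join(', ')}" }
end
```

Run it against a real access log with something like `triage(File.read('/var/log/nginx/access.log'))`; the point is the `:possible_false_positives` bucket, which is exactly the check that is easy with nginx logs and awkward with a firewall drop, since dropped packets leave no request line to inspect.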

@pfigel Are they solving a CAPTCHA successfully? (not that you should use one; just curious)

@pfigel @seanl

You can also find another way of blocking the signup here:

github.com/gled-rs/mastodo/com

Could be expanded, if needed, to automatically add the domain to the blocklist.

@pfigel hey @mykola check this out. We just got hit with a bunch of spam accounts (I've stopped them all, but I've had to stop registrations right now to stem the flow)

@dzuk @pfigel Hmm. Is there an IP block we can just ban or anything?
