Patrick Figel 🐣 is a user on mastodon.at. You can follow them or interact with them if you have an account anywhere in the fediverse. If you don't, you can sign up here.
Patrick Figel 🐣 @pfigel

Anyone else seeing spammy-looking signups from QUALITYNETWORK IP ranges?

Patrick Figel 🐣 @pfigel

Definitely looks like a spam campaign. So far all accounts signed up from the same ISP. Here's a script you can paste in your rails console to find all users from IP ranges belonging to that ISP (assuming I didn't miss any):

gist.githubusercontent.com/pat

To get to the rails console, run this in /home/mastodon/live as the mastodon user:

RAILS_ENV=production bundle exec rails c

You might also want to temporarily ban those IP ranges if the sign-ups don't stop. I did.

· Web · 14 · 14
Patrick Figel 🐣 @pfigel

Here's a slightly revised CIDR list that seems to cover all the IPs used by the spammers so far:

gist.github.com/patf/1ae99fdd1

(some CIDRs are redundant because they're from different sources)

Hopefully that'll do for now.

Eugen @Gargron@mastodon.social

@pfigel Is there an easy way to put that into iptables or maybe nginx?

Valère @valere@hostux.social

@Gargron @pfigel ufw example :
hostux.social/@valere/10007447

DJ Sundog - from the toot-lab @djsundog@toot-lab.reclaim.technology

@Gargron @pfigel I'm using this script to read the CIDR list that Patrick provided and apply it to iptables

gist.github.com/DJSundog/76f68

flussence 🦖 @flussence@mastodon.social

@Gargron @pfigel I'd recommend using an ipset for these if it's an option, it's slightly safer/efficient-er than adding entries into the main tables

Eugen @Gargron@mastodon.social

@flussence @pfigel It would be useful to add some guidance to the Mastodon documentation for situations like this

flussence 🦖 @flussence@mastodon.social

@Gargron @pfigel
I don't have anything with iptables to hand to try this out with (my stuff all runs nftables), but here's the rough idea:
gist.github.com/flussence/bdef

If someone more familiar with this stuff can verify what I wrote is sane, I'd be grateful!

Jenkar 🐟 @Jenkar@cybre.space

@pfigel Sidenote but - I hope there is a nice list :3

Patrick Figel 🐣 @pfigel

Here's a version of the block list you can dump in your nginx to get rid of the bots:

gist.github.com/patf/1ae99fdd1

The advantage of using nginx here instead of your firewall/iptables is that you'll have an easier time checking for false-positives in logs (in case I fucked up); the bots follow a predictable pattern (GET / then GET /auth/sign_up) while real traffic would stand out.

cc @Gargron

KemoNine @kemonine@social.holdmybeer.solutions
@pfigel @gled
knittenkitten🐈👩‍💻 @knittenkitten@mastodon.technology

@pfigel cc @ashfurrow

Sean R. Lynch ☑️ @seanl@literati.org

@pfigel Are they solving a CAPTCHA successfully? (not that you should use one; just curious)

Patrick Figel 🐣 @pfigel

@seanl nope

gled @gled@mastodon.host

@pfigel @seanl

You can find here also another way of blocking the signup:

github.com/gled-rs/mastodo/com

Could be expanded if needed to add automatically the domain to the blocklist.

Lili @Pasty@niu.moe

@pfigel @Technowix isn't OP the thing you noticed earlier?

Léo @Technowix@niu.moe

@Pasty @pfigel maybe :s rn I'm kinda not into fixing it until some tests / fixes have been found

Dzuk @dzuk@weirder.earth

@pfigel hey @mykola check this out. We just got hit with a bunch of spam accounts (I've stopped them all, but I've had to stop registrations right now to stem the flow)

mykola @mykola@weirder.earth

@dzuk @pfigel Hmm. Is there an IP block we can just ban or anything?

BoF⋅ⵣ [·_·] @BoF@mstdn.fr

@pfigel
Does this mean that if my ISP is using dynamic IPv4 (which is the case) other users will be blocked ? And if users are behind 1 IPv4 CGNAT mobile) will not have access ?

Patrick Figel 🐣 @pfigel

@BoF Not sure what you mean. The IPs in that list belong to a group of networks that don't seem to serve any residential users, from what I can tell.

mastodon.at powered by Mastodon