Patrick Figel 🐣 is a user on mastodon.at.

Anyone else seeing spammy-looking signups from QUALITYNETWORK IP ranges?

Definitely looks like a spam campaign. So far all accounts signed up from the same ISP. Here's a script you can paste in your rails console to find all users from IP ranges belonging to that ISP (assuming I didn't miss any):

gist.githubusercontent.com/pat

To get to the rails console, run this in /home/mastodon/live as the mastodon user:

RAILS_ENV=production bundle exec rails c

You might also want to temporarily ban those IP ranges if the sign-ups don't stop. I did.
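The gist linked above is cut off on this page. As an added example (not pfigel's script and not part of the original thread), here is the shape such a console script takes: parse the CIDR list once, then select the users whose recorded IPs fall inside it. The ranges are RFC 5737 placeholders, the User-like records are constructed sample data, and the column names current_sign_in_ip / last_sign_in_ip (Devise's "trackable" columns) are an assumption about the Mastodon version in use; check User.column_names in the console before relying on them.

```ruby
require 'ipaddr'

# Placeholder ranges (RFC 5737 documentation blocks). These are NOT the
# spammer's real ranges from the gist; paste that list here instead.
SPAM_CIDRS = %w[192.0.2.0/24 198.51.100.0/24 203.0.113.0/25].freeze

# Parse once up front; IPAddr#include? then does the prefix match.
def parse_cidrs(cidrs)
  cidrs.map { |c| IPAddr.new(c) }
end

# True if +ip+ (a String or an IPAddr, as inet columns come back from
# ActiveRecord) lies inside any of +nets+. Mixed families never match, and
# empty or garbage values count as "not in range" instead of raising.
def in_ranges?(ip, nets)
  return false if ip.nil? || ip.to_s.empty?
  addr = IPAddr.new(ip.to_s)
  nets.any? { |n| n.family == addr.family && n.include?(addr) }
rescue IPAddr::InvalidAddressError
  false
end

# Columns checked per user. These are the Devise trackable columns; whether
# your Mastodon version still has them is an ASSUMPTION (newer releases moved
# IP tracking elsewhere), so verify with `User.column_names` first.
IP_ATTRS = %i[current_sign_in_ip last_sign_in_ip].freeze

# Select the records whose recorded IPs fall in the ranges. +records+ is any
# enumerable of objects responding to :id, :email and the IP attributes, so in
# the console an ActiveRecord relation such as
# User.where.not(current_sign_in_ip: nil) can be passed directly.
def users_from_ranges(records, cidrs = SPAM_CIDRS)
  nets = parse_cidrs(cidrs)
  records.select do |u|
    IP_ATTRS.any? { |attr| u.respond_to?(attr) && in_ranges?(u.public_send(attr), nets) }
  end
end

# Constructed sample data standing in for User rows, so this runs offline.
SampleUser = Struct.new(:id, :email, :current_sign_in_ip, :last_sign_in_ip)
SAMPLE_USERS = [
  SampleUser.new(1, 'a@example.org', '198.51.100.7', '198.51.100.7'), # in 198.51.100.0/24
  SampleUser.new(2, 'b@example.org', '10.1.2.3', nil),                # private, not listed
  SampleUser.new(3, 'c@example.org', '10.9.9.9', '203.0.113.200'),    # .200 is outside the /25
  SampleUser.new(4, 'd@example.org', '203.0.113.5', nil),             # in 203.0.113.0/25
  SampleUser.new(5, 'e@example.org', '2001:db8::1', nil),             # v6, no v6 range listed
].freeze

# [id, email] pairs for review; decide on suspension only after looking at them.
def flagged(records = SAMPLE_USERS, cidrs = SPAM_CIDRS)
  users_from_ranges(records, cidrs).map { |u| [u.id, u.email] }
end

if __FILE__ == $PROGRAM_NAME
  flagged.each { |id, email| puts "#{id}\t#{email}" }
end
```

Run as-is it prints the two sample users (ids 1 and 4) whose IPs sit inside the placeholder ranges. In a real console, pass the relation instead of SAMPLE_USERS and eyeball the result before acting on it; a shared-hosting customer or a VPN exit in the same ISP block will show up here exactly like a bot does.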

Patrick Figel 🐣 @pfigel

Here's a slightly revised CIDR list that seems to cover all the IPs used by the spammers so far:

gist.github.com/patf/1ae99fdd1

(some CIDRs are redundant because they're from different sources)

Hopefully that'll do for now.

· Web · 11 · 10

@pfigel Is there an easy way to put that into iptables or maybe nginx?

@Gargron @pfigel I'd recommend using an ipset for these if it's an option, it's slightly safer/efficient-er than adding entries into the main tables

@flussence @pfigel It would be useful to add some guidance to the Mastodon documentation for situations like this

@Gargron @pfigel
I don't have anything with iptables to hand to try this out with (my stuff all runs nftables), but here's the rough idea:
gist.github.com/flussence/bdef

If someone more familiar with this stuff can verify what I wrote is sane, I'd be grateful!
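Added example, not from the thread or from either gist: given a CIDR list with redundant entries like the one pfigel describes above, drop the blocks already covered by a larger block, then emit the two forms the replies ask about, nginx `deny` lines and an ipset restore file for iptables. The ranges are RFC 5737 placeholders with redundancy added on purpose; the set name spamnets and the file names are assumptions.

```ruby
require 'ipaddr'

# Constructed list with deliberate redundancy (RFC 5737 placeholders, not
# the real gist contents): 198.51.100.0/25 and 203.0.113.64/26 sit inside
# larger blocks, and 192.0.2.0/24 appears twice.
RAW_CIDRS = %w[
  192.0.2.0/24
  198.51.100.0/24
  198.51.100.0/25
  203.0.113.0/24
  203.0.113.64/26
  192.0.2.0/24
].freeze

# "network/prefixlen", the form nginx and ipset both accept.
def cidr_string(net)
  "#{net}/#{net.prefix}"
end

# Drop duplicates and any block contained in a larger block of the same
# family, then order by family and address so the output is stable.
def collapse_cidrs(cidrs)
  nets = cidrs.map { |c| IPAddr.new(c) }.uniq { |n| cidr_string(n) }
  nets.reject do |n|
    nets.any? { |m| !m.equal?(n) && m.family == n.family && m.prefix < n.prefix && m.include?(n) }
  end.sort_by { |n| [n.family, n.to_i] }
end

# nginx: one `deny` per block, to be `include`d in the server block.
# Denied clients get a 403 that is still written to access.log, which is
# what makes checking for false positives afterwards possible.
def nginx_deny_conf(nets)
  nets.map { |n| "deny #{cidr_string(n)};" }.join("\n")
end

# ipset: a hash:net set is built for exactly this (hundreds of CIDRs, one
# lookup per packet). IPv4 and IPv6 need separate sets.
def ipset_restore(nets, name = 'spamnets')
  v4, v6 = nets.partition(&:ipv4?)
  out = []
  out << "create #{name} hash:net family inet" << v4.map { |n| "add #{name} #{cidr_string(n)}" } unless v4.empty?
  out << "create #{name}6 hash:net family inet6" << v6.map { |n| "add #{name}6 #{cidr_string(n)}" } unless v6.empty?
  out.flatten.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  nets = collapse_cidrs(RAW_CIDRS)
  puts '# nginx: save as spam-blocklist.conf and `include` it in the server block'
  puts nginx_deny_conf(nets)
  puts '# ipset: load with `ipset -exist restore < spamnets.ipset`'
  puts ipset_restore(nets)
  # Then a single rule referencing the set instead of one rule per CIDR:
  #   iptables  -I INPUT -m set --match-set spamnets  src -j DROP
  #   ip6tables -I INPUT -m set --match-set spamnets6 src -j DROP
end
```

The collapse step is what makes the "some CIDRs are redundant" list safe to load: ipset rejects nothing for overlapping entries but the set gets bigger for no reason, and nginx silently evaluates every `deny` in order. Loading with `ipset -exist restore` lets you re-run the same file after revising the list without first destroying the set.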

@pfigel Sidenote but - I hope there is a nice list :3

Here's a version of the block list you can dump in your nginx to get rid of the bots:

gist.github.com/patf/1ae99fdd1

The advantage of using nginx here instead of your firewall/iptables is that you'll have an easier time checking for false-positives in logs (in case I fucked up); the bots follow a predictable pattern (GET / then GET /auth/sign_up) while real traffic would stand out.

cc @Gargron
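As an added example (not from pfigel's post or the gist), the false-positive check described above written out: parse nginx combined-format access log lines, group requests by client, and triage each client in the block list by whether it shows the "GET / then GET /auth/sign_up" fingerprint. Listed clients without that fingerprint are the ones to look at; unlisted clients with it are ranges the list missed. The log lines and the CIDRs are constructed placeholders (RFC 5737 ranges).

```ruby
require 'ipaddr'

# Placeholder block list (RFC 5737 ranges, not the real gist contents).
SPAM_CIDRS = %w[198.51.100.0/24 203.0.113.0/24].freeze

# nginx "combined" format:
#   $remote_addr - $remote_user [$time_local] "$request" $status $bytes "$referer" "$ua"
LOG_RE = /\A(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" (\d{3})/

LogEntry = Struct.new(:ip, :time, :method, :path, :status)

# One parsed entry, or nil for lines not in combined format. The query
# string is dropped so "/auth/sign_up?x=1" still counts as the sign-up page.
def parse_line(line)
  m = LOG_RE.match(line) or return nil
  LogEntry.new(m[1], m[2], m[3], m[4].split('?', 2).first, m[5].to_i)
end

# The bot fingerprint from the thread: "GET /" immediately followed by
# "GET /auth/sign_up" from the same client (entries in log order).
def bot_pattern?(entries)
  entries.map { |e| [e.method, e.path] }
         .each_cons(2)
         .any? { |a, b| a == ['GET', '/'] && b == ['GET', '/auth/sign_up'] }
end

def listed?(ip, nets)
  addr = IPAddr.new(ip)
  nets.any? { |n| n.family == addr.family && n.include?(addr) }
rescue IPAddr::InvalidAddressError
  false
end

# Sort every client into one of three buckets:
#   blocked_bots   - in the list and matching the pattern (expected)
#   review         - in the list but NOT matching it (possible false positive)
#   unblocked_bots - matching the pattern but not in the list (a range you missed)
def triage(lines, cidrs = SPAM_CIDRS)
  nets = cidrs.map { |c| IPAddr.new(c) }
  by_ip = lines.map { |l| parse_line(l) }.compact.group_by(&:ip)
  result = { blocked_bots: [], review: [], unblocked_bots: [] }
  by_ip.each do |ip, entries|
    bot = bot_pattern?(entries)
    bucket = if listed?(ip, nets)
               bot ? :blocked_bots : :review
             elsif bot
               :unblocked_bots
             end
    result[bucket] << ip if bucket
  end
  result
end

# Constructed sample log (placeholder addresses and times, not real traffic).
SAMPLE_LOG = <<~LOG.lines.map(&:chomp)
  198.51.100.7 - - [01/Jan/2017:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  198.51.100.7 - - [01/Jan/2017:10:00:02 +0000] "GET /auth/sign_up?x=1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
  198.51.100.7 - - [01/Jan/2017:10:00:03 +0000] "POST /auth HTTP/1.1" 302 0 "-" "Mozilla/5.0"
  198.51.100.42 - - [01/Jan/2017:10:05:00 +0000] "GET /@someone HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
  198.51.100.42 - - [01/Jan/2017:10:05:04 +0000] "GET /api/v1/timelines/home HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
  10.0.0.5 - - [01/Jan/2017:10:06:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "curl/7.50"
  10.0.0.5 - - [01/Jan/2017:10:06:01 +0000] "GET /auth/sign_up HTTP/1.1" 200 4096 "-" "curl/7.50"
  this line is not in combined format
LOG

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby triage.rb /var/log/nginx/access.log  (falls back to the sample)
  lines = ARGV.empty? ? SAMPLE_LOG : ARGF.each_line.map(&:chomp)
  triage(lines).each { |bucket, ips| puts "#{bucket}: #{ips.join(', ')}" }
end
```

On the sample, 198.51.100.7 lands in blocked_bots, 198.51.100.42 (listed, but browsing a profile and a timeline) lands in review, and 10.0.0.5 shows the fingerprint from outside the list. Once the `deny` rules are live, the listed clients only ever reach "GET /" before getting a 403, so run this against logs from before the block went in, or look at which listed clients hit the 403 on paths other than / and /auth/sign_up.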