Bring back Captcha #3200
Comments
Related to #2922
Cannot stress this enough. Captchas saved my server just now from getting spammed. I had over 800 spam signups overnight and after I enabled captcha it stopped. Whoever is doing this is an amateur that can't use captcha-bypassing bots, but that's the purpose of captcha in my opinion, to mitigate spam from at least some bad actors. Of course it won't stop the more experienced spammers with captcha-bypassing bots, but it should be kept.
See #2922, captchas will not stop those signup bots, we know from experience, because someone has written a signup bot that can bypass them. You need to turn on registration IP rate-limiting.
But they are all from different IPs. So IP rate-limiting wouldn't work.
Two days ago I had 6 users on my instance. Today I have 669. I don't even need to look at any logs to tell that this is obviously a whole bunch of bot users that have been created. Captcha is necessary in order to fend off these bots. If we don't, the spam bots will kill Lemmy just like spam bots killed Usenet discussions years ago.
As an alternative to captchas, I have a lot of faith that an invite system would be a great help in fighting against bots (#1777), especially if users need to be active in order to replenish their invites. Maybe that would be a better solution going forward?
See also this feature request to implement hashcash as a better alternative to graphical CAPTCHAs.
Rate limiting by IP is bad for users who need to use tools like VPNs or Tor Browser to access the internet safely. Please consider adding support for hashcash to rate-limit by session instead of by IP address, as it's better for at-risk users.
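A hashcash-style, session-bound proof of work of the kind the comment above asks for, as an added illustration (not code from Lemmy, mCaptcha or the commenter): the server hands the signup form an HMAC-bound challenge tied to the session rather than to an IP, the client burns CPU to find a nonce, and the server verifies with one MAC check and one hash. The challenge format, the 16-bit difficulty, the 300 s TTL and the session ids are assumptions, and session ids are assumed to contain no colon.

```python
import hashlib
import hmac
import secrets
import time

# Constructed parameters for this demo (assumptions, not Lemmy's or mCaptcha's code).
DIFFICULTY_BITS = 16   # leading zero bits required in SHA-256("challenge:nonce")
CHALLENGE_TTL = 300    # seconds a challenge stays valid
SERVER_KEY = secrets.token_bytes(32)  # per-process secret; server stays stateless

def issue_challenge(session_id, now=None):
    """Server side: bind a challenge to the signup session (never an IP) as
    "<session>:<issued_ts>:<difficulty>:<mac>"; the MAC pins timestamp and difficulty."""
    ts = int(time.time() if now is None else now)
    body = f"{session_id}:{ts}:{DIFFICULTY_BITS}"
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{mac}"

def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()  # big-endian

def work_hash(challenge, nonce):
    return hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()

def solve(challenge):
    """Client side: brute-force a nonce. Each signup costs ~2**DIFFICULTY_BITS
    hashes, so a bot registering thousands of accounts pays that thousands of times."""
    nonce = 0
    while leading_zero_bits(work_hash(challenge, nonce)) < DIFFICULTY_BITS:
        nonce += 1
    return nonce

def verify(challenge, nonce, session_id, seen, now=None):
    """Server side: one MAC check and one hash. `seen` holds redeemed challenges
    so a solved token cannot be replayed to open a second account."""
    parts = challenge.split(":")
    if len(parts) != 4:
        return False
    sid, ts, difficulty, mac = parts
    expected = hmac.new(SERVER_KEY, ":".join(parts[:3]).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False  # forged or tampered challenge
    if sid != session_id or int(difficulty) != DIFFICULTY_BITS:
        return False  # issued for another session, or difficulty downgraded
    if (time.time() if now is None else now) - int(ts) > CHALLENGE_TTL:
        return False  # stale: solved challenges cannot be stockpiled
    if challenge in seen or leading_zero_bits(work_hash(challenge, nonce)) < DIFFICULTY_BITS:
        return False  # replayed, or proof of work not done
    seen.add(challenge)
    return True
```

Raising DIFFICULTY_BITS by one doubles the client's cost per signup while the server's verification cost stays constant, which is what makes it a rate limit that does not depend on the client's IP.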
Seems the current bot wave is increasing quickly, and mostly on instances with captchas disabled. So it seems that the captcha is definitely acting as a deterrent in the current wave. Every new instance that appeared in the top here today has captchas disabled: https://lemmy.fediverse.observer/list
I'm really not liking the Lemmy devs pushing back on the community so hard here. I assure you, the quickest way to get a fork of the project will be to anger everyone who runs an instance, because your opinion on security has a measurable impact on our time. This is my comment in support of this feature, but it's also a rallying cry if y'all choose not to return the feature, leaving us admins only with options like Cloudflare and Imperva to protect the fediverse from spam. If this feature is not returned, I commit to forking this project, reverting the change myself, and getting it to other concerned instance admins. EDIT: Until a better solution is implemented. Double Edit: No more issues here. The devs will accept a roll-back PR (arguably easier to deliver than a new solution) and commit to ensuring it's in v0.18. I feel that this is a completely acceptable way to move forward that is aware of the downstream impacts on the greater fediverse. That addresses all of my concerns; thank you for listening to us!
@th3raid0r the devs have already supported the idea of adding mCaptcha support, which is a better alternative to graphical CAPTCHAs (both mathematically and heuristically). Instead of forking, why not just submit a PR for mCaptcha? They already said they'll accept it.
According to one admin, most of the wave of recent new users has been spam accounts:
Re: a comment in #2922:
Not so sure about this... our instance got hit with a huge pile-on of bot accounts yesterday, and enabling the CAPTCHA instantly stopped the influx. I +1 implementing something privacy-protecting like HashCash or mCAPTCHA as options. But in the meantime I think removing the existing solution was probably premature.
Just to pile on here, we had a bunch of bots registering today and enabling captcha put a stop to them as well. I honestly think that this should stay in until a better solution is in place. It's not perfect, but it is better than nothing even if it's not the ideal solution. This will buy some time until something else is out there.
Based on this feedback I agree that captchas should be restored. They are far from perfect, but it's still better than allowing account creation with a simple POST request. There are other options, but captcha is already supported in lemmy-ui, and will be faster to reimplement. If someone could write the code it would be very helpful, as we barely have time for that anymore. You can check out the tag
@ForbodingAngel I think the argument you want to make is Defense in Depth.
One note is that captchas (and all signup-blocking methods) being optional, it still won't prevent people from creating bot-only instances. The only effective way is to block them, or switch to allow-only federation. Once people discover the lemmy-bots that have been made that can bypass the previous captcha method, it also won't help (unless a new captcha method like the ones suggested above is implemented).
@dessalines I agree, but in that situation the responsibility falls on instance admins to blacklist bad-acting instances from federation. For admins who want to maintain a good reputation in the 'verse, there need to be multiple layers of tools available, with admins able to select which combination of them they think is appropriate for their instance.
Standing up an instance is pretty trivial, automatable and fast. If I were a spammer, I'd have a preseeded db with thousands of users or a data seed script that adds them to my instance. If I can create one instance an hour, blacklisting will quickly become unsustainable. I can probably add them faster than that. This is an interesting attack vector to the system and it makes me think that allow-only federation will inevitably become the norm for most instances.
@lightrush what you're describing can happen with email, but we don't have allow-only email. Rather, I think shared blocklists are healthier than allow-only federation. This is how email works. Is there already an apolitical organization in the
Sure. Shared blocklists could do it. Individual admins on every instance doing their own blocking, however, sounds impractical. If a shared blocklist system or protocol isn't established before the spammers fire up, I think admins are likely to resort to allow-only. Of course any of these scenarios will evolve. E: I see you already started mulling over the protocol. :D
This should probably be closed and further conversation moved to a discussion. This was resolved with #3249.
This is already included in 0.18.1-rc.1.
Requirements
Is your proposal related to a problem?
We just had a spam wave. I enabled captcha to prevent the automated spam signups.
Has helped on mastodon as well.
The spam accounts didn't get verified, but they caused the e-mail to be blocked for this domain, because they used non-existent Gmail addresses. That's why the captcha would be a good extra step.
(Account approvals aren't useful with a few thousand new accounts per day.)
Describe the solution you'd like.
Bring back captcha.
Describe alternatives you've considered.
Mail verification doesn't always work, and in this case it got my mail for the domain blocked.
Approvals are too much work for a big server.
Additional context
No