Prevent registration spams #877
Comments
Should also log IPs in admin panel upon registration |
I believe this issue should be bumped up in priority, to possibly get something in place for the next RC. A number of instances have been hit by dozens of spam registrations over the past 48 hours. |
In certain cases, another possible approach would be to rely on external authentication, removing local account creation altogether. Mastodon is missing this feature, which would have many benefits on its own (single sign-on, social logins). We are starting to see organizations with an existing user base who are offering Mastodon as an additional service. For them, local accounts are an extra annoyance with no benefit even before spam starts to appear. |
Mastodon is not missing this feature, Mastodon already has this feature: LDAP, CAS, SAML |
Alright, thanks. I had replied based on this topic: https://discourse.joinmastodon.org/t/single-sign-on-with-discourse/766 Since I am interested in Discourse integration, I will continue there for further details. |
I understand the unwillingness to integrate reCaptcha as it is owned by Google. But I'd like to see the option to create a custom captcha by simply specifying two fields.
This will help many instances that are specialized or localized. In my case for example I run a Swedish instance so I could easily ask a question in Swedish that only Swedes would be able to answer because it would be culturally ambiguous. And that would get rid of all foreign spam bots for me without having to maintain endless IP-blocks. And were you to create an API endpoint to update the captcha it could be automated to serve a math question very easily. |
I made a simple CAPTCHA service a while ago specifically for Pleroma, but I'm sure it can be integrated into Mastodon as well, as it only has a single endpoint. I'm willing to help integrate it if needed. |
What about hCaptcha? |
Yes, hCaptcha seems fine. Would make it up to the instance owners to decide whether it's a good idea or not to do hCaptcha. Bumping this and mentioning @Gargron. Highly appreciated feature from my side. |
I also want to add that I (as an instance owner) am struggling to keep tabs on the users and see if they spam. It's just too easy right now as there is 0 protection from the get go. I can understand that you would feel this is a cat and mouse game. However, while you have easy to break windows, you still have a lock on your front door! It could also be beneficial to tackle this together with #13013 |
self hosted captchas https://github.com/koto-bank/kocaptcha |
Hello 👋🏼 Maybe you can also consider https://github.com/markets/invisible_captcha, a honeypot solution. P.S. I'm the maintainer, happy to help if you are interested :) |
Can we please add an option to add captcha? Yes, it can be broken, but it heightens the threshold, which already turns away a large fraction of spammers |
hCaptcha support was merged with 4.2, closing as completed |
@vmstan Hi! |
|
@vmstan Thanks! |
Mastodon grows really fast, and malicious users too. To counter registration spam, why not implement a preventive solution with captcha, honeypot, IP limit or other solutions?
The functionality can be disabled on instances if administrators don't care about spam.
Is it possible to add this functionality to prevent this?