Just had to block the first spam account on I suspect Mastodon is going to quickly need to implement defensive tools to combat automated spam account registrations, as has had to be done on other sites, like blogs and forums. My wordpress instance for, for example, has about 2k-3k attempted spam account registrations per day. Given the nature and reach of Mastodon, I suspect spammers will focus their efforts here soon

@jerry in any event, I may be being too alarmist based on my mode of thinking due to $dayjob. Have a good Sunday, everyone.

@jerry Tbh I'm surprised there are not more here already

@Sir_Boops agree. It’s likely just lack of awareness up to now.

@jerry a honeypot form that blocks by IP still works surprisingly well!

@Efi agree. That is pretty effective. But, if this become an important place for spammers, they will quickly adapt.

@jerry Yes, already had a lot of spam registrations. @gougerenet

@bortzmeyer @gougerenet @jerry I think the fact we have a load of smaller instances which are actively managed by admins means that spam will get less of a foothold on the fediverse tbh.

@stolas @bortzmeyer @gougerenet I hope you’re right. But I see a possibly different nightmare scenario. Given that these campaigns are often completely automated, there’s little difference to a spammer spamming 1 instance or 1000. In any event, it’s pretty manageable now, but I’ve seen how bad it can get and I don’t think GS/Pleroma/Mastodon/et al have the tools in place for admins to cope without disabling registrations

@jerry I wager you are correct. It's a fun exercise to defend a site of this size.

@jerry 2k-3k attempted spam registrations per day ! 😲

How do you fight this on your wordpress blog ? (tools, admin tips, ...)

@Roland I've found the "Stop Spammers" worked pretty well, but the people at Automattic added some functionality that works extremely well to Jetpack (called "Jetpack Protect"). Disabling that creates an absolute mess.

@Roland I forgot to mention that I also use wp-spamshield. I think that jetpack likely does enough that wp-spamshield is no loner necessary, though.

@jerry Ok thank you! I have this crazy idea of building an activitypub server over Wordpress. I'm sure your informations will be useful!

@jerry is this a manual process or are there tools specifically built to aid in this type of activity?

@jeff there’s nothing I’m aware, other than the normal moderator tools - which is a manual interface for suspending/silencing accounts or deleting toots

@jerry what is your methodology then for determining if an account is spam then? Other than watching it and seeing what it posts. Or other metrics like post frequency or time between posts.

@jeff so far, It's just waiting until an account does something in appropriate. The account today was gratuitous... Posted a link to learn how to make money trading oil futures or something similar.

@jerry I had similar thoughts. My other instance ( has closed down registrations

In German but EN translation is:

Unfortunately, our little toot.BERLIN was discovered by scriptkiddies, who created tons of accounts and post spam. We have temporarily suspended the registration of new accounts. If you want to help with cleaning up, please report all spam accounts that come in contact with you via the report function in Mastodon. Danke Unse

@superruserr I don’t use wordfence. I haven’t found a particular problem that it solves for me (yet) to justify the cost.

Sign in to participate in the conversation
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.