A dev initially suggested in the Lemmy GitHub to remove captchas from future releases altogether because “they’re easy to bypass”.

Here’s the thing though, the lemmy.world instance avoided the daily 10k+ bot signups per day the other instances are currently experiencing simply by activating captchas.

Yes basic OCR easily bypasses them, but the whole point is that you’re forcing the spammer to use it, and it costs CPU resources, meaning that for the same budget the spammer will be able to create LESS bot accounts, or none at all if he doesn’t know how to automate the use of an OCR. Compare that with the current situation where anyone who followed a Python crash course can easily write a small script doing tens of thousands of automated signups using just the requests module.

Please enable captchas by default in future releases. You can try out other proposed solutions like hashcash too but IMO focus on the low hanging fruit first and make captchas a default in 0.18 already. One barrier, no matter how weak it is, is much better than no barrier at all.

And to those who maintain websites that list instances and rank them by size, you are also contributing to this problem by adding an incentive for bad actors to inflate their own instances. Please either remove that ranking, or remove the spammy looking instances by hand.

Also, maybe change the user count such that only users having clicked on the verification link are counted.

  • PenguinLover@lemmy.ml
    link
    fedilink
    English
    arrow-up
    42
    ·
    2 years ago

    Completely agree, captcha’s aren’t gonna make it impossible to make bots, but it makes it more complicated. It will force bad actors to invest more time in it. Wich will turn some part of them away.

    On a positive note, I think the fact that we see so many bot signups shows lemmy (the fediverse in general) is growing and matters, otherwise people wouldn’t spend so much time and resources to make these bots. All big platforms have these kind of problems and need to learn how to deal with them.

    • 0xpr03@feddit.de
      link
      fedilink
      English
      arrow-up
      5
      ·
      edit-2
      2 years ago

      yeah it was never about making it impossible, only about making it inconvenient enough that it’s manageable

    • clobubba@kbin.social
      link
      fedilink
      arrow-up
      1
      arrow-down
      2
      ·
      2 years ago

      I’m already having enough trouble getting accustomed to KBin. It seems like I get logged out after some period of inactivity even if I don’t close its tab. If I want to comment, I already generally have to log back in. Adding a captcha on top of that would genuinely discourage me from participating.

      • PenguinLover@lemmy.ml
        link
        fedilink
        arrow-up
        3
        ·
        2 years ago

        I was only talking about captcha’s for account creation. To just log in they would indeed be to much of a hassle.

      • Nadya@kbin.social
        link
        fedilink
        arrow-up
        1
        ·
        2 years ago

        The page is cached and your token expires after a bit. If you read a thread and then spend time typing up a post you’ve likely crossed the threshold. Copying your post and simply refreshing the page is all that’s needed - you shouldn’t have to sign back in again.

      • Ataraxia@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        2 years ago

        Weird. I signed up for kbin two weeks ago and went back today and didn’t need to log in. It was still logged in.

  • TheYang@lemmy.ml
    link
    fedilink
    English
    arrow-up
    18
    ·
    2 years ago

    I mean, it’s a currently approved PR

    There’s also an active Issue about replacing captchas (which are often an issue privacy-wise) with a mCaptcha, where you computer does “Bitcoin-Like” useless calculations which the server easily can verify that you did.
    So it would be much more costly to make a billion spam accounts

    • CoderKat@kbin.social
      link
      fedilink
      arrow-up
      0
      arrow-down
      2
      ·
      2 years ago

      I’m very skeptical that mCaptcha would actually work besides perhaps temporarily slowing bots down due to being niche. How expensive can you make it without hurting legitimate users? And how expensive does it need to be to discourage bots? Especially when purposefully designed bots can actually do the kinda math we’re talking about in optimized software and hardware while legitimate users can’t.

  • xuu@social.sour.is
    link
    fedilink
    English
    arrow-up
    16
    ·
    2 years ago

    Hard agree… currently of the top 20 fastest growing servers in the fediverse most are instances with less than 10 active users but they are showing 50k - 70k bot accounts.

      • xuu@social.sour.is
        link
        fedilink
        English
        arrow-up
        1
        ·
        2 years ago

        You can find them in “Top 20 Fastest Growing Servers” on here https://fedidb.org/

        and instances can add them to their blacklist. though it probably helpful to reach out to the admins. many are new and are unaware of how it works.

  • fubo@lemmy.world
    link
    fedilink
    English
    arrow-up
    15
    arrow-down
    1
    ·
    edit-2
    2 years ago

    Bot registrations can also be slowed down by just … slowing down.

    Real users don’t need a registration to happen within 250 milliseconds. It’s okay to delay it for several seconds just to rate-limit bots.

    (This is sometimes described as the “tarpit” approach.)

      • fubo@lemmy.world
        link
        fedilink
        English
        arrow-up
        7
        ·
        2 years ago

        Yep. Successful anti-spam usually relies on a mix of different techniques, not just one!

      • animist@lemmy.one
        link
        fedilink
        English
        arrow-up
        4
        ·
        2 years ago

        I think the commenter you replied tonwas giving an additional suggestion rather than an alternative to your original suggestion

    • kevincox@lemmy.ml
      link
      fedilink
      English
      arrow-up
      5
      arrow-down
      1
      ·
      edit-2
      2 years ago

      If you add a delay the botters will just run more requests in parallel. It is a tiny barrier but in a completely different league than even a simple captcha.

        • sugar_in_your_tea@sh.itjust.works
          link
          fedilink
          arrow-up
          2
          ·
          2 years ago

          And then you respond by limiting access by IP. That degrades the experience a bit for large networks like universities, but if it’s limited to logins and signups, it can be acceptable.

          And then they respond with bot nets, and then you know you’ve hit the mainstream.

  • –Phase–@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    10
    ·
    2 years ago

    Agreed, I’m really concerned about the fact that email verification and captchas are available but off by default. With the state of the internet now they really should be on by default.

    • clobubba@kbin.social
      link
      fedilink
      arrow-up
      2
      arrow-down
      1
      ·
      2 years ago

      I use disposable email addresses where an address is required. I’m certain that isn’t a barrier for spammers.

      • CoderKat@kbin.social
        link
        fedilink
        arrow-up
        5
        ·
        2 years ago

        Barriers are relative. Everything that makes it slightly harder will stop a large chunk of bots, since bots aren’t able to easily adapt like humans can. Plenty of very basic bots are in fact stopped by lack of emails.

        But yeah, email verification is heavily more so that you can verify they have access to the email, and thus the email is safe to use for things like password resetting. Without it, webmasters can get swamped with complaints about people getting locked out of accounts or the likes because they signed up with the wrong email.

        In theory, you can also go further by only allowing email providers that have anti bot mechanisms, but it’s difficult to maintain that and it will always exclude some legitimate users.

  • dudeami0@lemmy.dudeami.win
    link
    fedilink
    English
    arrow-up
    9
    ·
    2 years ago

    I’d say setting registrations to closed and having the operator enable/configure which to use is the best default. CAPTCHAs can also be automated, so this won’t stop anyone that is ambitious enough. If someone sees value in automating account registrations, they might be willing to pay for the CAPTCHAs to be solved for fraction of a US cent each.