A dev initially suggested in the Lemmy GitHub to remove captchas from future releases altogether because “they’re easy to bypass”.

Here’s the thing though, the lemmy.world instance avoided the daily 10k+ bot signups per day the other instances are currently experiencing simply by activating captchas.

Yes basic OCR easily bypasses them, but the whole point is that you’re forcing the spammer to use it, and it costs CPU resources, meaning that for the same budget the spammer will be able to create LESS bot accounts, or none at all if he doesn’t know how to automate the use of an OCR. Compare that with the current situation where anyone who followed a Python crash course can easily write a small script doing tens of thousands of automated signups using just the requests module.

Please enable captchas by default in future releases. You can try out other proposed solutions like hashcash too but IMO focus on the low hanging fruit first and make captchas a default in 0.18 already. One barrier, no matter how weak it is, is much better than no barrier at all.

And to those who maintain websites that list instances and rank them by size, you are also contributing to this problem by adding an incentive for bad actors to inflate their own instances. Please either remove that ranking, or remove the spammy looking instances by hand.

Also, maybe change the user count such that only users having clicked on the verification link are counted.

  • @fubo@lemmy.world
    link
    fedilink
    English
    15
    edit-2
    2 years ago

    Bot registrations can also be slowed down by just … slowing down.

    Real users don’t need a registration to happen within 250 milliseconds. It’s okay to delay it for several seconds just to rate-limit bots.

    (This is sometimes described as the “tarpit” approach.)

    • AlmightySnoo 🐢🇮🇱🇺🇦OP
      link
      fedilink
      English
      112 years ago

      Yes, but the point is that and captchas are not exclusive. I hope devs will backtrack on their intention to remove captchas and instead make them a default.

      • @fubo@lemmy.world
        link
        fedilink
        English
        42 years ago

        Yep. Successful anti-spam usually relies on a mix of different techniques, not just one!

      • animist
        link
        fedilink
        English
        32 years ago

        I think the commenter you replied tonwas giving an additional suggestion rather than an alternative to your original suggestion

    • @kevincox@lemmy.ml
      link
      fedilink
      English
      42 years ago

      If you add a big delay the botters will just run more requests in parallel. It is a tiny barrier but in a completely different league than even a simple captcha.

      • Meow.tar.gz :verified:
        link
        fedilink
        52 years ago

        @kevincox @fubo I’ve tried actually shunting the bots into a queue that basically sets the TCP receive window to 1. You’re quite correct, the bots just spawn off more processes.

        • And then you respond by limiting access by IP. That degrades the experience a bit for large networks like universities, but if it’s limited to logins and signups, it can be acceptable.

          And then they respond with bot nets, and then you know you’ve hit the mainstream.