Lemmy: Anti-spam measures

Created on 26 Apr 2019  路  14Comments  路  Source: LemmyNet/lemmy

enhancement

Most helpful comment

We will never support google recaptcha, but I'm open to PRs for other potential ones. Right now the main only spam method prevention is the strong moderation abilities, the tunable rate_limits for signups.

All 14 comments

What sort of measures? Rate limits for the API? Or something else?

We will definitely need rate limits for the API as a whole.

Ya so far I'm gonna start working on an in-memory IP address cache that rate-limits signups to one every X for something for a certain IP address.

I want all the limiting and security to be "at the door", IE on registration, I don't really wanna rate limit the websocket API as a whole.

I think it is probably a good idea to rate limit the API as a whole. Once an instance scales to hundreds of users, a group of bots could make accounts and then spam things like comments, community creation (as we have seen) or votes.

Pretty much every public API I have seen rate limits all requests to prevent abuse.

This is a really hard problem with decentralized social networks. It's fairly trivial to get a few million IP addresses (esp with IPv6) to spam votes with and get whatever posts to the top you want.

Some existing solutions to maybe consider...

  • Require all users to be invited by another user, so if someone makes a billion accounts, you just go as far up the tree as necessary and ban all derivative accounts from voting.
  • Allow instance owners to require phone verification to vote. They can then blacklist instances they're getting spam from, or whitelist popular instances that request it.

Def don't want phone (for privacy reasons) or email invite chain (not a fan of this method). There is a ticket for this tho, which is a solution used in a lot of places that I really like. #209

Yeah. I'm also against using a phone for that.

Hello. So finally is there any anti spam method? I would like to suggest a captcha, either by google or hCaptcha.

We will never support google recaptcha, but I'm open to PRs for other potential ones. Right now the main only spam method prevention is the strong moderation abilities, the tunable rate_limits for signups.

9

We will never support google recaptcha, but I'm open to PRs for other potential ones. Right now the main only spam method prevention is the strong moderation abilities, the tunable rate_limits for signups.

Fair enough. There is hCaptcha as well (i don't have a strong opinion either in favor or against it).

The solution proposed seems good. However, i am a bit confused about the definition of interval. In the example, is it 180 or 60 messages per second? I don't see a limit for community creation either.

#maximum number of messages created in interval
message: 180
# interval length for message limit
message_per_second: 60

Community creation follows the same limits as register.

180 reqs / minute.

3 register reqs / hour.

Community creation follows the same limits as register.

180 reqs / minute.

3 register reqs / hour.

So where it says message_per_second it actually means "size of interval in seconds"?

No, it means per_second, a time length. 3 register posts per 3600 seconds.

Outside of captcha, this is done.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

NicolasCARPi picture NicolasCARPi  路  5Comments

dessalines picture dessalines  路  3Comments

Nutomic picture Nutomic  路  5Comments

dcode picture dcode  路  6Comments

chopin2712 picture chopin2712  路  3Comments