this post was submitted on 12 Sep 2024
421 points (98.8% liked)

Fediverse

28713 readers
548 users here now

A community to talk about the Fediverse and all it's related services using ActivityPub (Mastodon, Lemmy, KBin, etc).

If you wanted to get help with moderating your own community then head over to [email protected]!

Rules

Learn more at these websites: Join The Fediverse Wiki, Fediverse.info, Wikipedia Page, The Federation Info (Stats), FediDB (Stats), Sub Rehab (Reddit Migration), Search Lemmy

founded 2 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
421
Instance Admins: Check Your Instance for Vote Manipulation Accounts [PSA] (dubvee.org)
submitted 3 months ago* (last edited 3 months ago) by [email protected] to c/[email protected]
181 comments fedilink hide all child comments
 

Over the past 5-6 months, I've been noticing a lot of new accounts spinning up that look like this format:

  • https://instance.xyz/u/gmbpjtmt
  • https://instance.xyz/u/tjrwwiif
  • https://instance.xyz/u/xzowaikv

What are they doing?

They're boosting and/or downvoting mostly, if not exclusively, US news and politics posts/comments to fit their agenda.

Edit: Could also be manipulating other regional news/politics, but my instance is regional and doesn't subscribe to those which limits my visibility into the overall manipulation patterns.

What do these have in common?

  1. Most are on instances that have signups without applications (I'm guessing the few that are on instances with applications may be from before those were enabled since those are several months old, but just a guess; they could have easily just applied and been approved.)
  2. Most are random 8-character usernames (occasionally 7 or 9 characters)
  3. Most have a common set of users they're upvoting and/or downvoting consistently
  4. No posts/comments
  5. No avatar or bio (that's pretty common in general, but combine it with the other common attributes)
  6. Update: Have had several anonymous reports (thanks!) that these users are registering with an @sharklasers.com email address which is a throwaway email service.

What can you, as an instance admin, do?

Keep an eye on new registrations to your instance. If you see any that fit this pattern, pick a few (and a few off this list) and see if they're voting along the same lines. You can also look in the login_token table to see if there is IP address overlap with other users on your instance and/or any other of these kinds of accounts.

You can also check the local_user table to see if the email addresses are from the same provider (not a guaranteed way to match them, but it can be a clue) or if they're they same email address using plus-addressing (e.g. [email protected], [email protected], etc).

Why are they doing this?

Your guess is as good as mine, but US elections are in a few months, and I highly suspect some kind of interference campaign based on the volume of these that are being spun up and the content that's being manipulated. That, or someone, possibly even a ghost or an alien life form, really wants the impression of public opinion being on their side. Just because I don't know exactly why doesn't mean that something fishy isn't happening that other admins should be aware of.

Who are the known culprits?

These are ones fitting that pattern which have been identified. There are certainly more, but these have been positively identified. Some were omitted since they were more garden-variety "to win an argument" style manipulation.

These all seem to be part of a campaign. This list is by no means comprehensive, and if there are any false positives, I do apologize. I've tried to separate out the "garden variety" type from the ones suspected of being part of a campaign, but may have missed some.

[New: 9/18/2024]: https://thelemmy.club/u/fxgwxqdr
[New: 9/18/2024]: https://discuss.online/u/nyubznrw
[New: 9/18/2024]: https://thelemmy.club/u/ththygij
[New: 9/18/2024]: https://ttrpg.network/u/umwagkpn
[New: 9/18/2024]: https://lemdro.id/u/dybyzgnn
[New: 9/18/2024]: https://lemmy.cafe/u/evtmowdq
https://leminal.space/u/mpiaaqzq
https://lemy.lol/u/ihuklfle
https://lemy.lol/u/iltxlmlr
https://lemy.lol/u/szxabejt
https://lemy.lol/u/woyjtear
https://lemy.lol/u/jikuwwrq
https://lemy.lol/u/matkalla
https://lemmy.ca/u/vlnligvx
https://ttrpg.network/u/kmjsxpie
https://lemmings.world/u/ueosqnhy
https://lemmings.world/u/mx_myxlplyx
https://startrek.website/u/girlbpzj
https://startrek.website/u/iorxkrdu
https://lemy.lol/u/tjrwwiif
https://lemy.lol/u/gmbpjtmt
https://thelemmy.club/u/avlnfqko
https://lemmy.today/u/blmpaxlm
https://lemy.lol/u/xhivhquf
https://sh.itjust.works/u/ntiytakd
https://jlai.lu/u/rpxhldtm
https://sh.itjust.works/u/ynvzpcbn
https://lazysoci.al/u/sksgvypn
https://lemy.lol/u/xzowaikv
https://lemy.lol/u/yecwilqu
https://lemy.lol/u/hwbjkxly
https://lemy.lol/u/kafbmgsy
https://discuss.online/u/tcjqmgzd
https://thelemmy.club/u/vcnzovqk
https://lemy.lol/u/gqvnyvvz
https://lazysoci.al/u/shcimfi
https://lemy.lol/u/u0hc7r
https://startrek.website/u/uoisqaru
https://jlai.lu/u/dtxiuwdx
https://discuss.online/u/oxwquohe
https://thelemmy.club/u/iicnhcqx
https://lemmings.world/u/uzinumke
https://startrek.website/u/evuorban
https://thelemmy.club/u/dswaxohe
https://lemdro.id/u/efkntptt
https://lemy.lol/u/ozgaolvw
https://lemy.lol/u/knylgpdv
https://discuss.online/u/omnajmxc
https://lemmy.cafe/u/iankglbrdurvstw
https://lemmy.ca/u/awuochoj
https://leminal.space/u/tjrwwiif
https://lemy.lol/u/basjcgsz
https://lemy.lol/u/smkkzswd
https://lazysoci.al/u/qokpsqnw
https://lemy.lol/u/ncvahblj
https://ttrpg.network/u/hputoioz
https://lazysoci.al/u/lghikcpj
https://lemmy.ca/u/xnjaqbzs
https://lemy.lol/u/yonkz

Edit: If you see anyone from your instance on here, please please please verify before taking any action. I'm only able to cross-check these against the content my instance is aware of.

(page 4) 35 comments
sorted by: hot top controversial new old
[–] [email protected] 13 points 3 months ago* (last edited 3 months ago) (7 children)

You should out the users and topics they are engaging with.

load more comments (7 replies)
[–] [email protected] 1 points 3 months ago (1 children)

Lemmy should do something like make captcha and email verification the default in the next version, and reject federation from anyone with a lower version. If we accept federation from any instance where this was never turned on, banning accounts one by one is worse than Sisyphean. They'll just keep finding more vulnerable instances that are already trusted and abuse them to spam the rest of the fediverse.

If admins want to manually turn it off, then they should be prepared to manage that.

[–] [email protected] 8 points 3 months ago (4 children)

reject federation from anyone with a lower version.

21% of the instances still run 0.19.3 as we are speaking: https://fedidb.org/software/lemmy/versions

load more comments (4 replies)
[–] [email protected] 17 points 3 months ago (4 children)

What stops the botters from setting up their own instances to create unlimited users for manipulating votes?

I guess admins also have to be on top of detecting and defederating from such instances?

[–] [email protected] 35 points 3 months ago* (last edited 3 months ago)

What stops the botters from setting up their own instances to create unlimited users for manipulating votes?

Nothing, really. Though bad instances like that would be quickly defederated from most. But yeah, admins would have to keep an eye on things to determine that and take action.

load more comments (2 replies)
[–] [email protected] 4 points 3 months ago (2 children)

Lemmy should have the option to defederate from instances depending on automated criteria. Sign ups without admin checks are a great attribute to use for defederation, because it leads to such abuse. I've finally blocked most communities and instances that have news about US politics and have a clean feed, but for newcomers, that shit is everywhere.

Anti Commercial-AI license

[–] [email protected] 8 points 3 months ago

It's not a native feature, but some instances have a script or plugin (not super familiar with it beyond a general awareness of its existence) that can tie their federation allow/block lists with Fediseer. So, like, if an instance gets censured by a bunch of other instances you're on good terms with, it can automatically pick that up and add it to your block list.

I don't hate the idea of that, and I have seen it protect a few instances from several spam waves, but I haven't implemented it myself.

load more comments (1 replies)
[–] [email protected] 11 points 3 months ago (1 children)

I have a manual process for admitting people, do I need to do anything if I know exactly who is on my instance, or do I need to do anything to protect my instance from other bad acting instances (beyond defederating, which I do when I notice a lot of spam). Any queries you recommend?

[–] [email protected] 10 points 3 months ago* (last edited 3 months ago) (4 children)

I have a manual process for admitting people, do I need to do anything if I know exactly who is on my instance,

With that in place, I wouldn't think so. I'm in the same boat with a small instance that has always used applications. The problematic accounts I've noticed are all using these random, 8-character names and seem to be setting up shop across open instances w/o applications. So chances are, if you're manually admitting people, you'd have noticed these already and likely not approved them.

do I need to do anything to protect my instance from other bad acting instances

Unfortunately, defederating only protects your instance's users from being impacted by the manipulations. Beyond that, it's less a bad instance rather than them being taken advantage of (kind of like our persistent troll who instance hops every few days).

For now, I've just banned the vote manipulation accounts and moved on (this PSA notwithstanding lol) I wouldn't consider these a "defederation worthy" offense. When I do defed, it's for bigger reasons or just temporary due to spam (sometimes admins can't deal with it right away but it's causing a huge problem now and I need to do something in the short term).

Queries, I do have some, but they're ugly AF. lol. I should prob look into starting a Matrix room or admin community where we can share and improve each others' utility scripts.

[–] [email protected] 4 points 3 months ago

Thanks l, that all makes sense. I'll keep an eye out

load more comments (3 replies)
[–] [email protected] 10 points 3 months ago

Hats off, Admiral, thank you for doing your due diligence and sharing with the community.

[–] [email protected] 14 points 3 months ago

Thank you for your service 🫡

[–] [email protected] 24 points 3 months ago (2 children)

As an end user, ie. not someone who either hosts an instance or has extra permissions, can we in anyway see who voted on a post or comment?

I'm asking because over the time I've been here, I've noticed that many, but not all, posts or comments attract a solitary down vote.

I see this type of thing all over the place. Sometimes it's two down votes, indicating that it happens more than once.

I note that human behaviour might explain this to some extent, but the voting happens almost immediately, in the face of either no response, or positive interactions.

Feels a lot like the Reddit down vote bots.

[–] [email protected] 30 points 3 months ago (3 children)

As a regular user, I don't think there's much you can do, unfortunately (though thank you for your willingness to help!). Sometimes you can look at a post/comment from Kbin to see the votes, but I think Mbin only shows the upvotes. Most former kbin instances, I believe, switched to mbin when development on kbin stalled.

The solitary downvotes are annoying for sure. "Some people, sigh" is just my response to that. I just ignore those.

Re: Downvote bots. I can't say they're necessarily bots, but my instance has scripts that flag accounts that exclusively give out downvotes and then bans them. That's about the best I can do, at present, to counter those for my users.

load more comments (3 replies)
[–] [email protected] 21 points 3 months ago (1 children)

At the moment, admins can see the votes. Mods are going to in a future version (https://github.com/LemmyNet/lemmy/pull/4392 )

load more comments (1 replies)
[–] [email protected] 10 points 3 months ago (2 children)

Another data point in favor of supporters of Dead Internet Theory .

Also, this is one more example of why it would be better if instances charged a little bit from everyone: spammers will rather run things from their own machines (or some illegal botnet) than paying something with a credit card.

[–] [email protected] 9 points 3 months ago* (last edited 3 months ago) (1 children)

Yeah nah man. I’m poor as fuck. Like usually have cents left if my bank account poor, and don’t always have meals poor. I ain’t paying a penny, even though I love lemmy.

I’ll give my ID or passport before I pay money.

load more comments (1 replies)
[–] [email protected] 21 points 3 months ago (2 children)

That may work, or you'd just get a bunch of chargebacks from stolen credit cards lol.

I do like the idea of some kind of verification besides from a questionnaire, but I'm not sure what would ever get traction.

[–] [email protected] 7 points 3 months ago* (last edited 3 months ago) (1 children)

you’d just get a bunch of chargebacks from stolen credit cards lol.

Criminals use stolen credit cards for high value items that can be sold quickly. If criminals really wanted to do mass manipulation via AP servers, it will be easier/faster/cheaper for them to spin up their own servers than signing up for paid accounts.

The one counter-argument that I would accept though: what if bad actors running psyops become commercial providers to attract legit customers and mix it with their agents?

[–] [email protected] 6 points 3 months ago (2 children)

True.

I guess my main hangup with payment-based registration is trust. Personally, even though I am willing to pay for a Lemmy account (I guess I technically do since I run an instance), I would be between hesitant and completely avoidant to giving payment info to a random instance that could be hosted by anyone.

If they use some kind of well-known, trusted donation/payment service, I guess that could alleviate that. Now that I think about it, it may also encourage people to use instances more local to them since they would probably want to recognize the donation platform the instance uses. (e.g. if an instance used a donation/payment service that's only well-known in Sweden, I would have absolutely no idea as an American if it was legit or not, would not risk it, and would choose a different instance).

I'm still not completely for the idea of requiring payment for sign up, but I definitely can see the benefits to it.

load more comments (2 replies)
load more comments (1 replies)
[–] [email protected] 6 points 3 months ago

I see most of them are on the same "lemy.lol" instance.

[–] [email protected] 37 points 3 months ago (10 children)

I just had a look at https://lemy.lol/, and they have email verification enabled, so it's not just people finding instances without email check to spam account on there.

@[email protected] and @[email protected] FYI

[–] [email protected] 1 points 3 months ago

It could also be instance admins fucking around.

[–] [email protected] 16 points 3 months ago (1 children)

Alright. I’ll check this ASAP.

[–] [email protected] 8 points 3 months ago

Thanks!

[–] [email protected] 18 points 3 months ago* (last edited 3 months ago)

Thanks. I edited the wording for "open signups". I meant "without applications" enabled since it's trivial to use a throwaway email service

load more comments (7 replies)
[–] [email protected] 143 points 3 months ago (7 children)

We have our own astroturfing bots, did we make it?

[–] [email protected] 51 points 3 months ago (1 children)

I believe "Russian Bot Farm Presence" is the preferred metric of social network relevance in the scientific community.

load more comments (1 replies)
[–] [email protected] 1 points 3 months ago

lol hahahahaha

[–] [email protected] 33 points 3 months ago

Make it harder to moderate? Sure!

load more comments (4 replies)
[–] [email protected] 50 points 3 months ago (1 children)

Thank you for the list, we'll remove the Jlai.lu account

[–] [email protected] 45 points 3 months ago* (last edited 3 months ago)

I strongly advise verifying first, but yes.

I can only verify them based on the posts/comment votes my instance is aware of. That said, I do have sufficient data and enough overlap to establish a connection/pattern.

load more comments
view more: ‹ prev next ›