lemm.ee plans for mitigating image upload abuse

Hey folks!

I made a short post last night explaining why image uploads had been disabled. This was in the middle of the night for me, so I did not have time to go into a lot of detail, but I'm writing a more detailed post now to clear up where we are now and where we plan to go.

What's the problem?

As shared by the lemmy.world team, over the past few days, some people have been spamming one of their communities with CSAM images. Lemmy has been attacked in various ways before, but this is clearly on a whole new level of depravity, as it's first and foremost an attack on actual victims of child abuse, in addition to being an attack on the users and admins on Lemmy.

What's the solution?

I am putting together a plan, both for the short term and for the longer term, to combat and prevent such content from ever reaching lemm.ee servers.

For the immediate future, I am taking the following steps:

1) Image uploads are completely disabled for all users

This is a drastic measure, and I am aware that it's the opposite of what many of our users have been hoping, but at the moment, we simply don't have the necessary tools to safely handle uploaded images.

2) All images which have federated in from other instances will be deleted from our servers, without any exception

At this point, we have millions of such images, and I am planning to just indiscriminately purge all of them. Posts from other instances will not be broken after the deletion, the deleted images will simply be loaded directly from other instances.

3) I will apply a small patch to the Lemmy backend running on lemm.ee to prevent images from other instances from being downloaded to our servers

Lemmy has always loaded some images directly from other servers, while saving other images locally to serve directly. I am eliminating the second option for the time being, forcing all images uploaded on external instances to always be loaded from those servers. This will somewhat increase the amount of servers which users will fetch images from when opening lemm.ee, which certainly has downsides, but I believe this is preferable to opening up our servers to potentially illegal content.

For the longer term, I have some further ideas:

4) Invite-based registrations

I believe that one of the best ways to effectively combat spam and malicious users is to implement an invite system on Lemmy. I have wanted to work on such a system ever since I first set up this instance, but real life and other things have been getting in the way, so I haven't had a chance. However, with the current situation, I believe this feature is more important than ever, and I'm very hopeful I will be able to make time to work on it very soon.

My idea would be to grant our users a few invites, which would replenish every month if used. An invite will be required to sign up on lemm.ee after that point. The system will keep track of the invite hierarchy, and in extreme cases (such as spambot sign-ups), inviters may be held responsible for rule breaking users they have invited.

While this will certainly create a barrier of entry to signing up on lemm.ee, we are already one of the biggest instances, and I think at this point, such a barrier will do more good than harm.

5) Account requirements for specific activities

This is something that many admins and mods have been discussing for a while now, and I believe it would be an important feature for lemm.ee as well. Essentially, I would like to limit certain activities to users which meet specific requirements (maybe account age, amount of comments, etc). These activities might include things like image uploads, community creation, perhaps even private messages.

This could in theory limit creation of new accounts just to break rules (or laws).

6) Automated ML based NSFW scanning for all uploaded images

I think it makes sense to apply automatic scanning on all images before we save them on our servers, and if it's flagged as NSFW, then we don't accept the upload. While machine learning is not 100% accurate and will produce false positives, I believe this is a trade-off that we simply need to accept at this point. Not only will this help against any potential CSAM, it will also help us better enforce our "no pornography" rule.

This would potentially also allow us to resume caching images from other instances, which will improve both performance and privacy on lemm.ee.


With all of the above in place, I believe we will be able to re-enable image uploads with a much higher degree of safety. Of course, most of these ideas come with some significant downsides, but please keep in mind that users posting CSAM present an existential threat to Lemmy (in addition to just being absolutely morally disgusting and actively harmful to the victims of the abuse). If the choice is between having a Lemmy instance with some restrictions, or not having a Lemmy instance at all, then I think the restrictions are the better option.

I also would appreciate your patience in this matter, as all of the long term plans require additional development, and while this is currently a high priority issue for all Lemmy admins, we are all still volunteers and do not have the freedom to dedicate huge amounts of hours to working on new features.


As always, your feedback and thoughts are appreciated, so please feel free to leave a comment if you disagree with any of the plans or if you have any suggestions on how to improve them.
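
The invite scheme from point 4 above, sketched as an added example; it is not part of the original post and not code from Lemmy or lemm.ee. The allowance of 3, the rule that a new account receives invites only at the next monthly top-up, and all type and function names are assumptions made for illustration.

```rust
use std::collections::HashMap;

// Assumed monthly allowance; the post only says "a few invites".
const INVITES_PER_MONTH: u32 = 3;

#[derive(Debug, PartialEq)]
pub enum InviteError { UnknownInviter, NoInvitesLeft, NameTaken }

struct Account { invited_by: Option<String>, invites_left: u32 }

#[derive(Default)]
pub struct InviteLedger { accounts: HashMap<String, Account> }

impl InviteLedger {
    /// Accounts that existed before invites became mandatory have no inviter.
    pub fn add_founder(&mut self, name: &str) {
        let acct = Account { invited_by: None, invites_left: INVITES_PER_MONTH };
        self.accounts.insert(name.to_string(), acct);
    }

    /// Sign-up succeeds only by spending one invite of an existing account.
    pub fn register(&mut self, inviter: &str, new_user: &str) -> Result<(), InviteError> {
        if self.accounts.contains_key(new_user) { return Err(InviteError::NameTaken); }
        let inv = self.accounts.get_mut(inviter).ok_or(InviteError::UnknownInviter)?;
        if inv.invites_left == 0 { return Err(InviteError::NoInvitesLeft); }
        inv.invites_left -= 1;
        // Assumption: a new account starts with no invites until the next top-up.
        let acct = Account { invited_by: Some(inviter.to_string()), invites_left: 0 };
        self.accounts.insert(new_user.to_string(), acct);
        Ok(())
    }

    /// Monthly job: used invites are topped back up to the allowance, never above it.
    pub fn replenish(&mut self) {
        for a in self.accounts.values_mut() { a.invites_left = INVITES_PER_MONTH; }
    }

    /// Inviter chain of a reported account, nearest inviter first.
    pub fn inviter_chain(&self, user: &str) -> Vec<String> {
        let mut chain = Vec::new();
        let mut cur = self.accounts.get(user).and_then(|a| a.invited_by.clone());
        while let Some(name) = cur {
            cur = self.accounts.get(&name).and_then(|a| a.invited_by.clone());
            chain.push(name);
        }
        chain
    }

    /// Every account descended from `root`'s invites, sorted, for bulk review.
    pub fn invited_subtree(&self, root: &str) -> Vec<String> {
        let (mut out, mut stack) = (Vec::new(), vec![root.to_string()]);
        while let Some(parent) = stack.pop() {
            for (name, a) in &self.accounts {
                if a.invited_by.as_deref() == Some(parent.as_str()) {
                    out.push(name.clone());
                    stack.push(name.clone());
                }
            }
        }
        out.sort();
        out
    }
}

fn main() {
    // Constructed sample accounts, not real users.
    let mut ledger = InviteLedger::default();
    ledger.add_founder("alice");
    ledger.register("alice", "bob").unwrap();
    ledger.replenish();
    ledger.register("bob", "spambot1").unwrap();
    println!("chain: {:?}", ledger.inviter_chain("spambot1"));
    println!("subtree: {:?}", ledger.invited_subtree("alice"));
}
```
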

187 comments
  • Please please do not implement an invite system.

    The success of a forum like this depends on people being able to join and express their thoughts freely. Reddit and digg would never have gotten where they are if they had a closed system.

    I almost didn't join lemmy because the first two instances I heard about (lemmy.ml and beehaw) had closed registration. I think I applied and then forgot about it for 2 weeks. Thankfully I saw a post about lemmy on reddit yet again and finally found an open instance.

    Don't let the actions of a few scumbags ruin a good thing for everyone. You'll be giving them exactly what they want.

    • I agree that users should be able to join Lemmy freely, but I think it makes a lot of sense to try and spread users out more between instances - this spreads out the responsibilities between more admins, spreads out the load between more servers and also reduces the chance of a single point of failure for the whole system.

      It's clear that there are seriously vile people out there who want to cause huge amounts of damage to Lemmy, and if we have unlimited growth in a few selected instances, then these people only have to target those specific instances for maximum damage.

      In a perfect world, none of this would be necessary, but then again, in a perfect world, we wouldn't need a decentralized platform in the first place.

      • Thanks for responding!

        I agree that it's best for the lemmyverse.net if there are many big instances too.

        Unfortunately, the concept of the fediverse isn't as easy to understand. The average newcomer (who mostly just wants to consume content and occasionally ask a question or two) starts off by interacting within their instance, and it takes some time to figure out cross-instance communication (there are still posts about this on the nostupidquestions-type communities). For such users, landing on a small instance means they'll poke around the Local active posts, think that "this forum is dead", and never return.

        Like reddit, having a large userbase on lemmyverse is important to keep the conversation interesting (see https://i.imgur.com/4tXHAO0.png). Reddit has provided lemmy with a huge shot at success by injecting a large number of users. But if I'm being honest, the conversation on the lemmyverse isn't as diverse and engaging as it is on reddit yet. This isn't self-sustaining yet. I can point to 2 pieces of evidence to support this:

        1. Using Voat as an (imperfect) proxy - I don't know if there are official stats of Voat, but the best dataset I've seen for Voat (https://ojs.aaai.org/index.php/ICWSM/article/download/19382/19154/23395) has 16.2M comments in 2.3M submissions from 113k users. Voat was shut down for lack of funding, but even in its heyday it wasn't exactly thriving - many people on Voat were united in their toxicity and it never really got going. Compare these numbers to the lemmyverse which has about 100k active users over the last 6 months. If the fediverse is to grow beyond "that niche forum for nerds", this userbase isn't enough.
        2. It's already clear that the number of active users is decreasing - since mid-July, the number of monthly active users has dropped from 70k to 50k. This is expected (bunch of redditors who joined in June, poked around and said hi and left), but it means if the lemmyverse wants to have any chance of succeeding long term, you can't alienate new users now.

        The approach I've been advocating since the beginning of lemmy is:

        • if you see a user who's interested in lemmy but isn't really tech savvy, just point them to one of the biggest instances. Don't explain what federation is, leave it as a feature to be discovered once they're engaged.
        • if you see a user who's interested in the concept of a fediverse and wants to know how it works, explain federation and send them to a smaller instance.

        The way federation works now, it's still disadvantageous to be on a smaller instance (discoverability of new communities is harder, syncing posts/comments isn't always fast, it's hard to know which community is more active). Many of these can be fixed with changes to activitypub and lemmy protocol, but in the meantime, sending casual users to small instances means they'll likely never return.

        So to sum up, I think there should be an avenue for casual users to join the biggest instances, even as we encourage people to move to smaller ones (either targeting those who are more tech savvy, or those who have already been on Lemmy long enough to know how it works - I myself was on Lemmy.world and switched to this "smaller" instance).

        Anyway, you're the admins here and I have no say over what you eventually do. I'm just hoping you'll consider the practical realities of user behavior - everyone wants what's best for the fediverse in the long term.

    • If I may, lemm.ee is now the second biggest instance. Redirecting people to register on local instances (feddit.country) or generalist ones (reddthat.com, Lemmy.today, discuss.online etc.) could be reasonable to make those ones grow as well.

      I agree that there should be a clear list of instances open for registrations, but that probably needs to wait for the dust to settle a bit beforehand

    • While I understand your concerns, this instance has gotten a fair bit larger and will start to suffer the same issues that lemmy.world does if registrations aren't curbed. It can't grow infinitely. That just isn't feasible for one server. Having closed registrations on lemm.ee doesn't stop anyone from signing up on different instances. A solution might be to temporarily limit registration here in some way, and for the devs and instance admins to find a better way of helping new users choose an instance. The initial sign up process was confusing, and could be streamlined to make it easier for people to choose an instance. In the long term, enhancing the way federation works so users who do sign up on smaller/newer instances don't need to be lemmy savvy to find content would also help alleviate that type of issue.

    • i get your point but some folks aren’t that put off by it, assuming they can ask for an invite and it doesn’t take ten years. i had to work at it a bit over on reddit but i took my time and just wrote about the difficulties and in a couple weeks hey, i got an invite. i’d prefer a nicer community once i’m in to a quick and easy entry but it sucks thereafter (or is just chaotic and unhappy periodically). it’s like your house. do you just let everyone in from fear of being lonely? probably not. probably, if you’re not an outlier, you’ve taken steps to make it a bit hard for anyone not invited to enter. and it makes your home a better place to be.

  • thank you for your work sunaurus, and i'm sorry you had to sort through this

    (particularly annoying though, as i never got around to adding a user banner; and i had one in mind as well. i wish there was some way to externally host avatars and banners)

  • I'm going to be a part of an invite only community?! Of course, given the circumstances, this is pretty fucked. But I feel kinda fancy right now.

    Thanks for all you do on lemm.ee

  • This has been a great instance since day one, and it's good to see you once again being so proactive. Thank you for the update!

    There are downsides with all kinds of moderation, but ultimately most of us accept that the internet can't function as a true free-for-all. Absolutely in support of whatever you feel is necessary to keep the server safe, but please watch out for yourself too and make sure you're asking for help where needed.

    p.s. anyone reading this who doesn't donate to the server yet, here's a reminder that that's a thing you can do.

  • I like almost everything on this plan, except for the last 2 items. The account requirements for "extra activities" best be chosen carefully as to not encourage the good old "karma farming" that we got away from in leaving Reddit.
    And the ML thing for recognizing NSFW is also something to be carefully considered. Too strict and it gets annoying with false positives, it can restrict posting actual content, and too lax won't make a difference for the people actually looking to circumvent it. I think a "vetting" system like the previous item could be better in the long run, in only letting "trusted" people upload content.

  • Lemmy admins need to do whatever it is they can to handle CSAM if and when it arises. Users need to be understanding in this because as I’ve argued in other threads, CSAM itself poses a threat to the instance itself, as it poses a threat to the admins if they cannot clean up the material in a timely manner.

    This is going to likely get weird for a bit, including but not limited to:

    • instances going offline temporarily
    • communities going offline temporarily
    • image uploads being turned off
    • sign ups being disabled
    • applications and approval processes for sign ups
    • ip or geoip limiting (not sure if this feature currently exists in lemmy, I suspect it doesn’t but this is merely a guess)
    • totally SFW images being flagged as CSAM. Not advocating against use of ML / CV approaches, but historically they aren’t 100% and have gotten legit users incorrectly flagged. Example

    I just want folks to know that major sites like reddit and facebook usually have (not very well) paid teams of people whose sole job is to remove this material. Lemmy has overworked volunteers. Please have patience, and if you feel like arguing about why any of the methods I mentioned above are BS or have any questions reply to this message.

    I’m not an admin, but I’m planning on being one and I’m sort of getting a feel for how the community responds to this sort of action. We don’t get to see it a lot in major social media sites because they aren’t as transparent (or as understaffed) as lemmy instances are.

  • That sucks, but hopefully something good can come out of it eventually. Like better mod tools...

  • These are great ideas especially the ability for users to invite others. I think it’s also a good way to get new people into the fediverse since inviting someone will have them easily know what instance to go to.

    Will you submit all these features to the official lemmy backend too?

    • Yes, my goal is to submit PRs to the main Lemmy repo with all of these changes

  • Top work - I notice DBZero's instance reckons they've implemented AI scanning-and-blocking for CSAM, it may be worth getting in touch/investigating there.

  • I think the only sustainable option here is to keep media on the instance it was first posted to and every instance managing their own stuff.

    If it gets too crowded close registrations and another instance grows.

  • Have there been any developments on the Github in regards to all this? Really, the only things that will solve this long term are proper and granular moderation tools.

  • I think the images should never be cached from other instances in the first place, that is a huge oversight in pictrs since not only does it have the potential to cache unwanted content but also causes the images hosted to rapidly accumulate which isn't ideal as it increases storage requirements which is unfair to people who want to self-host a personal instance. Hosting a personal instance should not have monstrous storage requirements or serious liability risk due to caching all images automatically, it should only cache what is uploaded to the Instance like profiles and banners, and posts that include images from the Instance.


    I have reservations about allowing fully-invite based registrations on lemmy instances. While I do think it might be good to have invites as a way for users to skip filling out an application I don't really like the idea of requiring them like Tildes does, makes it feel like an elitist exclusive club of sorts having to beg for an invite from users. I don't think it should be an alternative to application-based registration, but rather a supplement to it, if someone can get an invite from users that's great but if not they should still be able to write an application to join, this could be extensive and also lower priority since you could get invites but should still be an option available.


    Account requirements really depends on what they are and what they restrict (also who on the instance is allowed to impose restrictions). For example on instances with downvotes enabled I think score/upvote requirements are a bad idea since it essentially means that people who disagree are locked out, like on Reddit with karma restrictions, I do not support this, it creates an echo-chamber where unpopular opinions. It'll also lead to upvote farming if there are negatives due to having a lower score.

    Comment or post requirements would just lead to post or comment farming similar to vote farming, though it's not as bad as score-requirements since people making posts and comments naturally (whether they are liked or not) can't be taken away by other people based on opinions (only if they break the rules and get posts removed, which isn't even remotely similar since they broke the rules).

    Limiting image uploading is a fair requirement in my opinion since uploads can be particularly harmful if the uploads are malicious, and also uploads aren't really needed since people can externally host almost all their images without the need for uploads.

    When it comes to DMs and restrictions around them I feel like that should be up to individual users to decide to allow private communication from certain users or not, or even to allow DMs at all, this shouldn't be something globally applied to people, maybe it could be a default in User settings and have a requirement set by the Admins but people should be able to turn it off if they don't care or want to accept messages from new users, I know I certainly will, I hate being nannied when it comes to who's allowed to send me messages, IMO Annoying or uncomfortable DMs are a fact of life and I prefer to deal with issues when they happen rather than block anyone who's a new user that might want to talk to me, it's one of the things I hated that Reddit does without giving me the option to opt out and receive messages from everyone.


    I think having a Machine-Learning based system to identify Malicious images is actually a pretty good idea going forward, I know how some people feel about AI and Machine-Learning but I think it's probably our best defense considering that none of us want to see it, it might have False positives but I'd rather that than to allow CSAM to live here. Ultimately the choice is have ML scanning or Disable pictrs here, I think ML is the better option because people are going to want to have Avatars and without pictrs that isn't possible (unless Lemmy adds support to the UI for externally hosted Avatars and Banners).


    1. I understand that this would be a temporary measure, and I hope this gets revisited in the near future.
    2. Got to do what you have to do.
    3. same as 2
    4. I do not agree with invite-based registrations and would prefer other ways to limit sign ups such as what others have already suggested in this thread.
    5. This will be tricky, but if done correctly would be something I can support.
    6. Agreed.

    Once again, thank you for this wonderful instance and I'm glad this is my home.

  • So, Lemmy.World images seem to be 're-federating' here. I couldn't find any news items over there, but... did the CSAM issue finally get patched at the Lemmy software level?

    • Can you give an example of a federated image?

      • Sure. Here's a couple posted in the community I run here-- [1], [2].

        They went offline for about a week I think, sometime after both LW and you shut down image uploads. The images above began re-federating just today.

  • Well as always users that did nothing wrong are the ones that suffer. I think banning images is overkill. Let the forum police themselves. It’s the way this is supposed to work. Just banning images site wide is pretty draconian and defeats the purpose of the fediverse. Blocking any images that could contain any level of nudity is also overkill. I’ll probably move to a self hosted server eventually.

    • I'm very happy if users who are comfortable with running live services set up their own instances, I think that's one of the best ways to ensure long-term success for Lemmy.

      In response to "let the forum police themselves" - this is not a thing, unfortunately. While it's super important for lemm.ee that users downvote and report rule breaking content, somebody still has to deal with the consequences of these reports. Our admins are now already handling a three digit amount of reports daily. Additionally, there is a chance that illegal content is uploaded and never reported, but we still have a legal responsibility to deal with it.

      • Well, in that case, I think the Fediverse is in serious trouble. You will end up with too much fragmentation in how servers handle this sort of thing; it's definitely going to keep happening and probably get worse. I think delegating to the community of forum participants to handle the problem is in the spirit of the Fediverse. In either case, I admit it's up to each server owner to do what they feel is best. I suspect the Noster model of dumb repeaters is a better model.
