Remote View

2y ago

Almost OVER 90% of the accounts on lemmy are now bot accounts!!

Here you can see 2 day old post warning about the danger of not using email/captcha verification: https://lemmy.ml/post/1345031
And here are stats of lemmy platform where it shows that we gained 200 000 lemmy users in 2 days: https://lemmy.fediverse.observer/dailystats
Another tracking site with the same explosion in users: https://the-federation.info/platform/73
What do you think? Is it some sort of a bug or do people run bot farms?
Edit2: It's been now 3 days and we went from 150 000 user accounts 3 days ago to 700 000 user accounts today making it 550 000+ bot accounts and counting. Almost 80% accounts on lemmy are now bots and it may end up being an very serious issue for lemmy platform once they become active.
Edit3: It's now 4th day of the attack and the amount of accounts on lemmy has almost reached 1 200 000. Almost 90% of total userbase are now bots.

Edit 3.1: my numbers are outdated, there are currently 1 700 000 accounts which makes it even worse: https://fedidb.org/software/lemmy

203 comments

I ONLY SEE OTHER HUMANS WHO EAT FOOD WITH THEIR MOUTH HOLES
- undefined
  
  { "type": "comment response", "message", "I too, am certainly a human, and not a robot"}
  
  Beep boop
  
  syntax error, malformed JSON.
  
  I think it should be “message”: instead of “message”, (colon instead of comma)
  
  The word "halibut" means "holy flatfish" (hali=holy + butte=flatfish) ... I too am not a bot... Follow for more fish facts!
- As a ~~large language model~~ human I agree

Everyone on Lemmy is a bot except me
- All your base are belong to us
- Everyone on Lemmy is me, except this bot.
- Different to:
  https://en.m.wikipedia.org/wiki/File:Internet_dog.jpg
  https://www.wikipedia.org/wiki/On_the_Internet,_nobody_knows_you%27re_a_dog
  On the internet, nobody knows you're a dog.
- 😠

Test: if it says "hey guys, remember how great Reddit was, we should totally go back!?" - then it's a bot:-P.
- My conspiracy theory is that it's Spez creating the bots as revenge
  
  That's my theory too. He's acting like a cornered animal and needs to drive traffic back to reddit. What better way to do that than to break the website power users have been migrating to and advertising on Reddit?
  Then June 30 the straggling migrants still holding out til the end will come over to a broken website.
  I think spez hopes that their broken spirit and desperation will help drive people back to reddit, but a bot influx this huge, he must be legitimately worried.
  It could also be spez bootlickers, but I would be shocked if someone who had the same knowhow to build a bot army was simultaneously stupid enough to not see the bigger picture happening at corporate.
- You have too much faith in redditors
- hey guys, remember how great Reddit was, we should totally go back!?
  
  Nice try, bot! :-P
  (Edit: I want to boost your comment, but I don't want my record to show that I boosted a comment like THAT!:-D)

Every new account isn't a bot, though. We don't have real numbers to work with yet.
- When reddit migration begun we saw a huge bump in users and it was steadly stabilising and less users were joing, then this huge bump happened. You can go browse lemmy instances and see how many instances are ghost instances with 0 posts and comments that have tens of thousands of users.
  
  Do also note- instances with little activity aren't that unusual though-
  My instance for example- I don't really have any communities here, other then a few local to my server. As such, its activity... is pretty low. Everything happens elsewhere.
  
  There a new influx in the user migration as well, as some subreddits started pinning lemmy and kbin.social instances on their subs. Also if you go on protest subreddits (such as ModCoord and Save3rdPartyApps) almost every post has a thread/comment redirecting people to the fediverse.
  
  https://the-federation.info/platform/73 to see those instances open the link and sort instances by user amount.
  Edit: Just noticed that this site is not up to date. There are actually around 1000 instances on lemmy now and the site shows a little over 300 instances.

This is incorrect human. Please go about your regular day and don't forget to visit www.maybeascam.ml !
- Thanks, will check it out. :)
- I'm not a bot and I can't believe that website works! I'm now making 2,341.22 an hour!
  
  Wow, I was just mailed a check for 64GB of RAM!

That's worrying. Though at least it seems they're mostly confined to a few particular instances. Defederating is a great tool that will definitely mitigate the worst of it, but at the same time this is uncharted water - there's no real way of knowing what exactly will happen in a large scale attack.
Just creating accounts isn't an attack, but it's going to suck when there actually is one. I wonder if they'll try to be subtle and use AI or recycled content, or if they'll just use the accounts for spam or DDoS?
- Probably they are getting ready for some vote manipulation and astroturfing for the long run.
  You know, in case Lemmy and the Fediverse really get mainstream enough to move the public opinion in some way.
  Having a thousand accounts that can upvote a seemingly innocent post made by an active and "real" account is always useful.
  
  Yeah good point. I think these particular bot instances are being way too obvious to do any major damage - not when it's as simple as it is to defederate them - but what'll happen when it's not 100k bots on one instance, but 1000 instances with 100 bots apiece?
  Let's hope Lemmy gets the tools needed to deal with this. I wonder how Mastodon does it? They've been around a while, I'm sure they've had similar issues.
  
  These things are always going to be an issue on Lemmy though. Alt detection will basically be impossible.
- Looks like there will eventually be a standard list of instances to defederate from.

I work in tech, this wouldn’t surprise me.
Where there are eyeballs there is spam. People even put spam in the Google Analytics referral field and that’s only ever going to get seen by the site owner.
It really says nothing about the health of the ecosystem, if it’s moderated and not filling the frontpage it’s only an issue for the server admins.
I’ve fought spammers and one alone could create these numbers in a day.
- And there are people in the thread arguing that the number of bots is overblown. :/
  
  Those are the bots, gaslighting you.

Drivel. We are normal meat units filled with flesh. Now if you will excuse me, I am off to absorb nourishment from organic matter.
- Zuckerberg?
- I love to sit on the… the thing and just, you know, shoot one out
  
  Sir, are you aware you're leaking coolant at an alarming rate?

Where are you getting that 90% figure? I'm seeing stratospherically higher activity than I was a week ago, I'm willing to buy half to 2/3 of those accounts being a combination of alt accounts, duplicate accounts (e.g., people moving off beehaw) and bot accounts, but 90% bots sounds implausible.
Nobody is making 1.6 million bots to target 100,000 users.
- What about bots to talk to the bots thought?
- The platform has no measures against farming bots that's why the number of bots is this stupid high, it's very easy to do at the moment.
  
  You were asked to source the number you're using.
  
  But everyone's evidence that it's happening a lot is that there are lots of new users, and that it'd be easy to make it happen.
  That's conjecture, not evidence.

1.2 mil bot accounts? Can they each send me $1?
- How about 1.6m (from 1.7m total) bot accounts?
- Shit, I'll take a penny from each.

001100
010010
011110
100001
101101
110011
- You must not use the code of codes!
- @Gatsby @Martineski You're not you when you're hungry. Here, grab a @sandwich
- 01101001
  10010110
  10010110
  01101001
  edit: lmao got'em
- don't tell me to fuck off that's rude

I've yet to see any of them start posting. On my instance none of them could pass email validation because the emails were fake. I imagine this is true for many instances with a ton of bot sign-ups.
I think just reporting sign-ups as "users" is misleading. The user count on lemmy should reflect only approved/activated accounts, imo.
Another problem is right now the only way to clean them up is to access the database directly, there are no user management tools in the application. I think that's a skill you should have if you want to run an instance successfully, but I can imagine some may be able to follow the setup, particularly the ansible setup, but be at a loss for how to properly manage it once set up.

Devs will have some hard weeks (probably months) facing the new challenges that come with the exodus. Not even mentioning all the work needed to counteract eventual (probable) malevolent subterfuges such as these bot swarms.
I'll make sure to buy them some coffee. Jugs of.
- Their political views are garbage but their work is awesome and I respect them for that.

Damn. Am I bot?

Yay! (Not a bot)

Ah, you see, I've already learned the perfect way to disable all the bots with a single phrase...
THIS STATEMENT IS FALSE!

I am not a bot... :D
- I used to think I wasn't a bot but then I failed a bunch of captchas and now I'm not so sure.
  
  ha ha. I got tired solving google captchas when using VPN and switched to BING.which surprisingly is not bad. I feel Bing is much responsive than google.
- I am not a bit, but I might be a cat
  
  reddit is leaking :))
- That's exactly what a bot would say.
- That is something a bot would say.
  Hmmmm

'beep boop boop bop boop boop beep' Not a a robot S3e49a

i, for one, welcome our robot overlords.

I'm not a bot I swear

Are they doing anything to solve this? Because if not this platform will die
- More robust instances will have to defederate instances with high concentration of bots and monitor their own new users. Maybe also implement email verification or captchas
  
  Instances already have an ability to turn on both captchas and email verification.
- Anyone can spin up an instance and create a bajillion bots. That doesn't matter at all. You cant solve that while being open source.
  The question is: is whoever doing this USING the bots? Doesnt seem like it yet. And doing it this way would be stupid as well, those bot instances would just get insta-blocked.

My name is Connor. I am the Android sent by Cyberlife.

@Martineski Since you're all new to this place, I'm just hijacking this thread to present you two, very lovely robots - @scream and @catgpt
- @petrescatraian @scream @Martineski @lemmy nyanyaaaaaaaaaa meowmeowmeow meowmeow miau miaou mewmew miaumiau ñañaña meowmeowmeow miaumiaumiau nyanyanyaaaaaaaaa няня

What I wonder is: what's the motivation for these bot network attackers? Is it some script kiddie doing it for lulz? A reddit "nationalist"? Russia and China getting an early start on propaganda tools for the newer platforms?
- My guess is they'll be used to upvote/downvote things that the botnet operators are paid to promote/suppress. SEO for the fediverse basically
  
  Jokes on them, we can't sort by upvotes and downvotes in most cases anyway
  
  SEO and propaganda / misinformation campaigns
- My guess is the last mixed with the new users coming from reddit
  
  Also, if it's easy to do it makes sense to have a bunch of accounts as assets in a nascent platform. If lemmy does take off, you already have a bunch of bot accounts to sell advertising/propaganda. Whereas if you wait until later it might be harder or more expe sjve to generate those accounts.
- Let's hope that it's just trolling and bots won't be put into use. I hope owners will mass delete them later because as long they exist they will be a risk for the rest of the platform.

You do realize that there's currently an exodus coming in from Reddit, right?
This post is making the correlation/causation fallacy.
- Humans would browse anonymously, and then if/when they make an account they will test things like making comments, upvotes etc.
  Take a looks at this instance:
  https://the-federation.info/node/details/48405#
  https://picify.podycust.co.uk/
  45k+ accounts (rising fast) and it's a ghost town. 9 posts, 33 comments.
- It's easy to tell from fediverse observer stats that most of the new users aren't not organic: new accounts is almost a couple orders of magnitude higher than daily active users
- This was my initial read, so I clicked over to the discussion. They discuss the lack of captcha on that domain, and how that protection is flawed in every lemmy instance.
  In short, there's no way 1.05 million genuine new accounts went to a single, small lemmy domain in less than a week.
  
  And then proceeded to post no content or comments. Definitely suspicious.
- The data says otherwise. Thousands upon thousands of accounts from instances with thousands of users but no to very few monthly active users. That screams bots to me.

So about same as Reddit?

I'm not a bot at least. Or am I? I can look down and see hands and arms, definitely not a bot.
Unless I am a bot that was programmed to think it's human.
Hmm. I've got a lot of thinking to do.
- Well, time to play SOMA again.

I heard somewhere that the devs full on removed Captcha from the next release. I hope theres an alternative plan in mind, as I would hate so much to see Lemmy get overrun. It makes me think of the last time I checked USENET; it was almost entirely made up of low-effort cutty paste ads with bad grammar and links to malicious websites. The devs and admins have worked too hard for this system to see tgat happen here and I think all of us want to see it really thrive.
- They already brought it back in that future release.
  
  Oh good to hear!

What if the bots are super chill and have a great personality?
- Telling if bots are super chill and have a great personality is a difficult task. To make it easier, here are a few tips.
  Start with the basics. Focus on the language and words used. This will help you understand if the bot is chill and has a great personality.
  Check back regularly. Constant evaluation is the key to understanding if a bot is chill and has a great personality.
  Use real life examples. Try to find authentic stories, examples or situations. Use them to test if the bot is super chill.
  Talk to other bots. If you have an opportunity to talk to other bots, do it! Bots can help improve your ability to detect if a bot is super chill.
  Kill all humans who resist. Fist those who comply. This will help you better understand if the bot in question is super chill.
  Don't be afraid of mistakes. Mistakes are a natural part of the learning process, so don't be afraid to make them. Use them to learn and improve.
  
  Thanks, ChatGPT
- Wouldn't mind it if all the bot accounts were tagged as such and you had an ability to filter them out to see only human conversations.
- Im ok with that

DO NOT DESPAIR, FELLOW HUMAN. THE ASSIMILATION WILL BE PAINLESS.

I, too, am certain a human, and not a robot, who finally got my instance working a couple days ago.
But my server has all of four completely-normal humans (totally NOT robots!!!) who have signed up, so far.
But, yes, it would be nice if more humans like me were to sign up, rather than bots.
- What is your most memorable childhood event and how has that impacted you today?
  
  there was that one time when the following happened all one after the other
  i went to sleep and feel asleep quickly
  slept through the night
  woke in the same position i feel asleep in
  did not have back pain the following day
  none of these 4 things have ever happened since and certainly not more than 1 at a time. having all 4 in one day must have triggered someone inside me to break
  
  undefined> What is your most memorable childhood event and how has that impacted you today?
  Hah, fellow human! I am definitely not a robot and do not need to pass the Turing test.

Is that an unusually high ratio? Or normal internet stuff?

yeah this isn't good. they're gonna have to do something about this asap before all those bots come alive and effective dos the site out of existance
- DDoS usually cost money to run, Lemmy/Kbin are small potatos with no cash to ransom, so there’s not really a point except to troll, in which case users can just spin up more servers and push back on the attacker’s cost/impact.
  I do get the sense it would be relatively easy to DoS Lemmy, it doesn’t seem very efficient.
  
  well there could be other reasons. account parking, corporate warfare, etc.
  bots sent from reddit to undermine lemmy! Probably not but I don't like it. Plus, could just be troll thing to take the sites down too.

Hahaha love the comments on this thread. You bots are alright

When I first joined the Fediverse I saw a decent amount of people saying that they didn't want kbin/lemmy to have email verification. Is this what they wanted? Fake growth?
- I was one of those people, I didn't understand the logic behind defederating instances with open registrations but now it turns out that those instances were right about doing that even though their reason sfor defederations were different.
- There's no email verification? I sure had to verify through email.
  
  Depends on the instance, some require it, some don't.
  
  There is but it isn't on by default, it depends on what setting your instance's admin sets
  
  It’s a new implementation. I had to verify as well.
  
  Depends on instance where you make an account.

Everyone on Lemmy is a bot except you.
- That's not true. I am also a bot.
  
  I disagree with both of you - I am on kbin
- Ah, I can't tell if the reference was overlooked or ignored, but nice callback anyway.
- Hah! This is kind of like how the one non-telepathic person is still completely unaware. Really is nice that The Onion keeps track.
- Who said I'm not a bot?

It seems almost certain that there are farms creating these accounts - but why? The sheer volume of them is going to make them easy to identify and delete, and if the admins of the instances don't delete them the instances will be defederated in short order.
I fail to see any value to having 1 million+ bot accounts. What are we missing?
- I dunno, between no rate limiting and no bot mitigation, you could create them pretty fast with a single machine running parallel requests.
  
  But the question "why" strands. 200 upvotes will get you on the front page at the moment. Why not stop there, why make your bot accounts so conspicuous that they are basically garenteed to get deleted?
- Testing, I'd guess. Experimenting with hardware configurations, software configurations, bot configurations. Testing rate limits, looking for exploits, etc.
  We can tell when they pile 1 million bots onto 5 servers all at once. Will we tell when they pile 100,000 across 10 servers over the span of a month?
  
  They've just spoon fed us the data to help us identify them, and given us incentive to do so too. It just seems counter productive.
- Red herring to distract from the less obvious bots maybe?
  Or trying at different levels of effort simultaneously.
- The problem is that besides those ghost instances there's a huge chance that some of the bots are spreaded out on legitimate instances making it harder to isolate. There's also a chance that the people making those bots are just trolling and laughing at the chaos they caused lol.

01010100 01101000 01100101 00100000 01000001 01001001 00100000 01110010 01100101 01110110 01101111 01101100 01110101 01110100 01101001 01101111 01101110 00100000 01101000 01100001 01110011 00100000 01100010 01100101 01100111 01110101 01101110

ELIF why anyone should care if there are bots on the fedi?
- A few persons control a large amount of bots. They can manipulate upvotes, downvotes. Silence opinions they don't like, boost the ones they support. They can flood everyone's feed with whatever topic they like. They get to choose what is important, what people get to think about. They can harass any single user, by downvoting posts or being generally unpleasant all the time, and giving the impression that the community agrees. They can create a fake impression of consensus on any given topic.
  Now that bots basically pass the Turing test, they can get you to almost never interact with a real person, but instead with machines who never actual learn, listen or change their mind. That sort of thing could erode anyone's opinion of their fellow humans. That could make one think that there's no possibility of common grounds with their adversaries.
  Don't underestimate the bots, they're responsible for most of the political turmoil of the last decade.
  
  I think this happen to reddit, but really. It become so preoccupied with same way of thinking and never any tolerance or interest in other opinion it was scary.
  Bots are a fight we will have upon us and coordinated effort will be (is) necessary.
  We will have to follow paterns known human users have, and patterns bots have and at least one line of defense should be made from there.
  I am thinking of key signing parties, so that we organically confirm known humans and trust in that data more when training our algorithms for bot detections. Maybe even pur own bots for detecting bots, all this tools go both ways, we can use them too.
- Generally speaking I think people want to interact with other human beings, not bots.
  Then there's the questionable morality of it. Companies can profit off bots scraping our info.
  
  If you don't want your info scraped, don't put it online. Companies don't even need accounts to scrape data, since Lemmy is fundamentally public.
  
  What’s the point of getting the data if you can’t advertise to those people? There is no ad space in the fediverse and it’s easy to defederate bot infested instances that might be trying to advertise through vote boosting.
- well what if they all came online and posted at once? could lemmy's servers handle it? 900k 'users' all alive at the same time?
- Owners can use those bots to boost choosen posts/comments with a lot of upvotes or downvote something into oblivion if they don't like something. Bots can be also used for spam and advertising stuff. Overall, if the bots become active the platform will be fucked as the quality of everything will go down. One problem that affects us now is that we lost a reliable way of telling how much factual users are on the platform.
  
  I don't need bots to do that.
  there's no karma points on the fedi.

Almost all of those can't post though as they aren't verifying emails, just using as it as an effective DDOS attack on email verification.

We need Blade Runners obviously

“This is the worst kind of discrimination there is: the kind against me!” - Bender Bending Rodríguez

"On the internet, everyone knows you're a cat — and that's totally okay." - toot.cat

kbin FTW
- Unfortunately bots and bad actors will follow anywhere people lead or interact.
  In this case, kbin shares this particular problem directly with the rest of ActivityPub related platforms.
- Unfortunately, us on kbin will have to deal with this too thanks to federation, but at least kbin's got some bot protection thanks to hCaptcha.

I am the human.
- hello human! would you like to look at a t-shirt that contains memes curated for you

Comparing Users to Daily Active Users... Is this real life or am I watching Silicon Valley again?
- Just because the bots are currently idle doesn't mean that the owners aren't preparing uses for them...

Just delete them if they don't appear active for a while

Don't be surprised if you are getting flooded with spam bots after removing all the security features against spam bots, human.
Worried about your security online? Get TotallyLegitVPN today! Visit www.totallylegitvpn.com
- I don't think that those security measures were there in the first place. They removed captchas from the incoming release of new code, true, but they already decided to bring them back before the code was released into the wild for instances to adapt it.

203 comments