[Discussion] Protecting ourselves from bot instances

If you look at the top ~20 servers on fedidb, they are very clearly botswarms. Either intentionally set up that way, or accidentally due to turning off protections and not deleting users.

You can tell this because they have 70,000 registered users, but only 10 of them are active.

I believe we should pre-emptively defederate with botswarms before they're turned on. If the instance owners clear out the bots on their instances (like lemmy.ninja did) then they should be immediately refederated.

I don't know about you guys, but I don't want this place to be drowned in spam as soon as they're activated.

18 comments
  • I also agree that lemmy instances should defederate from botswarm servers. If they can clean themselves or prove they are not botswarms then refederate. But there is little to no benefit from allowing them to run amok.

    It's not even necessarily bot content that is an issue but bot swarms would dictate what content everyone sees through artificially altering the votes on content posted. It's one of the reasons people have been fleeing reddit and we don't want that here either.

  • I've expressed concerns about the potential effects of a bot-swarm before, and have had a few mildly constructive conversations about it. Here is a thread where I lay out a few of my concerns on the matter, but I'll copy the relevant text here for easier discovery.


    Me:

    I’m all for bots that are used as tools for the community, the invidious one seems pretty great too. A bit concerned about what the potential “bot army” on some of these instances will be used for going forward though.

    @AgreeableLandscape@lemmy.ml

    There is an option to hide bot accounts in your account settings. This is also why all bots must be tagged as such so people can choose if they want to see them or not, that’s the agreement with allowing bots on Lemmy for most instances.

    Me:

    I guess with that in mind, that brings different concerns into view for me. I’m wondering what proportion of this wave of bots have checked that option identifying themselves as such? If they’re good bots they will of course, but I’ve also read through posts of instance operators claiming they’ve gotten thousands of bot signups in hours, which doesn’t seem like good bot behavior to me. Are they likely to identify themselves as bots? Even if they did, would it matter? One example off the cuff, I should be able to filter bots from my feed and comments as you say, but what’s stopping them from upvoting / downvoting a specific group of users’ submissions and comments to the top of my hot feed, or upvoting / downvoting by keyword? If that happens en-masse you wouldn’t really be able to say that posts and comments are being ranked or discovered organically based on merit. While this sort of thing I suspect happens often elsewhere, it can serve to control the flow of information based on a single or small group of people’s will(s).

    That is just one of the more insidious possibilities that a bot-swarm could be used for. Spamming, scamming, brigading, and poisoning discussions en-masse are all possible with even a moderately sized number of bots with the technical ability to put them to use on a platform of this size.

    I've also seen announcement posts and the resulting post in The Agora covering the use of one tool (The Lemmy Overseer) that can help to automate the de/refederation of likely bot-infested instances. While I don't think the tool is going to deter particularly motivated actors, it should take care of the "low-hanging fruit" that is the tens of thousands of suspected bot accounts that have had no engagement on the platform since account creation. Instance owners take on a lot of responsibility when federating with others, just one of which is being responsible for securing their instance against automated signups. Once they take care of their bot problem they can become refederated automatically.

    TLDR: I think we should defederate botted instances preemptively. Automatic refederation is possible, and a Matrix channel for instance operators exists for discussing refederation as a fallback measure.

  • Aye, the only reason we haven't seen any damage yet is because they haven't been used against us yet. I don't know any positive reason for why someone would make 20k accounts on an instance. Those instances should be refederated once they solve that issue.

  • I generally agree, but it depends on the criteria used to identify suspected botswarm servers. I'd be okay with something simple like calculating an instance's (monthly active users) / (total users) = X and then defederate if X is below some very small value.

    The automated tool mentioned by @haxe11@sh.itjust.works sounds interesting in concept but I can't dig into the details at the moment.
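
Added example (not part of the thread, and not the code of any tool mentioned in it): a sketch of the (monthly active users) / (total users) check proposed in the comment above, run over constructed NodeInfo 2.0-style documents. The hostnames, the sample numbers and both thresholds are assumptions; the counts are self-reported by each instance, so a flag is a prompt for admin review, not proof.

```python
import json

# Constructed NodeInfo 2.0-style documents (sample data, not real instances).
SAMPLES = {
    "swarm.example": '{"software":{"name":"lemmy"},"openRegistrations":true,'
                     '"usage":{"users":{"total":70000,"activeMonth":10}}}',
    "healthy.example": '{"software":{"name":"lemmy"},"openRegistrations":false,'
                       '"usage":{"users":{"total":4000,"activeMonth":900}}}',
    "tiny.example": '{"software":{"name":"lemmy"},"openRegistrations":true,'
                    '"usage":{"users":{"total":12,"activeMonth":0}}}',
    "broken.example": '{"software":{"name":"lemmy"},"usage":{}}',
}

# Assumed policy values; tune them per instance.
MIN_TOTAL_USERS = 1000     # below this the ratio is too noisy to act on
MIN_ACTIVE_RATIO = 0.005   # threshold for X: 0.5% monthly-active


def classify(nodeinfo_json):
    """Return (verdict, ratio) where verdict is 'flag', 'ok' or 'unknown'."""
    try:
        users = json.loads(nodeinfo_json)["usage"]["users"]
        total, active = int(users["total"]), int(users["activeMonth"])
    except (ValueError, KeyError, TypeError):
        return "unknown", None          # missing or malformed stats: review by hand
    if total <= 0 or active < 0 or active > total:
        return "unknown", None          # self-reported numbers that cannot be right
    ratio = active / total
    if total < MIN_TOTAL_USERS:
        return "ok", ratio              # small instance: do not act on the ratio
    return ("flag" if ratio < MIN_ACTIVE_RATIO else "ok"), ratio


def review(samples):
    """Classify every instance; flagged ones are candidates for defederation."""
    return {host: classify(doc) for host, doc in samples.items()}


if __name__ == "__main__":
    for host, (verdict, ratio) in sorted(review(SAMPLES).items()):
        shown = "n/a" if ratio is None else f"{ratio:.4%}"
        print(f"{host:18} {verdict:8} active/total={shown}")
```

The minimum-size guard keeps a new or hobby instance with a handful of idle accounts from being treated like a 70,000-account instance with 10 active users.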

  • I'm not very well versed in how all of this works or what the consequences of a defederation are (besides, you know, not getting to see its content anymore). But an instance with such an odd composition of users and active users should be watched with suspicion. I don't know if immediate defederation is the best solution, but it might be a good idea to have some kind of policy ready should suspicions be proven to be true?