Spam signups on a lone fediverse server

One of the sites that I host is a PeerTube instance, scitech.video. It’s not a particularly active place. The policies are intentionally draconian, mostly to simplify my job as the sole moderator. This doubtless puts off some potential users and that’s fine by me. Existing members haven’t uploaded any videos for a while so it’s very much on the fringes of the fediverse.

Of course, spammers and their scripts aren’t bothered by whether a given target is obscure. When I have user registrations open I get around ten profiles like these created per day:

They’re always about random small businesses and websites so I presume a shady marketing firm is trying to do SEO. I don’t believe it’s well-targeted though. Unless the user uploaded a video on their channel (which I would have to moderate first) I don’t think these profiles are accessible from the public PeerTube frontend. You could probably query these users via ActivityPub from Mastodon or something but I don’t see why anyone would do that. At a guess, the scripters responsible don’t even know what the fediverse is and my site has been caught up in their signup spray.

What I find most interesting is that all of these accounts have no problem providing verified email addresses. They are unique and most of them are from mainstream email providers. 90+% of them are from gmail.com. When it comes to my little website, this is using a sledgehammer to crack a walnut. You could use any dodgy anonymous mailer, or abuse + suffixes, or vary the placement of dots in your Gmail address (Gmail ignores them) to turn a single Google account into any number of distinct addresses. (I did once have a spammer using that last trick.)
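A small defender-side check for the aliasing trick mentioned above: collapse Gmail dot and plus variants to a single key and flag registrations that share it. This is an added example, not code from this post or from PeerTube; the sample addresses are constructed, and treating a "+suffix" as an alias on non-Gmail domains is an assumption.

```python
"""Canonicalise signup e-mail addresses so that Gmail dot/plus variants of one
mailbox collapse to a single key, then flag addresses that share a key."""
from collections import defaultdict

# Gmail ignores dots in the local part, discards a "+tag" suffix on delivery,
# and treats googlemail.com as an alias of gmail.com.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return a key under which alias variants of the same mailbox coincide."""
    local, _, domain = address.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    # Assumption: "+suffix" is treated as an alias for every provider (a common
    # convention, not something every mail host guarantees).
    local = local.split("+", 1)[0]
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def find_alias_clusters(addresses):
    """Group addresses by canonical key; return only keys with more than one variant."""
    clusters = defaultdict(list)
    for addr in addresses:
        clusters[canonical_email(addr)].append(addr)
    return {key: variants for key, variants in clusters.items() if len(variants) > 1}


# Constructed sample of registration addresses (not real signups).
SAMPLE_SIGNUPS = [
    "john.smith@gmail.com",
    "johnsmith+seo1@gmail.com",
    "J.O.H.N.Smith@googlemail.com",
    "maria.lopez@gmail.com",
    "bob@example.net",
    "bob+promo@example.net",
]

if __name__ == "__main__":
    for key, variants in find_alias_clusters(SAMPLE_SIGNUPS).items():
        print(f"{key}: {len(variants)} variants -> {variants}")
```

Note that this only catches one account masquerading as many; it does nothing against the genuinely distinct Gmail accounts described above.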

With signups coming from legitimate-looking Gmail accounts there is very little I can do on my own. If I wanted to automate protection against this sort of thing I would have to hook into some sort of distributed address-reputation system across lots of different servers. Maybe it would be effective, maybe it wouldn’t, and maybe it would cause problems for legitimate potential users.

So the idea of email verification as a way to prevent spam is long gone. It’s probably been the case for a long time on serious websites, but when it gets so bad that spammers are impudently using large numbers of accounts from relatively trusted domains to deface obscure websites in a way that is completely ineffective… it’s clearly game over.

And that sucks for the independent web in general. I wish I could host a website like this one without having to deal with this background noise, and without having to put roadblocks in the way of legitimate users. I’ve disabled user registrations and added a note that a user should email me if they want an account.

The good news is that this isn’t a major problem for the fediverse at large. The ratio of administrators to users is much less lop-sided than on the centralised providers. Imagine if YouTube had humans evaluating each request for a new publishing account—it is impossible for them. With PeerTube it doesn’t matter if my instance is “human-scale”. It doesn’t matter if every instance is human-scale, provided there are enough instances and enough humans. We have the option to embrace a more hands-on approach to solving problems, while continuing to let the network grow. That’s something the centralised services can’t do, not on their shareholders’ watch.