Testing custom code to fight spam registration on Mastodon

Hugo GameiroAnnouncements, Mastodon, SysAdmin

Registration spam is a tricky problem. The common solution is to present a CAPTCHA but I do understand the hesitation to implement them and I also don’t like it. CAPTCHAs are an ugly solution, they bring the burden of a problem to the end user and cause problems with accessibility. Also, creating a good CAPTCHA that is not dependent on third parties requires a lot of time and effort because it needs to continuously be improved and it’s a game of cat and mouse in an attempt to be one step ahead of spammers.

The Mastodon development team has implemented some features to try and reduce the impact or intensity of spambots. Things like validation of MX records, allowing admins to block email domains, offering an option to make registration require manual approval and they did help to some extent.

This past couple of weeks I have noticed a new form of spam registrations that have the potential to cause problems with MailGun, the SMTP provider where notification emails are sent from for most instances hosted with me. The failure rate of messages went from ~3% to ~8% and this will lower the reputation of the SMTP IP being used.

Everyday I am getting multiple reports caused by registration confirmation emails being sent to email addresses that are being bombarded with emails and being rejected with a message like “User is receiving mail too quickly”. I have notice that these attacks use a different IP for each registration and don’t repeat attacks using the same email address.

In an attempt to reduce this problem and see if I can save the SMTP IP reputation (or soon notification emails could end up in spam or being rejected altogether) I have decided to implement a couple of anti-spam techniques:

  • a registration form honeypot that is hidden by CSS
  • reject any registration attempt where the form is submitted faster than 3 seconds after page load.

You can find my custom v3.2.1 patched fork here. The development work was one more time done by Claire, again thanks for your help.

Finally, I have also implemented this Pull Request that will allow admins, that have approval required for sign up active, to have the option of making mandatory the invite request text and with an optional regex field to reject words or expressions that are regularly used to spam the request invitation form.