Spam attack on Twitter/X rival Mastodon highlights ‘fediverse’ vulnerabilities

A spam attack that impacted the open source X rival Mastodon, Misskey and other apps highlights how the decentralized social web, also known as the fediverse, is open to abuse. Over the past several days, attackers have targeted smaller Mastodon servers, taking advantage of open registrations to automate the creation of spam accounts. Mastodon founder and CEO Eugen Rochko confirmed the attack in a post over the weekend, adding that Mastodon server administrators should switch over registration to approval mode and block disposal email providers to help combat the problem.

While this is not the first spam attack that has impacted the Fediverse, Rochko notes that only larger servers like Mastodon.social had been targeted previously. As that server is run by Mastodon’s own team, they’ve been able to mitigate those attacks themselves. What’s different this time is that the spammers targeted the smaller and even abandoned servers offering open registration, allowing the bad actors to quickly create accounts and generate spam.

Image Credits: Eugen Rochko on Mastodon

This particular attack, which was fully automated when the attackers learned they could script spam, was caused by a dispute between two sides on Discord, where one side was trying to get the other side’s Discord server banned, according to reports on Mastodon. (More details on that here.) Many of the spammers’ other targets weren’t Mastodon alone — they were also targeting Misskey. (Misskey is an open source, decentralized blogging platform that uses the ActivityPub protocol, like Mastodon, Pixelfed, PeerTube and others, allowing its users to interact with those on other federated social platforms.) As the origins of the spam seem to be a Japanese forum, many of the targets were also in Japan.

The spam attack highlighted one of the weaknesses that comes with how the fediverse is structured. Mastodon is open source software that anyone can install on their own server, essentially establishing their own instance, or node, that connects with other federated social networking servers, powered by the ActivityPub protocol.

Because Mastodon’s smaller servers are often hobbyist projects run by enthusiasts they were vulnerable to this sort of attack. If the server admins were not paying attention to their servers on a daily basis and had offered open registrations, they were likely victims of the spam.

Or as one server admin, @Chris@mastodon.cosmicnation.co remarked, “Some instance admins got reminded that they had an instance. And we also learned there are A LOT of abandoned instances out there with their door wide open for registration without approval.”

Over the past several days, server admins worked together to create ongoing lists of abandoned instances that other admins could use as a basis for a blocklist to protect their own users from the spam attacks. Many servers were simply shut off as their admins decided it would be easiest to wait out the attack or abandon Mastodon altogether.

The popular third-party Mastodon app Ivory, from Tapbots, released an emergency update that included a custom filter dubbed “Potential Spam,” in its Filter tab that would allow users to mute spam mentions. Impacted users could turn this filter on to catch most of the spam, but they weren’t able to stop spam push notifications, the company said.

The attack appears to be winding down as of this morning. Technologist and researcher Tim Chambers (@tchambers@indieweb.social) noted that today was the first day in four days that he had less than 40 spam accounts to suspend on the server he admins, for instance. Mastodon tells TechCrunch that on active servers with a reactive moderation team, Mastodon has multiple tools to prevent automated account registration, including approval mode, CAPTCHAs and various blocking tools, so the attacker has been handled very quickly. It also noted that the spam attack was winding down as the two hacker groups have apparently made peace.

While some saw the experience as a positive for the social network and the wider fediverse, as it revealed a weakness that could now be discussed and addressed, others were angry about the experience and Rochko’s lack of response in the early hours of the attack.

“This is ruining my Mastodon experience for me. It makes me want to walk away and give up,” wrote one Mastodon server admin sam@urbanists.social. “And Eugen’s continued silence on the problem doesn’t help with that,” they said.

Mastodon’s CTO Renaud Chaput said the attack will prompt the company to improve its software.

“At the moment, there are no good built-in tools to handle this, as this is a complex issue — federated networks are not easy! — but we have many ideas on how to improve our spam and abuse-fighting features,” he said. “Those will be worked on during the upcoming months. We are always working on improving the software (the last release introduced optional captcha support). Another measure we took today is switching the setting for new instances so they are not wide-open by default, and added a banner to remind admins that fully open instances need to be actively moderated, so this needs to be a careful decision by the admin,” Chaput added.

Since the arrival of Instagram Threads, another Twitter/X competitor that also plans to federate by using ActivityPub, Mastodon usage has been trending down.

In October of last year, Mastodon had grown to include around 1.8 million monthly active users. By the time Threads launched publicly, it had dropped to 1.5 million. As of this month’s public launch of Bluesky, another decentralized social network based on a different protocol (which means it’s not part of the same fediverse, at least until a bridge is built), Mastodon usage had dropped to 1 million monthly active users.

That’s where Mastodon usage remains today, according to the company’s homepage. The broader fediverse, which includes Mastodon and other apps, has around 2.9 million monthly active users. Threads’ entry into this space will dwarf other Mastodon servers and could lend Meta’s technical expertise in areas like spam prevention, but many are concerned that Meta’s ultimate goal will be to essentially take over the fediverse by becoming the default client that users choose and using its significant resources to scale adoption of Meta’s app.

Updated 2/20/24, 1:31 p.m. ET to add Mastodon CTO comment