social-discuss

Re: I stopped open registration for gnusocial.jp by DoS attack.


From: Administrator de Gnusocial.net
Subject: Re: I stopped open registration for gnusocial.jp by DoS attack.
Date: Thu, 29 Dec 2022 23:35:57 +0100

On Thu, 29 Dec 2022 10:49:21 +0900
"SENOO, Ken" <develop@senooken.jp> wrote:
> Administrator de Gnusocial.net
> 
> Thanks for the advice. It seems RegisterThrottle is enabled by default and
> does not work...

Maybe tweaking the values? I've never had such an influx that made it
work...

> 
> Is Autosandbox valid? Spam bots can post locally a lot.

Sure; accounts being sandboxed means that they are not seen in public
timelines by visitors. The more visible spam accounts you have, the
more will come, as they see there is no moderation in the place.

And, of course, then you have to remove those accounts :)


> 
> I try RequireValidatedEmail.
> 
> If he is busy and cannot maintain it, I think he had better step down.
> If he cannot work on it, he should switch to another person. If the head
> person does not work, the project does not work, in general.
> 
> I also work full time, but I have updated my site every day for 2 months.
> 
> I do not mention https://codeberg.org/GNUsocial/gnu-social,
> because this is not the official repository (no announcement) and it is
> not fair. The current official one is notabug.org.

The one in notabug is the official v2 repo; the one in codeberg is the
official v3 repo, as you can see by clicking on the official web page,
at https://www.gnusocial.rocks/v3/

> 
> Firstly, I think developers should use GNU social (their own product)
> themselves.
> 
> I will wait for objections or replies from them. But I think
> developers do not check chat and this mailing list. I check the mailing
> list and chat almost every day, but developers do not mention at one
> since September. So I think they would not reply, or ignore me.
> 
> I think all current developers are students (kids), with no working
> experience. And they would use their own closed chat only. People
> cannot see and join them.
> 
> I hear some opinions. Interested users cannot join GNU social
> development under the current conditions.
> 
> 
> On 2022/12/29 0:00, Administrator de Gnusocial.net wrote:
> > In case that it is useful to you:
> >
> > - Enable "Autosandbox" plugin, so new accounts are sandboxed by
> >    default (they don't appear in public timelines) until an admin
> >    un-sandboxes them.
> > - Enable "RequireValidatedEmail" plugin, so only accounts with
> > verified email can post.
> > - Enable "RegisterThrottle" plugin, so spam accounts registration is
> >    mitigated.
> >
> > I don't know any mitigation against "Password reset e-mail bomb",
> > but those plugins really help against the other two.
> >
> > Besides that, there's something else about moderating large servers
> > (I don't know the number of accounts as your nodeinfo does not say
> > it, but fedidb.org says you have 154): you need more people,
> > besides you, to moderate, even if we are talking only about
> > mitigating spam accounts, and that need will increase with the
> > number of accounts you host. This is not a technical issue, but a
> > social one.
> >
> > About the harsh words about the developers: Diogo has said before
> > that he is busy right now, and that efforts are being put into
> > version 3 of Gnusocial, as you can see in
> > https://codeberg.org/GNUsocial/gnu-social I don't really get the
> > complaint against Spookie, so I won't comment on that. Anyway, I
> > think it is quite unfair to say what you are saying.
> >
> >
> > On Wed, 28 Dec 2022 23:31:03 +0900
> > "SENOO, Ken" <develop@senooken.jp> wrote:
> >> I stopped open registration for gnusocial.jp by DoS attack.
> >>
> >> I posted about this in [Notice: DoS attack on gnusocial.jp and
> >> web.gnusocial.jp joining the decentralized SNS | GNU social
> >> JP](https://web.gnusocial.jp/post/2022/12/28/341/).
> >>
> >> My server gnusocial.jp is damaged by a DoS attack with the following contents.
> >>
> >> - Password reset e-mail bomb.
> >> - A lot of registrations from bots.
> >> - A lot of posts by bots.
> >>
> >> I am not familiar with security. So I stopped open registration for
> >> gnusocial.jp.
> >>
> >> gnu social has weak security functions. General registration
> >> reception is dangerous if targeted by attackers.
> >>
> >> By the way, recently, I posted these articles.
> >>
> >> - [Notice: gnusocial.jp becoming the largest publicly open server
> >> on GNU social | GNU social JP](https://web.gnusocial.jp/post/2022/12/19/306/)
> >> - [Return of the Qvitter author to GNU social | GNU social
> >> JP](https://web.gnusocial.jp/post/2022/12/26/320/)
> >>
> >> I started gnusocial.jp on 2022-07. gnusocial.jp became the largest open
> >> registration GNU social server (surely have many sleeping and spam
> >> accounts). Server cost is only 1.5 USD (220 JPY) per month! This is
> >> the power of GNU social.
> >>
> >> gnusocial.jp is also the only server using Qvitter/Pleroma FE on
> >> GNU social v2. And Qvitter author Hannes Mannerheim is back on GNU
> >> social (<https://gnusocial.jp/hannes>)!
> >>
> >> This is my result of activity.
> >>
> >> If you are developers, you should use GNU social firstly.
> >> Apparently, spookie <https://outerheaven.club/users/spookie> uses
> >> mainly Pleroma/Akkoma (not GNU social!). I think if you do not use
> >> GNU social, you are not developers.
> >>
> >> Diogo, you do not merge, and ignored my PR
> >> <https://notabug.org/diogo/gnu-social/pulls/293>. I am very sad and
> >> disappointed in you.
> >>
> >> In my first article, new GNU social servers started (social.076.moe,
> >> gnusocial-v2.cyberrex.jp). They are my acquaintances. I think these
> >> are my result of activity. And they would have the same issue for my
> >> PR. If you merged my PR, they would not have the same problem. I think
> >> developers should stand as users firstly.
> >>
> >> Why did you ignore me? I think if you have no passion, you had
> >> better step down as development leader, the same as Evan Prodromou and
> >> Matt Lee.
> >>
> >> I think money is the center pin (top priority) for continuing
> >> development. PeerTube also has the same money trouble ([News: Release
> >> of PeerTube v5 | GNU social
> >> JP](https://web.gnusocial.jp/post/2022/12/15/298/)).
> >>
> >> If we have enough money, we can employ by myself. Mastodon=Eugen
> >> Rochko succeeded in earning money with his Patreon.
> >>
> >> Do you have business/strategy/idea? If you have none of them, you cannot
> >> continue GNU social. I think donation is not enough. No activity,
> >> no life. People assume GNU social is dead if you have no activity.
> >>
> >> I started my business on web.gnusocial.jp. I have kept updating my site
> >> every day for at least 2 months. This year 2022 is the starting year.
> >> Surely I have no money now. I will start making money on 2023. I
> >> have some business ideas.
> >>
> >> I appreciated supporting ActivityPub on GSv2 on you. It is OK for
> >> ignoring/refusing me.
> >>
> >> If my business succeeds (success of employing myself), I will start
> >> a new GNU social site and continue developing GNU social alone,
> >> and gather new developers. If it is a success, you cannot catch
> >> up with me. I am an associate FSF member
> >> (https://www.gnu.org/thankgnus/2022supporters.html) also. I am
> >> serious.
> >>
> >> Hannes gave up because western countries were not interested in
> >> DSNS. Globally, Japan is the most active and important country for
> >> decentralized SNS (https://fedidb.org/network, pawoo.net/mstdn.jp are
> >> Japan). And I am the only Japanese for current GNUsocial relating. If
> >> we have success in Japan, we have success in the world.
> >>
> >>  
> 

Attachment: pgpg4iowd2Cwg.pgp
Description: OpenPGP digital signature

