LemmyNet / lemmy

🐀 A link aggregator and forum for the fediverse
https://join-lemmy.org
GNU Affero General Public License v3.0

Bring back Captcha #3200

Closed ruudschilders closed 1 year ago

ruudschilders commented 1 year ago

Requirements

Is your proposal related to a problem?

We just had a spam wave. I enabled captcha to prevent the automated spam signups. Has helped on mastodon as well.

The spam accounts didn't get verified, but they caused the e-mail to be blocked for this domain, because they used non-existent Gmail addresses. That's why the captcha would be a good extra step.

(Account approvals aren't useful with a few thousand new accounts per day.)

Describe the solution you'd like.

Bring back captcha.

Describe alternatives you've considered.

Mail verification doesn't always work, and in this case it got my mail for the domain blocked. Approvals are too much work for a big server.

Additional context

No

sunaurus commented 1 year ago

Related to #2922

RGBok commented 1 year ago

Cannot stress this enough. Captchas saved my server just now from getting spammed. I had over 800 spam signups overnight and after I enabled captcha it stopped. Whoever is doing this is an amateur that can't use captcha-bypassing bots, but that's the purpose of captcha in my opinion: to mitigate spam from at least some bad actors. Of course it won't stop the more experienced spammers with captcha-bypassing bots, but it should be kept.

dessalines commented 1 year ago

See #2922, captchas will not stop those signup bots, we know from experience, because someone has written a signup bot that can bypass them. You need to turn on registration IP rate-limiting.

ruudschilders commented 1 year ago

But they are all from different IPs. So IP rate-limiting wouldn't work. I know captchas don't keep all out. But they keep out a fair deal. So what's the downside to keeping it in?

ctsrc commented 1 year ago

Two days ago I had 6 users on my instance. Today I have 669. I don't even need to look at any logs to tell that this is obviously a whole bunch of bot users that have been created.

Captcha is necessary in order to fend off these bots.

If we don't, the spam bots will kill Lemmy just like spam bots killed Usenet discussions years ago.

sunaurus commented 1 year ago

As an alternative to captchas, I have a lot of faith that an invite system would be a great help in fighting against bots (#1777) - especially if users need to be active in order to replenish their invites. Maybe that would be a better solution going forward?

maltfield commented 1 year ago

See also this feature request to implement hashcash as a better alternative to graphical CAPTCHAs.

captchas will not stop those signup bots...You need to turn on registration IP rate-limiting.

Rate limiting by IP is bad for users who need to use tools like VPNs or Tor Browser to access the internet safely. Please consider adding support for hashcash to rate-limit by session instead of by IP Address as it's better for at-risk users.

sunaurus commented 1 year ago

Seems the current bot wave is increasing quickly, and mostly on instances with captchas disabled. So it seems that the captcha is definitely acting as a deterrent in the current wave.

Every new instance that appeared in the top here today has captchas disabled: https://lemmy.fediverse.observer/list

th3raid0r commented 1 year ago

I'm really not liking the Lemmy Devs pushing back on the community so hard here. I assure you, the quickest way to get a fork of the project will be to anger everyone who runs an instance because your opinion on security has a measurable impact on our time.

This is my comment in support of this feature, but it's also a rallying cry if y'all choose not to return the feature leaving us admins only with options like Cloudflare and Imperva to protect the fediverse from spam.

If this feature is not returned, I commit to forking this project, reverting the change myself, and getting it to other concerned instance admins. EDIT: Until a better solution is implemented.

Double Edit: No more issues here. The devs will accept a roll back PR (arguably easier to deliver than a new solution) and commit to ensuring it's in v0.18. I feel that this is a completely acceptable way to move forward that is aware of the downstream impacts on the greater fediverse. That addresses all of my concerns - thank you for listening to us!

maltfield commented 1 year ago

@th3raid0r the devs have already supported the idea of adding mCaptcha support, which is a better alternative to graphical CAPTCHAs (both mathematically and heuristically).

Instead of forking, why not just submit a PR for mCaptcha? They already said they'll accept it.

SteveDinn commented 1 year ago

According to one admin, most of the wave of recent new users has been spam accounts: https://geddit.social/post/25346

cloventt commented 1 year ago

Re: a comment in #2922 :

Unfortunately captchas don't stop those signup bots either.

Not so sure about this... our instance got hit with a huge pile-on of bot-accounts yesterday, and enabling the CAPTCHA instantly stopped the influx.

I +1 implementing something privacy-protecting like HashCash or mCAPTCHA as options. But in the meantime I think removing the existing solution was probably premature.

TOoSmOotH commented 1 year ago

Just to pile on here, we had a bunch of bots registering today and enabling captcha put a stop to them as well. I honestly think that this should stay in until a better solution is in place. It's not perfect, but it is better than nothing even if it's not the ideal solution. This will buy some time until something else is out there.

Nutomic commented 1 year ago

Based on this feedback I agree that captchas should be restored. They are far from perfect, but it's still better than allowing account creation with a simple POST request. There are other options, but captcha is already supported in lemmy-ui, and will be faster to reimplement.

If someone could write the code it would be very helpful, as we barely have time for that anymore. You can check out the tag 0.17.4 and grep for captcha-related code there. Note that captcha uuids and answers were stored in-memory in the websocket server, which is removed now, so it's necessary to add a new database table for captchas.
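The session-bound proof-of-work that maltfield proposes above, backed by the kind of single-use, expiring server-side record Nutomic says a captcha table would need, as an added illustration that is not Lemmy's code: the in-memory dict standing in for the table, the function names and the 16-bit difficulty are assumptions.

```python
import hashlib
import os
import time
from typing import Optional

DIFFICULTY_BITS = 16         # leading zero bits the client must produce (assumed value)
CHALLENGE_TTL_SECONDS = 300  # issued challenges expire, as a captcha row would

# Stand-in for the database table: one row per issued challenge, holding the
# signup session it was issued to, its expiry, and whether it has been spent.
_challenges: dict = {}


def issue_challenge(session_id: str, now: Optional[float] = None) -> str:
    """Server side: mint a random challenge id bound to one signup session."""
    now = time.time() if now is None else now
    challenge_id = os.urandom(16).hex()
    _challenges[challenge_id] = {"session": session_id,
                                 "expires": now + CHALLENGE_TTL_SECONDS,
                                 "used": False}
    return challenge_id


def _leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def _digest(challenge_id: str, session_id: str, nonce: int) -> bytes:
    return hashlib.sha256(f"{challenge_id}:{session_id}:{nonce}".encode()).digest()


def solve(challenge_id: str, session_id: str, bits: int = DIFFICULTY_BITS) -> int:
    """Client side: brute-force a nonce whose hash has `bits` leading zero bits.
    The cost scales with 2**bits per signup attempt, regardless of source IP."""
    nonce = 0
    while _leading_zero_bits(_digest(challenge_id, session_id, nonce)) < bits:
        nonce += 1
    return nonce


def verify(challenge_id: str, session_id: str, nonce: int,
           now: Optional[float] = None, bits: int = DIFFICULTY_BITS) -> bool:
    """Server side: one hash to check; rejects unknown, replayed, expired or
    cross-session proofs, and marks a good proof as spent."""
    now = time.time() if now is None else now
    row = _challenges.get(challenge_id)
    if row is None or row["used"] or row["session"] != session_id or now > row["expires"]:
        return False
    if _leading_zero_bits(_digest(challenge_id, session_id, nonce)) < bits:
        return False
    row["used"] = True  # a proof can be spent once, like a captcha answer
    return True
```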

ForbodingAngel commented 1 year ago

I think it's safe to say bots have pretty much beaten captchas, and they're not very useful for signups anymore. We might as well remove them. Registration applications and email verification are already in place anyway.

No offense, but this take is a bit braindead imo. Captcha aren't perfect, that is correct, but they do serve as a barrier.

Consider the swiss cheese approach to signup security where you have captcha as one layer, email verification as another, and signups as a third.

Individually, each one has holes, but if you put them together, each layer catches things that another misses. Is it perfect? No, but it's pretty damn good.

Don't let perfect be the enemy of good.

maltfield commented 1 year ago

@ForbodingAngel I think the argument you want to make is Defense in Depth

dessalines commented 1 year ago

One note, is that captchas (and all signup blocking methods) being optional, it still won't prevent people from creating bot-only instances. The only effective way being to block them, or switch to allow-only federation.

Once people discover the lemmy-bots that have been made that can bypass the previous captcha method, it also won't help (unless a new captcha method like the suggested ones above are implemented).

cloventt commented 1 year ago

@dessalines I agree, but in that situation the responsibility falls on instance admins to blacklist bad-acting instances from federation.

For admins who want to maintain a good reputation in the 'verse, there needs to be multiple layers of tools available, with admins able to select which combination of them they think is appropriate for their instance.

lightrush commented 1 year ago

Standing up an instance is pretty trivial, automatable and fast. If I were a spammer, I'd have a preseeded db with thousands of users or a data seed script that adds them to my instance. If I can create one instance an hour, blacklisting will quickly become unsustainable. I can probably add them faster than that. This is an interesting attack vector to the system and it makes me think that allow-only federation will inevitably become the norm for most instances.

maltfield commented 1 year ago

@lightrush what you're describing can happen with email, but we don't have allow-only email. Rather, I think shared blocklists are healthier than allow-only federation. This is how email works.

Is there already an apolitical organization in the Lemmyverse Fediverse that maintains a list of instances that are rife with spam (and only spam)? Like RBLs, I think there should be a well-documented & reasonable process for rebuilding reputation and removal from the RBL as new lemmy instance admins get a handle on how to control spam emanating from their instance.

lightrush commented 1 year ago

Sure. Shared blocklists could do it. Individual admins on every instance doing their own blocking however sounds impractical. If a shared blocklist system or protocol isn't established before the spammers fire up, I think admins are likely to resort to allow-only. Of course any of these scenarios will evolve.

E: I see you already started mulling over the protocol. :D E2: And someone's already doing an implementation.

Zetaphor commented 1 year ago

This should probably be closed and further conversation moved to a discussion. This was resolved with #3249

awdsns commented 1 year ago

Unfortunately the merge of #3249 was reverted, new PR #3289 not merged yet as of writing.

Nutomic commented 1 year ago

This is already included in 0.18.1-rc.1