
Mastodon :marseynerd2: is being spammed to death by Japanese :marseychingchong: high schoolers and there is nothing that can be done about it

Spammers are just creating accounts on instances that have no registration verification and creating thousands of posts that ping random people with images. The spam seems to originate from a group of Japanese script kiddies that just wanted to vandalise Misskey and now every instance is getting false-flag spam messages from thousands of accounts over thousands of instances.

https://i.rdrama.net/images/17083094243351407.webp

The details are actually a bit fuzzy since it's all speculation outside of some discord screenshots and the spam that is actually sent, but it doesn't matter in the grand scheme of things. Since there's like thousands of tiny instances and nothing stops spammers from just making their own, the only guaranteed solution right now is to make a whitelist of servers that moderate account registration. I made one post on an irrelevant instance earlier and got three of these spam messages from different accounts on different instances.

https://mastodon.social/@Gargron/111953045633249137

There is an ongoing spam attack on the fediverse for the last couple of days. It's more widespread than before, as attackers are targeting smaller servers to create accounts. Before, usually only https://mastodon.social was targeted and our team could take care of it. For server administrators out there: If you don't need open registrations, switch over to approval mode. If you do, blocking disposable e-mail providers is a massive stopgap to the problem. Mastodon also supports hCaptcha.

I just have to point out that all of this is being done by a community of 12-15 year olds because ActivityPub is shit actually :marseylaugh:. The script to test for open registration nodes is literally this:

export async function isNoCapNoMail(host: string, softwareType: string) {
  if (softwareType !== "misskey") {
    return false;
  }

  const endpoint = `https://${host}/api/meta`;
  try {
    const res = await fetch(endpoint, {
      method: "GET",
      headers: {
        "Content-Type": "application/json",
      },
    });

    const json = await res.json();

    if (json["emailRequiredForSignup"]) {
      return false;
    }

    if (
      json["enableHcaptcha"] ||
      json["enableMcaptcha"] ||
      json["enableRecaptcha"]
    ) {
      return false;
    }

    return true;
  } catch {
    return false;
  }
}

Someone's definitely improved this by now since it does more than just Misskey, but you get the point. Just imagine the damage someone could do with an integrated captcha solver. Most ActivityPub software doesn't have any kind of middleware for handling incoming messages and maybe dropping them based on filters, but that'll probably change soon.

More rumours elsewhere

I have found some more information on this CPTK, the japbros probably already knew but uhh:

  1. They're just skids :marseyhacker:

  2. Most of them are like kids (literal 11-14 year olds) :carpemo:

  3. They have done many raids in the past, they DDoS'd 2chan back in 2022 and they've taken legal action against them :marseygrouns:

  4. Their old group imploded due to infighting :marseymushroomcloud:

  5. According to the Karasawa Wiki (yeah that lawyer who got doxxed like 100 times for being a 2chan troll), their leaders have been doxxed, MULTIPLE times. And they're all kids. :marseypedobear:

Anyway good luck to Bluesky on their fediverse integration lol

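The inbound filtering the post says most ActivityPub software lacks, combined with its allowlist idea, as an added example that is not part of the original post or of any project's code. It assumes the sender's actor URL has already been authenticated by the receiving server; `Policy`, `filterInbound`, `isFollowedLocally`, the thresholds and all hosts are hypothetical.

```typescript
// Added example, not code from the post. Field names follow ActivityStreams;
// the Policy shape, thresholds and isFollowedLocally lookup are assumptions.
type Activity = {
  type: string;
  actor: string; // assumed already authenticated by the server's signature check
  object?: {
    type: string;
    tag?: { type: string; href?: string }[];
    attachment?: { type: string; mediaType?: string }[];
  };
};
type Policy = {
  allowedHosts: Set<string>; // instances known to moderate registration
  maxMentions: number; // mentions tolerated from any other host
  isFollowedLocally: (actor: string) => boolean; // hypothetical follow-graph lookup
};
type Verdict = { action: "accept" | "reject"; reason: string };
function filterInbound(activity: Activity, policy: Policy): Verdict {
  // Strict host match: userinfo tricks such as https://good@evil/ fail to parse.
  const m = /^https:\/\/([a-z0-9.-]+)(?::\d+)?(?:\/|$)/i.exec(activity.actor);
  if (!m) return { action: "reject", reason: "unparseable actor" };
  if (policy.allowedHosts.has(m[1].toLowerCase()))
    return { action: "accept", reason: "allowlisted host" };
  const note = activity.object;
  if (activity.type !== "Create" || !note || note.type !== "Note")
    return { action: "accept", reason: "not a new post" };
  if (policy.isFollowedLocally(activity.actor))
    return { action: "accept", reason: "followed by a local user" };
  const mentions = (note.tag ?? []).filter((t) => t.type === "Mention").length;
  const hasImage = (note.attachment ?? []).some((a) =>
    (a.mediaType ?? "").startsWith("image/"));
  if (mentions > policy.maxMentions)
    return { action: "reject", reason: "mass mentions from unknown host" };
  if (mentions > 0 && hasImage)
    return { action: "reject", reason: "unsolicited mention with image" };
  return { action: "accept", reason: "no spam signal" };
}

// Constructed sample data (hosts and actors are placeholders).
const policy: Policy = {
  allowedHosts: new Set(["moderated.example"]),
  maxMentions: 3,
  isFollowedLocally: (actor) => actor === "https://tiny.example/users/friend",
};
const mention = { type: "Mention", href: "https://local.example/users/a" };
const spam: Activity = {
  type: "Create", actor: "https://open-reg.example/users/x1",
  object: { type: "Note", tag: [mention], attachment: [{ type: "Document", mediaType: "image/webp" }] },
};
```

Every verdict carries a reason, so rejected activities can be logged and the thresholds tuned against false positives.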

We should be doing this, especially once Bluesky federates.


>once bluesky federates

:marseyclueless:

It's called "BS" for a reason
