toasters.rocks/how-to-thoroughly-destroy-s.../index.html

286 lines
13 KiB
HTML
Raw Normal View History

2020-11-29 03:26:44 +00:00
<!DOCTYPE html>
<html lang="en"><head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link rel="shortcut icon" href="/img/icon.png" type="image/png">
<meta name="generator" content="Hugo 0.78.2" />
<meta property="og:title" content="How to thoroughly destroy spam accounts from Mastodon" />
<meta property="og:description" content="Well, it seems Mastodon have a problem with a particular spambot. As an instance admin, I investigated and here&rsquo;s my findings.
Symptoms: Accounts keep singing up on your instance. The username are all random syllables (kind of sounds like Japanese), they have random full English/American-sounding names, their email address are all from random domains as if their owner have a pretty big budget on that and they all have different IPs." />
<meta property="og:type" content="article" />
<meta property="og:url" content="http://toasters.rocks/how-to-thoroughly-destroy-spam-accounts-from-mastodon/" />
<meta property="article:published_time" content="2018-11-26T12:00:00+00:00" />
<meta property="article:modified_time" content="2019-11-26T06:10:02+00:00" />
<meta name="twitter:card" content="summary"/>
<meta name="twitter:title" content="How to thoroughly destroy spam accounts from Mastodon"/>
<meta name="twitter:description" content="Well, it seems Mastodon have a problem with a particular spambot. As an instance admin, I investigated and here&rsquo;s my findings.
Symptoms: Accounts keep singing up on your instance. The username are all random syllables (kind of sounds like Japanese), they have random full English/American-sounding names, their email address are all from random domains as if their owner have a pretty big budget on that and they all have different IPs."/>
<title>How to thoroughly destroy spam accounts from Mastodon - toasters rocks</title>
<link rel="stylesheet" href="/css/styles.css" />
<link rel="stylesheet" href="/css/syntax.css" />
<script src="https://kit.fontawesome.com/8ced65a629.js" crossorigin="anonymous"></script>
</head><body>
<header><img src="/img/icon.png"><h1>toasters rocks</h1></header>
<main>
<aside><nav>
<a href="/">
<i class="fas fa-home"></i>
Home
</a><br/>
<a href="http://juju2143.ca/">
<i class="fas fa-user"></i>
About
</a><br/>
<a href="/fr/">
<i class="fas fa-globe"></i>
Français
</a><br/>
<a href="https://yukiis.moe/">
<i class="far fa-comment"></i>
Comics
</a><br/>
<a href="https://codewalr.us/">
<i class="far fa-folder-open"></i>
Forums
</a><br/>
</nav>
<br/>
<nav>
<a title="Twitter " href="https://twitter.com/juju2143">
<i style="color: #4da7de" class="fab fa-twitter"></i>
<span style="color: #4da7de">Twitter</span>
</a><br/>
<a title="Discord " href="https://discord.gg/cuZcfcF">
<i style="color: #7289da" class="fab fa-discord"></i>
<span style="color: #7289da">Discord</span>
</a><br/>
<a title="GitHub " href="https://github.com/juju2143">
<i style="color: #221e1b" class="fab fa-github"></i>
<span style="color: #221e1b">GitHub</span>
</a><br/>
<a title="Patreon " href="https://patreon.com/juju2143">
<i style="color: #F96854" class="fab fa-patreon"></i>
<span style="color: #F96854">Patreon</span>
</a><br/>
<a title="YouTube " href="https://youtube.com/user/julosoft">
<i style="color: #e02a20" class="fab fa-youtube"></i>
<span style="color: #e02a20">YouTube</span>
</a><br/>
<a title="YouTube 2 " href="https://youtube.com/c/juju2143">
<i style="color: #e02a20" class="fab fa-youtube"></i>
<span style="color: #e02a20">YouTube 2</span>
</a><br/>
<a title="Twitch " href="https://twitch.tv/juju2143">
<i style="color: #6441a5" class="fab fa-twitch"></i>
<span style="color: #6441a5">Twitch</span>
</a><br/>
<a title="Instagram " href="https://instagram.com/j.p.savard">
<i style="color: #d6249f" class="fab fa-instagram"></i>
<span style="color: #d6249f">Instagram</span>
</a><br/>
<a title="DeviantArt " href="https://deviantart.com/juju2143">
<i style="color: #c5d200" class="fab fa-deviantart"></i>
<span style="color: #c5d200">DeviantArt</span>
</a><br/>
<a title="SoundCloud " href="https://soundcloud.com/juju2143">
<i style="color: #fe3801" class="fab fa-soundcloud"></i>
<span style="color: #fe3801">SoundCloud</span>
</a><br/>
</nav></aside>
<article>
<div>
<h2 name="top">How to thoroughly destroy spam accounts from Mastodon</h2>
<p></p>
<i class="far fa-calendar-alt"></i>
<time datetime="2018-11-26">November 26, 2018</time><br/>
<i class="fas fa-tags"></i>
#<a class="btn btn-sm btn-outline-dark tag-btn" href="http://toasters.rocks/tags/tech">Tech</a>
<br/>
<i class="fas fa-hourglass"></i> ~3 minutes
</div>
<p>Well, it seems Mastodon have a problem with a particular spambot. As an instance admin, I investigated and here&rsquo;s my findings.</p>
<p>Symptoms: Accounts keep singing up on your instance. The username are all random syllables (kind of sounds like Japanese), they have random full English/American-sounding names, their email address are all from random domains as if their owner have a pretty big budget on that and they all have different IPs.</p>
<p>First step: Pass all of those IPs through the Whois database and find something in common. And indeed, they all seem to come from the same ISP, for the most part, so it&rsquo;s trivial to craft a command to get their IP ranges.</p>
<p>(Note: The next commands have been tested at the time of writing on a Debian 9 server, on other OSes, your mileage may vary. I say this because the BSD implementation of the whois tool is very different from its GNU counterpart, from what I can see. This also assumes that you&rsquo;re on the account Mastodon runs and <code>cd</code>&rsquo;d in its live directory and you know that you shouldn&rsquo;t type the <code>$</code> as it&rsquo;s your prompt. And you actually know what you&rsquo;re doing, make backups first, etc. Also install the <code>ipcalc</code> package first, it&rsquo;ll help.)</p>
<pre><code>$ whois -i admin-c,tech-c GS19550-RIPE | grep inetnum | cut -f9- -d&quot; &quot; | sed &quot;s/ //g&quot; | xargs -n1 ipcalc -rn | grep -v deaggregate &gt;&gt; banlist.txt
</code></pre>
<p>(Actual command will vary from spambot to spambot, but it&rsquo;s the one the fediverse is currently plagued with and I have no doubt if there&rsquo;s another spammer it&rsquo;s going to be similar. Also from here, the instructions are for Mastodon 2.6, for any other software it&rsquo;s going to be something else, but yeah, you&rsquo;re basically going to kick IP ranges out.)</p>
<p>Now that you have a bunch of IPs to ban, enter the Rails console:</p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre class="chroma"><code><span class="lnt">1
</span></code></pre></td>
<td class="lntd">
<pre class="chroma"><code class="language-sh" data-lang="sh"> $ <span class="nv">RAILS_ENV</span><span class="o">=</span>production bundle <span class="nb">exec</span> rails c
</code></pre></td></tr></table>
</div>
</div><p>Now this bit of code will tell you their usernames, to make sure you have no false positives.</p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre class="chroma"><code><span class="lnt">1
</span></code></pre></td>
<td class="lntd">
<pre class="chroma"><code class="language-ruby" data-lang="ruby"> <span class="no">File</span><span class="o">.</span><span class="n">open</span><span class="p">(</span><span class="s2">&#34;banlist.txt&#34;</span><span class="p">,</span><span class="s2">&#34;r&#34;</span><span class="p">)</span><span class="o">.</span><span class="n">each_line</span> <span class="p">{</span> <span class="o">|</span><span class="n">ip</span><span class="o">|</span> <span class="no">User</span><span class="o">.</span><span class="n">where</span><span class="p">(</span><span class="s2">&#34;last_sign_in_ip &lt;&lt; ?&#34;</span><span class="p">,</span> <span class="n">ip</span><span class="o">.</span><span class="n">strip</span><span class="p">)</span><span class="o">.</span><span class="n">each</span> <span class="p">{</span> <span class="o">|</span><span class="n">u</span><span class="o">|</span> <span class="nb">puts</span> <span class="n">u</span><span class="o">.</span><span class="n">account</span><span class="o">.</span><span class="n">username</span> <span class="p">}</span> <span class="p">};</span><span class="mi">0</span>
</code></pre></td></tr></table>
</div>
</div><p>And now, this is the fun part, destroy them!</p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre class="chroma"><code><span class="lnt">1
</span></code></pre></td>
<td class="lntd">
<pre class="chroma"><code class="language-ruby" data-lang="ruby"> <span class="no">File</span><span class="o">.</span><span class="n">open</span><span class="p">(</span><span class="s2">&#34;banlist.txt&#34;</span><span class="p">,</span><span class="s2">&#34;r&#34;</span><span class="p">)</span><span class="o">.</span><span class="n">each_line</span> <span class="p">{</span> <span class="o">|</span><span class="n">ip</span><span class="o">|</span> <span class="no">User</span><span class="o">.</span><span class="n">where</span><span class="p">(</span><span class="s2">&#34;last_sign_in_ip &lt;&lt; ?&#34;</span><span class="p">,</span> <span class="n">ip</span><span class="o">.</span><span class="n">strip</span><span class="p">)</span><span class="o">.</span><span class="n">each</span> <span class="p">{</span> <span class="o">|</span><span class="n">u</span><span class="o">|</span> <span class="n">u</span><span class="o">.</span><span class="n">account</span><span class="o">.</span><span class="n">user</span><span class="o">.</span><span class="n">destroy</span><span class="p">;</span> <span class="n">u</span><span class="o">.</span><span class="n">account</span><span class="o">.</span><span class="n">destroy</span> <span class="p">}</span> <span class="p">};</span><span class="mi">0</span>
</code></pre></td></tr></table>
</div>
</div><p>Now you can&rsquo;t see them anymore. If you missed a few, you can always put their IPs in <code>banlist.txt</code> and repeat the process. Now to make sure they&rsquo;re not going to come back, you can either put them in your iptables or your favourite firewall, or put a blacklist in your nginx. Run this as your normal admin user:</p>
<div class="highlight"><div class="chroma">
<table class="lntable"><tr><td class="lntd">
<pre class="chroma"><code><span class="lnt">1
</span></code></pre></td>
<td class="lntd">
<pre class="chroma"><code class="language-sh" data-lang="sh"> $ cat banlist.txt <span class="p">|</span> xargs -n1 -I<span class="s1">&#39;{}&#39;</span> <span class="nb">echo</span> deny <span class="s1">&#39;{}&#39;</span><span class="se">\;</span> <span class="p">|</span> sudo tee /etc/nginx/blacklist
</code></pre></td></tr></table>
</div>
</div><p>Then edit your nginx config and put an <code>include blacklist;</code> somewhere in your instance&rsquo;s server block. Don&rsquo;t forget to reload nginx!</p>
<p>And there you go. How to find out and destroy spambots for dummies. Have fun and don&rsquo;t forget to do this once in a while :)</p>
<p>Sources:
<a href="https://mastodon.at/@pfigel/100076564629123760">https://mastodon.at/@pfigel/100076564629123760</a>
<a href="https://github.com/tootsuite/mastodon/issues/109#issuecomment-298767655">https://github.com/tootsuite/mastodon/issues/109#issuecomment-298767655</a></p>
</article>
<ul class="pagination">
<li class="page-item">
<a class="previous" href="http://toasters.rocks/facebook-sucks/">« Facebook sucks</a>
</li>
<li class="page-item">
<a class="next" href="http://toasters.rocks/writing-a-book/">Reflections on 2018, part 1: Writing a book »</a>
</li>
</ul>
<article>
<div id="disqus_thread"></div>
<script type="application/javascript">
var disqus_config = function () {
};
(function() {
if (["localhost", "127.0.0.1"].indexOf(window.location.hostname) != -1) {
document.getElementById('disqus_thread').innerHTML = 'Disqus comments not available by default when the website is previewed locally.';
return;
}
var d = document, s = d.createElement('script'); s.async = true;
s.src = '//' + "juju2143" + '.disqus.com/embed.js';
s.setAttribute('data-timestamp', +new Date());
(d.head || d.body).appendChild(s);
})();
</script>
<noscript>Please enable JavaScript to view the <a href="https://disqus.com/?ref_noscript">comments powered by Disqus.</a></noscript>
<a href="https://disqus.com" class="dsq-brlink">comments powered by <span class="logo-disqus">Disqus</span></a>
</article>
</main>
<footer>Copyright © 2020 J.P. Savard</footer>
</body>
</html>