toasters.rocks/how-to-thoroughly-destroy-s.../index.html

15 lines
12 KiB
HTML

<!doctype html><html lang=en><head><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1"><link rel="shortcut icon" href=/img/icon.png type=image/png><meta name=generator content="Hugo 0.79.0"><meta property="og:title" content="How to thoroughly destroy spam accounts from Mastodon"><meta property="og:description" content="Well, it seems Mastodon have a problem with a particular spambot. As an instance admin, I investigated and here&rsquo;s my findings.
Symptoms: Accounts keep singing up on your instance. The username are all random syllables (kind of sounds like Japanese), they have random full English/American-sounding names, their email address are all from random domains as if their owner have a pretty big budget on that and they all have different IPs."><meta property="og:type" content="article"><meta property="og:url" content="http://toasters.rocks/how-to-thoroughly-destroy-spam-accounts-from-mastodon/"><meta property="article:published_time" content="2018-11-26T12:00:00+00:00"><meta property="article:modified_time" content="2019-11-26T06:10:02+00:00"><meta name=twitter:card content="summary"><meta name=twitter:title content="How to thoroughly destroy spam accounts from Mastodon"><meta name=twitter:description content="Well, it seems Mastodon have a problem with a particular spambot. As an instance admin, I investigated and here&rsquo;s my findings.
Symptoms: Accounts keep singing up on your instance. The username are all random syllables (kind of sounds like Japanese), they have random full English/American-sounding names, their email address are all from random domains as if their owner have a pretty big budget on that and they all have different IPs."><meta name=theme-color content="#660066"><title>How to thoroughly destroy spam accounts from Mastodon - toasters rocks</title><link rel=stylesheet href=http://toasters.rocks/css/toastersrocks.min.css></head><body><header><img src=/img/icon.png><h1>toasters rocks</h1></header><main><aside><nav><a href=/><i class="fas fa-home"></i>Home</a><br><a href=http://juju2143.ca/><i class="fas fa-user"></i>About</a><br><a href=/fr/><i class="fas fa-globe"></i>Français</a><br><a href=https://yukiis.moe/><i class="far fa-comment"></i>Comics</a><br><a href=https://codewalr.us/><i class="far fa-folder-open"></i>Forums</a><br></nav><br><nav><a title=Twitter href=https://twitter.com/juju2143><i style=color:#4da7de class="fab fa-twitter"></i><span style=color:#4da7de>Twitter</span></a><br><a title=Discord href=https://discord.gg/cuZcfcF><i style=color:#7289da class="fab fa-discord"></i><span style=color:#7289da>Discord</span></a><br><a title=GitHub href=https://github.com/juju2143><i style=color:#221e1b class="fab fa-github"></i><span style=color:#221e1b>GitHub</span></a><br><a title=Patreon href=https://patreon.com/juju2143><i style=color:#f96854 class="fab fa-patreon"></i><span style=color:#f96854>Patreon</span></a><br><a title=YouTube href=https://youtube.com/user/julosoft><i style=color:#e02a20 class="fab fa-youtube"></i><span style=color:#e02a20>YouTube</span></a><br><a title="YouTube 2" href=https://youtube.com/c/juju2143><i style=color:#e02a20 class="fab fa-youtube"></i><span style=color:#e02a20>YouTube 2</span></a><br><a title=Twitch href=https://twitch.tv/juju2143><i style=color:#6441a5 class="fab fa-twitch"></i><span style=color:#6441a5>Twitch</span></a><br><a title=Instagram href=https://instagram.com/j.p.savard><i style=color:#d6249f class="fab fa-instagram"></i><span style=color:#d6249f>Instagram</span></a><br><a title=DeviantArt href=https://deviantart.com/juju2143><i style=color:#c5d200 class="fab fa-deviantart"></i><span style=color:#c5d200>DeviantArt</span></a><br><a title=SoundCloud href=https://soundcloud.com/juju2143><i style=color:#fe3801 class="fab fa-soundcloud"></i><span style=color:#fe3801>SoundCloud</span></a><br></nav></aside><article><div><h2 name=top>How to thoroughly destroy spam accounts from Mastodon</h2><p></p><i class="far fa-calendar-alt"></i><time datetime=2018-11-26>November 26, 2018</time><br><i class="fas fa-tags"></i>#<a class="btn btn-sm btn-outline-dark tag-btn" href=http://toasters.rocks/tags/tech>Tech</a><br><i class="fas fa-hourglass"></i>~3 minutes</div><p>Well, it seems Mastodon have a problem with a particular spambot. As an instance admin, I investigated and here&rsquo;s my findings.</p><p>Symptoms: Accounts keep singing up on your instance. The username are all random syllables (kind of sounds like Japanese), they have random full English/American-sounding names, their email address are all from random domains as if their owner have a pretty big budget on that and they all have different IPs.</p><p>First step: Pass all of those IPs through the Whois database and find something in common. And indeed, they all seem to come from the same ISP, for the most part, so it&rsquo;s trivial to craft a command to get their IP ranges.</p><p>(Note: The next commands have been tested at the time of writing on a Debian 9 server, on other OSes, your mileage may vary. I say this because the BSD implementation of the whois tool is very different from its GNU counterpart, from what I can see. This also assumes that you&rsquo;re on the account Mastodon runs and <code>cd</code>&rsquo;d in its live directory and you know that you shouldn&rsquo;t type the <code>$</code> as it&rsquo;s your prompt. And you actually know what you&rsquo;re doing, make backups first, etc. Also install the <code>ipcalc</code> package first, it&rsquo;ll help.)</p><pre><code>$ whois -i admin-c,tech-c GS19550-RIPE | grep inetnum | cut -f9- -d&quot; &quot; | sed &quot;s/ //g&quot; | xargs -n1 ipcalc -rn | grep -v deaggregate &gt;&gt; banlist.txt
</code></pre><p>(Actual command will vary from spambot to spambot, but it&rsquo;s the one the fediverse is currently plagued with and I have no doubt if there&rsquo;s another spammer it&rsquo;s going to be similar. Also from here, the instructions are for Mastodon 2.6, for any other software it&rsquo;s going to be something else, but yeah, you&rsquo;re basically going to kick IP ranges out.)</p><p>Now that you have a bunch of IPs to ban, enter the Rails console:</p><div class=highlight><div class=chroma><table class=lntable><tr><td class=lntd><pre class=chroma><code><span class=lnt>1
</span></code></pre></td><td class=lntd><pre class=chroma><code class=language-sh data-lang=sh> $ <span class=nv>RAILS_ENV</span><span class=o>=</span>production bundle <span class=nb>exec</span> rails c
</code></pre></td></tr></table></div></div><p>Now this bit of code will tell you their usernames, to make sure you have no false positives.</p><div class=highlight><div class=chroma><table class=lntable><tr><td class=lntd><pre class=chroma><code><span class=lnt>1
</span></code></pre></td><td class=lntd><pre class=chroma><code class=language-ruby data-lang=ruby> <span class=no>File</span><span class=o>.</span><span class=n>open</span><span class=p>(</span><span class=s2>&#34;banlist.txt&#34;</span><span class=p>,</span><span class=s2>&#34;r&#34;</span><span class=p>)</span><span class=o>.</span><span class=n>each_line</span> <span class=p>{</span> <span class=o>|</span><span class=n>ip</span><span class=o>|</span> <span class=no>User</span><span class=o>.</span><span class=n>where</span><span class=p>(</span><span class=s2>&#34;last_sign_in_ip &lt;&lt; ?&#34;</span><span class=p>,</span> <span class=n>ip</span><span class=o>.</span><span class=n>strip</span><span class=p>)</span><span class=o>.</span><span class=n>each</span> <span class=p>{</span> <span class=o>|</span><span class=n>u</span><span class=o>|</span> <span class=nb>puts</span> <span class=n>u</span><span class=o>.</span><span class=n>account</span><span class=o>.</span><span class=n>username</span> <span class=p>}</span> <span class=p>};</span><span class=mi>0</span>
</code></pre></td></tr></table></div></div><p>And now, this is the fun part, destroy them!</p><div class=highlight><div class=chroma><table class=lntable><tr><td class=lntd><pre class=chroma><code><span class=lnt>1
</span></code></pre></td><td class=lntd><pre class=chroma><code class=language-ruby data-lang=ruby> <span class=no>File</span><span class=o>.</span><span class=n>open</span><span class=p>(</span><span class=s2>&#34;banlist.txt&#34;</span><span class=p>,</span><span class=s2>&#34;r&#34;</span><span class=p>)</span><span class=o>.</span><span class=n>each_line</span> <span class=p>{</span> <span class=o>|</span><span class=n>ip</span><span class=o>|</span> <span class=no>User</span><span class=o>.</span><span class=n>where</span><span class=p>(</span><span class=s2>&#34;last_sign_in_ip &lt;&lt; ?&#34;</span><span class=p>,</span> <span class=n>ip</span><span class=o>.</span><span class=n>strip</span><span class=p>)</span><span class=o>.</span><span class=n>each</span> <span class=p>{</span> <span class=o>|</span><span class=n>u</span><span class=o>|</span> <span class=n>u</span><span class=o>.</span><span class=n>account</span><span class=o>.</span><span class=n>user</span><span class=o>.</span><span class=n>destroy</span><span class=p>;</span> <span class=n>u</span><span class=o>.</span><span class=n>account</span><span class=o>.</span><span class=n>destroy</span> <span class=p>}</span> <span class=p>};</span><span class=mi>0</span>
</code></pre></td></tr></table></div></div><p>Now you can&rsquo;t see them anymore. If you missed a few, you can always put their IPs in <code>banlist.txt</code> and repeat the process. Now to make sure they&rsquo;re not going to come back, you can either put them in your iptables or your favourite firewall, or put a blacklist in your nginx. Run this as your normal admin user:</p><div class=highlight><div class=chroma><table class=lntable><tr><td class=lntd><pre class=chroma><code><span class=lnt>1
</span></code></pre></td><td class=lntd><pre class=chroma><code class=language-sh data-lang=sh> $ cat banlist.txt <span class=p>|</span> xargs -n1 -I<span class=s1>&#39;{}&#39;</span> <span class=nb>echo</span> deny <span class=s1>&#39;{}&#39;</span><span class=se>\;</span> <span class=p>|</span> sudo tee /etc/nginx/blacklist
</code></pre></td></tr></table></div></div><p>Then edit your nginx config and put an <code>include blacklist;</code> somewhere in your instance&rsquo;s server block. Don&rsquo;t forget to reload nginx!</p><p>And there you go. How to find out and destroy spambots for dummies. Have fun and don&rsquo;t forget to do this once in a while :)</p><p>Sources:
<a href=https://mastodon.at/@pfigel/100076564629123760>https://mastodon.at/@pfigel/100076564629123760</a>
<a href=https://github.com/tootsuite/mastodon/issues/109#issuecomment-298767655>https://github.com/tootsuite/mastodon/issues/109#issuecomment-298767655</a></p></article><ul class=pagination><li class=page-item><a class=previous href=http://toasters.rocks/facebook-sucks/>« Facebook sucks</a></li><li class=page-item><a class=next href=http://toasters.rocks/writing-a-book/>Reflections on 2018, part 1: Writing a book »</a></li></ul><article><div id=disqus_thread></div><script type=application/javascript>var disqus_config=function(){};(function(){if(["localhost","127.0.0.1"].indexOf(window.location.hostname)!=-1){document.getElementById('disqus_thread').innerHTML='Disqus comments not available by default when the website is previewed locally.';return;}
var d=document,s=d.createElement('script');s.async=true;s.src='//'+"juju2143"+'.disqus.com/embed.js';s.setAttribute('data-timestamp',+new Date());(d.head||d.body).appendChild(s);})();</script><noscript>Please enable JavaScript to view the <a href=https://disqus.com/?ref_noscript>comments powered by Disqus.</a></noscript><a href=https://disqus.com class=dsq-brlink>comments powered by <span class=logo-disqus>Disqus</span></a></article></main><footer>Copyright © 2020 J.P. Savard - Theme by <a href=https://github.com/juju2143/hugo-theme-toastersrocks>J. P. Savard</a> - Powered by Hugo 0.79.0</footer></body></html>