PSA: I have just cleaned a set of Russian misinfo spambots from this instance.
⚠️ We moderate registrations, and have invites enabled. ⚠️
This is how they got in:
8 days ago (Mar 29) they requested an account. The request did not appear LLM generated. The request was topical enough to meet our flexible informal threshold, and read as clumsy English.
6 days ago (Apr 1) I reviewed and approved the account.
Their signup email accounts were from the emailondeck tempmail provider. Each domain was different. I only bother looking at the email domain if there are other red flags. (A lot of people who choose us are technical with their own email domains. Random domains don't stand out.)
They signed up from an IPv6 address and only ever connected from 1 IP.
They made 0 posts from this account. They did not set a bio. They did not set a PFP.
They created 1 invite code for 5 uses.
5 days ago this invite code was used to make 1 account. They did not post anything, nor did they set a bio or PFP.
That second account, and all other accounts, used IPv4. They also only connected from 1 IP.
Over the next 4 days, the final 4 accounts via that invite code were made.
These accounts set bios that were a few random words and an emoji. They made the non-hashtag variety of posts the misinfo accounts make; bland word salad poetry. They boosted a bunch of other posts to try to look normal.
All IPs involved have been labelled by https://spur.us as OPEN_ROUTABLE_PROXY and the IPv4 ones were also labelled as TOR_PROXY.
The admin interface identifies the posts as using clients called "ssl", "scsi", "ib".
The cleanup procedure:
Ban the accounts immediately.
Deactivate the invite code immediately.
Review other recently created accounts and invite codes.
Write this all down for future reference.
Notes:
It's easy to be complacent when you've got account creations moderated or by invite codes.
Chances are that if I had not noticed, each of the active accounts may have created their own invite code, and there would have been another 20 or more of them.
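
For the "review other recently created accounts and invite codes" step, an added example (not part of the original post, and not Mastodon's own code or schema) that walks the invite tree downward from any blank account that minted a code. The record layout, field names and sample data are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample export; field names are assumptions, not Mastodon's schema.
ACCOUNTS = [
    {"id": 1, "posts": 120, "bio": "sysadmin", "avatar": True, "via_invite": None},
    {"id": 2, "posts": 0, "bio": "", "avatar": False, "via_invite": None},
    {"id": 3, "posts": 0, "bio": "", "avatar": False, "via_invite": "inv-a"},
    {"id": 4, "posts": 9, "bio": "lamp river moon", "avatar": False, "via_invite": "inv-a"},
    {"id": 5, "posts": 7, "bio": "green stone kite", "avatar": False, "via_invite": "inv-a"},
    {"id": 6, "posts": 3, "bio": "", "avatar": False, "via_invite": "inv-c"},
    {"id": 7, "posts": 40, "bio": "cat photos", "avatar": True, "via_invite": "inv-b"},
]
INVITES = [
    {"code": "inv-a", "creator": 2},
    {"code": "inv-b", "creator": 1},
    {"code": "inv-c", "creator": 4},
]

def is_blank(acct):
    """No posts, no bio, no avatar: the profile of the first account in the chain."""
    return acct["posts"] == 0 and not acct["bio"] and not acct["avatar"]

def review_queue(accounts, invites):
    """Return (account ids, invite codes) that need a manual look.

    Seeds are blank accounts that minted an invite. Every account that redeemed
    a flagged code is followed in turn, since it may have minted codes itself.
    """
    codes_by_creator = defaultdict(list)
    redeemers = defaultdict(list)
    for inv in invites:
        codes_by_creator[inv["creator"]].append(inv["code"])
    for a in accounts:
        if a["via_invite"]:
            redeemers[a["via_invite"]].append(a["id"])

    pending = [a["id"] for a in accounts
               if is_blank(a) and a["id"] in codes_by_creator]
    flagged_accts, flagged_codes = set(), set()
    while pending:
        acct_id = pending.pop()
        if acct_id in flagged_accts:
            continue  # already visited
        flagged_accts.add(acct_id)
        for code in codes_by_creator.get(acct_id, []):
            flagged_codes.add(code)
            pending.extend(redeemers.get(code, []))
    return sorted(flagged_accts), sorted(flagged_codes)
```

The output is a review list, not a ban list: a blank profile that hands out an invite is only a prompt to look at the email domain and IP reputation of everything downstream.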