My man saw Terminator

Dang, good on you for following through and messaging the admins, and good on the admins who took action.

Per my original post from three weeks ago, I’m using a coarse method to identify (and try to draw the admins’ attention to) a particular pool of accounts that were created in a specific week on a handful of instances. Actively spamming bot accounts, and bot accounts on other instances, won’t be caught with my method. I’m not being thorough, just looking for low-hanging fruit.

It is possible that some legitimate users’ lurking accounts got swept up and deleted, but I think that’s very unlikely. If an instance suddenly goes from 3 users to 60,000 users in a week, then the growth abruptly stops and none of those new users show activity, that’s suspicious. If there are real people in that wave of accounts then at least a few of them should be posting or commenting, and more people should continue opening accounts over time.

Oh damn, I normally lurk w this account because I have some issues with some posts and comments not showing when they’re from different instances (yes I’ve set my language to undetermined too). I have my main on feddit.de but I only see a fraction of the comments when I look at the same post on that account. Mainly the comments from the users of other instances than feddit.de are hidden. Doesn’t seem to be a federation issue (I think?) because I can find the communities and they should be federated. Maybe it’s a Jerboa issue idk.

If you created your account on these specific instances during a particular week in June 2023, and the instance admin decides your account looks suspicious, then you might get nuked. Otherwise, no worries. I’m not campaigning to remove all lurkers, or even trying to be thorough about removing possible bot accounts. I’m going after low-hanging fruit: a particular pool of suspicious-looking accounts on a handful of instances.

No major social media site publishes estimates on bot activity, so unless someone is citing a research paper with a reasonable bot-id technique, they’re speculating. That said, there are a few useful things we can say with only modest speculation:

1. No commercial social media site has as trivial a sign up process as these instances. They had no email verification, no captcha, and no validation or gating process of any kind. Scripts created this users with a single API call, hitting it as fast as the server would respond. So on the account validation front, reddit does better than these instances of keeping bots out.
2. Every commercial social media site has a security team that attempts to monitor bots and has the capability to remove them. Some of these admins were aware of the signups, and others didn’t know how to respond. So on the monitoring and response front, reddit is more sophisticated at detecting and responding to bots.
3. These instances I believe had zero or one active users vs 100k+ bot accounts. It’s hard to say what the bot rates are on commercial social media sites, but I think we can confidently bound it to something lower than 100k to 1 in favor of bots.
4. The aggregate number of bots represented about half the total lemmyverse. I’m sure someone will disagree with me, but I would be pretty surprised if half the signups at commercial sites are malicious. But that’s more plausible than 100k to 1.
5. But one the other hand, the activity of these bots is public, and they demonstrably didn’t do anything. At least some of the malicious/clandestine bot accounts on commercial social media sites are active… so maybe here Lemmy gets the win since this massive wave of bots went unused. Now, that doesn’t mean that OTHER more sophisticated and undetected bits aren’t active on Lemmy just as they are on other social sites. But my bet is there is little to none because Lemmy doesn’t matter enough to be worth attacking by the people who are able to run sophisticated bots. But this is hard to prove one way or another.

TLDR: This signup wave was so unsophisticated it would never have been possible on a major social site with a security team. But it also didn’t do any altanfible damage, unlike clandestine bot activity on major social sites. Depending on what metrics you use to compare (and how made up your metrics are, since this is all about activity that attempts to stay hidden), either side can come out on top.

I can’t say. I don’t know of a good way to tell an authentic human-driven account from a bot account, either on Lemmy or Reddit. Here on Lemmy we can at least get aggregate user data and point to suspicious trends, which is all I have done. Reddit, on the other hand, is a completely closed box.

American, but it’s a line from a Canadian TV show that leaked across the border.

The best nationality on the north west hemisphere fr