Bots are running rampant. How do we stop them from ruining Lemmy?

Social media platforms like Twitter and Reddit are increasingly infested with bots and fake accounts, leading to significant manipulation of public discourse. These bots don’t just annoy users—they skew visibility through vote manipulation. Fake accounts and automated scripts systematically downvote posts opposing certain viewpoints, distorting the content that surfaces and amplifying specific agendas.

Before coming to Lemmy, I was systematically downvoted by bots on Reddit for completely normal comments that were relatively neutral and not controversial at all. Seemed to be no pattern in it… One time I commented that my favorite game was WoW, downvoted -15 for no apparent reason.

For example, a bot on Twitter using an API call to GPT-4o ran out of funding and started posting their prompts and system information publicly.

dailydot.com/…/chatgpt-bot-x-russian-campaign-mem…

Example shown here

Bots like these are probably in the tens or hundreds of thousands. They did a huge ban wave of bots on Reddit, and some major top level subreddits were quiet for days because of it. Unbelievable…

How do we even fix this issue or prevent it from affecting Lemmy??

Fedizen ,

Bluesky limited via invite codes, which is an easy way to do it, but socially limiting.

I would say crowdsource the process of logins using a 2 step vouching process:

  1. When a user makes a new login, have them request authorization to post from any other user on the server that is eligible to authorize users. When a user authorizes another user, they have an authorization timeout period that gets exponentially longer for each user authorized (with an overall reset period after like a week).
  2. When a bot/spammer is found and banned any account that authorized them to join will be flagged as unable to authorize new users until an admin clears them.

Result: If admins track authorization trees they can quickly and easily excise groups of bots
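
Added example, not part of the thread and not Lemmy code: a minimal sketch of the vouching scheme Fedizen describes above, with a cooldown that doubles per vouch, freezing of the voucher when an account they authorized is banned, and a subtree lookup for admins. `VouchRegistry`, its method names and the one-hour base cooldown are assumptions made for illustration.

```python
from collections import defaultdict

BASE_COOLDOWN = 3600        # seconds; assumed value, the comment gives none
RESET_PERIOD = 7 * 86400    # "overall reset period after like a week"


class VouchRegistry:
    """Tracks who authorized whom, per-voucher cooldowns, and freezes."""

    def __init__(self, founders):
        self.parent = {u: None for u in founders}  # account -> voucher
        self.children = defaultdict(list)          # voucher -> accounts
        self.vouch_times = defaultdict(list)       # voucher -> timestamps
        self.frozen = set()   # may not vouch until an admin clears them
        self.banned = set()

    def next_allowed(self, voucher, now):
        """Earliest time the voucher may authorize again."""
        recent = [t for t in self.vouch_times[voucher]
                  if now - t < RESET_PERIOD]
        if not recent:
            return now
        # Cooldown doubles with every vouch inside the reset window.
        return max(recent) + BASE_COOLDOWN * 2 ** (len(recent) - 1)

    def vouch(self, voucher, newcomer, now):
        if voucher not in self.parent or voucher in self.banned:
            return "denied: voucher is not an active account"
        if voucher in self.frozen:
            return "denied: voucher frozen pending admin review"
        if newcomer in self.parent:
            return "denied: account already exists"
        if now < self.next_allowed(voucher, now):
            return "denied: voucher in cooldown"
        self.parent[newcomer] = voucher
        self.children[voucher].append(newcomer)
        self.vouch_times[voucher].append(now)
        return "ok"

    def ban(self, account):
        """Ban an account and freeze whoever authorized it."""
        self.banned.add(account)
        voucher = self.parent.get(account)
        if voucher is not None:
            self.frozen.add(voucher)
        return voucher

    def admin_clear(self, voucher):
        self.frozen.discard(voucher)

    def subtree(self, root):
        """Every account whose authorization chain passes through root."""
        found, stack = [], [root]
        while stack:
            account = stack.pop()
            found.append(account)
            stack.extend(self.children[account])
        return sorted(found)
```

Calling `subtree()` on a banned account gives the admin the whole group it brought in, which is the "authorization tree" review the comment has in mind.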

DandomRude ,
@DandomRude@lemmy.world

I think the only way to solve this problem for good would be to tie social media accounts to proof of identity. However, apart from what would certainly be a difficult technical implementation, this would create a whole bunch of different problems. The benefits would probably not outweigh the costs.

wewbull ,

  1. Make bot accounts a separate type of account so legitimate bots don’t appear as users. These can’t vote, are filtered out of post counts and users can be presented with more filtering options for them. Bot accounts are clearly marked.
  2. Heavily rate limit any API that enables posting to a normal user account.
  3. Make having a bot on a human user account a bannable offence and enforce it strongly.

lvxferre ,
@lvxferre@mander.xyz

As others said, you can’t prevent them completely. Only partially. You do it in four steps:

  1. Make it unattractive for bots.
  2. Prevent them from joining.
  3. Prevent them from posting/commenting.
  4. Detect them and kick them out.

The sad part is that, if you go too hard with bot eradication, it’ll eventually inconvenience real people too. (Cue to Captcha. That shit is great against bots, but it’s cancer if you’re a human.) Or it’ll be laborious/expensive and not scale well. (Cue to “why do you want to join our instance?”).

Ensign_Crab ,

How do we even fix this issue or prevent it from affecting Lemmy??

Simple. Just scream that everyone whose opinion you dislike is a bot.

pop ,

Internet is not a place for public discourse, it never was. It’s the game of numbers where people brigade discussions and make it conform to their biases.

Post something bad about the US with facts and statistics in US centric reddit sub, youtube video or article, and see how it divulges into brigading, name calling and racism. Do that on lemmy.ml to call out china/russia. Go to youtube videos with anything critical about India.

For all countries with massive population on the internet, you’re going to get bombarded with lies, deflection, whataboutism and strawman. Add in a few bots and you shape the narrative.

There’s also burying bad press with literally downvoting and never interacting.

Both are easy on the internet when you’ve got the brainwashed gullible mass to steer the narrative.

DandomRude ,
@DandomRude@lemmy.world

Well, unfortunately, the internet and especially social media is still the main source of information for more and more people, if not the only one. For many, it is also the only place where public discourse takes place, even if you can hardly call it that. I guess we are probably screwed.

MentalEdge , (edited )
@MentalEdge@sopuli.xyz

Just because you can’t change minds by walking into the centers of people’s bubbles and trying to shout logic at the people there, doesn’t mean the genuine exchange of ideas at the intersecting outer edges of different groups aren’t real or important.

Entrenched opinions are nearly impossible to alter in discussion, you can’t force people to change their minds, to see reality for what it is even if they refuse. They have to be willing to actually listen, first.

And people can and do grow disillusioned, at which point they will move away from their bubbles of their own accord, and go looking for real discourse.

At that point it’s important for reasonable discussion that stands up to scrutiny to exist for them to find.

And it does.

AlexWIWA ,

By being small and unimportant

Absolute_Axoltl ,

Excellent. That’s basically my super power.

AmidFuror ,

One argument in favor of bots on social media is their ability to automate routine tasks and provide instant responses. For example, bots can handle customer service inquiries, offer real-time updates, and manage repetitive interactions, which can enhance user experience and free up human moderators for more complex tasks. Additionally, they can help in disseminating important information quickly and efficiently, especially in emergency situations or for public awareness campaigns.

greengear5 ,

This reads like a chatgpt reply 😅

AlexanderESmith ,

Maybe stop letting any random person create an account with no verification whatsoever

Cadeillac ,
@Cadeillac@lemmy.world

Are you THE AlexanderESmith of social.alexanderesmith.com fame??

AlexanderESmith ,

Indeed I am! But I don't let all that fame go to my head (I have a special deal for autographs right now, just $20!)

But seriously, while I consider lackluster (or completely missing) new-account verification to be the much larger issue, federation is one to watch as well. My instance is so-named because I'm the only one who uses it.

At least it's a fairly significant effort to set up an entire instance for a single user. That should keep spam from single-user instances reasonably low. And if someone sets up a vaguely legitimate-looking instance, but enough users are muted/blocked/moderated/etc, you can just block the entire instance. Changing instance names is more of a hassle than nuking it entirely and starting over (new domain, new database, new IPs if the admins are paying attention, etc).

Cadeillac ,
@Cadeillac@lemmy.world

Sounds reasonable I suppose. I don’t know a whole lot of the under the hood workings of Lemmy and I’m not going to pretend I do. I was mostly poking fun in the spirit of that one guy that kept getting asked if he was from some forum

Edit: The Reference

AlexanderESmith ,

heh, indeed.

Yeah, technically I run mbin (a fork of the now-defunct kbin) which has both threaded (reddit/lemmy/etc) and microblog (deadbird/mastodon/etc) features. I originally set myself up on kbin.social , but after it died I decided to not let my account (history/rep/preferences/subscriptions/etc) continue to be subject to the whim of random admins that might run out of funding, see something shiny, do something stupid and get defederated, etc. I thought "Wait, I'm a random admin, I'll just make my own instance, with blackjack, and hookers..."

Cadeillac ,
@Cadeillac@lemmy.world

Hell yeah! I dig it. Thanks for the explanation. Why did they skip over lbin?

AsudoxDev ,
@AsudoxDev@programming.dev

You can’t get rid of bots, nor spammers. The only thing is that you can have a more aggressive automated punishment system, which will inevitably also punish good users, along with the bad users.

Feathercrown ,

Some sort of “report as bot” --> required captcha pipeline would be useful

linearchaos ,
@linearchaos@lemmy.world

Captcha is already mostly machine breakable, I’ve seen some new interesting pattern-based stuff but nothing that you couldn’t do image training against.

At some point not too far in the future you won’t be able to use captcha to stop bots from posting. It simply won’t even be a hurdle, a couple extra pennies of computational power.

There’s probably some power in detecting accounts that are blocked by many people. The problem is no matter what we do we’re heading towards blocking them with an algorithm or AI. And I’d hate to see that for Lemmy.

This place is just the stuff you follow with the raw up and down votes. We don’t hide unpopular posts making brigading less useful.

PenisDuckCuck9001 ,

deleted_by_author

  • catloaf ,

    I have never seen this happen. Have you? Can you share a link?

    Jimmycakes ,

    You don’t.

    You employ critical thinking skills in all interactions on the web.

    AnotherWorld ,
    @AnotherWorld@lemmy.world

    No current social network can be bot-proof. And Lemmy is in the most unprotected situation here, saved only by its low fame. On Twitter, I personally have already banned about 15000 Russian bots, but that’s less than 1% of the existing ones. I’ve seen the heads of bots with 165000 followers. Just imagine that all 165000 will register accounts on Lemmy, there is nothing to oppose them. I used to develop a theory for a new social network, where bots could exist as much as they want, but could not influence your circle of subscriptions and subscribers. But it’s complicated…

    tal ,
    @tal@lemmy.today

    Also, the “bot”/“human” distinction doesn’t have to be binary. Say one has an account that mostly has a bot post generated text, but then if it receives a message, hands it off to a human to handle. Or has a certain percentage of content be human-crafted. That may potentially defeat a lot of approaches for detecting a bot.

    Dark_Arc ,
    @Dark_Arc@social.packetloss.gg

    I’ve been thinking postcard based account validation for online services might be a strategy to fight bots.

    As in, rather than an email address, you register with a physical address and get mailed a post card.

    A server operator would then have to approve mailing 1,000 post cards to whatever address the bot operator was working out of. The cost of starting and maintaining a bot farm skyrockets as a result (you not only have to pay to get the postcard, you have to maintain a physical presence somewhere … and potentially a lot of them if you get banned/caught with any frequency).

    Similarly, most operators would presumably only mail to folks within their nation’s mail system. So if Russia wanted to create a bunch of US accounts on “mainstream” US hosted services, they’d have to physically put agents inside of the United States that are receiving these postcards … and now the FBI can treat this like any other organized domestic crime syndicate.

    catloaf ,

    I am absolutely not giving some Lemmy admin my address.

    Dark_Arc ,
    @Dark_Arc@social.packetloss.gg

    How would you feel if it was an independent third party (kind of an OAuth flow) with a well established presence and data policy?

    (i.e., one with a face and name that you could sue if they did something bad with your address?)

    Omniraptor ,

    Am I missing something? I thought you weren’t required to put a return address on postcards. Just put your username and email.

    catloaf ,

    They are sending the card to you.

    QuadratureSurfer ,
    @QuadratureSurfer@lemmy.world

    Easy way to get around that with “virtual” addresses: ipostal1.com/virtual-address.php

    Just pay $10 for every account that you want to create… you may as well just go with the solution of charging everyone $10 to create an account. At least that way the instance owner is getting supported and it would have the same effect.

    tal , (edited )
    @tal@lemmy.today

    Just pay $10 for every account that you want to create

    So, making identities expensive helps. It’d probably filter out some. But, look at the bot in OP’s image. The bot’s operator clearly paid for a blue checkmark. That’s (checks) $8/mo, so the operator paid at least $8, and it clearly wasn’t enough to deter them. In fact, they chose the blue checkmark because the additional credibility was worth it; X doesn’t mandate that they get one.

    And it also will deter humans. I don’t personally really care about the $10 because I like this environment, but creating that kind of up-front barrier is going to make a lot of people not try a system. And a lot of times financial transactions come with privacy issues, because a lot of governments get really twitchy about money-laundering via anonymous transactions.

    EDIT: I think that maybe a better route is to try to give users a “credibility score”. So, that’s not a binary “in” or “out”. But other people can see some kind of automated assessment of how likely, for example, a person might be to be a bot.

    thinks more

    I mean, this is just spitballing, but could even be done not at a global level, but at a per-other-user level. Like, okay, suppose you have what amounts to a small neural network, right? So the instance computes a bunch of statistics about each user, like account age, stuff like that, and then provides that to the client. But it doesn’t determine the importance of those metrics in whether the other user should see that post, just provides the raw data. You’ve got a bunch of inputs to a neural net, then. Then the other user can have a set of classifications. Maybe just “hide”, but also maybe something like “bot” or “political activism” or whatever. And it takes those input metrics from the instances, and trains that neural net to produce client-side classifications, and then auto-tags users based on that. That’s gonna be a pain to try to defeat, because the bot operator can’t even see how they’re being scored – they haven’t “gotten over the hurdle” or not.

    But you don’t want to make every end user train a neural net from scratch. Hmm.

    So maybe what you do is let users create their own scores and expose those to other users, right? I think that I read that BlueSky does something like that, was working on letting users create “curated feeds” for other users. They’re doing something simpler, no machine learning, but that’s got some drawbacks, means that you have to spend more time determining whether a score is good. So, okay. Say I’m gonna try to score a user based on whether-or-not I think that they’re a bot. I have the option to make that score publicly-available. Other users can “subscribe” to that metric, and when they do, there’s a new input node added to their local classifier’s list of input nodes. Like, “Don’s Bot List”.

    But I don’t have to subscribe to Don’s Bot List, and even if I do, it doesn’t mean that I automatically consider that other user a bot. Don’s rating is just an input into whether my own classifier considers them a bot. If I regularly disagree with Don, even if I’m subscribed to his list, my local neural net will slash the importance of his rating. If I agree with Don unless some other input to my classifier’s neural net is triggered, then the classifier can learn that.
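
Added example, not part of the thread and not Lemmy or Bluesky code: a sketch of the per-viewer classifier tal describes above, where instance-provided metrics and subscribed list ratings are inputs and each viewer's own tags decide how much each input counts. It uses a single-layer logistic model as the simplest stand-in for the "small neural network"; the class, the feature names, the second list and the sample accounts are all constructed for illustration.

```python
import math


class LocalClassifier:
    """One viewer's private model; its weights never leave the client."""

    def __init__(self, instance_metrics, lr=0.5):
        self.w = {name: 0.0 for name in instance_metrics}
        self.bias = 0.0
        self.lr = lr

    def subscribe(self, list_name):
        # A subscribed list is only another input; it starts at weight 0.
        self.w.setdefault(list_name, 0.0)

    def score(self, account):
        z = self.bias + sum(w * account.get(f, 0.0) for f, w in self.w.items())
        return 1.0 / (1.0 + math.exp(-z))

    def tag(self, account, is_bot):
        """Viewer tags an account by hand; take one gradient step."""
        err = (1.0 if is_bot else 0.0) - self.score(account)
        self.bias += self.lr * err
        for f in self.w:
            self.w[f] += self.lr * err * account.get(f, 0.0)


# Constructed sample accounts: one raw metric from the instance plus the
# ratings published by two hypothetical lists the viewer subscribed to.
ACCOUNTS = [
    {"new_account": 1, "dons_bot_list": 1, "noisy_list": 0},
    {"new_account": 0, "dons_bot_list": 1, "noisy_list": 1},
    {"new_account": 1, "dons_bot_list": 0, "noisy_list": 1},
    {"new_account": 0, "dons_bot_list": 0, "noisy_list": 0},
    {"new_account": 0, "dons_bot_list": 0, "noisy_list": 1},
]


def train(viewer_tags, epochs=200):
    """Replay one viewer's manual tags over the sample accounts."""
    clf = LocalClassifier(["new_account"])
    clf.subscribe("dons_bot_list")
    clf.subscribe("noisy_list")
    for _ in range(epochs):
        for account, is_bot in zip(ACCOUNTS, viewer_tags):
            clf.tag(account, is_bot)
    return clf


# Viewer A's own tags match Don's list; viewer B tags only new accounts,
# so B disagrees with Don half the time.
viewer_a = train([True, True, False, False, False])
viewer_b = train([True, False, True, False, False])
```

Both viewers subscribe to the same list, but only viewer A's model ends up giving Don's rating real weight; viewer B's model learns to rely on account age instead.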

    QuadratureSurfer ,
    @QuadratureSurfer@lemmy.world

    Yep, exactly this. It might deter some small time bot creators, but it won’t stop larger operations and may even help them to seem more legitimate.

    If anything, my favorite idea comes from this xkcd:

    https://lemmy.world/pictrs/image/e96a173a-696f-4f0c-87fb-df472c51f56e.png

    xkcd.com/810/

    Dark_Arc ,
    @Dark_Arc@social.packetloss.gg

    Yeah, BlueSky has this concept of user moderation lists. It’s effectively like subscribing to an adblock filter. There might be some things blocked by patterns (e.g., you could have one that blocks anything that involves spiders) and there might be others that block specific accounts (e.g., you could have one that blocks users that are known to cause problems, are prone to vulgar language, etc).

    I think the problem with credibility scores in general though, is it’s sort of like a “social score” from black mirror. Real people can get caught in the net of “you look like a bot” and similarly different algorithms could be designed to game the system by gaming the metrics to look like they’re not a bot (possibly even more so than some of the real people).

    This is kind of what led me down the route of bringing things back into the physical world. Like, once you have things going back through the normal systems … you arguably do lose some level of anonymity but you also gain back some guarantees of humanity.

    It doesn’t need to be the level of “you’ve got a government ID and you’re verified to be exactly you with no other accounts” … just “hey, some number of people in the real world, that are subject to the respective nation’s laws, had to have come into contact with a real piece of mail.”

    Maybe that just turns into the world’s slowest UDP network in existence. However, I think it has a real chance of making it easier to detect real people (i.e., folks that have a small number of overlapping addresses). The virtual mailbox the other person gave has 3,000 addresses… if you assume 5 people per mailing address is normal that’s 15,000 bots total before things start getting fishy if you’ve evenly distributed all of those addresses. If you’ve got 3,000 accounts at the same address, that’s very fishy. Addresses also change a lot less frequently than IP addresses, so a physical address ban is a much more strict deterrent.

    Dark_Arc ,
    @Dark_Arc@social.packetloss.gg

    Hm… I’m not sure if this is enough to defeat the strategy.

    It looks like even with that service, you have to sign up for Form 1583.

    Even if they’re willing to incur the cost, there’s a real paper trail pointing back to a real person or organization. In other words, the bot operator can be identified.

    As you note, this is yet another additional cost. So, you’d have say … $2-3 for the card + an address for the account. If you require every unique address to have no more than 1 account … that’s $13 per bot plus a paper trail to set everything up.

    That certainly wouldn’t stop every bot out there … but the chances of a large scale bot farms operating seem like they would be significantly deterred, no?

    QuadratureSurfer ,
    @QuadratureSurfer@lemmy.world

    That’s a good point. I didn’t know about the USPS Form 1583 for virtual mailboxes… Although that is a U.S. specific thing, so finding a similar service in a country that doesn’t care so much might be the way to go about that.

    Dark_Arc ,
    @Dark_Arc@social.packetloss.gg

    True, though presumably users in those places would be stuck with the “less trustworthy” instances (and ideally, would be able to get their local laws changed to make themselves more trustworthy).

    It’s definitely not perfectly moral… but little in the world is and maybe it’s sufficiently pragmatic.

    QuadratureSurfer ,
    @QuadratureSurfer@lemmy.world

    Yeah, the other thing I could see happening is a similar tactic used by scammers where they use Mules who pick up mail from various Airbnbs throughout whatever country, but this would definitely limit most bot operations… Unless some organization specializes in this and just offers some service to create a bunch of accounts for anyone willing to pay.

    Also, how many accounts would you limit to a single address, and how long would you lock up an address before it could be used again (given that people do move around from time to time).

    edit:typo.

    Scribble902 ,

    I was thinking physical mail too. But I think it definitely would require some sort of system that is either third party or government backed that anonymises you like how the covid Bluetooth tracing system worked (stupidly called track and trace in the UK). Plus you’d have to interact with someone at a postal office to legitimise it. But I’m talking, just a worker at a counter.

    So you’d get a one time unique anonymised postal address. You go to a post office and hand your letter over to someone. You, and perhaps they, will not know the address, but the system will. Maybe a process which re-envelopes the letter down the line into a letter with the real address on.

    This way, you’ve kept the server owner private and you’ve had to involve some form of person to person interaction meaning, not a bot!

    This system could be used for all sorts of verification other than for social media so may have enough incentive for governments/3rd parties to set up to use beyond that.

    Could it be abused though and if how are there solutions to mitigate them?
