just to keep things interesting, while the traffic i'm dealing with comes from OVH, it does not appear to be using Tor

@muffinista Would it be possible to block the IPs from registering accounts but not completely block them?

My forum is hosted on OVH, so it would need access to the public web UI to embed stuff, but that shouldn't mean it needs to *write* anything to your instance.

@ben yeah one option i'm considering is basically just to block the frontend. i think that might work?

@muffinista looks like you can ask TOR for a list of exit nodes that connected to your IP recently: https://check.torproject.org/cgi-bin/TorBulkExitList.py

@muffinista preventing traffic from https://check.torproject.org/exit-addresses to access the registration is probably sufficient and would allow existing users to login.

@sascha i'm going to explore something along those lines, thanks

@muffinista also, OVH, just like Hetzner, provide very very affordable hosting for dedicated boxes, which is great for running an actual scaling instance on the cheap... so I'd really want to prevent their net from getting unfederated

@muffinista the real issue will be when spammers figure out how to implement a minimal activitypub server... we're gonna have the issues email had 20-30 years ago all over again

@sascha ugggg yeah

@sascha @muffinista

not really, since email from a spam-only domain is easily blocked. and on Mastodon, that can happen retroactively.

the problem occurs when big email servers have some spam and some real accounts.

@ben @muffinista If you've ever run a MTA you know how inventive spammers can get, right now there isn't even a way to ban an entire domain (with subdomains), there's going to be an arms race and I'd rather someone that gets paid to do masto dev takes preemptive and not reactive action.

@sascha @muffinista the solution (that's working extremely well) for WTDWTF is that we require moderator approval for a user's first post and admin approval for any account made from an IP that has logged in in the past.

You also can't edit your public profile until you have at least one post.

Spammers seem to have given up (or at the very least, tried to make profile-only spam and failed because nobody can see it)

@sascha @muffinista (of course, WTDWTF is a forum that doesn't federate with anything, so
it's not a solution that will work identically here, but it felt good to know that a very minimal amount of work can remove any incentive spammers have to try to spam)

@ben @muffinista first contact with an instance approval sounds like it'd work for a while, but doesn't scale. Having a shared whitelist where anyone can OK a new instance seems like a good idea for the long run.

@sascha yeah, i agree, that was an oversight on my part. i'm sure there's a lot of legit boxes on their network

@bhtooefr i've thought about that, or simply preventing you from sending a DM immediately after creating an account, but i'm not sure it would help here. it's a good idea though.