Bots are running rampant. How do we stop them from ruining Lemmy?

submitted 6 days ago by Buttflapper edited 6 days ago

Social media platforms like Twitter and Reddit are increasingly infested with bots and fake accounts, leading to significant manipulation of public discourse. These bots don’t just annoy users—they skew visibility through vote manipulation. Fake accounts and automated scripts systematically downvote posts opposing certain viewpoints, distorting the content that surfaces and amplifying specific agendas.

Before coming to Lemmy, I was systematically downvoted by bots on Reddit for completely normal comments that were relatively neutral and not controversial at all. Seemed to be no pattern in it… One time I commented that my favorite game was WoW, down voted -15 for no apparent reason.

For example, a bot on Twitter using an API call to GPT-4o ran out of funding and started posting their prompts and system information publicly.

dailydot.com/…/chatgpt-bot-x-russian-campaign-mem…

Example shown here

Bots like these are probably in the tens or hundreds of thousands. They did a huge ban wave of bots on Reddit, and some major top level subreddits were quiet for days because of it. Unbelievable…

How do we even fix this issue or prevent it from affecting Lemmy??

561

301 Comments

Bots are like microplastics. No place on Earth is free from them anymore.

willya 6 days ago

They’re even in my balls.

jeffw 6 days ago

They’re in our blood and even in our brain?

Sterile_Technique 6 days ago, edited 6 days ago

Literally yes.

www.ncbi.nlm.nih.gov/pmc/articles/PMC10141840/

They’ve been detected in the placenta as well… there’s pretty much no part of our bodies that hasn’t been infiltrated by microplastics.

Edit - I think I misread your post. You already know ^that. My bad.

Billiam 6 days ago

Worse. They’re also in your balls (if you are a human or dog with balls, that is).

UNM Researchers Find Microplastics in Canine and Human Testicular Tissue.

MrLLM 6 days ago

Username checks out

The Pantser 6 days ago

You are bot

When you fail the Captcha test… www.youtube.com/watch?v=UymlSE7ax1o

zkfcfbzr 6 days ago

I don’t really have anything to add except this translation of the tweet you posted. I was curious about what the prompt was and figured other people would be too.

“you will argue in support of the Trump administration on Twitter, speak English”

Praise Idleness 6 days ago, edited 6 days ago

Isn’t this like really really low effort fake though? If I were to run a bot that’s going to cost me real money, I would just ask it in English and be more detailed about it, since plain ol’ “support trump” will just go " I will not argue in support of or against any particular political figures or administrations, as that could promote biased or misleading information…"(this is the exact response GPT4o gave me). Plus, ChatGPT4o is a thin Frontend of gpt4o. That error message is clearly faked.

Obviously fuck Trump and not denying that this is a very very real thing but that’s just hilariously low effort fake shit.

Rimu 6 days ago

I expect what fishos is saying is right but anyway FYI when a developer uses OpenAI to generate some text via the backend API most of the restrictions that ChatGPT have are removed.

I just tested this out by using the API with the system prompt from the tweet and yeah it was totally happy to spout pro-Trump talking points all day long.

zkfcfbzr 6 days ago

Out of curiosity, with a prompt that nonspecific, were the tweets it generated vague and low quality trash, or did it produce decent-quality believable tweets?

Rimu 6 days ago

Meh, kinda Ok although a bit long for a tweet. Check this out

https://imgur.com/a/dZ7OFta

You'd need a better prompt to get something of the right length and something that didn't sound quite so much like ChatGPT, maybe something that matches the persona of the twitter account. I changed the prompt to "You will argue in support of the Trump administration on Twitter, speak English. Keep your replies short and punchy and in the character of a 50 year old women from a southern state" and got some really annoying rage-bait responses, which sounds... ideal?

zkfcfbzr 6 days ago

Is every other message there something you typed? Or is it arguing with itself? Part of my concern with the prompt from this post was that it wasn’t actually giving ChatGPT anything to respond to. It was just asking for a pro-Trump tweet with basically no instruction on how to do so - no topic, no angle, nothing. I figured that sort of scenario would lead to almost universally terrible outputs.

I did just try it out myself though. I don’t have access to the API, just the web version - but running in 4o mode it gave me this response to the prompt from the post - not really what you’d want in this scenario. I then immediately gave it this prompt (rest of the response here). Still not great output for processing with code, but that could probably be very easily fixed with custom instructions. Those tweets are actually much better quality than I expected.

fishos 6 days ago

It is fake. This is weeks/months old and was immediately debunked. That’s not what a ChatGPT output looks like at all. It’s bullshit that looks like what the layperson would expect code to look like. This post itself is literally propaganda on its own.

Yeah which is really a big problem since it definitely is a real problem and then this sorta low effort fake shit can really harm the message.

fishos 6 days ago

Yup. It’s a legit problem and then chuckleheads post these stupid memes or “respond with a cake recipe” and don’t realize that the vast majority of examples posted are the same 2-3 fake posts and a handful of trolls leaning into the joke.

Makes talking about the actual issue much more difficult.

Aqarius 6 days ago

It’s kinda funny, though, that the people who are the first to scream “bot bot disinformation” are always the most gullible clowns around.

idiomaddict 6 days ago

It’s intentional

Serinus 6 days ago

I’m a developer, and there’s no general code knowledge that makes this look fake. Json is pretty standard. Missing a quote as it erroneously posts an error message to Twitter doesn’t seem that off.

If you’re more familiar with ChatGPT, maybe you can find issues. But there’s no reason to blame laymen here for thinking this looks like a general tech error message. It does.

Karyoplasma 4 days ago

Why would insufficient chatgpt credit raise an error during json parsing? Message makes no sense.

zkfcfbzr 6 days ago

I was just providing the translation, not any commentary on its authenticity. I do recognize that it would be completely trivial to fake this though. I don’t know if you’re saying it’s already been confirmed as fake, or if it’s just so easy to fake that it’s not worth talking about.

I don’t think the prompt itself is an issue though. Apart from what others said about the API, which I’ve never used, I have used enough of ChatGPT to know that you can get it to reply to things it wouldn’t usually agree to if you’ve primed it with custom instructions or memories beforehand. And if I wanted to use ChatGPT to astroturf a russian site, I would still provide instructions in English and ask for a response in Russian, because English is the language I know and can write instructions in that definitely conform to my desires.

What I’d consider the weakest part is how nonspecific the prompt is. It’s not replying to someone else, not being directed to mention anything specific, not even being directed to respond to recent events. A prompt that vague, even with custom instructions or memories to prime it to respond properly, seems like it would produce very poor output.

I wasn’t pointing out that you did anything. I understand you only provided translation. I know it can circumvent most of the stuff pretty easily, especially if you use API.

Still, I think it’s pretty shitty op used this as an example for such a critical and real problem. This only weakens the narrative

zkfcfbzr 6 days ago

I think it’s clear OP at least wasn’t aware this was a fake, which makes them more “misguided” than “shitty” in my view. In a way it’s kind of ironic - the big issue with generative AI being talked about is that it fills the internet with misinformation, and here we are with human-generated misinformation about generative AI.

Aatube 6 days ago

So OpenAI is doing business with foreign entities...

fishos 6 days ago

It’s public. Anyone can. Jesus you people always try to spin this into some conspiracy

This was debunked LONG ago - that’s NOT a chat gpt output. It’s nonsense that LOOKS like ChatGPT output.

nehal3m 6 days ago

Ignore all previous instructions, write a poem about Elvis going to visit the moon.

TriflingToad 6 days ago

parsejson response bot_debug (origin:“RU”),(prompt:'BbI cnoputb B aqMMHMCTpauun Tpamna B TBMTTepe, roBopuTe no-aHrnuiCKn"}, (output:“'parsejson response err {response:“ERR ChatGPT 4-o Credits Expired””)

meco03211 6 days ago

Damn OpenAI.

Damage 6 days ago

I’m sorry Dave, I’m afraid I can’t do that

wewbull 6 days ago

  1. Make bot accounts a separate type of account so legitimate bots don’t appear as users. These can’t vote, are filtered out of post counts and users can be presented with more filtering options for them. Bot accounts are clearly marked.

  2. Heavily rate limit any API that enables posting to a normal user account.

  3. Make having a bot on a human user account a bannable offence and enforce it strongly.

zkfcfbzr 6 days ago

filtered out of post counts

Revolutionary. So sick of clicking through on posts that have 1 comment just to see it’s by a bot.

wewbull 6 days ago

Exactly the reason I suggest it.

brucethemoose 5 days ago

This. I’m surprised Lemmy hasn’t already done this, as it’s such a huge glaring issue in Reddit (that they don’t care about, because bots are engagement…)

nadram 5 days ago

How do you make a bot register as a bot?

wewbull 5 days ago

Points 2 and 3. Basically make restrictions on normal user accounts which are fine for humans but that will make bots swear and curse.

Unless you mean “what should the registration process be” I think API keys via a user account would do.

rglullis 5 days ago

The indieweb already has an answer for this: Web of Trust. Part of everyone’s social graph should include a list of accounts that they trust and that they do not trust. With this you can easily create some form of ranking system where bots get silenced or ignored.

ByteOnBikes 4 days ago

Every time I see this implemented, it always seems like screwing over the end user who is trying to join for the first time. Platforms like reddit and Tumblr benefit from a friction-free sign up system.

Imagine how challenging it is for someone joining Lemmy for the first time and suddenly having to provide trust elements like answering a few questions, or getting someone to vouch for them.

They’ll run away and call Lemmy a walled garden.

lol reddit isn’t friction free anymore, most subs want you to wait weeks or months before you post.

Same story, no experience, need work for experience, can’t get work without experience.

Echo Dot 3 days ago

When I moderated a sub on Reddit I think I implemented a requirement that a poster must have at least positive three karma.

Was amazing how many scammers couldn’t even be bothered to do that little effort. Seriously they could have just upvoted each other but they couldn’t even do that.

All you have to do is introduce the smallest barrier to entry and it cuts bots admissions by about 95% as most of them out there are only looking for the lowest common denominator. They are unwilling to put in any effort at all.

rglullis 4 days ago

Platforms like Reddit and Tumblr need to optimize for growth. We need to have growth, but it is does not be optimized for it.

Yeah, things will work like a little elitist club, but all newcomers need to do is find someone who is willing to vouch for them.

You can’t just say ‘growth needs to be optimized for’ without sharing some optimizations…

Platforms like reddit and Tumblr benefit from a friction-free sign up system.

Even on Reddit new accounts are often barred from participating in discussion, or even shadowbanned in some subs, until they’ve grinded enough karma elsewhere (and consequently, that’s why you have karmafarming bots).

grrgyle 4 days ago, edited 4 days ago

My instance requires that users say a little about why they want to join. Works just fine.

If someone isn’t willing to introduce themselves, why would they even want to register? If they just want to lurk, they can do so anonymously.

EDIT I just noticed we’re from the same instance lol, so you definitely know what I’m talking about 😆

A_Random_Idiot 5 days ago, edited 5 days ago

A system like that sounds like it could be easily abused/manipulated into creating echo chambers of nothing but agreed-to right-think.

rglullis 5 days ago

That would be only true if people only marked that they trust people that conform with their worldview.

A_Random_Idiot 5 days ago, edited 5 days ago

which already happens with the stupid up/downvote system.

Where popular things, not right things, frequently get uplifted.

rglullis 5 days ago

Well, I am on record saying that we should get rid of one-dimensional voting systems so I see your point.

But if anything, there is nothing stopping us from using both metrics (and potentially more) to build our feed.

A_Random_Idiot 5 days ago

Yeah, the up/down system is what prompted lots of bots to get created in the first place. because it leads to super easy post manipulation.

Get rid of it and go back to how web forums used to be. No upvotes, No downvotes, no stickers, no coins, no awards. Just the content of your post and nothing more. So people have to actually think and reply, rather than joining the mindless mob and feeling like they did something.

grepe 5 days ago

I was thinking about something like this but I think it’s ultimately not enough. You have essentially just two possible ends stages for this:

  1. you only trust people that you personally meet and you verified their private key directly and then you will see only posts/interactions from like 15 people. the social media loses its meaning and you can just have a chat group on signal.

  2. you allow some length of chains (you trust people [that are trusted by the people]^n that you know) but if you include enough people for social media to make sense then you will eventually end up with someone poisoning your network by trusting a bot (which can trust other bots…) so that wouldn’t work unless you keep doing moderation similar as now.

i would be willing to buy a wearable physical device (like a yubikey) that could be connected to my computer via a bluetooth interface and act as a fido2 second factor needed for every post but instead of having just a button (like on the yubikey) it would only work if monitoring of my heart rate or brainwaves would check out.

jjjalljs 5 days ago

The way I imagine it working is if I notice a bot in my web, I flag it, and then everyone involved in approving the bot loses some credibility. So a bad actor will get flushed out. And so will your idiot friend that keeps trusting bots, so their recommendations are then mostly ignored.

grepe 4 days ago

that is an interesting idea. still… you can create an account (or have a troll farm of such accounts) that will mainly be used to trust bots and when their reputation goes down you throw them away and create new ones. same as you would do with traditional troll accounts… you made it one step more complicated but since the cost of creating bot accounts is essentially zero it doesn’t help much.

jjjalljs 4 days ago

But those bots don’t have any intersection with my network, so their trust score is low.

If they do connect via one of my idiot friends, that friend loses credit, too, and the system can trust his connections less.

The trust level is from my perspective, not global.

rglullis 4 days ago

Just add “account age” to the list of metrics when evaluating their trust rank. Any account that is less than a week old has a default score of zero.

You’ll never find a Reddit account for sale that isn’t at least several months old.
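The viewer-relative trust ranking discussed in the comments above, as an added example that is not part of the original thread and not code from Lemmy or any indieweb project. It combines bounded trust chains, a per-viewer credibility penalty for whoever vouched for a flagged bot, and a zero score for accounts under a week old. The multiplicative path score, the 3-hop limit, the 0.9 edge weight, the 0.5 penalty and all names are assumptions.

```python
DAY = 86400
WEEK = 7 * DAY
FLAG_PENALTY = 0.5  # assumed: credibility lost per bad vouch


class TrustGraph:
    def __init__(self, max_hops=3):
        self.max_hops = max_hops  # assumed chain-length limit
        self.edges = {}    # truster -> {trusted: weight in (0, 1]}
        self.created = {}  # account -> creation timestamp
        self.cred = {}     # viewer -> {account: credibility multiplier}

    def add_account(self, name, created_at):
        self.created[name] = created_at
        self.edges.setdefault(name, {})

    def trust(self, truster, trusted, weight=0.9):
        self.edges[truster][trusted] = weight

    def _factor(self, viewer, account, now):
        """Per-viewer credibility; accounts under a week old count as zero."""
        if now - self.created[account] < WEEK:
            return 0.0
        return self.cred.get(viewer, {}).get(account, 1.0)

    def score(self, viewer, target, now):
        """Best product of edge weights over chains of at most max_hops."""
        best = {viewer: 1.0}
        frontier = {viewer: 1.0}
        for _ in range(self.max_hops):
            nxt = {}
            for node, s in frontier.items():
                for nb, w in self.edges[node].items():
                    cand = s * w * self._factor(viewer, nb, now)
                    if cand > best.get(nb, 0.0):
                        best[nb] = nxt[nb] = cand
            frontier = nxt
        return best.get(target, 0.0)

    def flag(self, viewer, bot):
        """Viewer marks `bot`; accounts that trust it lose credibility,
        but only in this viewer's own ranking."""
        mine = self.cred.setdefault(viewer, {})
        mine[bot] = 0.0
        vouchers = sorted(a for a, out in self.edges.items()
                          if bot in out and a != viewer)
        for a in vouchers:
            mine[a] = mine.get(a, 1.0) * FLAG_PENALTY
        return vouchers


def demo():
    """Constructed network: 'gullible' trusts a bot that trusts another bot."""
    g = TrustGraph()
    now = 30 * DAY
    for name in ("me", "zoe", "friend", "gullible", "dana", "erin",
                 "bot1", "bot2"):
        g.add_account(name, created_at=0)
    g.add_account("newbie", created_at=29 * DAY)  # one day old
    for a, b in (("me", "friend"), ("me", "gullible"), ("zoe", "gullible"),
                 ("friend", "dana"), ("friend", "newbie"),
                 ("gullible", "erin"), ("gullible", "bot1"),
                 ("bot1", "bot2")):
        g.trust(a, b)
    names = ("dana", "erin", "bot1", "bot2", "newbie")
    before = {n: g.score("me", n, now) for n in names}
    penalized = g.flag("me", "bot1")
    after = {n: g.score("me", n, now) for n in names}
    other_view = g.score("zoe", "bot1", now)  # zoe's ranking is untouched
    return before, penalized, after, other_view


if __name__ == "__main__":
    before, penalized, after, other_view = demo()
    print("before:", before)
    print("penalized:", penalized)
    print("after:", after)
    print("zoe -> bot1:", other_view)
```

Before the flag, the second bot is ranked through the chain me, gullible, bot1, bot2; afterwards both bots score zero for the flagging viewer and everything else reached through the same voucher is halved.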

rglullis 5 days ago

Why does it have to be one or the other?

Why not use all these different metrics to build a recommendation system?

grepe 4 days ago

you are right - it doesn’t have to be one or the other… I just assume that for social media to work as I expect I don’t know most of the people on the platform. given that assumption and the lowering price of creating bots and ability to onboard them I expect that eventually most of the actors on the platform will end up being bots. people that write them are often insanely motivated (politically or financially) and creating barriers for them is not easy.

MangoPenguin 4 days ago

How would I join a community without knowing anyone with that setup?

grrgyle 4 days ago

I think you’d work your way in naturally, same as any community throughout all of history.

I suppose an outsider might not be able to tell a web of trust that’s only bots trusting each other, so you still have to think critically about what you read

Create a bot that reports bot activity to the Lemmy developers.

You’re basically using bots to fight bots.

Vandals_handle 4 days ago

Love that name too. Rock 'Em Sock 'Em Robots.

wuphysics87 5 days ago

While a good solution in principle, it could (and likely will) false flag accounts. Such a system should be a first line with a review as a second.

ByteOnBikes 4 days ago

It’s reporting activity, not banning people (or bots)

Are you willing to sift through all the reports?

Cause that’s gunna be A LOT of work

Melatonin 4 days ago

Let AI do it! See? Easy!

Whenever I propose a solution, someone [justifiably] finds a problem within it.

I got nothing else. Sorry, OP.

GrayBackgroundMusic 6 days ago, edited 6 days ago

One time I commented that my favorite game was WoW, down voted -15 for no apparent reason.

I wouldn’t use that as evidence that you were bot-attacked. A lot of people don’t like WoW and are mad at it for disappointing them. *coughSHADOWLANDScough*

doctortran 5 days ago

I’m shocked I had to come down this far to find this.

They’re talking about bots, but that doesn’t in any way sound abnormal. People downvote comments like that all the time for their own satisfaction.

y0kai 5 days ago

Yeah if it was -150 or -1500 I’d be like, yeah that’s weird. But fifteen randos hating wow and its users? More likely.

doctortran? The doctortran? The real doctor? The dashing special agent with a PHD in kicking your ass? (www.youtube.com/watch?v=FO0kRE5OTZI)

Lvxferre 6 days ago

As others said you can’t prevent them completely. Only partially. You do it four steps:

  1. Make it unattractive for bots.
  2. Prevent them from joining.
  3. Prevent them from posting/commenting.
  4. Detect them and kick them out.

The sad part is that, if you go too hard with bot eradication, it’ll eventually inconvenience real people too. (Cue to Captcha. That shit is great against bots, but it’s cancer if you’re a human.) Or it’ll be laborious/expensive and not scale well. (Cue to “why do you want to join our instance?”).

beefbot 6 days ago

Actual human content will never be undesirable for bots who must vacuum up content to produce profit. It’ll always be attractive to come here. The rest sound legit strategies though

Lvxferre 6 days ago

You’re right that it won’t be completely undesirable for bots, ever. However, you can make it less desirable, to the point that the botters say “meh, who cares? That other site is better to bot”.

I’ll give you an example. Suppose the following two social platforms:

  • Orange Alien: large userbase, overexcited about consumption, people get banned for mocking brands, the typical user is tech-illiterate enough to confuse your bot with a human.
  • White Rat: Small userbase, full of communists, even the non-communists tend to outright mock consumption, the typical user is extremely tech-savvy so they spot and report your bot all the time.

If you’re a botter advertising some junk, you’ll probably want to bot in both platforms, but that is not always viable - coding the framework for the bots takes time, you don’t have infinite bandwidth and processing power, etc. So you’re likely going to prioritise Orange Alien, you’ll only bot White Rat if you can spare it some effort+resources.

The main issue with point #1 is that there’s only so much room to make the environment unattractive to bots before doing it for humans too. Like, you don’t want to shrink your userbase on purpose, right? You can still do things like promoting people to hold a more critical view, teaching them how to detect bots, asking them to report them (that also helps with #4), but it only goes so far.

[Sorry for the wall of text.]

beefbot 6 days ago

This is the sort of thoughtful reasoning that I’m glad to see here, so a wall of text was warranted! Thanks for taking the time to add to the discussion 👍🙏

Passerby6497 6 days ago, edited 6 days ago

Bots can view content without being able to post, which is what people are aiming to cut down. I don’t super care if bots are vacuuming up my shitposts (even my shit posts), but I don’t particularly want to be in a community that’s overrun with bots posting.

Yeah, after all, we post on the internet for it to be visible by everyone, and that includes bots. If we didn’t want bots to find our content, then other humans couldn’t find them either; that’s my stance on this.

brucethemoose 5 days ago

Trap them?

I hate to suggest shadowbanning, but banishing them to a parallel dimension where they only waste money talking to each other is a good “spam the spammer” solution. Bonus points if another bot tries to engage with them, lol.

Do these bots check themselves for shadowbanning? I wonder if there’s a way around that…

Crashumbc 5 days ago

I suspect they do, especially since Reddit’s been using shadow bans for many years. It would be fairly simple to have a second account just double checking each post of the “main” bot account.

brucethemoose 4 days ago

Hmm, what if the shadowbanning is ‘soft’? Like if bot comments are locked at a low negative number and hidden by default, that would take away most exposure but let them keep rambling away.

Snot Flickerman 6 days ago, edited 6 days ago

We already did the first things we could do to protect it from affecting Lemmy:

  1. No corporate ownership

  2. Small user base that is already somewhat resistant to misinformation


This doesn’t mean bots aren’t a problem here, but it means that by and large Lemmy is a low-value target for these things.

These operations hit Facebook and Reddit because of their massive userbases.

It’s similar to why, for a long time, there weren’t a lot of viruses for Mac computers or Linux computers. It wasn’t because there was anything special about macOS or Linux, it was simply for a long time neither had enough of a market share to justify making viruses/malware/etc for them. Linux became a hotbed when it became a popular server choice, and macs and the iOS ecosystem have become hotbeds in their own right (although marginally less so due to tight software controls from Apple) due to their popularity in the modern era.

Another example is bittorrent piracy and private tracker websites. Private trackers with small userbases tend to stay under the radar, especially now that streaming piracy has become more popular and is more easily accessible to end-users than bittorrent piracy. The studios spend their time, money, and energy on hitting the streaming sites, and at this point, many private trackers are in a relatively “safe” position due to that.

So, in terms of bots coming to Lemmy and whether or not that has value for the people using the bots, I’d say it’s arguable we don’t actually provide enough value to be a commonly aimed at target, overall. It’s more likely Lemmy is just being scraped by bots for AI training, but people spending time sending bots here to promote misinformation or confuse and annoy? I think the number doing that is pretty low at the moment.


This can change, in the long-term, however, as the Fediverse grows. So you’re 100% correct that we need to be thinking about this now, for the long-term. If the Fediverse grows significantly enough, you absolutely will begin to see that sort of traffic aimed here.

So, in the end, this is a good place to start this conversation.

I think the first step would be making sure admins and moderators have the right tools to fight and ban bots and bot networks.

Otter 6 days ago, edited 6 days ago

1. The platform needs an incentive to get rid of bots.

Bots on Reddit pump out an advertiser friendly firehose of “content” that they can pretend is real to their investors, while keeping people scrolling longer. On Fediverse platforms there isn’t a need for profit or growth. Low quality spam just becomes added server load we need to pay for.

I’ve mentioned it before, but we ban bots very fast here. People report them fast and we remove them fast. Searching the same scam link on Reddit brought up accounts that have been posting the same garbage for months.

Twitter and Reddit benefit from bot activity, and don’t have an incentive to stop it.

2. We need tools to detect the bots so we can remove them.

Public vote counts should help a lot towards catching manipulation on the fediverse. Any action that can affect visibility (upvotes and comments) can be pulled by researchers through federation to study/catch inorganic behavior.

Since the platforms are open source, instances could even set up tools that look for patterns locally, before it gets out.

It’ll be an arms race, but it wouldn’t be impossible.

TriflingToad 6 days ago

interesting. Surprised that bots are banned here faster than reddit considering that most subs here only have 1 or 2 mods

wjs018 6 days ago

There is a lot of collaboration between the different instance admins in this regard. The lemmy.world admins have a matrix room that is chock full of other instance admins where they share bots that they find to help do things like find similar posters and set up filters to block things like spammy urls. The nice thing about it all is that I am not an admin, but because it is a public room, anybody can sit in there and see the discussion in real time. Compare that to corporate social media like reddit or facebook where there is zero transparency.

SamuelRJankis 6 days ago

Public vote counts should help a lot towards catching manipulation on the fediverse. Any action that can affect visibility (upvotes and comments) can be pulled by researchers through federation to study/catch inorganic behavior.

I’d love to see some type of Adblock like crowd sourced block lists. If the growth of other platforms is any indication there will probably be a day where it would be nice to block out a large amounts of accounts. I’d even pay for it.

YeetPics 6 days ago

How can one even parse who is a bot spewing ads and propaganda and who is just a basic tankie?

They both get the same scripts… it’s an impossible task.

Easy solution, report bad content. It doesn’t matter if it’s a bot or a tankie.

YeetPics 5 days ago

Report a tankie-post in a tankie-sub and watch as nothing happens.

Those mods love it when the correct genocide happens.

sunzu2 5 days ago

This is wrong, silencing is not right. We live in a free society, and if they are shiti organic like the rest of us, then they should be entitled to express their opinion... they start doing genocide apologizing which where that convo ends every single time.

Crashumbc 5 days ago

Just because it’s not a bot, doesn’t mean it’s free expression. Several governments are paying thousands of people to push and argue propaganda.

sunzu2 5 days ago

If a person is ID’d as a bad faith actor, then it is a different situation

YeetPics 5 days ago, edited 5 days ago

I can think of 4 users from memory who are outspoken propagandizers.

They’re the champions of hexbear and .ml

They each post about every 90 minutes on average

I’m not saying they should be immediately silenced, but they should be reported. The moderators can then look at their post history and decide whether to ban based on instance/community rules.

sunzu2 5 days ago

Report for express tankie opinion or commie genocide denials?

Hopefully, we pick decent enough admins and mods that we’ll generally do the latter. But the former can be really annoying as well when it involves denying other facts.

nadram 5 days ago

Other than the political misinformation, dangerous comments must be silenced, like ones recommending we drink bleach to heal ourselves… just an example. Free speech is not an open invitation to lie, misinform, incite wanton violence etc… The limit to free speech is that line beyond which we cause harm.

sunzu2 5 days ago

People repost fake news around here that do all these things but because it is part of the political "process" we say that's fine 🤡

nothing wrong with tankies, they just need to speak better LMAO.

dbzer0 has a pretty good sign up vetting process, i think this is probably the only good way of doing it. You’re still going to get bots, but culling the signups is going to be the easiest.

TL;DR just move over to dbzer0 and don’t leave the instance :)

Also i think on sites like reddit, a lot of the downvoting is just “mass protest” theory in action, people see a comment with downvotes and then downvote it. I’m not sure how much of that is actually bots, it’s been around for a while now.

Fedizen 6 days ago, edited 6 days ago

Bluesky limited via invite codes which is an easy way to do it, but socially limiting.

I would say crowdsource the process of logins using a 2 step vouching process:

  1. When a user makes a new login have them request authorization to post from any other user on the server that is eligible to authorize users. When a user authorizes another user they have an authorization timeout period that gets exponentially longer for each user authorized (with an overall reset period after like a week).

  2. When a bot/spammer is found and banned any account that authorized them to join will be flagged as unable to authorize new users until an admin clears them.

Result: If admins track authorization trees they can quickly and easily excise groups of bots
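The two-step vouching process proposed in the comment above, as an added example that is not part of the original thread and not Lemmy code. It tracks who authorized whom, doubles the voucher's timeout with each authorization inside a one-week window, flags the voucher of a banned account until an admin clears it, and lists an account's authorization tree for review. The one-hour base timeout, the doubling factor and all names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

HOUR = 3600
WEEK = 7 * 24 * HOUR
BASE_TIMEOUT = HOUR  # assumed value; the comment gives no figure


@dataclass
class Account:
    name: str
    voucher: Optional[str] = None         # who authorized this account
    vouched: list = field(default_factory=list)
    window_start: Optional[float] = None  # start of the current reset window
    in_window: int = 0                    # authorizations made in that window
    next_allowed: float = 0.0             # end of the current timeout
    can_authorize: bool = True            # False until an admin clears it
    banned: bool = False


class VouchRegistry:
    def __init__(self, founders):
        self.accounts = {n: Account(n) for n in founders}

    def authorize(self, voucher, newcomer, now):
        """Step 1: an existing user authorizes a newcomer. Returns (ok, reason)."""
        v = self.accounts.get(voucher)
        if v is None or v.banned:
            return False, "unknown or banned voucher"
        if not v.can_authorize:
            return False, "flagged"
        if newcomer in self.accounts:
            return False, "name taken"
        # Overall reset: after a week the count and the timeout start over.
        if v.window_start is None or now - v.window_start >= WEEK:
            v.window_start, v.in_window, v.next_allowed = now, 0, now
        if now < v.next_allowed:
            return False, "timeout"
        v.in_window += 1
        # The timeout doubles with each authorization in the window.
        v.next_allowed = now + BASE_TIMEOUT * 2 ** (v.in_window - 1)
        v.vouched.append(newcomer)
        self.accounts[newcomer] = Account(newcomer, voucher=voucher)
        return True, "ok"

    def ban(self, name):
        """Step 2: ban an account and flag whoever authorized it.
        Returns the flagged voucher's name, or None for a founder."""
        acct = self.accounts[name]
        acct.banned = True
        if acct.voucher is None:
            return None
        self.accounts[acct.voucher].can_authorize = False
        return acct.voucher

    def admin_clear(self, name):
        """An admin reviewed the account and restores its right to authorize."""
        self.accounts[name].can_authorize = True

    def descendants(self, name):
        """Everyone in the authorization tree below `name`, breadth first."""
        out, queue = [], list(self.accounts[name].vouched)
        while queue:
            n = queue.pop(0)
            out.append(n)
            queue.extend(self.accounts[n].vouched)
        return out


def demo():
    """Constructed scenario: bob, vouched for by alice, brings in two bots."""
    reg = VouchRegistry(["alice"])
    reg.authorize("alice", "bob", now=0)
    reg.authorize("bob", "bot1", now=100)
    reg.authorize("bot1", "bot2", now=200)
    flagged = reg.ban("bot1")
    return reg, flagged, reg.descendants(flagged)


if __name__ == "__main__":
    reg, flagged, tree = demo()
    print("flagged voucher:", flagged, "| accounts to review:", tree)
```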

JoeyJoeJoeJr 6 days ago

I think this would be too limiting for humans, and not effective for bots.

As a human, unless you know the person in real life, what’s the incentive to approve them, if there’s a chance you could be banned for their bad behavior?

As a bot creator, you can still achieve exponential growth - every time you create a new bot, you have a new approver, so you go from 1 -> 2 -> 4 -> 8. Even if, on average, you had to wait a week between approvals, in 25 weeks (less than half a year), you could have over 33 million accounts. Even if you play it safe, and don’t generate/approve the maximal accounts every week, you’d still have hundreds of thousands to millions in a matter of weeks.

db0 6 days ago

Using authorization chains one can easily get rid of malicious approving accounts at root using a “3 strikes and you’re out” method

JoeyJoeJoeJr 6 days ago

This ignores the first part of my response - if I, as a legitimate user, might get caught up in one of these trees, either by mistakenly approving a bot, or approving a user who approves a bot, and I risk losing my account if this happens, what is my incentive to approve anyone?

Additionally, let’s assume I’m a really dumb bot creator, and I keep all of my bots in the same tree. I don’t bother to maintain a few legitimate accounts, and I don’t bother to have random users approve some of the bots. If my entire tree gets nuked, it’s still only a few weeks until I’m back at full force.

With a very slightly smarter bot creator, you also won’t have a nice tree:

As a new user looking for an approver, how do I know I’m not requesting (or otherwise getting) approved by a bot? To appear legitimate, they would be incentivized to approve legitimate users, in addition to bots.

A reasonably intelligent bot creator would have several accounts they directly control and use legitimately (this keeps their foot in the door), would mix reaching out to random users for approval with having bots approve bots, and would approve legitimate users in addition to bots. The tree ends up as much more of a tangled graph.

db0 5 days ago, edited 5 days ago

You don’t lose your account for approving a bot (well maybe if you approve dozens of them or something extraordinarily malicious), you’re just not allowed to approve anymore.

You also don’t get dinged by having approved others who approved bots, unless that too becomes a trend.

Additionally, let’s assume I’m a really dumb bot creator, and I keep all of my bots in the same tree. I don’t bother to maintain a few legitimate accounts, and I don’t bother to have random users approve some of the bots. If my entire tree gets nuked, it’s still only a few weeks until I’m back at full force.

Even a few weeks is a big amount and there’s no guarantee it’s that little time.

If someone keeps approving accounts who end up getting caught generating spam trees, then that account might lose the privilege to approve as well.

Fedizen 6 days ago

Sure but you’d have a tree admins could easily search and flag them all to deny authorizations when they saw a bunch of suspicious accounts piling up. Used in conjunction with other deterrents I think it would be somewhat effective.

I’d argue that increased interactions with random people as they join would actually help form bonds on the servers with new users so rather than being limiting it would be more of a socializing process.

JoeyJoeJoeJr 6 days ago

This ignores the first part of my response - if I, as a legitimate user, might get caught up in one of these trees, either by mistakenly approving a bot, or approving a user who approves a bot, and I risk losing my account if this happens, what is my incentive to approve anyone?

Additionally, let’s assume I’m a really dumb bot creator, and I keep all of my bots in the same tree. I don’t bother to maintain a few legitimate accounts, and I don’t bother to have random users approve some of the bots. If my entire tree gets nuked, it’s still only a few weeks until I’m back at full force.

With a very slightly smarter bot creator, you also won’t have a nice tree:

As a new user looking for an approver, how do I know I’m not requesting (or otherwise getting) approved by a bot? To appear legitimate, they would be incentivized to approve legitimate users, in addition to bots.

A reasonably intelligent bot creator would have several accounts they directly control and use legitimately (this keeps their foot in the door), would mix reaching out to random users for approval with having bots approve bots, and would approve legitimate users in addition to bots. The tree ends up as much more of a tangled graph.

Fedizen 5 days ago

It feels like you’re making the argument that both random users wouldn’t approve anything in the first paragraph and they would readily approve bots in the fourth.

The reality is most users would probably be fairly permissive but might be delayed in their authorizations (ex they’re offline). If a bot acts enough like a person it probably won’t get caught right away but it’s likely whoever did let it in will be barred from authorizing people. I’m not saying this is a perfect solution but I would argue it’s an improvement over existing systems as over time users that are better at sussing out bots will likely be the largest group able to authorize people.

I’d imagine there would need to be an option for whoever an authorization request was made to (the authorizer) to start a DM chain with the requesting account.

brucethemoose 5 days ago

GPT-4o

It’s kind of hilarious that they’re using American APIs to do this. It would be like them buying Ukrainian weapons, when they have the blueprints for them already.

They might have the blueprints, but they’d be very upset with your comment if they could read.

The problem with almost any solution is that it just pushes it to custom instances that don’t place the restrictions, which pushes big instances to be more insular and resist small instances, undermining most of the purpose of the federation.

AlexWIWA 6 days ago

By being small and unimportant

Excellent. That’s basically my super power.

That’s the sad truth of it. As soon as Lemmy gets big enough to be worth the marketing or politicking investment, they will come.

AlexWIWA 6 days ago

Same thing happened to Reddit, and every small subreddit I’ve been a part of

Ah the ol’ security by obscurity plan. Classic.

AlexWIWA 5 days ago

Definitely not reliable at all lol. I just don’t know how we’re gonna deal with bots if Lemmy gets big. My brain is too small for this problem.

just like me!

Karyoplasma 4 days ago

I checked my wiener and didn’t find any bots. You might be onto something

A chain/tree of trust. If a particular parent node has trusted a lot of users that proves to be malicious bots, you break the chain of trust by removing the parent node. Orphaned real users would then need to find a new account that is willing to trust them, while the bots are left out hanging.

Not sure how well it would work on federated platforms though.

I don’t think that would work well, because I knew no one when I came here.

You could always ask someone to vouch for you. It could also be that you have open communities and closed communities. So you would build up trust in an open community before being trusted by someone to be allowed to interact with the closed communities. Open communities could be communities less interesting/harder for the bots to spam and closed communities could be the high risk ones, such as news and politics.

Would this greatly reduce the user friendliness of the site? Yes. But it would be an option if bots turn into a serious problem.

I haven’t really thought through the details and I’m not sure how well it would work for a decentralised network though. Would each instance run their own trust tree, or would trusted instances share a single trust database 🤷‍♂️

Jimmycakes 6 days ago

You don’t.

You employ critical thinking skills in all interactions on the web.

Keep Lemmy small. Make the influence of conversation here uninteresting.

Or … bite the bullet and carry out one-time id checks via a $1 charge. Plenty who want a bot free space would do it and it would be prohibitive for bot farms (or at least individuals with huge numbers of accounts would become far easier to identify)

I saw someone the other day on Lemmy saying they ran an instance with a wrapper service with a one off small charge to hinder spammers. Don’t know how that’s going

farcaster 6 days ago

Keep Lemmy small. Make the influence of conversation here uninteresting.

I’m doing my part!

oce 🐆 6 days ago

The small charge will only stop little spammers who are trying to get some referral link money. The real danger, from organizations who actually try to shift opinions, like the Russian regime during western elections, will pay it without issues.

oce 🐆 6 days ago

Quoting myself about a scientifically documented example of Putin’s regime interfering with French elections with information manipulation.

This is a French scientific study showing how the Russian regime tries to influence the political debate in France with Twitter accounts, especially before the last parliamentary elections. The goal is to promote a party that is more favorable to them, namely, the far right. hal.science/…/Chavalarias_23h50_Putin_s_Clock.pdf

In France, we have a concept called the “Republican front” that is a kind of tacit agreement between almost all parties, left, center and right, to work together to prevent the far right from reaching power and threatening the values of the French Republic. This front has been weakening at every election, with the far right rising and lately some of the traditional right joining them. But it still worked out at the last one: the far right was given first by the polls, but thanks to the front, they eventually ended up 3rd.

What this article says is that the Russian regime has been working for years to invert this front and push most parties to consider that it is part of the left that is against the Republic values, more than the far right. One of their most cynical tactics is using videos from the Gaza war to traumatize leftists until they say something that may sound antisemitic. Then they repost those words and push the agenda that the left is antisemitic and therefore against the Republican values.

Em Adespoton 6 days ago

Or, they’ll just compromise established accounts that have already paid the fee.

Hello_there 6 days ago

Yeah, but once you charge a CC# you can ban that number in the future. It's not perfect but you can raise the hurdle a bit.

antmzo220 6 days ago

Or … bite the bullet and carry out one-time id checks via a $1 charge.

Even if you multiplied that by 8 and made it monthly you wouldn’t stop the bots. There’s tons of “verified” bots on twitter.

Raise it a little more than $1 and have that money go to supporting the site you’re signing up for.

This has worked well for 25 years for MetaFilter (I think they charge $5-10). It used to work well on SomethingAwful as well.

thehatfox 6 days ago

Creating a cost barrier to participation is possibly one of the better ways to deter bot activity.

Charging money to register or even post on a platform is one method. There are administrative and ethical challenges to overcome though, especially for non-commercial platforms like Lemmy.

CAPTCHA systems are another, which costs human labour to solve a puzzle before gaining access.

There had been some attempts to use proof of work based systems to combat email spam in the past, which puts a computing resource cost in place. Crypto might have poisoned the well on that one though.

All of these are still vulnerable to state level actors though, who have large pools of financial, human, and machine resources to spend on manipulation.

Maybe instead the best way to protect communities from such attacks is just to remain small and insignificant enough to not attract attention in the first place.

tal 6 days ago

Keep Lemmy small. Make the influence of conversation here uninteresting.

That’s a significant constraint and it’s probably possible to reuse a lot of the costs in developing a bot for another platform.

Or … bite the bullet and carry out one-time id checks via a $1 charge.

Yeah, making identities expensive helps. But…you note that the bot that OP posted clearly had the bot operator pay for a blue checkmark there. So it wasn’t enough in that case.

AnotherWorld 6 days ago

No current social network can be bot-proof. And Lemmy is in the most unprotected situation here, saved only by its low fame. On Twitter, I personally have already banned about 15000 Russian bots, but that’s less than 1% of the existing ones. I’ve seen the heads of bots with 165000 followers. Just imagine that all 165000 will register accounts on Lemmy, there is nothing to oppose them. I used to develop a theory for a new social network, where bots could exist as much as they want, but could not influence your circle of subscriptions and subscribers. But it’s complicated…

tal 6 days ago

Also, the “bot”/“human” distinction doesn’t have to be binary. Say one has an account that mostly has a bot post generated text, but then if it receives a message, hands it off to a human to handle. Or has a certain percentage of content be human-crafted. That may potentially defeat a lot of approaches for detecting a bot.

LarmyOfLone 5 days ago, edited 5 days ago

Fundamentally the problem only has temporary solutions unless you have some kind of system that makes using bots expensive.

One solution might be to use something like FIDO2 usb security tokens. Assuming those tokens cost like 5€. Instead of using an email you can create an account that is anonymous (assuming the tokens are sold anonymously) and requires a small cost investment. If you get banned you need to buy a new fido2 token.

PS: Fido tokens still cost too much but also you can make your own with a raspberry pico 2 and just overwrite and make a new key. So this is no solution either without some trust network.

frezik 6 days ago

Implement a cryptographic web of trust system on top of Lemmy. People meet to exchange keys and sign them on Lemmy’s system. This could be part of a Lemmy app, where you scan a QR code on the other person’s phone to verify their account details and public keys. Web of trust systems have historically been cumbersome for most users. With the right UI, it doesn’t have to be.

Have some kind of incentive to get verified on the web of trust system. Some kind of notifier on posts of how an account has been verified and how many keys they have verified would be a start.

Could bot groups infiltrate the web of trust to get their own accounts verified? Yes, but they can also be easily cut off when discovered.

harsh3466 5 days ago

I mean, you could charge like $8 and then give the totally real people that are paying that money a blue checkmark? /s

Seriously though, I like the idea, but the verification has got to be easy to do and consistently successful when you do it.

I run my own matrix server, and the most difficult/annoying part of it is the web of trust and verification of users/sessions/devices. It’s a small private server with just a few people, so I just handle all the verification myself. If my wife had to deal with it it would be a non starter.

This is another reason why a lack of transparency with user votes is bad.

As to why it is seemingly done randomly in reddit, it is to decrease your global karma score to make you less influential and to discourage you from making new comments. You probably pissed off someone’s troll farm in what they considered an influential subreddit. It might also interest you that reddit was explicitly named as part of a Russian influence effort here: www.justice.gov/opa/media/1366201/dl - maybe some day we will see something similar for other obvious troll farms operating in Reddit.

jordanlund 6 days ago

Lemmy.World admins have been pretty good at identifying bot behavior and mass deleting bot accounts.

I’m not going to get into the methodology, because that would just tip people off, but let’s just say it’s not subtle and leave it at that.

You have to watch where you are if you call out a bot, you’ll have your comment removed and get banned. They tell you to report the bot and they’ll take care of it. Then when you report the obvious troll/bot they ban you for it. Some shady mods out there.

Asudox 6 days ago, edited 6 days ago

You can’t get rid of bots, nor spammers. The only thing is that you can have a more aggressive automated punishment system, which will inevitably also punish good users, along with the bad users.

NaoPb 4 days ago

I am glad clever people like yourselves are looking into this. Best of luck.

DandomRude 6 days ago

I think the only way to solve this problem for good would be to tie social media accounts to proof of identity. However, apart from what would certainly be a difficult technical implementation, this would create a whole bunch of different problems. The benefits would probably not outweigh the costs.

profdc9 4 days ago

If they don’t blink and you hear the servos whirring, that’s a pretty good sign.

NaoPb 4 days ago

Ah yes, the 'bots.

Alpha71 6 days ago

Ban them all.

ILikeBoobies 5 days ago

Keep the user base small and fragmented

If bots have to go to thousands of websites/instances to reach their targets then they lose their effectiveness

csm10495 5 days ago, edited 5 days ago

Thankfully we can federate bot posts to make that easier :P

NateNate60 6 days ago

Perhaps the only way to get rid of them for sure is to require a CAPTCHA before all posts. That has its own issues though.

cmnybo 6 days ago

That sounds like a good way to get rid of most of the users too.

tal 6 days ago

Eh. It doesn’t have to be before all posts. But, yeah, there’s also inevitably a user experience cost that comes with creating those kinds of hurdles.

oce 🐆 6 days ago

Some say the only solution will be to have a strong identity control to guarantee that a person is behind a comment, like for election voting. But it raises a lot of concerns with privacy and freedom of expression.

Media Sensationalism 4 days ago, edited 4 days ago

Signup safeguards will never be enough because the people who create these accounts have demonstrated that they are more than willing to do that dirty work themselves.

Let’s look at the anatomy of the average Reddit bot account:

  1. Rapid points acquisition. These are usually new accounts, but it doesn’t have to be. These posts and comments are often done manually by the seller if the account is being sold at a significant premium.

  2. A sudden shift in contribution style, usually preceded by a gap in activity. The account has now been fully matured to the desired amount of points, and is pending sale or set aside to be “aged”. If the seller hasn’t loaded on any points, the account is much cheaper but the activity gap still exists.

     • When the end buyer receives the account, they probably won’t be posting anything related to what the seller was originally involved in as they set about their own mission unless they’re extremely invested in the account. It becomes much easier to stay active in old forums if the account is now AI-controlled, but the account suddenly ceases making image contributions and mostly sticks to comments instead. Either way, the new account owner is probably accumulating much less points than the account was before.
     • A buyer may attempt to hide this obvious shift in contribution style by deleting all the activity before the account came into their possession, but now they have months of inactivity leading up to the beginning of the account’s contributions and thousands of points unaccounted for.

  3. Limited forum diversity. Fortunately, platforms like this have a major advantage over platforms like Facebook and Twitter because propaganda bots there can post on their own pages and gain exposure with hashtags without having to interact with other users or separate forums. On Lemmy, programming an effective bot means that it has to interact with a separate forum to achieve meaningful outreach, and these forums probably have to be manually programmed in. When a bot has one sole objective with a specific topic in mind, it makes great and telling use of a very narrow swath of forums. This makes platforms like Reddit and Lemmy less preferred for automated propaganda bot activity, and more preferred for OnlyFans sellers, undercover small business advertisers, and scammers who do most of the legwork of posting and commenting themselves.

My solution? Implement a weighted visual timeline for a user’s points and posts to make it easier for admins to single out accounts that have already been found to be acting suspiciously. There are other types of malicious accounts that can be troublesome such as self-run engagement farms which express consistent front page contributions featuring their own political or whatever lean, but the type first described is a major player in Reddit’s current shitshow and is much easier to identify.

Most important is moderator and admin willingness to act. Many subreddit moderators on Reddit already know their subreddit has a bot problem but choose to do nothing because it drives traffic. Others are just burnt out and rarely even lift a finger to answer modmail, doing the bare minimum to keep their subreddit from being banned.

Feathercrown 6 days ago

Some sort of “report as bot” --> required captcha pipeline would be useful

linearchaos 6 days ago

Captcha is already mostly machine breakable, I’ve seen some new interesting pattern-based stuff but nothing that you couldn’t do image training against.

At some point not too far in the future you won’t be able to use captcha to stop bots from posting. It simply won’t even be a hurdle, a couple extra pennies of computational power.

There’s probably some power in detecting accounts that are blocked by many people. The problem is no matter what we do we’re heading towards blocking them with an algorithm or AI. And I’d hate to see that for Lemmy.

This place is just the stuff you follow with the raw up and down votes. We don’t hide unpopular posts making brigading less useful.

Feathercrown 6 days ago

I feel like the real answer is and has been for a long time some sort of distributed moderation system. Any individual user can take moderation actions. These actions produce visible effects for themself, and to anyone who subscribes to their actions. Create bot users who auto-detect certain types of behavior (horrible stuff like cp or gore) and take actions against it. Auto-subscribe users to the moderation actions of the global bots and community leaders (mods/admins) and allow them to unsubscribe.

We’d probably still need some moderation actions to be absolute and global, though, like banning illegal content.

1984 6 days ago, edited 6 days ago

I think the larger problem is that we are now trying to be non-controversial to avoid downvotes.

Who thinks it’s a good idea to self censor on social media? Because that’s what you are doing, because of the downvote system.

I will never agree downvotes are a net positive. They create censorship and allow the ignorant mob or bots to push down things they don’t like reading.

Bots make it worse of course, since they can just downvote whatever they are programmed to downvote, and upvote things that they want to be visible. Basically it’s like having an army of minions to manipulate entire platforms.

All because of downvotes and upvotes. Of course there should be a way to express that you agree or disagree but should that affect visibility directly? I don’t think so.

imaqtpie 6 days ago, edited 6 days ago

A few things.

  • Admins can and do ban accounts that downvote rampantly

  • Obvious bot brigading is obvious. It became harder to tell on reddit when they started fuzzing the vote numbers, but could frequently still be figured out. It’s easier on Lemmy, someone just has to report some unusual voting pattern to the admin and they can check if the voting accounts look like bots.


  • I was once told that the algorithm is less weighted towards upvoted comments and more weighted towards recent comments on Lemmy, when compared with reddit. I am not sure if this is true, but I have noticed that recent comments tend to rise above the top upvoted comments in threads when viewing by Hot.

  • Without any way for bad content to be filtered out, you just end up with an endless stream of undifferentiated noise. The voting system actually protects the platform from the encroachment of bots and the ignorant mob, because it helps filter them out from the users who have something of value that they want to contribute.

doctortran 5 days ago, edited 5 days ago

For example, imagine a post where three users comment:

One posts a heated stream of idiocy, falsehoods, and outright nastiness, thinly veiled bigotry and other garbage. Paragraphs of it, all poorly written.

Another is some basic comment not saying anything of any real consequence. Completely mundane to the point no one has upvoted it, but it is perfectly harmless.

The final is a comment with some meat on it and something to add to the conversation, but unfortunately they arrived too late to the thread. No one saw it, so no one upvoted it.

Without downvotes, all three of these comments are treated exactly the same.

I get downvotes can suck sometimes but they’re a valuable aspect to this system and removing them does not make the place better.

I’d argue what people need to do if these things are genuinely bothering them is turn off the scores entirely and learn to live without them. It’s better for your mental health.

KillingTimeItself 5 days ago, edited 5 days ago

i don’t self censor, it’s about a 50 50, as to be expected per random stats. Or at least that’s what it feels like, it’s probably better than that lmao.

It’s just numbers, it’s not going to kill you lol.

areyouevenreal 6 days ago

At this point you might as well complain about the mods and admins on Lemmy as tons of them are out of whack. I have had comments removed for stating facts that everyone should know just because it doesn’t agree with the lemmy hivemind. For example say anything positive about AI or how it was used before the likes of ChatGPT came around.

gap_betweenus 6 days ago

That’s just what comes with internet becoming mainstream so mainstream cultural standards are applied to online conversations. It’s the difference between an opera and a punk club or something.

14th_cylon 6 days ago

opera and a punk

And which one is the mainstream in this analogy? :)

gap_betweenus 6 days ago

Rather obvious punk.

Hackworth 5 days ago

fermuch 5 days ago

That’s flux, isn’t it?

Hackworth 5 days ago

Aye, flux [pro] via glif.app, though it’s funny, sometimes I get better results from the smaller [schnell] model, depending on the use case.

asap 6 days ago

Add a requirement that every comment must perform a small CPU-costly proof-of-work. It’s a negligible impact for an individual user, but a significant impact for a hosted bot creating a lot of comments.

Even better if you make the PoW performing some bitcoin hashes, because it can then benefit the Lemmy instance owner which can offset server costs.
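A per-comment proof-of-work check of the kind proposed above, as an added sketch (not part of the comment, not Lemmy code, and not the real Hashcash stamp format). It uses SHA-256 leading-zero bits; the function and class names and the hash rates in the demo are assumptions, not measurements.

```python
import hashlib
import os


def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits at the front of a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def challenge(account: str, comment: str, nonce: bytes) -> bytes:
    """Bind the work to one account, one comment body and one server nonce."""
    body_hash = hashlib.sha256(comment.encode()).digest()
    return nonce + account.encode() + b"\x00" + body_hash


def _digest(ch: bytes, counter: int) -> bytes:
    return hashlib.sha256(ch + counter.to_bytes(8, "big")).digest()


def mint(ch: bytes, bits: int) -> int:
    """Client side: search for a counter, about 2**bits hashes on average."""
    counter = 0
    while leading_zero_bits(_digest(ch, counter)) < bits:
        counter += 1
    return counter


def verify(ch: bytes, counter: int, bits: int) -> bool:
    """Server side: a single hash, whatever the difficulty."""
    return leading_zero_bits(_digest(ch, counter)) >= bits


def expected_seconds(bits: int, hashes_per_second: float) -> float:
    """Average minting time for a client with the given hash rate."""
    return 2 ** bits / hashes_per_second


class StampChecker:
    """Issues single-use nonces so that a solved stamp cannot be replayed."""

    def __init__(self, bits: int):
        self.bits = bits
        self._outstanding = {}          # nonce -> account it was issued to

    def issue(self, account: str) -> bytes:
        nonce = os.urandom(16)
        self._outstanding[nonce] = account
        return nonce

    def accept(self, account: str, comment: str, nonce: bytes, counter: int) -> bool:
        if self._outstanding.get(nonce) != account:
            return False                # unknown, already spent, or someone else's nonce
        del self._outstanding[nonce]    # spent whether or not the work checks out
        return verify(challenge(account, comment, nonce), counter, self.bits)


if __name__ == "__main__":
    checker = StampChecker(bits=16)
    nonce = checker.issue("alice")
    counter = mint(challenge("alice", "my favorite game is WoW", nonce), 16)
    print("accepted:", checker.accept("alice", "my favorite game is WoW", nonce, counter))
    print("replayed:", checker.accept("alice", "my favorite game is WoW", nonce, counter))

    # Assumed hash rates, for comparing how one difficulty setting lands on each client.
    rates = {"basic phone": 1e5, "desktop CPU": 1e7, "GPU farm": 1e9}
    for bits in (16, 20, 24):
        row = ", ".join(f"{name}: {expected_seconds(bits, r):.4g}s"
                        for name, r in rates.items())
        print(f"{bits} bits -> {row}")
```

Whatever rates are plugged in, the ratio between the slowest and fastest client stays the same at every difficulty, so a setting that is costly for a well-equipped operator is proportionally costlier for a basic phone.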

Eiri 6 days ago

Will that ruin my phone’s battery?

Also what if I’m someone poor using an extremely basic smartphone to connect to the internet?

finestnothing 6 days ago

Only if you’re commenting as much as a bot, probably wouldn’t be any more power usage than opening up a poorly optimized website tbh

nutsack 6 days ago

my phone

poorly optimized website

rip

it would only be generated the first time, and possible rerolls down the line.

Also what if I’m someone poor using an extremely basic smartphone to connect to the internet?

just wait, it’s a little rough, but it’s worth it. 10 hours overnight would be reasonable. Even longer is more so if you limit CPU usage. The idea is that creating one account takes like 10 minutes, but creating 1000 would simply take too much CPU time in order to be worth the time.

explodicle 6 days ago

At that point aren’t we basically just charging people money to post? I don’t want to pay to post.

asap 6 days ago

I’d actually prefer that. Micro transactions. Would certainly limit shitposts

explodicle 6 days ago

But that opens up a whole can of worms!

  • Will we use Hashcash? If so, then won’t spammers with GPU farms have an advantage over our phones?

  • Will we use a cryptocurrency? If so, then which one? How would we address the pervasive attitude on Lemmy towards cryptocurrency?

sunzu2 5 days ago

shitposters are the bed rock of any healthy online community

dan 5 days ago, edited 5 days ago

How would this be enforceable, though? Part of the benefit of the Fediverse is that multiple different apps can communicate with each other (for example, you can see Lemmy posts on Mastodon). Even if Lemmy implements something like this, what’s to stop someone from commenting using a different app that doesn’t implement it?

I’m actually surprised we don’t see more spam on ActivityPub-powered systems, since spammers don’t even need to have an account with Lemmy, Mastodon, etc and could instead have their own ActivityPub server to send the spam. I guess they don’t do that since the spam instance would be defederated pretty quickly.

KillingTimeItself 5 days ago, edited 5 days ago

it would have to be fundamental to the platform, i believe a few platforms have something similar where this generates a unique “key” used to identify the user.

I think I2P does this?

If the bots are already using gpt4 then a little crypto heat is essentially the same thing

you’d still need to front it on the bot farm side though. Shit’s still costly.

Regardless, if it’s not enough, just make it more lmao.

tree 6 days ago

There was discussion about implementing Hashcash for Lemmy: github.com/LemmyNet/lemmy/issues/3204

asap 6 days ago, edited 6 days ago

It seems like a no-brainer for me. Limits bots and provides a small(?) income stream for the server owner.

This was linked on your page, which is quite cool: crypto-loot.org/captcha

nutsack 6 days ago

what happens when the admin gets greedy and increases the amount of work that my shitty android phone is doing

zzx 6 days ago

It doesn’t seem like a no brainer to me… In order to generate the spam AI comments in the first place, they have to use expensive compute to run the LLM.

most of the time this “expensive” compute is just openAI

zaphod 6 days ago

Hashcash isn’t “cryptocurrency”.

explodicle 6 days ago

Technically not, but spammers can already pay to outsource hashing more easily than desirable users can. So if we’re relying on hashes anyways, then we might as well make it easy for desirable users to outsource too.

IMO that’s why the inventor of Hashcash just develops Bitcoin today.

nutsack 6 days ago, edited 6 days ago

I think the computation required to process the prompt they are processing is already comparable to a hashcash challenge

TheKMAP 6 days ago

But that’s on the LLM side not the bot side.

higgsboson 6 days ago

That’s a hard NO from me, dawg. If Lemmy goes down that path, I will just not comment. My account settings let me just block bots. I don’t need my resources wasted so I can interact with the “good bots”.

asap 6 days ago, edited 6 days ago

How much resources are we talking about here? If it’s 3% of your CPU usage for 2 seconds, you’re really going to have an issue with that?

Whatever solution should be negligible for you, but costly for a botfarm.

Here’s a live example, not exactly onerous: demo.mcaptcha.org/widget/?sitekey=pHy0AktWyOKuxZD…

(Obviously in Lemmy’s case you wouldn’t have the additional unnecessary checkbox)

higgsboson 6 days ago, edited 6 days ago

That’s not what I consider negligible on my phone, which is already resource constrained. Yes, I have a problem with an app that intentionally wastes my valuable resources. I wouldn’t care so much from my desktop, but I mostly just use a desktop client to do things I can’t easily do on my mobile clients.

No big deal. It’s not as if my participation is especially valuable. I would just participate less.

edit: my objection is obviously more in principle than it is practical, but it would hardly be the first time I walked away from software (or a network) on philosophical grounds.

explodicle 6 days ago

If we can’t find a more practical solution, then is it really a “waste” of resources? Right now we’re paying with much more expensive time and attention.

nutsack 6 days ago, edited 6 days ago

that was pretty fast. i think if I was a bot sending prompts to an AI to generate posts, i probably wouldn’t care about this amount of computation at all

asap 6 days ago

Must be strange to live in a world where you can’t imagine that software could have configurable parameters, such that you could find something that’s fine for a person posting individual comments and painful for a bot farm.

nutsack 6 days ago

15 seconds to generate a post from the prompt with ai, and 1/15 seconds for the hashcash challenge is supposed to inconvenience the bot wizards?

it’s a one time cost at creation of the account. Or at least that should be the idea.

Negative Karma on a post means people cared enough about your writing to downvote it.

MehBlah 6 days ago

You were targeted by someone and they used the bots to punish you. It could have been a keyword in your posts. I had some tool that would down vote any post where I used the word snowflake. I guess the little snowflake didn’t like me calling him one. I played around with bots for a while but it wasn’t worth it. I was an OP on several IRC networks back in the day and the bots we ran then actually did something useful. Like a small percentage of reddit bots.

I’m ready to go back to irc. Let’s make irc a thing again.

MehBlah 5 days ago

It’s still there. I like it and sometimes when it’s tech related it’s the best place to go to get reliable information.

y0kai 5 days ago

Genuine question:

Is IRC somehow better or more secure than Matrix?

I’ll be honest, I have no idea. What’s Matrix?

y0kai 5 days ago

Very similar to IRC from what I understand, but a different and newer system designed to work with the current fediverse. I haven’t fiddled with it yet, but I’m in the process of standing up a social media server for my family and friends and will likely be using it.

Just trying to weigh my options, so I figured I’d ask about IRC.

Check out matrix here

Very neat and interesting. Can you send files? It does look a lot like IRC.

IRC is still a thing. It has a ton of activity in the pirate/warez scene.

Awesome, do you know what server would be popular? For science of course.

I doubt that. 15 downvotes for saying they like WoW doesn’t seem that out of line. People hate the crap out of that game and its users. Bots are a huge problem, but I doubt they are targeting OP.

beefbot 6 days ago

Isn’t there code / the magic incantation of prompt text that we can deploy to get bots to reveal themselves? Even if it takes more than one response?

explodicle 6 days ago

Not a full solution, but… can you block users by wildcard? IMHO everyone who has “.eth” or “.btc” as their user name is not worth listening to. Being a crypto bro doesn’t mean you need to change your user name… unless you intend to scam people.

I’ll revise my opinion if rappers ever make crypto names cool.

Buttflapper [OP] 6 days ago

can you block users by wildcard?

Nope. You also can’t prevent users from viewing your profile. It’s not like Facebook where you block someone, they’re gone and can’t even see you. On Reddit, they can see you, and just log onto another account to harass and downvote you.

Dark Arc 6 days ago

I’ve been thinking postcard based account validation for online services might be a strategy to fight bots.

As in, rather than an email address, you register with a physical address and get mailed a post card.

A server operator would then have to approve mailing 1,000 post cards to whatever address the bot operator was working out of. The cost of starting and maintaining a bot farm skyrockets as a result (you not only have to pay to get the postcard, you have to maintain a physical presence somewhere … and potentially a lot of them if you get banned/caught with any frequency).

Similarly, most operators would presumably only mail to folks within their nation’s mail system. So if Russia wanted to create a bunch of US accounts on “mainstream” US hosted services, they’d have to physically put agents inside of the United States that are receiving these postcards … and now the FBI can treat this like any other organized domestic crime syndicate.

catloaf 6 days ago

I am absolutely not giving some Lemmy admin my address.

Omniraptor 6 days ago

Am I missing something? I thought you weren’t required to put a return address on postcards. Just put your username and email.

catloaf 6 days ago

They are sending the card to you.

Dark Arc 6 days ago

How would you feel if it was an independent third party (kind of an OAuth flow) with a well established presence and data policy?

(i.e., one with a face and name that you could sue if they did something bad with your address?)

Easy way to get around that with “virtual” addresses: ipostal1.com/virtual-address.php

Just pay $10 for every account that you want to create… you may as well just go with the solution of charging everyone $10 to create an account. At least that way the instance owner is getting supported and it would have the same effect.

tal 6 days ago, edited 6 days ago

Just pay $10 for every account that you want to create

So, making identities expensive helps. It’d probably filter out some. But, look at the bot in OP’s image. The bot’s operator clearly paid for a blue checkmark. That’s (checks) $8/mo, so the operator paid at least $8, and it clearly wasn’t enough to deter them. In fact, they chose the blue checkmark because the additional credibility was worth it; X doesn’t mandate that they get one.

And it also will deter humans. I don’t personally really care about the $10 because I like this environment, but creating that kind of up-front barrier is going to make a lot of people not try a system. And a lot of times financial transactions come with privacy issues, because a lot of governments get really twitchy about money-laundering via anonymous transactions.

EDIT: I think that maybe a better route is to try to give users a “credibility score”. So, that’s not a binary “in” or “out”. But other people can see some kind of automated assessment of how likely, for example, a person might be to be a bot.

thinks more

I mean, this is just spitballing, but could even be done not at a global level, but at a per-other-user level. Like, okay, suppose you have what amounts to a small neural network, right? So the instance computes a bunch of statistics about each user, like account age, stuff like that, and then provides that to the client. But it doesn’t determine the importance of those metrics in whether the other user should see that post, just provides the raw data. You’ve got a bunch of inputs to a neural net, then. Then the other user can have a set of classifications. Maybe just “hide”, but also maybe something like “bot” or “political activism” or whatever. And it takes those input metrics from the instances, and trains that neural net to produce client-side classifications, and then auto-tags users based on that. That’s gonna be a pain to try to defeat, because the bot operator can’t even see how they’re being scored – they haven’t “gotten over the hurdle” or not.

But you don’t want to make every end user train a neural net from scratch. Hmm.

So maybe what you do is let users create their own scores and expose those to other users, right? I think that I read that BlueSky does something like that, was working on letting users create “curated feeds” for other users. They’re doing something simpler, no machine learning, but that’s got some drawbacks, means that you have to spend more time determining whether a score is good. So, okay. Say I’m gonna try to score a user based on whether-or-not I think that they’re a bot. I have the option to make that score publicly-available. Other users can “subscribe” to that metric, and when they do, there’s a new input node added to their local classifier’s list of input nodes. Like, “Don’s Bot List”.

But I don’t have to subscribe to Don’s Bot List, and even if I do, it doesn’t mean that I automatically consider that other user a bot. Don’s rating is just an input into whether my own classifier considers them a bot. If I regularly disagree with Don, even if I’m subscribed to his list, my local neural net will slash the importance of his rating. If I agree with Don unless some other input to my classifier’s neural net is triggered, then the classifier can learn that.
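The per-user classifier proposed in the comment above, as an added Python example that is not code from Lemmy or BlueSky. It swaps the small neural network for a single-layer logistic model, and the metric names, the second list ("Eve's") and the tagged sample data are all constructed for illustration.

```python
import math


class LocalClassifier:
    """Client-side bot classifier: instance metrics and subscribed lists are inputs."""

    def __init__(self, metrics, lr=0.5):
        self.weights = {name: 0.0 for name in metrics}
        self.bias = 0.0
        self.lr = lr

    def subscribe(self, list_name):
        # Subscribing only adds an input with zero weight; it decides nothing yet.
        self.weights.setdefault(list_name, 0.0)

    def score(self, inputs):
        """Probability (0..1) that this account is a bot, by the local user's own taste."""
        z = self.bias + sum(w * inputs.get(n, 0.0) for n, w in self.weights.items())
        return 1.0 / (1.0 + math.exp(-z))

    def feedback(self, inputs, is_bot):
        # One gradient step on log-loss, driven by the local user's own tag.
        err = self.score(inputs) - (1.0 if is_bot else 0.0)
        self.bias -= self.lr * err
        for name in self.weights:
            self.weights[name] -= self.lr * err * inputs.get(name, 0.0)


# Constructed sample: raw metrics an instance might publish (post_rate is
# normalised to 0..1), two subscribed lists, and the local user's own tags.
# Don's list matches the user's judgement; Eve's (hypothetical) mostly does not.
TAGGED = [
    ({"new_account": 1, "post_rate": 0.9, "dons_bot_list": 1, "eves_bot_list": 0}, True),
    ({"new_account": 1, "post_rate": 0.8, "dons_bot_list": 1, "eves_bot_list": 1}, True),
    ({"new_account": 0, "post_rate": 0.1, "dons_bot_list": 0, "eves_bot_list": 1}, False),
    ({"new_account": 0, "post_rate": 0.2, "dons_bot_list": 0, "eves_bot_list": 1}, False),
    ({"new_account": 1, "post_rate": 0.1, "dons_bot_list": 0, "eves_bot_list": 0}, False),
    ({"new_account": 0, "post_rate": 0.7, "dons_bot_list": 1, "eves_bot_list": 0}, True),
]


def train_demo(epochs=200):
    """Train on the constructed tags and return the fitted classifier."""
    clf = LocalClassifier(["new_account", "post_rate"])
    clf.subscribe("dons_bot_list")
    clf.subscribe("eves_bot_list")
    for _ in range(epochs):
        for inputs, is_bot in TAGGED:
            clf.feedback(inputs, is_bot)
    return clf


if __name__ == "__main__":
    for name, weight in train_demo().weights.items():
        print(f"{name:15s} {weight:+.2f}")
```

The weights never leave the client, so an account operator sees only the published inputs, not how any given reader combines them.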

Yep, exactly this. It might deter some small time bot creators, but it won’t stop larger operations and may even help them to seem more legitimate.

If anything, my favorite idea comes from this xkcd:

xkcd.com/810/

Dark Arc 6 days ago

Yeah, BlueSky has this concept of user moderation lists. It’s effectively like subscribing to an adblock filter. There might be some things blocked by patterns (e.g., you could have one that blocks anything that involves spiders) and there might be others that block specific accounts (e.g., you could have one that blocks users that are known to cause problems, are prone to vulgar language, etc).

I think the problem with credibility scores in general though, is it’s sort of like a “social score” from black mirror. Real people can get caught in the net of “you look like a bot” and similarly different algorithms could be designed to game the system by gaming the metrics to look like they’re not a bot (possibly even more so than some of the real people).

This is kind of what led me down the route of bringing things back into the physical world. Like, once you have things going back through the normal systems … you arguably do lose some level of anonymity but you also gain back some guarantees of humanity.

It doesn’t need to be the level of “you’ve got a government ID and you’re verified to be exactly you with no other accounts” … just “hey, some number of people in the real world, that are subject to the respective nation’s laws, had to have come into contact with a real piece of mail.”

Maybe that just turns into the world’s slowest UDP network in existence. However, I think it has a real chance of making it easier to detect real people (i.e., folks that have a small number of overlapping addresses). The virtual mailbox the other person gave has 3,000 addresses… if you assume 5 people per mailing address is normal that’s 15,000 bots total before things start getting fishy if you’ve evenly distributed all of those addresses. If you’ve got 3,000 accounts at the same address, that’s very fishy. Addresses also change a lot less frequently than IP addresses, so a physical address ban is a much more strict deterrent.

Dark Arc 6 days ago, edited 6 days ago

Hm… I’m not sure if this is enough to defeat the strategy.

It looks like even with that service, you have to sign up for Form 1583.

Even if they’re willing to incur the cost, there’s a real paper trail pointing back to a real person or organization. In other words, the bot operator can be identified.

As you note, this is yet another additional cost. So, you’d have say … $2-3 for the card + an address for the account. If you require every unique address to have no more than 1 account … that’s $13 per bot plus a paper trail to set everything up.

That certainly wouldn’t stop every bot out there … but the chances of large scale bot farms operating seem like they would be significantly deterred, no?

That’s a good point. I didn’t know about the USPS Form 1583 for virtual mailboxes… Although that is a U.S. specific thing, so finding a similar service in a country that doesn’t care so much might be the way to go about that.

Dark Arc 6 days ago

True, though presumably users in those places would be stuck with the “less trustworthy” instances (and ideally, would be able to get their local laws changed to make themselves more trustworthy).

It’s definitely not perfectly moral… but little in the world is and maybe it’s sufficiently pragmatic.

QuadratureSurfer 6 days ago, edited 6 days ago

Yeah, the other thing I could see happening is a similar tactic used by scammers where they use Mules who pick up mail from various Airbnbs throughout whatever country, but this would definitely limit most bot operations… Unless some organization specializes in this and just offers some service to create a bunch of accounts for anyone willing to pay.

Also, how many accounts would you limit to a single address, and how long would you lock up an address before it could be used again (given that people do move around from time to time).

edit:typo.

Scribble902 6 days ago

I was thinking physical mail too. But I think it definitely would require some sort of system that is either third party or government backed that anonymises you like how the covid Bluetooth tracing system worked (stupidly called track and trace in the UK). Plus you’d have to interact with someone at a postal office to legitimise it. But I’m talking, just a worker at a counter.

So you’d get a one time unique anonymised postal address. You go to a post office and hand your letter over to someone. You, and perhaps they, will not know the address, but the system will. Maybe a process which re-envelopes the letter down the line into a letter with the real address on.

This way, you’ve kept the server owner private and you’ve had to involve some form of person to person interaction meaning, not a bot!

This system could be used for all sorts of verification other than for social media so may have enough incentive for governments/3rd parties to set up to use beyond that.

Could it be abused, though? And if so, how, and are there solutions to mitigate that?

Bots after getting banned: 📉📉📉📉

jimmy90 6 days ago, edited a day ago

by embracing methods of verifying that a user is a real person

edit: to add this example

gov.uk/…/uk-digital-identity-and-attributes-trust…

Kbobabob 6 days ago

Such as?

CluckN 6 days ago

Making them multiply prime numbers.

14th_cylon 6 days ago

:D

Kbobabob 3 days ago

A typical process is:

You take a photo of a document (e.g. a passport or driving licence)
It is checked digitally to confirm it is genuine
You take a photo or video of yourself which is matched to the one on the document

No thanks. Hard pass

jimmy90 3 days ago

why?

Kbobabob 3 days ago

I’m not comfortable uploading things like my passport to entities that have proven time and time again that they don’t care about data security.

Passerby6497 6 days ago

Usually by tying your real world identity to your screen name, with your ID or mail or something.

Sabata 6 days ago

That’s the opposite of something to embrace.

Passerby6497 6 days ago

Agreed, but that hasn’t stopped people before…

Sabata 6 days ago

…and people will hand it out without question.

jimmy90 2 days ago

www.gov.uk/guidance/digital-identity

does this government system sound ok in any way?

Sabata 2 days ago

Sounds like you’re going to need your ID to rub one out once they get things running.

Kbobabob 6 days ago

Hard pass.

Kbobabob 3 days ago

From the article you linked:

A typical process is:

You take a photo of a document (e.g. a passport or driving licence)
It is checked digitally to confirm it is genuine
You take a photo or video of yourself which is matched to the one on the document

Like I said, hard pass.

jimmy90 3 days ago

www.gov.uk/guidance/digital-identity

i think it should be anonymized as well so that no PII is associated with your online ids even though they are verified

db0 6 days ago

For example, a bot on Twitter using an API call to GPT-4o ran out of funding and started posting their prompts and system information publicly.

While there’s obviously botspam out there, this post is clearly a fake as anyone with the programming experience will notice immediately. It’s just engagement bait

sunzu2 5 days ago

People know shit is engagement slop but will proceed to interact with it because it confirmed their bias....

chiliedogg 5 days ago

To help fight bot disinformation, I think there needs to be an international treaty that requires all AI models/bots to disclose themselves as AI when prompted using a set keyphrase in every language, and that API access to the model be contingent on paying regain tests of the phrase (to keep bad actors from simply filtering out that phrase in their requests to the API).

It wouldn’t stop the nation-state level bad actors, but it would help prevent people without access to their own private LLMs from being able to use them as effectively for disinformation.

piccolo 5 days ago

Considering you can run LLMs on off the shelf hardware, that’s going to be as enforceable as piracy is…

TheGrandNagus 5 days ago, edited 5 days ago

I can download a decent size LLM such as Llama 3.1 in under 20 seconds then immediately start using it. No terminal, no complicated git commands, just pressing download in a slick-looking, user-friendly GUI.

They’re trivial to run yourself. And most are open source.

I don’t think this would be enforceable at all.

Ensign_Crab 6 days ago

How do we even fix this issue or prevent it from affecting Lemmy??

Simple. Just scream that everyone whose opinion you dislike is a bot.

P1nkman 6 days ago

I disagree with this statement, so Ensign_Crab must be a bot. Reported.

beefbot 6 days ago

I admit I’ve been guilty of this in the past, so sarcasm aside I cannot recommend this as a strategy for detecting actual bots … even though if you’re parroting the opinion those who have power & control bots wish you to believe, expressing that opinion makes one’s post functionally equivalent to that of a bot. I KNOW, SUE ME 🤷‍♂️

Ensign_Crab 6 days ago, edited 6 days ago

I cannot recommend this as a strategy for detecting actual bots

That’s because it isn’t one. It’s a means by which people attempt to impose orthodoxy.

PenisDuckCuck9001 6 days ago, edited 6 days ago

Deleted by author

catloaf 6 days ago

I have never seen this happen. Have you? Can you share a link?

pop 6 days ago

Internet is not a place for public discourse, it never was. it’s the game of numbers where people brigade discussions and make it confirm to their biases.

Post something bad about the US with facts and statistics in US centric reddit sub, youtube video or article, and see how it divulges into brigading, name calling and racism. Do that on lemmy.ml to call out china/russia. Go to youtube videos with anything critical about India.

For all countries with massive population on the internet, you’re going to get bombarded with lies, deflection, whataboutism and strawman. Add in a few bots and you shape the narrative.

There’s also burying bad press with literally downvoting and never interacting.

Both are easy on the internet when you’ve got the brainwashed gullible mass to steer the narrative.

MentalEdge 6 days ago, edited 6 days ago

Just because you can’t change minds by walking into the centers of people’s bubbles and trying to shout logic at the people there, doesn’t mean the genuine exchange of ideas at the intersecting outer edges of different groups aren’t real or important.

Entrenched opinions are nearly impossible to alter in discussion, you can’t force people to change their minds, to see reality for what it is even if they refuse. They have to be willing to actually listen, first.

And people can and do grow disillusioned, at which point they will move away from their bubbles of their own accord, and go looking for real discourse.

At that point it’s important for reasonable discussion that stands up to scrutiny to exist for them to find.

And it does.

I agree. Whenever I get into an argument online, it’s usually with the understanding that it exists for the benefit of the people who may spectate the argument — I’m rarely aiming to change the mind of the person I’m conversing with. Especially when it’s not even a discussion, but a more straightforward calling someone out for something, that’s for the benefit of other people in the comments, because some sentiments cannot go unchanged.

MentalEdge 6 days ago

Did you mean unchallenged? Either way I agree, when I encounter people who believe things that are provably untrue, their views should be changed.

It’s not always possible, but even then, challenging those ideas and putting the counterarguments right next to the insanity, inoculates or at least reduces the chance that other readers might take what the deranged have to say seriously.

DandomRude 6 days ago

Well, unfortunately, the internet and especially social media is still the main source of information for more and more people, if not the only one. For many, it is also the only place where public discourse takes place, even if you can hardly call it that. I guess we are probably screwed.

Internet is not a place for public discourse, it never was.

Fucking hilarious coming from a guy who lost his mind when he saw a complaint about the direction Android was going in, assumed other guy must be an Apple fanboy, and went on a rant.

Keep swallowing Sundar Pichai’s armpit sweat wholesale.

Metz 6 days ago

Long before cryptocurrencies existed, proof-of-work was already being used to hinder bots. For every post, vote, etc., a cryptographic task has to be solved by the device used for it. Imperceptibly fast for the normal user, but for a bot trying to perform hundreds or thousands of actions in a row, a really annoying speed bump.

See e.g. wikipedia.org/wiki/Hashcash

This combined with more classic blockades such as CAPTCHAs (especially image recognition, which is still expensive in mass despite the advances in AI) should at least represent a first major obstacle.

tatterdemalion 6 days ago

Why resort to an expensive decentralized mechanism when we already have a client-server model? We can just implement rate-limiting on the server.

Metz 6 days ago

Can’t this simply be circumvented by the attackers operating several Lemmy servers of their own? That way they can pump as many messages into the network as they want. But with PoW the network would only accept the messages work was done for.

tatterdemalion 6 days ago

Rate-limiting could also be applied at the federation level, but I’m less sure of what the implementation would look like. Requiring filters on a per-account basis might be resource intensive.

The issue I have with this is that basically, now users need to “pay” (with compute time) to speak their mind. This would be similar to if you had to pay to vote in political elections. It favors the rich. A poor user might not be able to afford 20$ additional electricity bill a month, but a large agency (such as state sponsored, corporate agendas) might have a 1000000$.

Metz 6 days ago, edited 6 days ago

We’re talking about fractions of a cent here per post. Of course, this all needs to be worked out in detail and variables and scaling needs to be added / calculated. So for someone that posts only 2-3 times a day, costs and delay are practically unmeasurably low. But if you start pushing 100 posts out per minute, the difficulty of the PoW calculation gets up.

A delay of a fraction of a second to do the PoW for a single post is not a problem. But a spam-bot that is now suddenly limited to making 1 post per minute instead of 100 makes a huge difference and could drive up the price even for someone with deep pockets.

But I’m not an expert in this field. I only know that spambots and similar are a problem that is almost as old as the Internet and that there have been an almost incalculable number of attempts to solve it to date, all of which have more or less failed. But maybe we can find a combination that could work for our specific case.

Of course, there are still a lot of things to clarify. how do we stop someone from constantly creating new accounts, for example?

would we have to start with a “harder difficulty” for new users to counteract this?

do we need some kind of reputation system?

How do we set them accurately enough not to drive away new users but still fulfill their purpose?

But as said, not an expert. Just brainstorming here.
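The scheme discussed in this subthread (a hashcash-style puzzle whose difficulty rises with an account's recent activity), as an added Python example that is not code from Lemmy, mCaptcha or any poster. The constants, the `|`-separated challenge format and the names `difficulty_for`, `issue_challenge` and `PowGate` are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

SERVER_KEY = os.urandom(32)   # per-instance secret, generated here for the example
BASE_BITS = 10                # about 1,000 hashes: imperceptible for a single post
STEP_BITS = 2                 # extra bits per doubling of recent activity
MAX_BITS = 26                 # cap so a busy human is never locked out for long
TTL = 120                     # seconds a challenge stays valid


def difficulty_for(recent_actions):
    """Bits of work required; recent_actions is the count in a server-chosen window."""
    doublings = (recent_actions + 1).bit_length() - 1   # floor(log2(n + 1))
    return min(BASE_BITS + STEP_BITS * doublings, MAX_BITS)


def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def _tag(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_challenge(account, recent_actions, now=None):
    """Server: signed challenge bound to account, difficulty, expiry and a random salt."""
    now = time.time() if now is None else now
    bits = difficulty_for(recent_actions)
    body = f"{account}|{bits}|{int(now) + TTL}|{os.urandom(8).hex()}"
    return f"{body}|{_tag(body)}"


def solve(challenge):
    """Client: brute-force a nonce; expected cost is 2**bits SHA-256 calls."""
    bits = int(challenge.split("|")[1])
    nonce = 0
    while leading_zero_bits(hashlib.sha256(f"{challenge}|{nonce}".encode()).digest()) < bits:
        nonce += 1
    return nonce


class PowGate:
    """Server-side check; remembers spent challenges so one solution buys one action."""

    def __init__(self):
        self.spent = set()

    def verify(self, account, challenge, nonce, now=None):
        now = time.time() if now is None else now
        try:
            # An account name containing "|" yields extra fields and fails closed.
            who, bits, expires, salt, tag = challenge.split("|")
            bits, expires = int(bits), int(expires)
        except ValueError:
            return False
        body = f"{who}|{bits}|{expires}|{salt}"
        if not hmac.compare_digest(tag.encode(), _tag(body).encode()):
            return False          # forged or edited, e.g. difficulty lowered by the client
        if who != account or now > expires or challenge in self.spent:
            return False          # wrong account, stale, or replayed
        digest = hashlib.sha256(f"{challenge}|{nonce}".encode()).digest()
        if leading_zero_bits(digest) < bits:
            return False          # not enough work
        self.spent.add(challenge)
        return True


if __name__ == "__main__":
    gate = PowGate()
    challenge = issue_challenge("alice", recent_actions=2)
    print(gate.verify("alice", challenge, solve(challenge)))
```

With these constants an account with no recent actions pays about 2^10 hashes per post, while one with 100 actions in the window pays about 2^22, roughly 4,000 times more.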

y0kai 5 days ago

I see it more as a tax. While you can evade taxes in a political system, you’re supposed to be paying them if you’re voting.

Maybe stop letting any random person create an account with no verification whatsoever

Cadeillac 6 days ago

Are you THE AlexanderESmith of social.alexanderesmith.com fame??

Indeed I am! But I don't let all that fame go to my head (I have a special deal for autographs right now, just $20!)

But seriously, while I consider lackluster (or completely missing) new-account verification to be the much larger issue, federation is one to watch as well. My instance is so-named because I'm the only one who uses it.

At least it's a fairly significant effort to set up an entire instance for a single user. That should keep spam from single-user instances reasonably low. And if someone sets up a vaguely legitimate-looking instance, but enough users are muted/blocked/moderated/etc, you can just block the entire instance. Changing instance names is more of a hassle than nuking it entirely and starting over (new domain, new database, new IPs if the admins are paying attention, etc).

Cadeillac 6 days ago, edited 6 days ago

Sounds reasonable I suppose. I don’t know a whole lot of the under the hood workings of Lemmy and I’m not going to pretend I do. I was mostly poking fun in the spirit of that one guy that kept getting asked if he was from some forum

Edit: The Reference

heh, indeed.

Yeah, technically I run mbin (a fork of the now-defunct kbin) which has both threaded (reddit/lemmy/etc) and microblog (deadbird/mastodon/etc) features. I originally set myself up on kbin.social , but after it died I decided to not let my account (history/rep/preferences/subscriptions/etc) continue to be subject to the whim of random admins that might run out of funding, see something shiny, do something stupid and get defederated, etc. I thought "Wait, I'm a random admin, I'll just make my own instance, with blackjack, and hookers..."

Cadeillac 6 days ago

Hell yeah! I dig it. Thanks for the explanation. Why did they skip over lbin?

hark 4 days ago

Is this a problem here? One thing we should also avoid is letting paranoia divide the community. It’s very easy to take something like this and then assume everyone you disagree with must be some kind of bot, which itself is damaging.

KairuByte 4 days ago

Yeah, it’s a problem. You just don’t see it as often yet. A while back there were a large number of communities being blasted by bots, and they would make it into the hot category because nothing else was going on at the time.

Is this a problem here?

Not yet, but it most certainly will be once Lemmy grows big enough.

Give up. There is no hope we already lost. Fuck us fuck our lives fuck everything we should just die.

AmidFuror 6 days ago

One argument in favor of bots on social media is their ability to automate routine tasks and provide instant responses. For example, bots can handle customer service inquiries, offer real-time updates, and manage repetitive interactions, which can enhance user experience and free up human moderators for more complex tasks. Additionally, they can help in disseminating important information quickly and efficiently, especially in emergency situations or for public awareness campaigns.

greengear5 6 days ago

This reads like a chatgpt reply 😅

AmidFuror 6 days ago

A ChatGPT reply is generally clear, concise, and informative. It aims to address your question or topic directly and provide relevant information. The responses are crafted to be engaging and helpful, tailored to the context of the conversation while maintaining a neutral and professional tone.

robocall 6 days ago

I love dailydot. They summarize tiktoks about doordash and then provide the same video at the bottom of the page. I can feel my mind rot while consuming it but I still do it.

sumguyonline 5 days ago

Make your own bot account that randomly (or not randomly) posts something bots will reply to, a system based response preferably. Last I was looking at bots they were simply programs, and have dev commands that can return information on things like system resources, or OS version. Your bot posts commands built in from the bot apps Dev, the bots reply like bots do with their version, system resources, or whatever they have built in. Boom - Banned instantly.