spam?

grin

grin@fika.grin.hu

Google knows me. (This is my #friendica instance.)

Pest, Hungary

grin@xmpp.grin.hu

http://wikipedia.hu/

spam?

!Friendica Support

Is this good for me? Don't feel like.

> select count(*) from gserver where url LIKE '%troll.cf%';
+----------+
| count(*) |
+----------+
| 13837755 |
+----------+
1 row in set (1 min 20.495 sec)

| 172846 | https://30m1uebec.activitypub-troll.cf | http://30m1uebec.activitypub-troll.cf |         |           |      |               0 |                0 |      |          | unkn    |          |               0 |             | 2022-12-03 19:51:17 | 0001-01-01 00:00:00 | 2023-01-03 20:01:25 | 0001-01-01 00:00:00 |              0 |                0 |      0 | 2023-02-03 20:01:25 |     NULL |              NULL |               NULL |                  NULL |        NULL |           NULL |

| 172847 | https://1ml1up799.activitypub-troll.cf | http://1ml1up799.activitypub-troll.cf |         |           |      |               0 |                0 |      |          | unkn

!Friendica Support

Is this good for me? Don't feel like.

> select count(*) from gserver where url LIKE '%troll.cf%';
+----------+
| count(*) |
+----------+
| 13837755 |
+----------+
1 row in set (1 min 20.495 sec)

| 172846 | https://30m1uebec.activitypub-troll.cf | http://30m1uebec.activitypub-troll.cf |         |           |      |               0 |                0 |      |          | unkn    |          |               0 |             | 2022-12-03 19:51:17 | 0001-01-01 00:00:00 | 2023-01-03 20:01:25 | 0001-01-01 00:00:00 |              0 |                0 |      0 | 2023-02-03 20:01:25 |     NULL |              NULL |               NULL |                  NULL |        NULL |           NULL |

| 172847 | https://1ml1up799.activitypub-troll.cf | http://1ml1up799.activitypub-troll.cf |         |           |      |               0 |                0 |      |          | unkn    |          |               0 |             | 2022-12-03 19:51:18 | 0001-01-01 00:00:00 | 2023-01-03 20:01:26 | 0001-01-01 00:00:00 |              0 |                0 |      0 | 2023-02-03 20:01:26 |     NULL |              NULL |               NULL |                  NULL |        NULL |           NULL |

| 172848 | https://2ckkegfqs.activitypub-troll.cf | http://2ckkegfqs.activitypub-troll.cf |         |           |      |               0 |                0 |      |          | unkn    |          |               0 |             | 2022-12-03 19:51:20 | 0001-01-01 00:00:00 | 2023-01-03 20:01:28 | 0001-01-01 00:00:00 |              0 |                0 |      0 | 2023-02-03 20:01:28 |     NULL |              NULL |               NULL |                  NULL |        NULL |           NULL |

| 172849 | https://q2g4bs0i.activitypub-troll.cf  | http://q2g4bs0i.activitypub-troll.cf  |         |           |      |               0 |                0 |      |          | unkn    |          |               0 |             | 2022-12-03 19:51:21 | 0001-01-01 00:00:00 | 2023-01-03 20:01:28 | 0001-01-01 00:00:00 |              0 |                0 |      0 | 2023-02-03 20:01:28 |     NULL |              NULL |               NULL |                  NULL |        NULL |           NULL |

!Friendica Support

Anders Rytter Hansen likes this.

Friendica Support reshared this.

Jonas ✅

1 year ago from Fedilab •

Content warning: spam?

@grin @Friendica Support

Friendica Support reshared this.

Lorenz

1 year ago •

is it possible via cli as well? It takes hours doing in chunks

Friendica Support reshared this.

Jonas ✅

1 year ago •

@Lorenz@grin I don't think so. You can block it via cli but it does not purge the corresponding entries in the database.

@grin @Lorenz

Friendica Support reshared this.

Lorenz

1 year ago •

thanks, so that was quick:
bin/console serverblock add *.activitypub-troll.cf spam

This entry was edited (1 year ago)

Friendica Support reshared this.

grin

1 year ago

Yes but that haven't cleaned the db, have it.

Friendica Support reshared this.

Lorenz

1 year ago •

no but at least there will be no activity fram from those servers, I hope

Friendica Support reshared this.

grin

1 year ago

didn't stop for me at all.

Friendica Support reshared this.

Lorenz

1 year ago •

The queue is empty, wow, there were more than 100 000 elements in the queue before!!

Friendica Support reshared this.

Lorenz

1 year ago •

now i have the command running from here to empty the database https://github.com/friendica/friendica/issues/12705#issuecomment-1398887054

like this

Friendica Support reshared this.

grin

1 year ago

I also emptied worker queue matching these patterns.

Lorenz

1 year ago •

@Roland Häder Was the command wrong? Not sure if it had deleted anything, it just replied with
Query OK, 13779424 rows affected (1 hour 16 min 19.826 sec)

@Roland Häder

This entry was edited (1 year ago)

Friendica Support reshared this.

Anders Rytter Hansen

1 year ago •

Oh damn. I guess I should block that on my server.

Friendica Support reshared this.

Lorenz

1 year ago •

@Roland Häder Ok, thanks. I don't see any difference in the available space on the server, though.

@Roland Häder

Friendica Support reshared this.

Lorenz

1 year ago •

@Roland Häder Wow, I feel honoured ;) It is only a small instance, just for me, on a VPS with 2GB RAM

@Roland Häder

Friendica Support reshared this.

Lorenz

1 year ago •

@Roland Häder Thanks! I am not fluent in mysql / mariadb. There are lots of optimization commands, it seems. Which one should I use?

@Roland Häder

Friendica Support reshared this.

Nordnick :verified:

1 year ago •

@lk @roland@f.haeder.net @grin

I guess, you are aware of the EXPLAIN command?

@grin @Lorenz

Lorenz

1 year ago •

And now an attack by gab.best! Have to block them now as well

grin likes this.

Friendica Support reshared this.

grin

1 year ago

I am not sure bans stop filling gserver table.

Lorenz

1 year ago •

thanks @Roland Häder is it the gserver table that I have to optimize?

@Roland Häder

Friendica Support reshared this.

Lorenz

1 year ago •

@Roland Häder I run
OPTIMIZE TABLE gserver; and it deleted more than 3GB!

@Roland Häder

Anders Rytter Hansen likes this.

Friendica Support reshared this.

grin

1 year ago

So no, optimize table doesn't do anything for innodb. Copying/renaming is painful for huge tables.

Correction: after removing (better) optimize started, and recreated in a flash. Thanks!

grin

1 year ago

Deleting from the table took 2 hours. Still wondering how to shrink it since it's too big for having another copy.

Anders Rytter Hansen

1 year ago •

if you enable innodb-file-per-table it wont keep unused space reserved.

Friendica Support reshared this.

grin

1 year ago

I have banned and purged sbcloud.cc from everywhere, based on this

2023-01-29T10:27:59Z worker [INFO]: Server peer update start {"url":"https://fed.sbcloud.cc","worker_id":"85e31dd","worker_cmd":"UpdateServerPeers"} - {"file":"UpdateServerPeers.php","line":54,"function":"execute","uid":"a33038","process_id":295381}
2023-01-29T10:27:59Z worker [INFO]: Server is unknown. Start discovery. {"Server":"https://1chs090ty.activitypub-troll.cf","worker_id":"85e31dd","worker_cmd":"UpdateServerPeers"} - {"file":"GServer.php","line":358,"function":"check","uid":"a33038","process_id":295381}

Since then worker doesn't pull in spambots again.

Now, it would be neat to know:
1. What exatly happened (I don't know the protocol that deeply)
2. Who did what
3. How to prevent that from happening in the future (both network-wise and locally)

#spambot #spam

#spam #spambot

Xantulon :mastodon: :pixelfed: likes this.

reshared this

grin

1 year ago

@Roland Häder @Lorenz !Friendica Support The toot this one replies to would have been shared to the people mentioned here, but I cannot seem to have a way to edit it accordingly; editing doesn't expand name references, nor can seem to be able to tag people... I hope they can see the parent toot of this....
I am not sure I'll ever grok how this is supposed to work, who gets notified when and who see what where how.

@Roland Häder @Lorenz !Friendica Support

Friendica Support reshared this.

grin

1 year ago

It seems sbcloud.cc was the origin. Problem is that you usually do not know which IP to ban, not easy to trace the problem, the logs don't help much.

Friendica Support reshared this.

Lorenz

1 year ago •

hm.... sbcloud looks legit. The startpage is Element (for Matrix chat server), then there is fed.sbcloud.cc which is used only by five users

Friendica Support reshared this.

grin

1 year ago

And you are saying...?

Friendica Support reshared this.

grin

1 year ago

Why? You think that having dns is proof that no bad traffic comes from there? Especially since you seem to realise that the spammed addresses were fakes, yet you seem to expect "blocking" a non-existent server. You based your opinion on about zero amount of facts, but you seem to be quite assured that you are, somehow, right.

But anyway, stopped spam for me, you're free to do whatever you deem proper, including looking at the dns when the AP networks get abused. 🤷

I wish there were useful logs: those would be better for abuse management than... dns.

Friendica Support reshared this.

Lorenz

1 year ago •

Even after I have blocked these servers more than two weeks ago, the gserver table had more than 8GB! Now I run the same delete command again, and the table now has 10GB. What happened? Somebody knows what to do? Weird stuff.

MariaDB [friendicadb]> DELETE FROM `gserver` WHERE `url` LIKE '%activitypub-troll.cf%' OR `url` LIKE '%gab.best%';
Query OK, 37499832 rows affected (5 hours 46 min 51.045 sec)

UPDATE: I run OPTIMIZE TABLE gserver; - and now, wow! the table is nearly empty, just 31 MB, and now it seems I did not have to upgrade my VPS!

Friendica Support reshared this.

Lorenz

1 year ago •

I tried to optimize all tables, but that lasted too long, so I stopped it.

I am surprised to hear that the avatar is not showing. What can be the reason? What can I do?

Friendica Support reshared this.

Lorenz

1 year ago •

Thanks, I will try it next time with screen!

Friendica Support reshared this.

Lorenz

1 year ago •

Was the error on my or your or Friendica's side? Last time I checked the photo showed up on Mastodon instances

Friendica Support reshared this.

Lorenz

1 year ago •

Exception: Got a packet bigger than 'max_allowed_packet' bytes

Seems to be on your end then?

Friendica Support reshared this.

Lorenz

1 year ago •

Two months later same issue:

MariaDB [friendicadb]> DELETE FROM `gserver` WHERE `url` LIKE '%activitypub-troll.cf%' OR `url` LIKE '%gab.best%';
Query OK, 38621191 rows affected (4 hours 3 min 46.706 sec)

more than 9GB freed up!

Friendica Support reshared this.

Raroun

1 year ago •

Running 2023-03-rc on the last commit.
86k server from *.gab.best.

select count(*) from gserver where url LIKE '%troll.cf%' OR `url` LIKE '%gab.best%';
+----------+
| 86378 |
+----------+
DELETE FROM `gserver` WHERE `url` LIKE '%activitypub-troll.cf%' OR `url` LIKE '%gab.best%';
Query OK, 86378 rows affected (1.143 sec)

Changed Block pattern from gab.best to *.gab.best.
Obiviously i missed the wildcard.

grin likes this.

Friendica Support reshared this.

Lorenz

1 year ago •

The thing is I have added the wildcard and blocked the other troll-domain, and nevertheless, I still get all their spam.

so within one week the result:

MariaDB [friendicadb]> DELETE FROM `gserver` WHERE `url` LIKE '%activitypub-troll.cf%' OR `url` LIKE '%gab.best%';
Query OK, 17018290 rows affected (1 hour 48 min 11.643 sec)

Friendica Support reshared this.

OldKid ⁂

1 year ago from sekretaerbaer.de •

@Lorenz Please block only *.activitypub-troll.cf the other blocks should not do anything.

@Roland Häder if I remember correctly your fix was added to the 2023.03-rc branch. The instance of @Lorenz runs on 2023.01, so still without the fix.

@Roland Häder @Lorenz

Friendica Support reshared this.

Lorenz

1 year ago from Fedilab •

@OldKid
Alright, I will upgrade to the RC the coming days, then. Thanks!
@Roland Häder @Friendica Support

@Friendica Support @Roland Häder @OldKid ⁂

Friendica Support reshared this.

Lorenz

1 year ago •

@Roland Häder did you add the fix for 2023.01 - 1502 or the newest dev-releases?

@Roland Häder

Friendica Support reshared this.

Raroun

1 year ago •

@Roland Häder @OldKid @Lorenz
The pull request is marked in the 2023-03 Milestone, so I guess its in the actual RC and later in 2023-03-stable.
Link to pull request #12700

@Roland Häder @OldKid ⁂ @Lorenz

This entry was edited (1 year ago)

like this

Friendica Support reshared this.

⇧

grin 1 year ago — (Hungary)

grin
1 year ago — (Hungary)