Welcome to this week’s casual kōrero thread!
This post will be pinned in this community so you can always find it, and will stay for about a week until replaced by the next one.
It’s for talking about anything that might not justify a full post. For example:
- Something interesting that happened to you
- Something humourous that happened to you
- Something frustrating that happened to you
- A quick question
- A request for recommendations
- Pictures of your pet
- A picture of a cloud that kind of looks like an elephant
- Anything else, there are no rules (except the rule)
So how’s it going?
Oh I get you now, I’ve met email addresses like that too. Some people though you google them and a blank page with one or two sentences appears, those are the ones that frustrate me.
It would be cool to have a zombo like entity but might attract the attackers?
Thanks I hate it. Mainly because you’re probably right - it will be like those “border control” and “disaster” reality shows only automated. Something to look forward to!😅
Yeah it’s really yucky, it feels like an arms race with endless bots, updates, stuff breaking, but when I decided to use a CMS it just seemed way easier than Joomla or Drupal which were the other main options back then. That said, I used to see malicious visits back when it was just an html website.
Do you get many bad actors hosting in the fediverse?
Realistically, having no page at the root domain is unlikely to have any real security benefit, except perhaps not bringing attention to yourself. Security people would say everything extra you add (such as hosting another web page at the root domain) adds to your attack surface, but I don’t think hosting one extra static page is likely to make a difference.
Mostly I just have no reason to put anything there.
I don’t host any wordpress sites but get (failed) hits to wordpress URIs because bots are just set to scan for any site and they attempt to access a known URI. E.g. if there is an exploit affecting the (made up) wordpress page at wordpresssite.com/settings/admin, then I see hits to mysite.nz/settings/admin even though such a page doesn’t exist. The bots just scan thousands of domains hoping for a hit.
I first noticed these when I blocked all access from outside NZ, and found all the now blocked URLs (mostly requests from from Russia or China).
In terms of actual malicious instances, not really. Mostly the issues with instances are instances abandoned by their admin (but for some reason still up) with open registrations, so trolls can just go there and make new accounts to their heart’s content.
The main issue we see though are AI scrapers. Sooooooo many. You can put in a robots.txt to ask ChatGPT, Amazon, Google, etc to stay away. But the start up AI companies are relentless. They ignore robots.txt, they lie about their user agent to avoid detection, and they make millions of requests with no throttling. It’s a cat and mouse game to block them via IP.
Cloudflare has an AI bot block mode, but it breaks federation so we can’t use it (admittedly, federation is basically bot traffic). They seem to die down traffic once blocked (I guess if they reach the first page, they try to follow links, but if they are blocked at the first point they can’t continue). But despite this, we have still blocked 30,000 AI bot requests in the last 24 hours.
I know some of the bigger servers like Lemmy.world are blocking IP ranges belonging to Alibaba and others (and adding to the list all the time), because the traffic is just insane.