

spam?


!Friendica Support

Is this good for me? Don't feel like.

> select count(*) from gserver where url LIKE '%troll.cf%';
+----------+
| count(*) |
+----------+
| 13837755 |
+----------+
1 row in set (1 min 20.495 sec)


| 172846 | https://30m1uebec.activitypub-troll.cf | http://30m1uebec.activitypub-troll.cf |         |           |      |               0 |                0 |      |          | unkn    |          |               0 |             | 2022-12-03 19:51:17 | 0001-01-01 00:00:00 | 2023-01-03 20:01:25 | 0001-01-01 00:00:00 |              0 |                0 |      0 | 2023-02-03 20:01:25 |     NULL |              NULL |               NULL |                  NULL |        NULL |           NULL |

| 172847 | https://1ml1up799.activitypub-troll.cf | http://1ml1up799.activitypub-troll.cf |         |           |      |               0 |                0 |      |          | unkn    |          |               0 |             | 2022-12-03 19:51:18 | 0001-01-01 00:00:00 | 2023-01-03 20:01:26 | 0001-01-01 00:00:00 |              0 |                0 |      0 | 2023-02-03 20:01:26 |     NULL |              NULL |               NULL |                  NULL |        NULL |           NULL |

| 172848 | https://2ckkegfqs.activitypub-troll.cf | http://2ckkegfqs.activitypub-troll.cf |         |           |      |               0 |                0 |      |          | unkn    |          |               0 |             | 2022-12-03 19:51:20 | 0001-01-01 00:00:00 | 2023-01-03 20:01:28 | 0001-01-01 00:00:00 |              0 |                0 |      0 | 2023-02-03 20:01:28 |     NULL |              NULL |               NULL |                  NULL |        NULL |           NULL |

| 172849 | https://q2g4bs0i.activitypub-troll.cf  | http://q2g4bs0i.activitypub-troll.cf  |         |           |      |               0 |                0 |      |          | unkn    |          |               0 |             | 2022-12-03 19:51:21 | 0001-01-01 00:00:00 | 2023-01-03 20:01:28 | 0001-01-01 00:00:00 |              0 |                0 |      0 | 2023-02-03 20:01:28 |     NULL |              NULL |               NULL |                  NULL |        NULL |           NULL |

in reply to grin

is it possible via cli as well? It takes hours doing in chunks

Friendica Support reshared this.

in reply to Lorenz

@Lorenz @grin I don't think so. You can block it via cli but it does not purge the corresponding entries in the database.


in reply to grin

thanks, so that was quick:
bin/console serverblock add *.activitypub-troll.cf spam


in reply to Lorenz

Yes, but that hasn't cleaned the db, has it?


in reply to grin

no but at least there will be no activity from those servers, I hope


in reply to grin

The queue is empty, wow, there were more than 100 000 elements in the queue before!!


in reply to grin

Now I have the command running from here to empty the database https://github.com/friendica/friendica/issues/12705#issuecomment-1398887054


Unknown parent

Lorenz
@Roland Häder Was the command wrong? Not sure if it had deleted anything, it just replied with
Query OK, 13779424 rows affected (1 hour 16 min 19.826 sec)


in reply to grin

Oh damn. I guess I should block that on my server.


Unknown parent

Lorenz
@Roland Häder Ok, thanks. I don't see any difference in the available space on the server, though.


Unknown parent

Lorenz
@Roland Häder Wow, I feel honoured ;) It is only a small instance, just for me, on a VPS with 2GB RAM


Unknown parent

Lorenz
@Roland Häder Thanks! I am not fluent in mysql / mariadb. There are lots of optimization commands, it seems. Which one should I use?


in reply to Lorenz

@lk @roland@f.haeder.net @grin

I guess, you are aware of the EXPLAIN command?


in reply to grin

And now an attack by gab.best! Have to block them now as well


in reply to Lorenz

I am not sure bans stop filling gserver table.
Unknown parent

Lorenz
thanks @Roland Häder is it the gserver table that I have to optimize?


Unknown parent

Lorenz
@Roland Häder I run
OPTIMIZE TABLE gserver; and it deleted more than 3GB!


Unknown parent

Anders Rytter Hansen
if you enable innodb-file-per-table it won't keep unused space reserved.


in reply to grin

I also emptied worker queue matching these patterns.
in reply to Lorenz

Deleting from the table took 2 hours. Still wondering how to shrink it since it's too big for having another copy.
Unknown parent

grin
So no, optimize table doesn't do anything for innodb. Copying/renaming is painful for huge tables.

Correction: after removing (better) optimize started, and recreated in a flash. Thanks!
Unknown parent

grin
I'm honoured. :-) :blush:
in reply to grin

I have banned and purged sbcloud.cc from everywhere, based on this

2023-01-29T10:27:59Z worker [INFO]: Server peer update start {"url":"https://fed.sbcloud.cc","worker_id":"85e31dd","worker_cmd":"UpdateServerPeers"} - {"file":"UpdateServerPeers.php","line":54,"function":"execute","uid":"a33038","process_id":295381}
2023-01-29T10:27:59Z worker [INFO]: Server is unknown. Start discovery. {"Server":"https://1chs090ty.activitypub-troll.cf","worker_id":"85e31dd","worker_cmd":"UpdateServerPeers"} - {"file":"GServer.php","line":358,"function":"check","uid":"a33038","process_id":295381}


Since then worker doesn't pull in spambots again.

Now, it would be neat to know:
1. What exactly happened (I don't know the protocol that deeply)
2. Who did what
3. How to prevent that from happening in the future (both network-wise and locally)

#spambot #spam

reshared this
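
Added example (not part of the thread or of Friendica's code): one way to approach "who did what" from the worker log is to pair each "Server peer update start" line with the "Server is unknown. Start discovery." lines that share its worker_id and process_id, as the two quoted lines do, and count the newly discovered hosts per parent domain. The sample log is constructed; the pairing rule, the two-label parent domain, the threshold and all function names are assumptions.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in the format of the two worker log lines quoted in the post.
SAMPLE_LOG = """\
2023-01-29T10:27:59Z worker [INFO]: Server peer update start {"url":"https://peer.example","worker_id":"aaa1111","worker_cmd":"UpdateServerPeers"} - {"file":"UpdateServerPeers.php","line":54,"function":"execute","uid":"u1","process_id":101}
2023-01-29T10:27:59Z worker [INFO]: Server is unknown. Start discovery. {"Server":"https://a1.flood.example","worker_id":"aaa1111","worker_cmd":"UpdateServerPeers"} - {"file":"GServer.php","line":358,"function":"check","uid":"u1","process_id":101}
2023-01-29T10:28:00Z worker [INFO]: Server is unknown. Start discovery. {"Server":"https://a2.flood.example","worker_id":"aaa1111","worker_cmd":"UpdateServerPeers"} - {"file":"GServer.php","line":358,"function":"check","uid":"u1","process_id":101}
2023-01-29T10:28:01Z worker [INFO]: Server is unknown. Start discovery. {"Server":"https://a3.flood.example","worker_id":"aaa1111","worker_cmd":"UpdateServerPeers"} - {"file":"GServer.php","line":358,"function":"check","uid":"u1","process_id":101}
2023-01-29T10:30:00Z worker [INFO]: Server peer update start {"url":"https://quiet.example","worker_id":"bbb2222","worker_cmd":"UpdateServerPeers"} - {"file":"UpdateServerPeers.php","line":54,"function":"execute","uid":"u2","process_id":102}
2023-01-29T10:30:01Z worker [INFO]: Server is unknown. Start discovery. {"Server":"https://social.other.example","worker_id":"bbb2222","worker_cmd":"UpdateServerPeers"} - {"file":"GServer.php","line":358,"function":"check","uid":"u2","process_id":102}
"""
_decoder = json.JSONDecoder()

def parse_line(line):
    """Return (message, context, meta), or None for lines in another format."""
    try:
        start = line.index("{")
        ctx, end = _decoder.raw_decode(line, start)
        meta, _ = _decoder.raw_decode(line, line.index("{", end))
    except ValueError:
        return None
    return line[:start].split("]: ", 1)[-1].strip(), ctx, meta

def parent_domain(url):
    # Naive assumption: the last two labels form the registrable domain.
    return ".".join((urlsplit(url).hostname or "").split(".")[-2:])

def discoveries_by_peer(log_text):
    """Map peer URL -> parent domain -> unknown hosts discovered during its update."""
    current = {}  # (worker_id, process_id) -> peer URL currently being updated
    result = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        if (parsed := parse_line(line)) is None:
            continue
        message, ctx, meta = parsed
        key = (ctx.get("worker_id"), meta.get("process_id"))
        if message == "Server peer update start":
            current[key] = ctx["url"]
        elif message.startswith("Server is unknown") and key in current:
            result[current[key]][parent_domain(ctx["Server"])].add(ctx["Server"])
    return result

def suspicious_peers(log_text, threshold=3):
    """Peers whose update introduced >= threshold hosts under one parent domain."""
    found = discoveries_by_peer(log_text)
    return {peer: big for peer, doms in found.items()
            if (big := {d: len(h) for d, h in doms.items() if len(h) >= threshold})}
```

A peer that shows up here has only relayed the host names in its peer list; the log by itself does not say whether that peer originated them.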

in reply to grin

@Roland Häder @Lorenz !Friendica Support The toot this one replies to would have been shared to the people mentioned here, but I cannot seem to have a way to edit it accordingly; editing doesn't expand name references, nor can I seem to be able to tag people... I hope they can see the parent toot of this....
I am not sure I'll ever grok how this is supposed to work, who gets notified when and who see what where how.


in reply to grin

@grin sbcloud.cc is running element. I guess this isn't federating?
@grin
Unknown parent

grin
It seems sbcloud.cc was the origin. Problem is that you usually do not know which IP to ban, not easy to trace the problem, the logs don't help much.


in reply to grin

hm.... sbcloud looks legit. The startpage is Element (for Matrix chat server), then there is fed.sbcloud.cc which is used only by five users


Unknown parent

grin
And you are saying...?


Unknown parent

grin
Why? You think that having dns is proof that no bad traffic comes from there? Especially since you seem to realise that the spammed addresses were fakes, yet you seem to expect "blocking" a non-existent server. You based your opinion on about zero amount of facts, but you seem to be quite assured that you are, somehow, right.

But anyway, stopped spam for me, you're free to do whatever you deem proper, including looking at the dns when the AP networks get abused. :shrug:

I wish there were useful logs: those would be better for abuse management than... dns.


in reply to grin

Even after I have blocked these servers more than two weeks ago, the gserver table had more than 8GB! Now I run the same delete command again, and the table now has 10GB. What happened? Somebody knows what to do? Weird stuff.

MariaDB [friendicadb]> DELETE FROM `gserver` WHERE `url` LIKE '%activitypub-troll.cf%' OR `url` LIKE '%gab.best%';
Query OK, 37499832 rows affected (5 hours 46 min 51.045 sec)


UPDATE: I run OPTIMIZE TABLE gserver; - and now, wow! the table is nearly empty, just 31 MB, and now it seems I did not have to upgrade my VPS!


Unknown parent

Lorenz
I tried to optimize all tables, but that lasted too long, so I stopped it.

I am surprised to hear that the avatar is not showing. What can be the reason? What can I do?


Unknown parent

Lorenz
Thanks, I will try it next time with screen!


Unknown parent

Lorenz
Was the error on my or your or Friendica's side? Last time I checked the photo showed up on Mastodon instances


Unknown parent

Lorenz
Exception: Got a packet bigger than 'max_allowed_packet' bytes

Seems to be on your end then?


in reply to grin

Two months later same issue:


MariaDB [friendicadb]> DELETE FROM `gserver` WHERE `url` LIKE '%activitypub-troll.cf%' OR `url` LIKE '%gab.best%';
Query OK, 38621191 rows affected (4 hours 3 min 46.706 sec)


more than 9GB freed up!


in reply to grin

Running 2023-03-rc on the last commit.
86k servers from *.gab.best.

select count(*) from gserver where url LIKE '%troll.cf%' OR `url` LIKE '%gab.best%';
+----------+
| 86378 |
+----------+
DELETE FROM `gserver` WHERE `url` LIKE '%activitypub-troll.cf%' OR `url` LIKE '%gab.best%';
Query OK, 86378 rows affected (1.143 sec)

Changed block pattern from gab.best to *.gab.best.
Obviously I missed the wildcard.


in reply to Raroun

The thing is I have added the wildcard and blocked the other troll-domain, and nevertheless, I still get all their spam.

so within one week the result:

MariaDB [friendicadb]> DELETE FROM `gserver` WHERE `url` LIKE '%activitypub-troll.cf%' OR `url` LIKE '%gab.best%';
Query OK, 17018290 rows affected (1 hour 48 min 11.643 sec)


in reply to Lorenz

@Lorenz Please block only *.activitypub-troll.cf; the other blocks should not do anything.

@Roland Häder if I remember correctly your fix was added to the 2023.03-rc branch. The instance of @Lorenz runs on 2023.01, so still without the fix.


in reply to grin

@Roland Häder did you add the fix for 2023.01 - 1502 or the newest dev-releases?


in reply to grin

@Roland Häder @OldKid @Lorenz
The pull request is marked in the 2023-03 Milestone, so I guess it's in the actual RC and later in 2023-03-stable.
Link to pull request #12700
