@martin so the spam waves we're seeing are quite advanced and adaptive, it's not like the script kiddie spam from last year.

With this spam wave, I'm still analyzing the data, but:
- we've seen at least 13 different domains used for the phishing site
- we've seen them using CWs when spamming publicly
- we've seen them use multiple different scripts (what's written), including multiple languages

Regexp and publicly available lists of data are not something that would particularly help, as as soon as you publish & block keywords or domains, the attack changes.

If a server admin is not vigilant, then they should not have open registration (ex. Mastodon.social), but there's servers out there that are several versions out of date, so they don't get any of the new mitigation features or warnings (there's a big warning about open registration in the admin panel since 4.3.x)

@staff

would limiting rate of posts for new accounts help?

so you make a new account, you only get 3 posts on your first day for example

but... they'll just register and go dormant for a period of time

no, you could still do it:

rate limit number of first few posts, no matter account age

so... they post innocuous garbage to get past that hurdle

but that's still useful

put up these kinds of barriers to make spamming hard, while not interfering with regular users