Why is Spam on Mastodon Such a Heated Topic?

Good question. I want to talk about why it’s a problem, but first a brief aside about why we feel the spam so strongly. Email has had Bayesian spam filters for years, so the hundreds of spam messages you receive each day never reach your inbox. Fediverse services such as Mastodon[1] have no equivalent content filtering in place. It is very obvious when these messages come in, because every one of them shows up as a push notification and as an item in your “inbox”.
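To make concrete what email has and Mastodon lacks, here is a minimal Bayesian spam filter of the kind mail clients have run for years. This is an added example, not code from the original post or from any Fediverse project. It trains a naive Bayes classifier on a handful of direct messages (all of them constructed for illustration) and then scores unseen messages; the training corpus, token regex and 0.9 threshold are choices made for this example.

```python
# Added example, not code from the original post or from Mastodon: a minimal
# Bayesian spam filter trained on constructed direct messages. Everything
# below (messages, threshold, tokenizer) is made up for illustration.
from __future__ import annotations

import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9]+")


def tokenize(text: str) -> set[str]:
    # Count presence of a token, not its frequency, so a word repeated ten
    # times in one message cannot swamp the score.
    return set(TOKEN_RE.findall(text.lower()))


class BayesFilter:
    """Naive Bayes over token presence with add-one (Laplace) smoothing."""

    def __init__(self) -> None:
        self.spam_docs = 0
        self.ham_docs = 0
        self.spam_tokens = Counter()  # token -> number of spam docs containing it
        self.ham_tokens = Counter()   # token -> number of ham docs containing it

    def train(self, text: str, is_spam: bool) -> None:
        tokens = tokenize(text)
        if is_spam:
            self.spam_docs += 1
            self.spam_tokens.update(tokens)
        else:
            self.ham_docs += 1
            self.ham_tokens.update(tokens)

    def spam_probability(self, text: str) -> float:
        if self.spam_docs == 0 or self.ham_docs == 0:
            raise ValueError("need at least one spam and one ham training message")
        # Work in log-odds: start from the class prior, then add the evidence
        # that each previously seen token contributes.
        log_odds = math.log(self.spam_docs / self.ham_docs)
        for tok in tokenize(text):
            if tok not in self.spam_tokens and tok not in self.ham_tokens:
                continue  # never seen in training: no evidence either way
            # Add-one smoothing keeps a token seen in only one class from
            # driving the probability to exactly 0 or 1.
            p_spam = (self.spam_tokens[tok] + 1) / (self.spam_docs + 2)
            p_ham = (self.ham_tokens[tok] + 1) / (self.ham_docs + 2)
            log_odds += math.log(p_spam / p_ham)
        log_odds = max(-500.0, min(500.0, log_odds))  # keep exp() in range
        return 1.0 / (1.0 + math.exp(-log_odds))

    def is_spam(self, text: str, threshold: float = 0.9) -> bool:
        return self.spam_probability(text) >= threshold


# Constructed training corpus: four scam DMs and four ordinary DMs.
SPAM_EXAMPLES = [
    "free crypto giveaway: send 0.5 btc to this wallet and receive 1 btc back",
    "claim your free airdrop now, connect your wallet to get bonus crypto tokens",
    "guaranteed 300% returns trading btc with our bot, dm me now to start",
    "limited nft mint, send eth to the wallet below to claim your free spot",
]
HAM_EXAMPLES = [
    "hey, are you coming to the meetup on thursday? let me know",
    "thanks for the boost! i'll send the draft of the blog post to you tomorrow",
    "could you take a look at my pull request when you get a chance? happy to pair on it",
    "lunch at noon? i'm free after the standup",
]


def build_filter() -> BayesFilter:
    f = BayesFilter()
    for msg in SPAM_EXAMPLES:
        f.train(msg, is_spam=True)
    for msg in HAM_EXAMPLES:
        f.train(msg, is_spam=False)
    return f


if __name__ == "__main__":
    f = build_filter()
    for dm in (
        "claim free crypto now, send btc to my wallet for guaranteed airdrop",
        "are you free for lunch on thursday? i'd like to hear about your new project",
    ):
        print(f"{f.spam_probability(dm):.3f}  spam={f.is_spam(dm)}  {dm}")
```

With eight training messages the scores are driven by a few tokens (wallet, btc, crypto, claim) and a real deployment would train on thousands, but the mechanism is the same: each message gets a probability before it reaches the inbox, which is exactly the step a Mastodon notification currently skips.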

Spam is generally sent from unrecognizable, more or less random domains. It is much less often sent via a reputable domain[2], or even via a custom domain hosted on one of those reputable services. Email providers maintain a high level of trust between one another in part by working to mitigate spam sent from their own services. It is nigh impossible to “break into” this web of trust at this point. This is why, despite email being a decent metaphor for the Fediverse, a newcomer could never stand up a mail server on an unknown domain and get any sort of reliable deliverability.

This sort of system, where small and independent actors cannot operate in the broader network, is something the Fediverse aims to avoid. Instead, Fediverse and Mastodon server admins have blocklists they can use to defederate from instances for various reasons. Email providers likewise have the ability to block all mail from a server regardless of whether individual messages are spam; unfortunately, with email this is generally the default, because good-actor mail servers are the exception rather than the rule.

In the Fediverse, servers receive the benefit of the doubt and other servers treat their messages as safe. This means that existing servers will accept follows, likes, direct messages, boosts, etc. from a server they have never heard of. Actual posts are only sent to an account’s followers in the absence of a relay.

If the largest email provider, Google (Gmail + Google Workspace), were regularly sending spam messages, other mail servers might start rejecting its messages by default as well. To avoid this, it is incumbent on email providers to self-regulate their users.

While there are definitely efforts being made, mastodon.social ultimately did a poor job of mitigating outgoing spam last week. At least three separate waves of crypto-scam direct messages went out from it, with the result that other admins temporarily limited federation with the most populous instance. Under this limit, only actions targeted at followers of mastodon.social users were federated, which effectively cut the spammers’ direct messages off from our respective inboxes.
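The difference between the default (benefit of the doubt), a limit, and a full defederation is easiest to see as a delivery decision. The following is an added example, not code from the original post or from Mastodon itself: a simplified model of an inbound-federation policy. It assumes three tiers named after the Mastodon admin UI wording, "none" (default: everything is accepted), "limit" (only interactions with local accounts that already follow the remote actor get through) and "suspend" (nothing gets through); the accounts, domains and activities are constructed for illustration, and the real server has many more rules (media rejection, report handling, relays) that this leaves out.

```python
# Added example, not code from the original post or from Mastodon: a toy
# model of the accept/limit/suspend decision an instance makes for inbound
# activities. Tier names follow the admin UI wording; domains, accounts and
# activities below are constructed for illustration.
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Activity:
    id: str
    type: str    # "Note" (post or DM), "Follow", "Like", "Announce" (boost)
    actor: str   # remote account as "user@domain"
    to: str      # local account the activity is addressed to


def actor_domain(actor: str) -> str:
    return actor.rsplit("@", 1)[1].lower()


def should_deliver(activity: Activity, domain_blocks: dict[str, str],
                   follows: dict[str, frozenset[str]]) -> bool:
    """domain_blocks maps domain -> "limit" | "suspend"; anything absent is "none"."""
    severity = domain_blocks.get(actor_domain(activity.actor), "none")
    if severity == "suspend":
        return False  # full defederation: drop everything from that domain
    if severity == "limit":
        # Only reach local accounts that already follow this remote actor,
        # which is what shuts out unsolicited DMs and follows from strangers.
        return activity.actor in follows.get(activity.to, frozenset())
    return True  # default: benefit of the doubt, even for an unknown server


def filter_inbox(activities, domain_blocks, follows):
    delivered, dropped = [], []
    for a in activities:
        (delivered if should_deliver(a, domain_blocks, follows) else dropped).append(a.id)
    return delivered, dropped


def demo(limited: bool = True):
    """Run the same constructed inbox with and without a limit on mastodon.social."""
    domain_blocks = {"spamhost.example": "suspend"}
    if limited:
        domain_blocks["mastodon.social"] = "limit"
    follows = {"alice@home.example": frozenset({"friend@mastodon.social"})}
    activities = [
        Activity("a1", "Note", "friend@mastodon.social", "alice@home.example"),    # DM from someone alice follows
        Activity("a2", "Note", "promo123@mastodon.social", "alice@home.example"),  # crypto DM from a stranger
        Activity("a3", "Follow", "promo123@mastodon.social", "bob@home.example"),  # stranger follows bob
        Activity("a4", "Like", "anyone@spamhost.example", "alice@home.example"),   # suspended domain
        Activity("a5", "Note", "newcomer@small.example", "bob@home.example"),      # unknown, unblocked server
    ]
    return filter_inbox(activities, domain_blocks, follows)


if __name__ == "__main__":
    print("limited:  ", demo(limited=True))   # the stranger's DM and follow are dropped
    print("unlimited:", demo(limited=False))  # everything except the suspended domain gets in
```

Note what the limit does and does not do: friend@mastodon.social still reaches alice because she already follows them, while the same server's promo123 account reaches nobody, which is the trade-off the admins who limited mastodon.social accepted.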

More importantly, though, it is useful to have folks move away from these super-instances in general. If those servers are no longer such “tasty” targets, spammers may be less likely to flock to them, and would hopefully move to servers that are easier for other admins to defederate from entirely.

Mastodon.social is run by Mastodon gGmbH, which in turn is run by the maintainer of the Mastodon software. This gives one person an outsized level of influence over thousands of Fediverse servers, including those not running the Mastodon software. It also makes this server a likely target for acquisition. Such a purchase could move that outsized influence from a single person to a bad-actor company such as Meta, Twitter, Medium, etc., which would likely spell the end of this model for social networking.

  1. Non-Mastodon services may actually have some level of spam filtering; I haven’t done an exhaustive look into this.

  2. gmail.com, yahoo.com, outlook.com, etc.