unfortunately we can't just apply the update quickly, as this introduces sending emails on rejected applications. we already send rejection emails separately and with custom text, while the text implemented in the update is currently not configurable.
i'll see if we can deploy updated lemmy-ui without updating lemmy already this weekend, but i need to check if there were any api changes first, as we'd then have to backport them to lemmy first.
we've already applied the security patch about 2 weeks ago.
The instance domains I've seen involved so far at least weren't set up specifically for this purpose. Most of the URLs were pointing to established services and not different per recipient.
While I can't rule out that individual users may have received a different URL in an attempt to extract their IP and information about their browser, this at least does not appear to have been done in a larger scale.
Except for the gore pms, I believe all the images have been uploaded to Lemmy instances or Imgur, which means that the uploader has no way to track IPs accessing those images. The gore images were uploaded to another service that at least on the surface appears to be another regular image hoster that wouldn't expose IP access logs to uploaders.
The woman depicted is very likely the target of harassment.
Agreed, but there is no proof of this. We also don't know their true identity to check with them directly.
Sharing the images depicting violence is tantamount to a threat of violence.
The images did not depict violence directly; it was a gory image of a dead person. They were very likely sent by a copycat not involved in the original harassment campaign and intended to fuck up fediverse users more than anything else. They did not appear to imply any kind of threat.
you would have wasted 15 minutes
This would require a lot more than 15 minutes to file a proper report. First we have to collect all relevant information that we have available and compile it in a format that can be submitted. Once we have this information we have to identify a police department to report this to. We are legally based in NL, as that's where our non-profit Fedihosting Foundation is located. I'm based in Germany, so it would also be an option to report it here. The depicted person is claimed to be in Canada, so maybe this should be reported to a police department over there. Or maybe to all of them.
All of this would easily add up to 2 hours or more if you want to do it properly and not just look for 3 online forms to write "hey there is someone sending spam".
If this was a paid job and I was doing this during working hours I wouldn't mind, but all the time I spend here is taken out of my personal time, the same as with anyone else on our team, and also the same you'll see with most other fediverse instances.
perhaps Nicole has been trying to get a restraining order against some creep but has been unable to due to lack of evidence.
If we receive a request for information from (real) law enforcement we'll be more than happy to provide relevant data, but doing this for the (perceived low) chance of that somehow being linked from a random police report is a fairly high time investment as described above.
we looked into it; we currently believe that to be a copycat not related to the other pms.
the lemmy.world account involved in that was most certainly compromised from an unrelated data breach and all connections originated from IPs linked to an anonymization service, so there's also not much to follow up on.
I don't know if others have, I only know that we (Lemmy.World, Fedihosting Foundation) have not reported it to the police.
I don't have high hopes that the police would be able to do anything about this. For the harassment against the person shown in the images, that would likely have to be reported by them directly for the police to take that up.
For random online spam, as in harassment of fediverse users receiving the PMs, that seems like it would be an extremely low priority for police. It's also likely fairly difficult to impossible to follow up on, considering that the person sending the PMs most likely used a VPN to access these accounts.
there was a bad cloudflare block rule from back in 2023 that blocked these requests.
i had previously disabled it to see if that had any bad impact but forgot to follow up on that to fully remove it, so it got reactivated in a later configuration change. it's fully removed now.
afaik this is not something that we were involved in, but the lemmy devs implemented a threshold to exclude instances with 30% or more monthly active user share.
i don't mind it, better distribution of users across instances is good.
we all do this in our spare time. if we had set working hours then it would be easy to do so, but even then I don't think a daily maintenance window would be necessary when we don't make changes that frequently.
we believed this change to be doable without downtime, otherwise we would've announced it ahead of time.
this change is important for our anti-spam measures, especially if we tune it to be more aggressive, which might increase the false positive rate. it is important for us to be able to distinguish removed pms from user deleted pms in case we need to restore them at a later point.
due to that it's a somewhat urgent change that was fit in where we had spare time available to allow us to continue improving our efforts to combat pm spam effectively.
(mobile) apps could do this, but I don't think browser based apps would be able to. the generation of YouTube thumbnails works by requesting the html content of the YouTube page and then extracting a metadata component from it, where YouTube provides the actual preview image as a link. browsers set restrictions on how you can interact with other websites for security reasons and I don't think this would be allowed there.
manually this is of course doable, but it's rather cumbersome.
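To illustrate the thumbnail-generation step described in the comment above, here is an added example (not code from Lemmy or from the commenter) of the server-side part: take the fetched page HTML, pull the preview image link out of the page's Open Graph metadata, and only pass it on if it is an http(s) URL. The sample HTML and the image host name are constructed for the example.

```javascript
// Added example, not Lemmy's code: extract the preview image a page
// advertises in its <meta property="og:image" content="..."> tag.
// The HTML below is constructed; attribute order and quoting style vary
// between sites, so the parser must not assume a fixed layout.
const SAMPLE_HTML = `<!DOCTYPE html><html><head>
<meta name="description" content="An example video">
<meta content="https://img.example.invalid/vi/abc123/maxresdefault.jpg" property="og:image">
<meta property='og:title' content='Example video'>
</head><body></body></html>`;

// Return the content of the first og:image meta tag, or null if none.
function extractOgImage(html) {
  const metaTags = html.match(/<meta\b[^>]*>/gi) || [];
  for (const tag of metaTags) {
    const attrs = {};
    const attrRe = /([a-zA-Z:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
    let m;
    while ((m = attrRe.exec(tag)) !== null) {
      attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3];
    }
    if (attrs.property === "og:image" && attrs.content) {
      return attrs.content;
    }
  }
  return null;
}

// Only accept http(s) thumbnails: a page is remote, untrusted input, so a
// data: or javascript: URL in og:image must never reach clients as an
// image source.
function safeThumbnailUrl(html) {
  const url = extractOgImage(html);
  if (url === null) return null;
  try {
    const parsed = new URL(url);
    return parsed.protocol === "https:" || parsed.protocol === "http:"
      ? parsed.href
      : null;
  } catch (e) {
    return null;
  }
}

// In a browser-based app the step before this one already fails: a
// cross-origin fetch of the YouTube page is blocked by the same-origin
// policy / CORS unless the remote site opts in, so the HTML never reaches
// the parser. That is why the server has to do the fetching.
```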