Spam via Codeberg #1786

Closed
opened 2025年02月12日 08:44:31 +01:00 by kissg · 23 comments

I got this mail:

Date: 2025年2月12日 06:34:21 +0000
From: truth noreply@codeberg.org
To: [e-mail disclosed]
Subject: [truth/truth] NIGGER BALLS (Issue #195)

@truth mentioned you:

@spotifydownloaders ( https://codeberg.org/spotifydownloaders ) @mbrubeck (
https://codeberg.org/mbrubeck ) @anhminhpainting (
https://codeberg.org/anhminhpainting ) @breetlee9211 (
https://codeberg.org/breetlee9211 ) @exodia ( https://codeberg.org/exodia )
@mos_8502 ( https://codeberg.org/mos_8502 ) @stoneselection01 (
https://codeberg.org/stoneselection01 ) @Otyr ( https://codeberg.org/Otyr )
@kissg ( https://codeberg.org/kissg ) @datify ( https://codeberg.org/datify
...
[further hundred users listed here]
...


View it on Codeberg.org ( truth/truth#195 ).
Codeberg e.V. – Arminiusstraße 2-4 – 10551 Berlin – Germany
Registered at registration court Amtsgericht Charlottenburg VR36929.

I guess this is some new kind of spam.
I suggest discarding notifications if more than five users are mentioned in a post.

Gabor


I also wanted to create the same issue. I have received 2 emails in the span of 2 minutes with the same content. Their profile is private and we can't see the repository they are using to mention people on.


I just had this happen to me not 5 minutes ago. I guess this explains it


Happened to me too, I'm sure others, as I see many mentioned usernames. It seems Codeberg might need to implement some content moderation. I run a product for that, but I won't link it here to avoid seeming like spam, and I believe you could get by with just directly implementing something like https://platform.openai.com/docs/guides/moderation


I don't think content moderation is the fix here. This spammer is using the fact that you can mention people in a private repo even if they have not been given access to it. I think if they disable this behavior, then it will at least mitigate this vector.


The user and repository have been deleted, that's why it shows 404. You wouldn't receive a notification if it was on a private repository, that would otherwise be a security issue.

We are aware of this and monitoring the situation.


OK, so it was a backlog of messages, not messages from a private repo. That makes more sense.


The two emails I got both contained 1000 usernames, and there was only a handful occurring in both.
(Also, none of the five commenters in this issue occurred in either of them.)

The number of people that can be "mentioned"/notified in a single message does not need to be that high.

The number of notifications that can be triggered by a single account (within a short timespan) also does not need to be that high.

Codeberg presumably has the ability to examine existing high-activity repos and determine realistic values to reduce these limits to. (Possibly with multiple tiers or dynamic thresholds depending on repo activity and/or account age, but probably that is unnecessary.)

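The controls proposed in this comment (cap the number of users one comment can mention, cap the notifications one account can trigger inside a time window) together with the "only notify people who previously interacted with the author" setting suggested further down the thread, as one added example in Go, the language Forgejo is written in. This is example code, not Codeberg's or Forgejo's notification code: the thresholds, the handle character set, and all type and function names are assumptions, and the comments fed to it in main are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Config holds the thresholds. The values used in main are assumptions for
// this example, not Codeberg's or Forgejo's settings.
type Config struct {
	MaxMentionsPerComment int           // a comment mentioning more users than this notifies nobody
	MaxNotifiesPerWindow  int           // notifications one author may trigger inside Window
	Window                time.Duration // sliding window for the per-author budget
	RequirePriorContact   bool          // if set, only users who already interacted with the author are notified
}

// mentionRe matches @handle tokens preceded by start-of-text or a non-handle
// character, so "noreply@codeberg.org" is not a mention. The handle charset is an assumption.
var mentionRe = regexp.MustCompile(`(?:^|[^A-Za-z0-9_@])@([A-Za-z0-9][A-Za-z0-9_.-]*)`)

// ExtractMentions returns the distinct handles in order of first appearance, so a
// comment repeating one user a thousand times still counts as a single mention.
func ExtractMentions(body string) []string {
	seen := map[string]bool{}
	var out []string
	for _, m := range mentionRe.FindAllStringSubmatch(body, -1) {
		h := strings.TrimRight(m[1], ".") // a trailing period ends the sentence, not the handle
		if h == "" || seen[h] {
			continue
		}
		seen[h] = true
		out = append(out, h)
	}
	return out
}

// Policy keeps the sliding-window history per author and the prior-contact graph.
type Policy struct {
	cfg     Config
	history map[string][]time.Time     // author -> times at which it triggered a notification
	contact map[string]map[string]bool // recipient -> authors they have interacted with before
}

func NewPolicy(cfg Config) *Policy {
	return &Policy{cfg: cfg, history: map[string][]time.Time{}, contact: map[string]map[string]bool{}}
}

// RecordContact notes that recipient has interacted with author before (same thread,
// reviewed their PR, ...). Only consulted when RequirePriorContact is set.
func (p *Policy) RecordContact(recipient, author string) {
	if p.contact[recipient] == nil {
		p.contact[recipient] = map[string]bool{}
	}
	p.contact[recipient][author] = true
}

// Decision lists who is notified for one comment and why everyone else is not.
type Decision struct {
	Deliver []string
	Dropped map[string]string // handle -> reason
}

// Evaluate applies, in order: the per-comment mention cap, the self/prior-contact
// filters, and the per-author sliding-window budget. Delivered notifications are
// charged to the author's budget so a burst of small comments is also bounded.
func (p *Policy) Evaluate(author, body string, now time.Time) Decision {
	d := Decision{Dropped: map[string]string{}}
	mentions := ExtractMentions(body)

	// 1. Mass-mention: treat the whole comment as abuse and notify nobody.
	if len(mentions) > p.cfg.MaxMentionsPerComment {
		for _, h := range mentions {
			d.Dropped[h] = "mention cap exceeded"
		}
		return d
	}

	// 2. Age out history older than the window, then compute the remaining budget.
	cutoff := now.Add(-p.cfg.Window)
	kept := p.history[author][:0]
	for _, t := range p.history[author] {
		if t.After(cutoff) {
			kept = append(kept, t)
		}
	}
	p.history[author] = kept
	budget := p.cfg.MaxNotifiesPerWindow - len(kept)

	for _, h := range mentions {
		switch {
		case h == author:
			d.Dropped[h] = "self-mention"
		case p.cfg.RequirePriorContact && !p.contact[h][author]:
			d.Dropped[h] = "no prior contact"
		case budget <= 0:
			d.Dropped[h] = "author notification budget exhausted"
		default:
			budget--
			p.history[author] = append(p.history[author], now)
			d.Deliver = append(d.Deliver, h)
		}
	}
	return d
}

func main() {
	p := NewPolicy(Config{MaxMentionsPerComment: 5, MaxNotifiesPerWindow: 4, Window: time.Hour})
	now := time.Now()
	// Constructed comments: one mass-mention, then two small ones that drain the budget.
	for _, body := range []string{"@a @b @c @d @e @f hi", "@a @b @c", "@x @y @z"} {
		d := p.Evaluate("spammer", body, now)
		fmt.Printf("deliver=%v dropped=%v\n", d.Deliver, d.Dropped)
	}
}
```

The per-comment cap alone is easy to evade by splitting the list across many comments (the blog post mentions chunks of 100), which is why the second check charges every delivered notification against a per-author window rather than counting comments. Values should be derived from real repository activity as the comment suggests; the numbers in main are illustrative only.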

I also went looking to see if there was an account setting which would have prevented this; there is not.

The email section of account settings has a single setting with four options: "Enable email notifications" / "And your own notifications" / "Only email on mention" / "Disable email notifications".

The second option is confusing and should be re-worded. Ideally the whole section should be re-done to give granular control over what actions trigger email notifications.

An additional setting to only allow notifications via people/repositories/organizations one has previously interacted with could also reduce such spam.

Update: there's a Forgejo issue regarding this... forgejo/forgejo#6906


There is an official blog post here: https://blog.codeberg.org/we-stay-strong-against-hate-and-hatred.html

Since it states "in chunks of 100 each" I will clarify that the "1000" (one thousand) in my previous comment was not a typo.


This will be fun to try to mitigate when we have federated ActivityPub comments. See also: https://codeberg.org/forgejo/forgejo/issues/5207

I also received the email at around 1 AM this morning (I live in a different time zone), and I wasn't aware of it before I got up to check my email


I checked some of the accounts that got pinged and it's interesting to note that many of them seem to be spam accounts themselves!
Might be a coincidence, but prior to this I hadn't seen any spam account and didn't expect there to be many of them on Codeberg.

For example, these 5 at the start of one of the pings I received:
@tructianhinfo @jackrobin @newwishesquotes @StackUpTshirts @winslowstyle @reynoldsroofs

It may only be a coincidence though.


possibly this guy?
https://codeberg.org/amadaluzia

this https://codeberg.org/truth/truth

More spam sent.
https://codeberg.org/austedan/thisisatest1/issues

Someone made a bunch of new accounts and used each one to open an issue on an abandoned project belonging to an abandoned account.

Maybe limit pingable users to those who have already engaged with a project?
Or maybe limit pings to verified accounts with verification being having an accepted pull request on a project managed by a verified account?


in my opinion it is just getting started, testing the spam distribution channel


Abandoned accounts may indicate that these are accounts to which access was stolen from leaks. These may be accounts to which no one has logged in for a long time. It would be necessary to impose restrictions on large mentions; security should discourage attempts to use such accounts in an automated way, and I assure you that this will be the next step after these tests.


@GanderPL wrote in #1786 (comment):

Abandoned accounts may indicate that these are accounts to which access was stolen from leaks. These may be accounts to which no one has logged in for a long time. It would be necessary to impose restrictions on large mentions; security should discourage attempts to use such accounts in an automated way, and I assure you that this will be the next step after these tests.

although, is artur manuel actually the guy doing it? or is it simply just a stolen account?


Uhhh, got someone saying some pretty whacky unpleasant words, and made an issue with such wording:
https://codeberg.org/splitjuniper7779
[image attachment]


@moderation above


Yup, the above issues were the attacker testing their method, they now created thousands of repos named (sorry for the bluntness) "NIGGER BALLS"


Btw @moderation shouldn't be there some way for the community to press a big red button and wake up a staff member? Cause it's Sunday morning, 5:40 in Europe, the attack was most likely timed specifically for when all the mods are offline


what a coincidence I run into tph here after playing in the exile server

14 participants