I have taken the advice from this post and blocked all instances with > 10,000 users, from this list: https://docs.google.com/spreadsheets/d/e/2PACX-1vRthB7RtY4Rr0t5fhVKaliJnwSmptMc5oJi7uha_OBcF4wpu4eElxAxNzaCqjlq6NsOE9GpgSnMzZ2x/pubhtml

I will continue to monitor things and will make another announcement if more blocks are necessary.

If anybody is interested in getting a cleaned up instance federated again, feel free to contact me over DM (if you’re currently blocked, you can contact me on Matrix: @smorks:40to.ca).

  • sinnerdotbin
    1 year ago

    You’ll find this on any service. Even a proprietary software that is hosting some inconsequential site will get hammered if it has any kind of signup/contact form/content submission.

    It takes nothing to deploy a spam bot, and many are just cruising around looking for forms. There are tools and libraries out there that, described in an oversimplified way, simulate a browser, and you record a macro on how to populate the fields. If they hit one site or service that has an admin asleep at the wheel and spam gets through, it is worth the (largely automated) effort. I’m actually surprised there isn’t MORE of it happening.

    Personally I don’t think monoliths are really overly worried about federated platforms (even if they should be), and I don’t think they’d risk the legal aspects of getting caught messing with another system. Then again, not many instances have published a TOS so it could be argued there is no legal consequence, and some monoliths have engaged in practices I was surprised at, so who knows.