[bug] MRF followers_only policy does not protect against spam DMs #541

Closed
opened 2023-05-14 20:27:55 +00:00 by smitten · 6 comments

Your setup

OTP

Extra details

No response

Version

3.8.0-234-gb86b3a9e-develop hash b86b3a9e

PostgreSQL version

No response

What were you trying to do?

With increasing spam messages from bot accounts on mastodon.social, both snowdin.town and 0w0.is have set up SimplePolicy followers_only rule for all posts from that domain.

What did you expect to happen?

The intention was to block DMs from unfollowed users so that accounts sending spam links would not be visible.

What actually happened?

However the policy does not do that, and DMs from users there still come through as normal.

This has caused confusion from both admins and users, and we weren't sure if we're misunderstanding the policy or if it's a bug.

I read the relevant section of simple_policy_test.exs and it seems to be removing address from the `to` field, so I wonder if maybe another piece of code is adding it back in.

See https://snowdin.town/notice/AVeeCiVkpABqOvz1WK

Logs

No response

Severity

I cannot use it as easily as I'd like

Have you searched for this issue?

  • I have double-checked and have not found this issue mentioned anywhere.
smitten added the bug label 2023-05-14 20:27:55 +00:00

you have misinterpreted the function of followers_only

essentially what this mrf does is downgrade public posts to followers only - direct messages are below the visibility of followers only, so would not be affected by this

see https://docs.akkoma.dev/stable/configuration/cheatsheet/#mrf_simple

Author

> you have misinterpreted the function of followers_only

Thanks so much for the quick reply. So it sounds like what we really want is `mrf_rejectnonpublic` policy with `allow_followersonly` on and `allow_direct` off?


yes, though since rejectnonpublic is boolean, you'll probably want to use it in combination with subchain

```elixir
config :pleroma, :mrf_rejectnonpublic,
  allow_direct: false

config :pleroma, :mrf_subchain, match_actor: %{
  ~r/https:\/\/example.com/s => [Pleroma.Web.ActivityPub.MRF.RejectNonPublic]
}
```

should work

replace example.com with whatever you need

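An added example, not part of the thread and not Akkoma's own code: a simplified Elixir model of how the configuration above would treat incoming posts, with visibility derived from the `to`/`cc` addressing. The `MrfModel` module, the `<actor>/followers` collection URL, the `allow_followersonly: true` setting and the sample activities are assumptions made for illustration.

```elixir
# Simplified model written for this example; it is not Akkoma source code.
defmodule MrfModel do
  @public "https://www.w3.org/ns/activitystreams#Public"
  def public, do: @public

  # Visibility derived from ActivityPub addressing. Assumption: the actor's
  # followers collection is "<actor>/followers".
  def visibility(%{"actor" => actor, "to" => to, "cc" => cc}) do
    cond do
      @public in to -> :public
      @public in cc -> :unlisted
      (actor <> "/followers") in to -> :followers
      true -> :direct
    end
  end

  # RejectNonPublic as modelled here: opts mirror allow_followersonly / allow_direct.
  def reject_nonpublic(activity, opts) do
    vis = visibility(activity)

    cond do
      vis in [:public, :unlisted] -> {:ok, vis}
      vis == :followers and opts[:allow_followersonly] == true -> {:ok, vis}
      vis == :direct and opts[:allow_direct] == true -> {:ok, vis}
      true -> {:reject, vis}
    end
  end

  # Subchain as modelled here: apply the policy only when the actor matches.
  def subchain(activity, actor_regex, opts) do
    if Regex.match?(actor_regex, activity["actor"]),
      do: reject_nonpublic(activity, opts),
      else: {:ok, :not_matched}
  end
end

actor_regex = ~r/https:\/\/example.com/s
opts = [allow_followersonly: true, allow_direct: false]
remote = "https://example.com/users/a"
# Constructed local recipient and constructed sample activities.
local = "https://local.test/users/me"

samples = [
  public: %{"actor" => remote, "to" => [MrfModel.public()], "cc" => []},
  followers: %{"actor" => remote, "to" => [remote <> "/followers"], "cc" => []},
  dm: %{"actor" => remote, "to" => [local], "cc" => []},
  dm_other_host: %{"actor" => "https://other.test/users/b", "to" => [local], "cc" => []}
]

for {name, act} <- samples, do: IO.inspect({name, MrfModel.subchain(act, actor_regex, opts)})
```

In this model every direct message from a matched actor is rejected whether or not the recipient follows the sender, because only the visibility is checked. Direct messages from actors that do not match the regex pass through untouched.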

Is there a way to block DMs from non-followed accounts generally, without specifying a host to which it applies?

Author

I think this is resolved by https://akkoma.dev/AkkomaGang/akkoma/commit/d310f99d6aa777aa03215c29f469140221716f9f
Reference: AkkomaGang/akkoma#541