My matrix server had 2626 accounts ...

… and 2621 of those were spam bots.

So long story shory: I cultivated over the last year a really nice hoard of spam bots on my experimental matrix server.

What happened?

I got poked by $randomdude that some users from my homeserver are raiding one of his room. He sent me a screenshot with proof that a random account named is one of them. At this point I was getting really nervous.
I checked the database … 2626 accounts 🔥💥

On this server there are only 5 legitimate accounts, all of them created before 2021. The first “external user” was created in Juni 2021, and from there onwards the list goes on and on. In late April there was a bunch of new users created and one of them made one of the admins suspicious. This dude was the one contacting me ultimately. Thank you for that.

How could this happen?

I use this server to test and play around with dendrite and do not consider a production-ready system. Because of that I never established a good monitoring scheme which would (hopefully) have caught this.

The culprit was easily found:

  # Prevents new users from being able to register on this homeserver, except when
  # using the registration shared secret below.
  registration_disabled: false

Probably when registering one of my own accounts I forgot to disable the registration. Also there was no captcha set, so my server was basically serving free lunch to any spammer out there. Registration can be automated and my server provided them an infinite amount of new users.

Whoopsie … 💩💩💩

What have been the mitigation steps?

First: I immediately shutdown the server after being contacted. I don’t want to host spam bots and it’s in the reasonability of the server admin to react to such things immediately.

Then I went on to investigate what happened and since when I was cultivating such a nice and pleasant pack of blood-sucking leeches. Once realizing that there is little hope for the server to be saved (He’s dead Jim) I contacted all affected people and we came to the conclusion that this server needs to be exterminated.

For now and the mid future: ceases to exists. The DNS entry got removed and the server instance got nuked from orbit. There is little but Scorched Earth left behind and there was little to save.

Second: This server has been razed and will never be used again. The URL probably got (rightfully) banned from any legitimate server and every spammer in the world knows now about this spam bot farm.

Third: I instantiated a new server with disabled registration AND captcha turned on on a different subdomain. I will look into collecting metrics from this server and establish a meaningful monitoring to prevent another happy spam bot farm.