> Kinky Kobolds,
>
> User has reported [redacted] View:
> https://meow.example/reports/3898

Again. Another spam bot. This wasn’t the first time this had happened on the Fediverse, though. The kobolds knew how to handle it from those previous experiences. The sounds of yipping echoed through the hallways as the small scaly creatures got to work.

It was the same pattern of crap as last time: Japanese language nonsense, a link to an obviously phishy website, and posts that use the same five hashtags before @ mentioning as many people as could fit in the post. The sources? A handful of domains that hadn’t been properly maintained and were open for spambots to abuse.

This was *precisely* why Mastodon changed the default configuration a few updates ago: If nobody with moderation permissions had signed on in 30 days, then new sign-ups would require moderator approval. If those servers hadn’t been updated to that new policy, though, they were still vulnerable to abuse.

First, the kobolds attacked the existing report queue, which contained about fifty of the frickin’ things already, with the help of the site’s lead moderator. All the offending accounts were suspended for spam in four clicks each: open the ticket, claim the ticket, suspend the account, and confirm the action. However, the hashtag common to the spam already had two hundred hits, so there was plenty more work to do.

The starting point? Figure out the most common sources. Most of the domains were ones the kobolds hadn’t seen before; suspending those domains was an easy decision. A few, however, were ones other site users interacted with. Suspending those servers would break those follower/following relationships; doing nothing would let the spam continue through. They left those servers for now; they’d come back to it later if it remained a problem.

The kobolds wanted to do more, though.
They were fired up and ready to remove the spam from the entire domain with all the fury of [Tucker’s Kobolds](https://dungeonsdragons.fandom.com/wiki/Tucker%27s_kobolds) driving adventurers from their home. They searched the hashtag the spam was coming from and reported every post they could find. Another hundred posts reported and dealt with; another dozen domains suspended for being used exclusively for spam. Within an hour, every public post had been dealt with.

There was still more, though. Just dealing with all the *public* posts wouldn’t address the entire problem. Mastodon allows unlisted posts: Posts that are hidden from the public timeline and searches but still visible to anyone who does a bit more digging.

This is where another weakness of the attack came into play: All the accounts were less than a few hours old, lacked profile pictures, and had ten-character alphanumeric nonsense. By just searching the list of new accounts from across the Fediverse in the moderation interface, they stood out like a dagger in dark vision. It was almost too easy to sneak attack those accounts before they took initiative. They’d have made dozens of posts, of which only one or two appeared in the mod feed, @ mentioning local users who likely hadn’t seen the spam yet. Another flurry of clicks handled those with extreme prejudice.

While any D&D rage effects would have long since worn off, the kobolds were still growling at the new reports list, looking for any stragglers who hadn’t gotten caught in the previous rounds. More than two hundred posts had been deleted; the only two left were people using the tag to warn others.

Only one thing would snap the kobolds out of that: A lunch break. Rumbling stomachs demanded attention. The smoldering hole of spam was a perfect place to roast some snacks.