No longer any remote follows on instance, but inexplicable content from remote accounts still appearing in Federated timeline #30162
Comments
Mastodon will display in the “public timeline” public posts that are known to it, not only those that were boosted. This means if a local or followed user replied to a remote post, this remote post will be fetched. It is difficult to form any theory without more data; I think it would help to have examples of posts that have reached your instance with no obvious path. |
I'm the only user on the instance, and I'm not following any remote accounts, so the only way remote posts could be known to my instance is through boosting and replying and URL searches? I haven't interacted in any way with most of the posts in Federated. For example I haven't interacted in any way with any of these, but they are in my Federated timeline: https://indieauthors.social/@Klepsis/112391540624592317 ...these are just randomly taken from the top of the latest Federated feed, there are lots more posts like this from other accounts on many different remote instances. |
@ClearlyClaire I just talked with @FediVideos and they allowed me to share any details you need to debug this situation. Feel free to ping me if you think that would be helpful. Thanks. |
Looking at some of these:
Those posts are pinned posts, so they would be pulled whenever discovering their author account (e.g. through a post that mentions them). This one seems to have been pulled because of this reply: https://social.growyourown.services/@elmussol@streams.elsmussols.net/112384120317230513 This one seems to have been pulled because of this reply: https://social.growyourown.services/@elmussol@streams.elsmussols.net/112382825912701927 Might have been pulled from https://social.growyourown.services/@billstatler@forum.statler.ws/112384554089486587 Seems to have been pulled from https://social.growyourown.services/@elmussol@streams.elsmussols.net/112376428699670315 So I think at least Looking at the database confirms that posts from |
Thank you so much for taking the time to check this, really appreciated 🙏 Does that mean Streams accounts could be used to spam a Masto instance? 😬 I have never followed either of these accounts, and never heard of them before. AFAIK I have never interacted with them. It sounds like my instance is accepting whatever they want to send, without any reason to do so? Sounds like a security vulnerability if remote instances can push unrequested content like this by using custom software? (Obviously hope I'm wrong about this, just this is what it sounds like?) |
Okay, it looks like the Streams software sends content to follows instead of just followers: https://codeberg.org/streams/streams/issues/144 If a Streams user follows you, they may unknowingly send content to your instance even if you have never followed or interacted with them, even if the Streams user hasn't mentioned you in the post. UPDATE: Looks like Streams is investigating this, followers' content isn't supposed to go to Mastodon accounts, only Streams accounts. |
...and now the Streams dev has changed their mind and says they aren't going to fix it, they say it's Mastodon's fault for accepting the content: https://codeberg.org/streams/streams/issues/144#issuecomment-1813593 Is there anything that can be done apart from blocking/defederating Streams accounts/instances? |
Hi! I added more information to that issue, and had Hugo add some instrumentation code so that we can investigate further on the next message from |
Thank you for looking into this further, and for working with Hugo on this. Let's hope some more information comes to light. |
Streams have now locked their thread on this issue and accused me of not knowing who I was following: https://codeberg.org/streams/streams/issues/144 I guess there is nothing more Mastodon can do from this end? If so, I will close the issue. |
Update on this: I suspended all of the Streams instances that I could find federating with me, and immediately all of the unexplained posts stopped. Not just Streams posts but all of the unexplained posts from non-Streams accounts too. My instance's federated timeline is now totally back in my control. So, it was 100% definitely Streams accounts following me that were the root cause of this. Streams accounts were pushing content to me from Streams, Mastodon, Friendica, GoToSocial etc that I had no connection with, but it was only the Streams instances that I had to suspend in order to stop all of it happening. (I didn't have to block any non-Streams instances, so the non-Streams instances were not doing this at all.) As Streams developers are refusing to engage on this, I guess the only recommendation is admins who are receiving unwanted unexplained content to their instances should try seeing if it's connected to Streams instances and potentially suspend them if necessary. I'll close this issue. Thanks again for your time @ClearlyClaire, it would have been impossible to know it was Streams causing it without your analysis of all this 🙏 and thank you also @hugogameiro for being so proactive about checking the database etc 👏 |
Some more information on this:
|
In particular, this line makes any activity delivered directly to a personal inbox pass the relevancy test:
I think we should be able to just remove this line, but this might possibly cause some activities from other implementations to be wrongfully rejected…? |
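The trade-off raised in the comment above, as an added example (not Mastodon's code and not part of the original thread): a simplified relevancy filter in which the direct-delivery shortcut can be switched off. All names and sample activities are constructed, and the blind-addressed case is an assumed instance of an activity that a stricter check could wrongly reject.

```ruby
require 'set'

# Constructed model of an inbox relevancy check; field names are assumptions.
Activity = Struct.new(:actor, :mentions, :reply_to_author, :inbox_owner, keyword_init: true)

class RelevancyFilter
  def initialize(local:, followed:, trust_direct_delivery:)
    @local = Set.new(local)
    @followed = Set.new(followed)
    @trust_direct_delivery = trust_direct_delivery
  end

  # Returns the reason the activity is kept, or nil when it is dropped.
  def reason(activity)
    return :followed_author if @followed.include?(activity.actor)
    return :mentions_local if activity.mentions.any? { |m| @local.include?(m) }
    return :reply_to_local if @local.include?(activity.reply_to_author)
    # The shortcut under discussion: arrival at a personal inbox counts as relevance.
    return :direct_delivery if @trust_direct_delivery && @local.include?(activity.inbox_owner)
    nil
  end
end

LOCAL = ['admin@local.example'].freeze

# Constructed sample deliveries, all pushed to the local user's personal inbox.
SAMPLES = {
  mention: Activity.new(actor: 'a@remote.example', mentions: LOCAL, reply_to_author: nil, inbox_owner: LOCAL[0]),
  reply: Activity.new(actor: 'b@remote.example', mentions: [], reply_to_author: LOCAL[0], inbox_owner: LOCAL[0]),
  # Public post from a stranger whose server treats the local user as a connection.
  unsolicited: Activity.new(actor: 'c@remote.example', mentions: [], reply_to_author: nil, inbox_owner: LOCAL[0]),
  # Blind-addressed post: ActivityPub strips bto/bcc before delivery, so the
  # inbox it arrived at is the only sign that the local user is a recipient.
  blind_addressed: Activity.new(actor: 'd@remote.example', mentions: [], reply_to_author: nil, inbox_owner: LOCAL[0])
}.freeze

# Runs every sample through the filter and maps each label to its keep reason.
def audit(trust_direct_delivery)
  filter = RelevancyFilter.new(local: LOCAL, followed: [], trust_direct_delivery: trust_direct_delivery)
  SAMPLES.transform_values { |activity| filter.reason(activity) }
end

if __FILE__ == $PROGRAM_NAME
  puts "with shortcut:    #{audit(true)}"
  puts "without shortcut: #{audit(false)}"
end
```

With the shortcut on, the unsolicited post is kept solely because of where it was delivered; with it off, that post is dropped, and so is the blind-addressed one.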
Ahh okay, thank you for the follow-up! I've reopened this for these loose ends to be dealt with.
I think they do follow my account, but I have never followed (or heard of) any of them. I didn't think them following me was relevant for content appearing in my Federated timeline? |
Ah, well, I was going to double-check but you blocked them so I can't 😅
It's not for Mastodon but it might be for Streams. And even if the inconsistency isn't causing this specific issue, such an inconsistency would be a significant issue on its own. |
Oh, sorry, I thought you'd finished! 😦 I'd checked with Hugo that the custom script had been removed first. I am pretty sure they were following me because Mastodon alerted me to losing followers when I suspended their instance. |
Okay, although Federated is almost silent now, a couple of new inexplicable posts have appeared: https://wetdry.world/@fish/112439688889831458 https://hachyderm.io/@voyager/112437291516437753 They do both follow me, but they're following from Mastodon. Can't see any other connections and can't see Streams accounts in their followers. |
...and another inexplicable post, this time with a reply from a Streams instance but it's an instance I'd already suspended: https://antifa.style/@walsonde/112440037098068683 Perhaps the reply was delivered to another Streams instance which I haven't blocked, and then spammed to my instance? If so this could be an almost impossible game of whackamole to do manually 😫 Would be great if there was some barrier on Mastodon to prevent this kind of delivery. |
This is a pinned post for that account, which may have been pulled for any number of reasons. |
Some more inexplicable posts have started appearing, they do seem to be mainly pinned posts: https://catwithaclari.net/notes/9thh82gqazom01xk ...but there is one non-pinned post: https://astrodon.social/@schuh/112467770247736167
I get that pinned posts are backfilled (which is great by the way! 👍 ) but I thought that only happened if I did something myself, such as me bringing up their profile on my instance, or me following them, or me interacting with them in some way? Do pinned posts get backfilled simply from them following me, or them boosting me or them favouriting me? Even if I've never interacted with them? |
Pinned posts get backfilled when your server discovers the account, for any reason (them interacting with you, them being mentioned in a post that reaches your server, and so on). |
Ahhh okay. So, for example, if someone mentioned me and mentioned the other account in the same post, that would backfill the other account's pinned post and make it appear on my Federated? |
yes |
Hi, I am the I do have a connection with @FediVideos -- or I did, before I got blocked. My channel connected to In Streams, connections are based on a set of permissions, and this model doesn't map well onto Mastodon's follower/following model. It's more like "friending" someone on Facebook. If I send you a Facebook "friend" request, and you accept, we will see each other's posts. (Unless you take the additional step of "unfollowing" me without "unfriending" me.) So my billstatler channel sent a connection request to LooseEnds, saying basically "Here are a bunch of permissions I will grant to you, related to seeing my posts, commenting on them, seeing my photos, etc. Will you accept, and will you grant me permissions for your posts/photos/etc?" This request was accepted, at which point we were (in Mastodon terms) following each other. Thereafter, my server correctly sent my activity to LooseEnds. In the example posted earlier, I commented on a post by I have never used Mastodon, so I don't know what this looks like from your end. Is there a way to see who you're following, or to verify whether you intend to follow somebody when you approve a connection request? Anyway, blocking all Streams users isn't a good or sufficient solution. You'd probably also have to block all Hubzilla users, and maybe Friendica, and perhaps other projects that I don't know about. The lead Streams developer has added some code to reduce unwanted deliveries, but it can't fix a situation like this where somebody is actually following a Streams user (even if they don't know it). |
@BillStatler hi! Mastodon uses the base ActivityStreams vocabulary and ActivityPub semantics regarding follow relationships. Basically, you send a If I understand what you suggest, you sent a |
Thanks for the reply, @ClearlyClaire I'm afraid my technical understanding of ActivityStreams/ActivityPub is pretty limited, so I can't tell you how it became a bidirectional connection. But my instance believed that it was. I recovered some information from a backup of my In this table, "Their Settings" are the permissions granted by Now that I have been blocked, all the "Their Settings" YES's have become NO's. So logically, I can only see three possibilities:
That's the best information I can offer. I know Mike Macgirvin has made some recent changes related to deliveries, and he is working on more changes. So we may see fewer unwanted deliveries in the future. But in my particular case, I'm not convinced there was a delivery error. |
Steps to reproduce the problem
...
Expected behaviour
If there are no remote follows, the federated timeline should only show remote posts if they're boosted by local accounts
Actual behaviour
The federated timeline shows unboosted remote posts
Detailed description
I run a single-user instance which is mainly for posting advice and answering questions. My personal account is not on it.
To save resources I unfollowed all remote accounts; this was several weeks ago. The instance is on a managed hosting service and the hosting company verified from the database that there are zero remote follows. When I browse the Federated timeline, I am expecting to only see remote posts that I've boosted, but am actually seeing unboosted posts from many remote accounts.
I do not have any relays set up.
One possible theory: Some of Federated is recent posts from accounts I used to follow a long time ago, and the other recent posts are the kind of content these ex-follows might be boosting now. It seems like for some reason my instance is still pulling in content from remote accounts I used to follow a long time ago?
Is Mastodon's federation system not unfollowing accounts properly? Or does it keep federating an account's content if it's ever been followed, even if no one on the instance is following that account?
(By the way, I discussed this first with the managed hosting company, they looked into it and they had no idea why this was happening. They encouraged me to file an issue for this, and to let them know the link so they can resolve this if needed.)
Mastodon instance
social.growyourown.services
Mastodon version
v4.2.8
Technical details
If this is happening on your own Mastodon server, please fill out those:
(I am not sure about Ruby and NodeJS versions, it's running on the managed hosting service masto.host.)