Add suspicious-signup sweep: suspend flagged signups with no activity
Watches every account flagged by IP-scrutiny or email-domain scrutiny at signup and, once it goes live, records a baseline post/follow count. A scheduled sweep (app/suspicious_sweep.py, run via cron on admin.yttrx.com) suspends any watch past SUSPICIOUS_GRACE_HOURS with zero new posts and zero new follows since that baseline; any activity clears the watch. Works whether yttrx is open-registration or requires moderator approval, since the watch starts at whichever event actually makes the account live (account.created vs account.approved), same dual handling the welcome flow already uses. Needs ABUSE_BOT_TOKEN re-minted with admin:read:accounts.
This commit is contained in:
@@ -12,11 +12,18 @@ A FastAPI webhook server. One Mastodon admin webhook delivers `account.created`,
|
||||
(datacenter/hosting) signups get more scrutiny (held welcome, ip_blocks
|
||||
registration, DM to moderator) before falling through to a normal welcome.
|
||||
- **account.approved** → always DM the welcome (dedup-safe; this is what
|
||||
releases a held welcome once a human clears the approval queue).
|
||||
releases a held welcome once a human clears the approval queue). Also where
|
||||
a held, flagged signup's suspicious-watch baseline gets captured.
|
||||
- **report.created** → classify the reported account, count distinct reporters,
|
||||
and auto-**silence** young/dormant accounts past the threshold — lowered for
|
||||
accounts with a flagged signup IP (see README).
|
||||
|
||||
A separate scheduled module, `app/suspicious_sweep.py` (run via
|
||||
`python -m app.suspicious_sweep`, not part of the webhook server), suspends
|
||||
any IP- or email-flagged signup that shows zero new posts and zero new
|
||||
follows within `SUSPICIOUS_GRACE_HOURS` of going live. See README.md's
|
||||
"Suspicious-signup sweep" section for the full policy.
|
||||
|
||||
| Where | What |
|
||||
|---|---|
|
||||
| Workstation | Source of truth: `~/yttrx-welcomebot/` (this repo) |
|
||||
@@ -170,12 +177,18 @@ as an error; nothing else in the bot is affected).
|
||||
report-triggered suspend override) will 403 (logged as an error; the suspend
|
||||
itself still goes through since that only needs `admin:write:accounts`).
|
||||
|
||||
**The suspicious-signup sweep (`app/suspicious_sweep.py`) needs another scope,
|
||||
`admin:read:accounts`**, to `GET /api/v1/admin/accounts/:id` (fetches current
|
||||
post/follow counts + role/suspended state to decide whether to suspend) —
|
||||
without it every sweep run 403s per-account (logged as an error, that account
|
||||
is simply retried next run; nothing else in the bot is affected).
|
||||
|
||||
Mint a correctly-scoped token from the Rails console on mammut:
|
||||
|
||||
```bash
|
||||
ssh mammut 'docker exec $(docker ps -f name=live-web-1 -q) bin/rails runner "
|
||||
acct = Account.find_local(%q{bot})
|
||||
scopes = %q{read:statuses write:statuses admin:read:reports admin:write:accounts admin:write:ip_blocks admin:write:email_domain_blocks}
|
||||
scopes = %q{read:statuses write:statuses admin:read:reports admin:write:accounts admin:write:ip_blocks admin:write:email_domain_blocks admin:read:accounts}
|
||||
app = Doorkeeper::Application.create!(name: %q{Abuse handler vN}, scopes: scopes, redirect_uri: %q{urn:ietf:wg:oauth:2.0:oob})
|
||||
tok = Doorkeeper::AccessToken.create!(application_id: app.id, resource_owner_id: acct.user.id, scopes: scopes)
|
||||
puts tok.token
|
||||
@@ -213,6 +226,14 @@ curl -s -o /dev/null -w "%{http_code}\n" -X POST \
|
||||
https://yttrx.com/api/v1/admin/email_domain_blocks
|
||||
```
|
||||
|
||||
And for `admin:read:accounts` (`403` = missing scope; `200`/`404` = authorized):
|
||||
|
||||
```bash
|
||||
curl -s -o /dev/null -w "%{http_code}\n" \
|
||||
-H "Authorization: Bearer $ABUSE_BOT_TOKEN" \
|
||||
https://yttrx.com/api/v1/admin/accounts/0
|
||||
```
|
||||
|
||||
## Mastodon side (mammut)
|
||||
|
||||
- The webhook (Administration → Webhooks) is already subscribed to
|
||||
|
||||
Reference in New Issue
Block a user