Defederation isn’t new

For years, as email operators struggled to keep unsolicited messages out of their users’ inboxes, the notion of “block lists” emerged. Implemented as lists of IP and domain name lists stored within DNS, email operators would subscribe to curated lists (either for free, or for pay) in order to reject the messages outright, or mark them as spam and divert them away from the INBOX.

Email operators aren’t interested in maintaining their own lists – this takes a lot of time and effort, as each email operator will likely be hit by the same spam gangs as many other operator. Curating custom block lists has a diminishing return vs the effort it takes to keep those lists up to date and clean of false positives.

Email operators delegate this responsibility to organizations like Spamhaus to maintain high quality lists of IP and DNS based block lists.

Mastodon isn’t all that different.

And yet it is. It’s still early days for mastodon operators. We’re figuring out how to find high quality lists to block before troll sites harass our users. It doesn’t make sense to wait for the abuse to show up if it’s coming from an instance that doesn’t mind this type of behaviour on the internet.

But there are no mature systems for delegating block lists. That’s changing, but it’s not quite there yet.

mastodon is API first

Mastodon has a limited cli utility to help operators manage their systems, in addition to the web based admin interface of the main ui. But new features in the mastodon server are often released as an API first, without a clean way to navigate it. This is where third party opensource tooling comes in to help.

Discovering other block lists

Mastodon defederate is a new python based utility that allows people to query remote instances’ advertised domain blocks. You can use this to pull in lists from instances that you trust to be doing a good job of content moderation, and subsequently feed into your system’s block lists.

Installing is fairly simple. pip install defederate will install it into the local python context. I recommend running a virtualenv to keep your system tidy, but regardless the uility can be pointed towards an instance and run like:

defederate show hachyderm.io

as an example. Capture the output and collect the domain names. Take note of the SUSPEND vs SILENCE columns. You can use this to inform what type of block you wish the domains to have on your server.

Importing block lists

Mastodont is a node based utility that can communicate with the new block API provided by mastodon 4+. The Installation page of the project’s github walks you through how to create a mastodon application, which will provide you with a token that can be used to authenticate mastodont with. Be very careful with this: if someone gets a hold of this token, they effectively have admin access to your instance.

You’ll need to install Node 16 onto your system, so ensure that you’re not running an older version of node when trying to run mastodont. Once your system is ready, you can provide either a URI with a list of domains, or a local file and import the instance blocks into your server, using either SILENCE or SUSPEND. Run mastodont once and supply it with the uri of your instance and your token. This will create a config file on your system storing this information (be careful with the token) and you can run followup runs easily

$ mastodon
                                                                                                              
    88b           d88                                                  88                                     
    888b         d888                        ,d                        88                          ,d         
    88`8b       d8'88                        88                        88                          88         
    88 `8b     d8' 88 ,adPPYYba, ,adPPYba, MM88MMM ,adPPYba,   ,adPPYb,88  ,adPPYba,  8b,dPPYba, MM88MMM      
    88  `8b   d8'  88 ""     `Y8 I8[    ""   88   a8"     "8a a8"    `Y88 a8"     "8a 88P'   `"8a  88         
    88   `8b d8'   88 ,adPPPPP88  `"Y8ba,    88   8b       d8 8b       88 8b       d8 88       88  88         
    88    `888'    88 88,    ,88 aa    ]8I   88,  "8a,   ,a8" "8a,   ,d88 "8a,   ,a8" 88       88  88,        
    88     `8'     88 `"8bbdP"Y8 `"YbbdP"'   "Y888 `"YbbdP"'   `"8bbdP"Y8  `"YbbdP"'  88       88  "Y888      
                                                                                                              
            Blocklist importer for Mastodon by @[email protected] (https://kibitz.cloud)                
Requires an API access token with `admin:read:domain_blocks`/`admin:write:domain_blocks` and a blocklist file.     
                                       See README.md for more info.                                           
                                                                                                                                  

✔ Loading config.
✔ Blocklist filepath or URL: … hac
✔ Public comment: … 
✔ Private comment: … Imported by Mastodont on 2022-11-25T22:39:33.283Z
✔ Validating endpoint.
✔ Validating credentials.
  Querying instance blocks.
✔ Querying instance blocks.
✔ Updating instance blocks.
ℹ Opening browser to instance blocklist...          

Hooray!