While looking for something completely different in Mastodon’s documentation, I came across an interesting thread on GitHub concerning a suggestion to introduce a limit on the number of accounts that can be followed from one account. It turns out that in 2017, the original Mastodonians noticed a problem with users sending massive amounts of requests to the API. These were bots set up to follow as many accounts as possible. Why? When it comes to the Internet, if you don’t know what it’s all about, it’s about spam! The mechanism was simple – the bot’s name and avatar contained advertising, and by following a particular user, the bot would automatically appear in their Notifications tab. Smart… But not smarter than the developers behind the Mastodon construction. The reaction to the suggestion was not immediate, but slightly over a year after the creation of the issue, a Commit (update) was made that introduced the appropriate limit.
Since then, the limit has been that from one account, you can follow 7500 accounts without any restrictions. After exceeding this value, an additional condition comes into play:
You can follow more than 7500 accounts if your number of followers multiplied by 1.1 is greater.
In practice, this means that to have the ability to follow the 7501st account, it is necessary to have (7501 / 1.1 =) 6820 followers. This, in practice, solved the problem, as bots of this type did not gain a comparable number of followers to the number of accounts they followed.
Finally, I would like to add that both the 7500 threshold and the 1.1 multiplier are modifiable in the case of having your own instance. Unfortunately, this opens the door to further abuses, but it should be remembered that such a „unlocked” spammer instance:
- is quite easy to block,
- having accounts with a large number of followers can severely clog up the disk space with data generated by those people,
- it makes it harder to maintain anonymity, as there is always the possibility of easier tracking of the spammer via their IP or even the registration data of the domain on which the instance is located.
Is it worth? I don’t know, I’m not a spammer.
Toot about this topic on Mastodon: