you’ll want to follow https://github.com/LemmyNet/lemmy/issues/818 for that

Depends on the type of feature request.

For most feature requests the project issue trackers are likely the best place.

• Lemmy backend: https://github.com/LemmyNet/lemmy/issues
• Lemmy default web interface: https://github.com/LemmyNet/lemmy-ui/issues

Alternative UIs and apps have their own issue trackers as well.

If it’s something that’s just about configuration or something we have built ourselves [email protected] can be a good place for that.

Feel free to reply here though and I can tell you where it’s best placed.

we currently have our own solution to send emails with a custom text explaining why people were rejected and what they can do next. we’ll have to review whether the built-in solution would be capable of replacing this functionality adequately if we add rejection reasons to lemmy when rejecting the applications.

our current solution rejects applications and then deletes the user from the database to ensure that they can sign up again if they want, as denied applications only get deleted after a week or so and an appeal process would require support tickets and a lot more time to be spent by us on addressing those.

our application process is fully automatic and just depends on certain words to be provided and the email not being disposable.

The link is up there in the post for you to use.

The screenshot in my previous comment is directly from their abuse form at https://abuse.cloudflare.com/csam. Your email is specifically about their proactive scanner, not about abuse reports that are submitted.

They also explicitly state on their website that they forward any received CSAM reports to NCMEC:

Abuse reports filed under the CSAM category are treated as the highest priority for our Trust & Safety team and moved to the front of the abuse response queue. Whenever we receive such a report, generally within minutes regardless of time of day or day of the week, we forward the report to NCMEC, as well as to the hosting provider and/or website operator, along with some additional information to help them locate the content quickly.

they do, they just don’t require you to be registered with them anymore for their csam scanner:

potentially identifying information, such as addresses, must be removed. images of the person must either be heavily pixelated or entirely cut out.

with the content i’ve seen it gave me more of an impression of being captures of a live stream, but that’s just guessing

unless you operate the instance that is being used to send this material you can generally only work with the content that is being posted/sent in PMs. almost all identifying information is stripped when it leaves your local instance to be federated to other instances. even if there was a group of instances collaborating on e.g. a shared blocklist, abusers would just switch to other instances that aren’t part of the blocking network. there’s a reason why it’s not recommended to run a lemmy instance with open signups if you don’t have additional anti-spam measures and a decently active admin team. smaller instances tend to have fewer prevention measures in place, which results in a burden for everyone else in the fediverse that is on the receiving end of such content. unfortunately this is not an easy task to solve without giving up (open) federation.

I’m sorry, sometimes it’s hard to tell whether people actually mean it. I can totally see people commenting that and being serious.

mentally ill people can have plenty of time on their hands to invest this much effort in harassing others. people claiming that this can’t be harassment are effectively supporting the harassment, as that tries to further blame the likely victim of this. obviously this is just speculation, as we don’t know the full truth.

the problem with this spam and generally federated platforms is that you can only really try detecting it based on the content. the accounts tend to get created on another instance and then the messages federate over to you, which means you won’t see a lot of the identifying information you’d see for a local user, such as their IP address.

unfortunately we can’t just apply the update quickly, as this introduces sending emails on rejected applications. we already send rejection emails separately and with custom text, while the text implemented in the update is currently not configurable.

i’ll see if we can deploy updated lemmy-ui without updating lemmy already this weekend, but i need to check if there were any api changes first, as we’d then have to backport them to lemmy first.

we’ve already applied the security patch about 2 weeks ago.

That appears to be a baseless conspiracy theory.

Except for the gore pms, I believe all the images have been uploaded to Lemmy instances or Imgur, which means that the uploader has no way to track IPs accessing those images. The gore images were uploaded to another service that at least on the surface appears to be another regular image hoster that wouldn’t expose IP access logs to uploaders.

The woman depicted is very likely the target of harassment.

Agreed, but there is no proof of this. We also don’t know their true identity to check with them directly.

Sharing the images depicting violence is tantamount to a threat of violence.

The images did not depict violence directly, it was a gory image of a dead person. They were very likely sent by a copycat not involved in the original harassment campaign and intended to fuck up fediverse users more than anything else. They did not appear to imply any kind of threat.

you would have wasted 15 minutes

This would require a lot more than 15 minutes to file a proper report. First we have to collect all relevant information that we have available and compile them in a format that can be submitted. Once we have this information we have to identify a police department to report this to. We are legally based in NL, as that’s where our non-profit Fedihosting Foundation is located. I’m based in Germany, so it would also be an option to report it here. The depicted person is claimed to be in Canada, so maybe this should be reported to a police department over there. Or maybe to all of them.

All of this would easily add up to 2 hours or more if you want to do it properly and not just look for 3 online forms to write “hey there is someone sending spam”.
If this was a paid job and I was doing this during working hours I wouldn’t mind, but all the time I spend here is taken out of my personal time, the same as with anyone else on our team, and also the same you’ll see with most other fediverse instances.

perhaps Nicole has been trying to get a restraining order against some creep but has been unable to due to lack of evidence.

If we receive a request for information from (real) law enforcement we’ll be more than happy to provide relevant data, but doing this for the (perceived low) chance of that somehow being linked from a random police report is a fairly high time investment as described above.

we looked into it, we currently believe that to be a copycat not related to the other pms.

the lemmy.world account involved in that was most certainly compromised from an unrelated data breach and all connections originated from IPs linked to an anonymization service, so there’s also not much to follow up on.

we will reconsider this if it happens again.

I don’t know if others have, I only know that we (Lemmy.World, Fedihosting Foundation) have not reported it to the police.

I don’t have high hopes that the police would be able to do anything about this. For the harassment against the person shown in the images, that would likely have to be reported by them directly for the police to take that up.
For random online spam, as in harassment of fediverse users receiving the PMs, that seems like it would be an extremely low priority for police. It’s also likely fairly difficult to impossible to follow up on, considering that the person sending the PMs most likely used a VPN to access these accounts.

to be honest, this should have been done way earlier.

hi,

there was a bad cloudflare block rule from back in 2023 that blocked these requests.

i had previously disabled it to see if that had any bad impact but forgot to follow up on that to fully remove it, so it got reactivated in a later configuration change. it’s fully removed now.

this should be fixed now, Cloudflare was detecting a potential vbulletin exploit