Spam sign-ups are a persistent problem for public Mastodon instances. Automated bots and malicious actors create fake accounts to spread unwanted content, send direct message spam, and disrupt local timelines. This issue drains moderator time and can drive away legitimate users. This article explains how to configure Mastodon’s built-in anti-spam tools, set email domain blocks, and use moderation workflows to stop spam sign-ups before they cause harm.
Key Takeaways: Blocking Spam Sign-Ups on Mastodon
- Settings > Administration > Server Settings > Registrations: Disable open registration or set approval-required mode to filter new accounts manually.
- Settings > Administration > Server Settings > Email Domain Blocks: Block entire email domains commonly used by bots, such as disposable address providers.
- Settings > Administration > Moderation > Invites: Generate limited-use invite links to control who can join your instance.
Why Spam Sign-Ups Happen on Mastodon Instances
Mastodon instances that allow open registration are vulnerable to automated sign-up scripts. Bots scan public instances for registration endpoints and submit fake profiles using disposable email addresses. Once inside, these accounts can follow local users, boost spam posts, and send unsolicited messages. The root cause is the combination of open registration and the lack of a CAPTCHA system in Mastodon’s default configuration.
Mastodon does have a built-in anti-spam system called the Spam Check API. It analyzes profile text and post content for spam patterns. However, this check only runs after an account is created. It does not prevent the initial sign-up. To block spam at the door, you must use pre-registration controls: email domain blocks, IP-based rate limiting, and registration mode changes.
How Spam Accounts Typically Register
Spam sign-up scripts follow a pattern. They generate random usernames, fill profile fields with SEO spam text, and use email addresses from domains like mailinator.com or guerrillamail.com. Some scripts bypass email verification if the instance allows unconfirmed accounts. Others use a single IP address to create hundreds of accounts in minutes. Understanding this pattern helps you choose the right block method.
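To make that pattern concrete for an admin reviewing recent accounts, here is an added example (not code from the original article or from the Mastodon project) that scores a batch of sign-ups against the three signals just described: a disposable email domain, many accounts from one IP inside an hour, and SEO-style profile text. The records, the keyword list and the per-IP threshold are constructed assumptions; in practice you would feed it the username, email, IP and creation time your admin interface shows for each new account.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of recent sign-ups (not real data). Each record carries the
# fields an admin can read off the Accounts page: username, email, IP, bio, time.
SAMPLE_SIGNUPS = [
    {"username": "alice", "email": "alice@example.org", "ip": "203.0.113.5",
     "bio": "Gardener in Leeds", "created_at": "2024-05-01T10:00:00"},
    {"username": "qx8f2k", "email": "qx8f2k@mailinator.com", "ip": "198.51.100.7",
     "bio": "BEST CASINO BONUS click here", "created_at": "2024-05-01T10:01:00"},
    {"username": "zt91pm", "email": "zt91pm@guerrillamail.com", "ip": "198.51.100.7",
     "bio": "cheap seo backlinks", "created_at": "2024-05-01T10:02:30"},
    {"username": "r4kd0w", "email": "r4kd0w@example.net", "ip": "198.51.100.7",
     "bio": "", "created_at": "2024-05-01T10:04:00"},
    {"username": "bob", "email": "bob@example.com", "ip": "203.0.113.9",
     "bio": "Photographer", "created_at": "2024-05-01T11:30:00"},
]

# Disposable providers named in the article; extend this from a maintained list.
DISPOSABLE_DOMAINS = {"mailinator.com", "guerrillamail.com", "10minutemail.com", "tempmail.com"}

# Assumed keyword heuristic for SEO-style profile text; tune it to what you actually see.
SPAM_KEYWORDS = ("casino", "seo", "backlink", "click here")


def email_domain(email):
    """Return the lowercased domain part of an address, or '' if it has no '@'."""
    _, sep, domain = email.rpartition("@")
    return domain.lower() if sep else ""


def ip_bursts(signups, max_per_window=2, window=timedelta(hours=1)):
    """Return the IPs that created more than max_per_window accounts within any window.

    Sliding window over each IP's sorted creation timestamps."""
    by_ip = defaultdict(list)
    for s in signups:
        by_ip[s["ip"]].append(datetime.fromisoformat(s["created_at"]))
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            if end - start + 1 > max_per_window:
                flagged.add(ip)
                break
    return flagged


def classify(signups, max_per_window=2, window=timedelta(hours=1)):
    """Map each username to the list of reasons it looks like a scripted sign-up."""
    bursty = ip_bursts(signups, max_per_window, window)
    reasons = {}
    for s in signups:
        hits = []
        if email_domain(s["email"]) in DISPOSABLE_DOMAINS:
            hits.append("disposable email domain")
        if s["ip"] in bursty:
            hits.append("IP burst")
        if any(k in s["bio"].lower() for k in SPAM_KEYWORDS):
            hits.append("spam keywords in profile")
        reasons[s["username"]] = hits
    return reasons


if __name__ == "__main__":
    for user, hits in classify(SAMPLE_SIGNUPS).items():
        print(f"{user}: {', '.join(hits) or 'no signals'}")
```

An account that trips only the IP-burst signal (like the third account from 198.51.100.7 in the sample) is the case rate limiting addresses, while disposable-domain hits are what email domain blocks catch; seeing which signal dominates on your instance tells you which of the methods below to apply first.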
Steps to Block Spam Sign-Ups Using Mastodon Settings
Follow these steps in order. Each method adds a layer of protection. Start with the most restrictive setting that fits your instance’s goals.
Method 1: Change Registration Mode to Approval Required
- Log in as an admin
Use an account with the Administrator role. Only admins can change server settings.
- Open Server Settings
Click the gear icon in the top right corner of the Mastodon web interface. Then select Administration from the dropdown menu.
- Navigate to Registrations
In the left sidebar, click Server Settings. Then click the Registrations tab.
- Set Registration Mode
Under Registration mode, select Approval required for sign up. This option allows anyone to submit a registration request, but an admin must approve each account before it can log in and post.
- Save the change
Click the Save changes button at the bottom of the page.
After enabling approval mode, check Settings > Administration > Moderation > Pending accounts regularly. Approve only users who provide a genuine reason for joining. Reject suspicious requests.
Method 2: Block Disposable Email Domains
- Open Email Domain Blocks
In the Administration sidebar, click Server Settings. Then click the Email Domain Blocks tab.
- Add a disposable email domain
In the text field, type a domain name such as mailinator.com. Do not include the @ symbol or any spaces.
- Choose the block action
Select Block sign-ups from this domain from the dropdown. Optionally, check Block media from this domain to prevent existing accounts from that domain from uploading files.
- Save the block
Click the Add Domain Block button. Repeat for other known disposable domains like guerrillamail.com, 10minutemail.com, and tempmail.com.
Maintain a current list of disposable email domains. Services like disposable-email-domains provide an updated block list. You can import this list via Mastodon’s API or manually add entries.
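For admins who prefer the API route mentioned above, here is an added example (not the article's or the Mastodon project's code) that reads a block list in the one-domain-per-line format, drops duplicates, malformed entries and large providers you never want to block, compares it with the blocks already present, and adds only the missing ones. It assumes a Mastodon 4.0 or later admin API (`/api/v1/admin/email_domain_blocks`) and an application token with the `admin:write:email_domain_blocks` scope; the list excerpt and the base URL are constructed. Only the first page of existing blocks is fetched, so on an instance with hundreds of blocks already the listing call would need to follow pagination as well.

```python
import json
import re
import urllib.request

# Constructed excerpt in the format of a disposable-email-domains block list:
# one domain per line, comments and blank lines allowed. Not the real file.
SAMPLE_LIST = """\
# disposable providers
mailinator.com
GuerrillaMail.com
10minutemail.com
tempmail.com

mailinator.com   # duplicate
not a domain
"""

# Large providers that must never be blocked outright (see the common mistake on
# blocking legitimate domains). Assumption: extend with whatever your users rely on.
PROTECTED_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "icloud.com"}

# Hostname syntax: dot-separated labels, alphanumeric plus hyphen, alphabetic TLD.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")


def parse_domain_list(text):
    """Normalise a block list: strip comments, lowercase, drop invalid and duplicate entries."""
    seen, domains = set(), []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().lower()
        if entry and DOMAIN_RE.match(entry) and entry not in seen:
            seen.add(entry)
            domains.append(entry)
    return domains


def plan_blocks(candidates, existing, protected=PROTECTED_DOMAINS):
    """Return the domains still to add: not already blocked and not protected."""
    return [d for d in candidates if d not in existing and d not in protected]


def admin_request(base_url, token, method, path, data=None):
    """Build a urllib Request for the Mastodon admin API with Bearer-token auth."""
    body = json.dumps(data).encode() if data is not None else None
    req = urllib.request.Request(f"{base_url.rstrip('/')}{path}", data=body, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if body is not None:
        req.add_header("Content-Type", "application/json")
    return req


def sync_email_domain_blocks(base_url, token, list_text, send=None):
    """Add every domain in list_text that is not yet blocked; return the domains added.

    send(request) -> parsed JSON. Defaults to a real HTTPS call; tests inject a fake."""
    if send is None:
        def send(req):
            with urllib.request.urlopen(req, timeout=30) as resp:
                return json.load(resp)
    listing = admin_request(base_url, token, "GET",
                            "/api/v1/admin/email_domain_blocks?limit=200")
    existing = {block["domain"].lower() for block in send(listing)}
    added = []
    for domain in plan_blocks(parse_domain_list(list_text), existing):
        send(admin_request(base_url, token, "POST",
                           "/api/v1/admin/email_domain_blocks", {"domain": domain}))
        added.append(domain)
    return added


if __name__ == "__main__":
    # Constructed values; replace with your instance URL and a scoped admin token.
    print(sync_email_domain_blocks("https://mastodon.example", "ADMIN_TOKEN_PLACEHOLDER", SAMPLE_LIST))
```

Keeping the protected-domain set in the script is the safeguard against the mistake of blocking Gmail or Outlook wholesale when an upstream list happens to include them.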
Method 3: Use Invite-Only Registration
- Close open registration
In Server Settings > Registrations, set Registration mode to Closed for new accounts. Save the change.
- Generate an invite link
Go to Settings > Administration > Moderation > Invites. Click the Generate invite link button.
- Set invite limits
Configure the invite to expire after a set number of uses or after a specific date. For example, set Max uses to 10 and Expires after to 7 days.
- Share the invite
Copy the generated link and send it to trusted users who can then share it with their contacts. Do not post the invite link publicly, so that spam bots cannot capture it.
Invite-only mode stops all automated sign-ups because there is no public registration form. This method is best for small, private communities.
Method 4: Configure IP-Based Rate Limiting
- Access the server shell
SSH into your Mastodon server. You need root or sudo access to modify configuration files.
- Edit the environment file
Open the `.env.production` file in a text editor (for example, `nano .env.production`).
- Add rate limit variables
Add these lines to the file:

```
MAX_ACCOUNT_CREATION_RATE=1
MAX_ACCOUNT_CREATION_PERIOD=3600
```

This limits sign-ups to one account per IP address per hour.
- Restart Mastodon services
Run `systemctl restart mastodon-web` to apply the new limits.
Rate limiting prevents bulk account creation from a single IP. Adjust the values based on your instance’s expected growth. A limit of 1 per hour is strict. A limit of 3 per hour is more lenient.
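To see what the two values actually mean at request time, here is an added example (not the article's or Mastodon's own rate-limiting code) that implements the limit as a per-IP sliding window: at most RATE accepted sign-ups in any PERIOD seconds, read from the same two variable names the article sets. The burst of attempts is constructed; replaying it with the strict 1-per-hour setting and the more lenient 3-per-hour setting shows exactly which attempts each one turns away.

```python
import os
from collections import defaultdict, deque


class AccountCreationLimiter:
    """Sliding-window limiter: at most `rate` accepted sign-ups per `period` seconds per IP."""

    def __init__(self, rate, period):
        self.rate, self.period = rate, period
        self._hits = defaultdict(deque)  # ip -> timestamps of accepted sign-ups

    def allow(self, ip, now):
        """Return True and record the sign-up if the IP is under its limit at time `now`."""
        window = self._hits[ip]
        while window and now - window[0] >= self.period:  # expire entries outside the window
            window.popleft()
        if len(window) >= self.rate:
            return False
        window.append(now)
        return True


def limiter_from_env(env=os.environ):
    """Build a limiter from the variables the article adds to .env.production (assumed semantics)."""
    return AccountCreationLimiter(int(env.get("MAX_ACCOUNT_CREATION_RATE", "1")),
                                  int(env.get("MAX_ACCOUNT_CREATION_PERIOD", "3600")))


def simulate(limiter, attempts):
    """Replay (ip, seconds-since-start) attempts and return the allow/deny decision for each."""
    return [limiter.allow(ip, t) for ip, t in attempts]


# Constructed burst: one IP tries four sign-ups in two minutes, a second IP tries once,
# then the first IP tries again exactly one hour after its first attempt.
BURST = [("198.51.100.7", 0), ("198.51.100.7", 30), ("198.51.100.7", 60),
         ("198.51.100.7", 120), ("203.0.113.5", 90), ("198.51.100.7", 3600)]


if __name__ == "__main__":
    for rate in (1, 3):
        print(f"{rate}/hour:", simulate(AccountCreationLimiter(rate, 3600), BURST))
```

With the strict setting only the first attempt from the bursting IP and the unrelated IP get through until the hour has elapsed; with 3 per hour the first three succeed and only the fourth is refused, which is the trade-off the paragraph above describes.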
Common Mistakes When Blocking Spam Sign-Ups
Blocking Legitimate Email Domains by Mistake
Some admins block entire email providers like Gmail or Outlook because a few spammers use them. This action blocks legitimate users who rely on those services. Instead of blocking large providers, use the approval-required mode or invite-only registration to filter manually.
Not Monitoring the Pending Accounts Queue
If you enable approval-required mode but never check the pending accounts list, no new users will be admitted. Assign a dedicated moderator to review requests daily. Use Mastodon’s notification settings to receive an alert when a new registration request arrives.
Relying Only on the Spam Check API
The Spam Check API is reactive, not preventive. It flags spam after the account exists and may have already posted. Combine it with pre-registration blocks for better protection. To enable the Spam Check API, go to Server Settings > Content Retention and turn on Spam check.
Using a Single Block Method
A spammer who uses a unique email domain and a different IP address can bypass a single block. Use a layered approach: email domain blocks plus approval mode plus rate limiting. This combination makes automated sign-up much harder.
Registration Controls Comparison: Open vs Approval vs Invite-Only
| Criterion | Open Registration | Approval Required | Invite-Only |
|---|---|---|---|
| Spam protection level | None | Medium | High |
| Moderator workload | Low | Medium | Low |
| User sign-up friction | None | Low | High |
| Best for | Large public instances with active moderation | Medium-sized communities | Private or small groups |
Open registration is the most vulnerable. Approval-required mode adds a human gatekeeper. Invite-only mode is the most secure but limits growth. Choose the mode that matches your instance’s purpose and moderation capacity.
You now have a clear set of tools to block spam sign-ups on your Mastodon instance. Start by changing the registration mode to approval-required and blocking the top 10 disposable email domains. Then configure IP-based rate limiting for extra protection. For advanced control, explore Mastodon’s moderation API to automate domain block list updates.