How to Enable Mastodon Instance Anti-Spam Heuristics for Sign-Ups

Mastodon instances often receive spam account registrations that pollute the local timeline and waste moderator time. The platform includes built-in anti-spam heuristics that automatically flag suspicious sign-ups before they become active. Enabling these heuristics reduces manual review workload and prevents bots from posting unwanted content. This article explains how to activate the anti-spam heuristics in your Mastodon instance admin panel and adjust sensitivity levels.

Key Takeaways: Mastodon Anti-Spam Heuristics Configuration

  • Administration > Server Settings > Registrations: Toggle “Enable anti-spam heuristics for sign-ups” to activate automatic spam detection.
  • Administration > Server Settings > Registrations > Spam score threshold: Set the numeric threshold that determines when a sign-up is automatically rejected.
  • Moderation > Pending Accounts: Review flagged registrations manually after heuristics are enabled.

How Mastodon Anti-Spam Heuristics Work

Mastodon anti-spam heuristics evaluate new sign-ups against a set of rules that detect bot-like behavior. The system checks registration patterns such as rapid repeated attempts, disposable email domains, known spam IP ranges, and suspicious display names. Each heuristic assigns a numeric score to the registration attempt. When the total score exceeds the configured threshold, the account is automatically rejected or placed into a pending review state.

The heuristics are part of Mastodon core and do not require external services or plugins. They run during the registration process before the account is created. The default threshold is set conservatively to avoid false positives for legitimate users. Instance administrators can adjust the threshold to be more aggressive if spam volume is high.

Mastodon also applies rate limiting to registration attempts from the same IP address. This rate limit works alongside the heuristics to slow down bulk registration tools. Both features together significantly reduce automated spam sign-ups without requiring captcha services.
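The additive scoring and threshold comparison described in this section can be modelled in a few lines to dry-run candidate thresholds against past sign-ups before changing the live setting. This is an added example, not Mastodon's code: the rule names follow the article, while every weight, list entry, field name and sample sign-up is an assumption constructed for illustration.

```ruby
require "ipaddr"

# Illustrative model only: rule names follow the article; every weight, list
# entry and field name is an assumption, not Mastodon's implementation.
DISPOSABLE_DOMAINS = %w[mailinator.example tempmail.example].freeze
SPAM_RANGES = [IPAddr.new("203.0.113.0/24")].freeze # documentation range
GENERIC_NAME = /\A(user|test|admin)\d+\z/i

RULES = {
  rapid_attempts: [1.0, ->(s) { s[:attempts_last_hour] > 3 }],
  disposable_email: [1.5, ->(s) { DISPOSABLE_DOMAINS.include?(s[:email].split("@").last.downcase) }],
  spam_ip_range: [1.5, ->(s) { SPAM_RANGES.any? { |r| r.include?(IPAddr.new(s[:ip])) } }],
  suspicious_name: [0.5, ->(s) { s[:username].match?(GENERIC_NAME) }],
}.freeze

# Returns [total_score, names_of_rules_that_fired].
def score(signup)
  hits = RULES.select { |_name, (_weight, check)| check.call(signup) }
  [hits.values.sum(0.0) { |weight, _check| weight }, hits.keys]
end

# A sign-up is flagged only when its score exceeds the threshold. Flagged
# sign-ups are held for review if manual approval is on, otherwise rejected.
def decide(signup, threshold: 2.0, manual_approval: true)
  total, = score(signup)
  return :not_flagged unless total > threshold
  manual_approval ? :pending : :rejected
end

# Dry run: how many sign-ups each candidate threshold would flag.
def flagged_per_threshold(signups, thresholds)
  thresholds.to_h { |t| [t, signups.count { |s| score(s).first > t }] }
end

SAMPLE = [ # constructed sign-ups, not real data
  { username: "user123", email: "a@mailinator.example", ip: "198.51.100.7", attempts_last_hour: 1 },
  { username: "maria_k", email: "maria@university.example", ip: "198.51.100.9", attempts_last_hour: 1 },
  { username: "bulk_reg", email: "x@tempmail.example", ip: "203.0.113.50", attempts_last_hour: 9 },
  { username: "test42", email: "dev@company.example", ip: "198.51.100.20", attempts_last_hour: 1 },
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE.each { |s| puts format("%-9s score=%.1f rules=%s", s[:username], *score(s)) }
  puts flagged_per_threshold(SAMPLE, [0.4, 1.0, 2.0, 3.0]).inspect
end
```

In this model "user123" scores exactly 2.0, so it is not flagged at a threshold of 2.0 but is at 1.0, and a threshold of 0.4 also catches "test42", whose only signal is a generic-looking username.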

Prerequisites for Enabling Heuristics

Before enabling anti-spam heuristics, ensure your Mastodon instance is running version 4.0 or later. Check your version in Administration > About > Version. You must also have admin access to the instance. If you run a single-user instance, the heuristics still apply but may have less impact since sign-ups are rare.

Steps to Enable Anti-Spam Heuristics in Mastodon

Follow these steps to activate and configure the anti-spam heuristics for sign-ups in your Mastodon instance.

  1. Log in as an administrator
    Use the Mastodon web interface and sign in with an account that has the admin role. Only admin accounts can access server settings.
  2. Open Administration menu
    Click the hamburger menu icon in the upper left corner. Select “Administration” from the sidebar menu.
  3. Navigate to Server Settings
    In the Administration menu, click “Server Settings”. This opens the main configuration page for your instance.
  4. Select Registrations tab
    Inside Server Settings, click the “Registrations” tab. This tab controls all sign-up related options including approvals and spam detection.
  5. Enable anti-spam heuristics
    Find the toggle labeled “Enable anti-spam heuristics for sign-ups”. Click the toggle to turn it on. The toggle changes from gray to blue when active.
  6. Adjust spam score threshold
    Below the toggle, locate the field “Spam score threshold”. The default value is 2.0. Enter a lower number such as 1.0 to block more registrations. Enter a higher number such as 3.0 to allow more through. Click “Save changes” at the bottom of the page.
  7. Test the configuration
    Attempt to register a new account from a known disposable email domain or with a generic username like “user123”. The registration should be rejected or placed in pending status if the threshold is set correctly.

Reviewing Pending Accounts After Enabling Heuristics

After enabling heuristics, some legitimate sign-ups may be flagged incorrectly. Review pending accounts regularly to approve or reject them.

  1. Open Moderation menu
    In the Administration sidebar, click “Moderation”.
  2. Select Pending Accounts
    Click “Pending Accounts” in the Moderation submenu. This shows all registrations that were flagged by heuristics or require manual approval.
  3. Review each account
    Check the display name, email domain, IP address, and registration timestamp. Approve accounts that appear genuine. Reject obvious spam accounts.
  4. Approve or reject in bulk
    Select multiple accounts using the checkboxes. Use the “Approve selected” or “Reject selected” buttons to process them together.

Common Mistakes When Configuring Anti-Spam Heuristics

Setting the spam score threshold too low

A threshold below 1.0 blocks nearly all new registrations including those from real users. This effectively closes your instance to new sign-ups. Start with the default 2.0 and lower it only if spam volume remains high. Monitor the pending accounts list daily after changing the threshold.

Not enabling manual approval alongside heuristics

When heuristics are enabled but manual approval is off, flagged registrations are rejected silently. Legitimate users receive no feedback and may assume the instance is broken. Enable manual approval in Server Settings > Registrations by checking “Require manual approval for new accounts”. This creates a pending status for flagged accounts that you can review.

Ignoring rate limit settings

The anti-spam heuristics work best when combined with registration rate limits. In Server Settings > Registrations, set “Registration rate limit” to a value between 1 and 5 per hour. This prevents bots from submitting many sign-ups in a short period.

Forgetting to save changes

After enabling the heuristics toggle and adjusting the threshold, click “Save changes” at the bottom of the page. If you navigate away without saving, the settings revert to their previous values. A green confirmation banner appears when changes are saved successfully.

Mastodon Anti-Spam Heuristics vs Manual Approval

| Item | Anti-Spam Heuristics | Manual Approval |
| --- | --- | --- |
| Description | Automatically scores sign-ups based on bot-like patterns | Requires admin to approve every new account |
| Setup effort | Single toggle plus threshold setting | One checkbox in server settings |
| False positive rate | Low with default threshold, adjustable | Zero false positives because admin reviews each |
| Admin workload | Low after configuration, moderate for pending reviews | High for instances with many sign-ups |
| User experience | Legitimate users may be rejected if threshold is too low | Users wait for manual approval which can take hours |

Both features can be enabled together. Heuristics filter obvious spam, and manual approval catches the rest. This combination provides the strongest protection while keeping the review workload manageable.

You can now enable and tune the anti-spam heuristics in your Mastodon instance to automatically block bot registrations. Start with the default threshold of 2.0 and enable manual approval for flagged accounts. Review the pending accounts list weekly to adjust the threshold if needed. For instances with persistent spam problems, combine heuristics with a registration rate limit of 2 per hour. This layered approach keeps your instance clean without blocking genuine users.
