Importing ready-made server blocklists on your own Mastodon server

Mastodon servers can choose to block other servers, and by default this is done manually one at a time. However, this can get cumbersome if there are lots of servers you need to block quickly, especially if you’re running a new server with no blocks at all yet.

To make the process easier, server admins can import pre-written server-level blocklists from sites such as oliphant.social. Once you have a blocklist downloaded, here’s how to add it to your own server:

  1. Log in on your server’s website using your admin account.
  2. Go to Preferences > Moderation > Federation
  3. Click the Import button at the top
  4. Browse for the blocklist’s .csv file, then click Upload
  5. You will be presented with a list of servers to block. If there are servers with existing connections to your server, they will be automatically unticked. If you want to include these in the block, tick them.
  6. When you want to implement the blocklist, click Import in the top right corner of the list and click OK to confirm.

Once the list is successfully imported, the blocks will appear alongside your existing blocks. If necessary, you can remove blocks from the list just like any manually added block.

Will it block people that have already followed me, or that I already follow?

Before any blocks happen, the blocklist import process will highlight servers on the list that your server already has connections to. You will be given the option of either going ahead with blocking those servers, or leaving them off the blocklist. By default it will leave them off the blocklist, unless you choose to add them back in.

If you block a particular server, then all the follows and followers from that particular server will lose their connections to your server.
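A pre-upload review of a blocklist file, as an added example that is not part of Mastodon or of any blocklist project. It assumes the column headers used by Mastodon's domain block CSV export (`#domain`, `#severity` and so on); the sample rows, the `review_blocklist` name and the list of connected servers are constructed for illustration.

```python
import csv
import io
import re

# Constructed sample. The header row follows the column layout assumed here
# (Mastodon's domain-block CSV export); check it against the file you download.
SAMPLE_CSV = """#domain,#severity,#reject_media,#reject_reports,#public_comment,#obfuscate
spam.example,suspend,true,true,spam,false
Noisy.Example,silence,false,false,,false
spam.example,suspend,true,true,duplicate row,false
https://bad entry,suspend,false,false,,false
friends.example,suspend,false,false,,false
social.example,suspend,false,false,,false
"""

# Plain hostname: dot-separated labels, no scheme, path, port or whitespace.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$"
)
SEVERITIES = {"silence", "suspend", "noop"}  # assumed set of severity values


def review_blocklist(csv_text, own_domain, connected_domains):
    """Sort each row into a bucket the admin can read before uploading.

    connected_domains: servers your users already follow or are followed
    from (the ones the import screen leaves unticked by default).
    """
    connected = {d.strip().lower() for d in connected_domains}
    own = own_domain.strip().lower()
    report = {"ok": [], "connected": [], "self": [],
              "duplicates": [], "malformed": []}
    seen = set()
    rows = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(rows, start=2):  # line 1 is the header
        raw = row.get("#domain") or ""
        domain = raw.strip().lower().rstrip(".")
        severity = (row.get("#severity") or "").strip().lower()
        if not HOSTNAME.match(domain) or severity not in SEVERITIES:
            report["malformed"].append((line_no, raw))
            continue
        if domain in seen:
            report["duplicates"].append((line_no, domain))
            continue
        seen.add(domain)
        if domain == own:
            # A list that names your own server should never be imported blind.
            report["self"].append((line_no, domain))
        elif domain in connected:
            # Blocking these cuts existing follows, so decide case by case.
            report["connected"].append((line_no, domain))
        else:
            report["ok"].append((domain, severity))
    return report


if __name__ == "__main__":
    result = review_blocklist(SAMPLE_CSV, "social.example", ["friends.example"])
    for bucket, entries in result.items():
        print(f"{bucket:10} {entries}")
```
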

Creating an isolated server on Mastodon and the Fediverse

Servers on the Fediverse don’t have to communicate with each other. They can be run as totally isolated silos if the owner wants, and some people do this to get an extra layer of user safety.

If you want to do this with Mastodon, there’s a web page with instructions and tips here and there’s a technical description of “Limited Federation Mode” in the official documentation.

“Authorized Fetch”

This is a bit technical, but there’s a little-known feature on Mastodon called “Authorized Fetch”, aka “Secure Mode”. By default it is switched off as it uses more resources and can cause compatibility problems with servers running older software.

However, if it is switched on it makes user blocks more effective, as it makes it harder for blocked people on other servers to interact with public posts from people who blocked them. (It only really helps with public posts; private posts are already protected against trolls.)

It can only be activated by your server’s administrator. It might be worth asking them if they have Authorized Fetch switched on in order to better protect their users. There’s a technical description of Authorized Fetch here which they might find useful.

Authorized Fetch cannot be switched on from the graphical interface; it requires manually editing a certain file on the server. If a server is on a managed hosting service, the server admin can ask the managed hosting company to switch it on for them.

Is Mastodon end-to-end encrypted?

No. Mastodon isn’t E2EE yet.

If you need to send sensitive information, use an E2EE messaging system instead.

In theory, the owner of your server could read your DMs in the server’s database, and you’ll often hear people say “The admin can read your DMs”. This is not quite the whole story. An admin would need a certain level of technical skill, as there is no way to view DMs in Mastodon’s admin interface. The server owner would have to look directly at the database itself to read a DM, and ignore Mastodon’s interface completely.

Using Two Factor Authentication (2FA) on Mastodon

To keep your Mastodon account extra safe, you can activate 2FA by logging in through your server’s website, going to ⚙️ Preferences > Account > Two Factor Auth, and following the instructions.

Activating 2FA means that even if someone finds out your password they still cannot log into your account, as logins will also require the code from your 2FA app or physical security key. The 2FA code from an app will change each time you log in, so only someone with access to your 2FA app or key can log into your account. 2FA apps are available for all types of phones and computers.

You only need to use a 2FA app when you log in, so if you stay logged in it won’t ask for your 2FA.

Setting up 2FA is slightly tricky, and it will require you to keep a permanent copy of a special code in a safe place, preferably printed out and kept at home with your other important documents. This special code lets you access your account if you lose access to your 2FA app or key. If you’re not technically minded, you might want to get help from a trusted friend or relative in setting it up. Make sure they are people you trust, as the backup code would allow them access to your account.

Once it has been set up, 2FA is extremely easy to use: the 2FA app displays a code and you simply type this in when you log in with your normal password.

There are many, many apps that work with 2FA on Mastodon. For example Raivo and Aegis are popular. Apple’s keychain also includes built-in 2FA support. The technical name for these kinds of apps is “TOTP” or “Authenticator”, and you may see them listed under these keywords in your favourite app store.

Also, just to make clear, 2FA apps do not know what you are doing with them. They just passively display a list of security codes based on a particular timestamp and account keys. 2FA apps are essentially elaborate clocks, but instead of displaying the time they display ever-changing access codes. Your account’s server also knows what time it is, and that’s how it knows whether your 2FA access code is correct at the moment you log in.
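The “elaborate clock” idea described above, as an added example (not code from Mastodon or from any authenticator app): a minimal TOTP generator and server-side check following RFC 6238 with the common defaults of HMAC-SHA1, 30-second steps and 6 digits. The shared secret is the RFC's published test key, and the function names are illustrative.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # length of one time window (common default, assumed here)
DIGITS = 6         # length of the displayed code

# Constructed secret: the published RFC 6238 test key, base32-encoded the
# way a 2FA setup screen or QR code would hand it to the app.
SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, unix_time, digits=DIGITS):
    """Return the code an authenticator app would display at unix_time."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)       # restore stripped padding
    key = base64.b32decode(cleaned)
    # The only inputs are the shared key and the current time window number.
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): the low 4 bits of the last byte pick
    # which 4 bytes of the MAC become the number.
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, server_time, drift_steps=1):
    """Server-side check: accept the current window and its neighbours.

    The server never contacts the app. It recomputes the code from its own
    clock, tolerating drift_steps windows of clock difference either way.
    """
    for step in range(-drift_steps, drift_steps + 1):
        when = server_time + step * STEP_SECONDS
        if when < 0:
            continue
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(totp(secret_b32, when), submitted):
            return True
    return False


if __name__ == "__main__":
    code = totp(SECRET, 59)
    print("code shown by the app at t=59:", code)
    print("accepted 30 s later:", verify(SECRET, code, 89))
    print("accepted 90 s later:", verify(SECRET, code, 149))
```
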

How to prevent your account being suggested to others in Mastodon

On Mastodon, there’s a feature that automatically suggests accounts to follow when people first join a server, and when they click on the For You tab in Explore or Search. It is based on how many people on that server follow the account and boost its posts, and server admins can optionally add suggestions manually too.

If you don’t want your account suggested to others:

  1. Log in through your server’s website
  2. Go to Edit Profile > Suggest account to others
  3. Make sure the box is unticked and click Save changes. (If you want your account suggested, tick the box and save instead.)

Filtering your Mastodon timeline to automatically hide posts containing certain words, phrases or hashtags

On Mastodon, you can set your timeline to automatically hide or block posts featuring certain words, phrases, or hashtags. You can choose to block them completely, or hide them behind a warning that you can open manually.

This isn’t just about offensive posts, it can be filtering for any reason at all. Some people use filters to hide Wordle posts for example. Your filters are private, and they will apply in the apps as well as on the website.

To add a filter:

  1. Log in through your server’s website
  2. Go to ⚙️ Preferences > Filters (On the mobile website you have to click ⚙️ and then ☰ and then Filters; on the computer desktop website the Filters link will be on the left side of the Preferences page.)
  3. Click the Add new filter button
  4. Choose the settings you want, then click Save new filter

Some tips which might help with creating filters:

  • The Title section at the start of a filter is just a name you want to give the filter so you remember what it does. It isn’t the actual words the filter uses.
  • You can add the filtered words and phrases in the Keywords section at the bottom. They aren’t case sensitive.
  • The filter will look for these keywords in entire posts, including the actual content, hashtags, account addresses or web addresses mentioned in posts.
  • Filters work retrospectively, so posts made before the filter was created will also be filtered.
  • You can add more words and phrases to the same filter by clicking the + Add keyword link at the bottom of the page. The filter will be triggered if any of the words or phrases are present.
  • You don’t need to include # on filtered hashtags; these will automatically be blocked if they contain a filter’s keyword.
  • You can make filters temporary by setting the Expire after section. By default this is set to “never” which means the filter is permanent.
  • The Filter contexts section lets you apply the filter to specific parts of Mastodon. If you want it applied everywhere, tick all the boxes.
  • If you have the Whole word option on the filter ticked, it means the filter only applies to posts containing exactly that word. If you UN-tick this option, the filter will also apply to posts that have that word with other letters or numbers next to it without spaces, for example within another word, or a different form of the same word.
  • You can edit or delete filters at any time by going back to the Filters section in ⚙️ Preferences.

How to use Content Warnings (CWs) on Mastodon and the Fediverse

Content Warnings (CWs) are optional Fediverse features which hide the content of a post behind a warning message. The post can be revealed by clicking on the warning.

Content warnings are for any kind of content where the person reading may not want to read it right that minute, but they may want to read it later. It could be something serious like upsetting news, or less serious like film spoilers. There’s also a very strong Fediverse tradition that those who are able to should use CWs when talking about emotive topics such as politics or religion. They are also often used for potentially “not safe for work” content such as gore or nudity.

You can add a content warning while writing a post by clicking on “CW” or “warning” or ⚠️ or other similar icons at the bottom of the editing window. Remember to write a warning that gives people a clear idea of what to expect within the post itself, without them having to actually open it. Try to very briefly say why they might not want to open it right that minute.

What if I want to open lots of CWs at once?

On Mastodon, you can make all the CWs in a thread open or close at once by clicking the eye icon in the top right corner of the thread.

If you don’t want to see any CWs at all, you can make Mastodon open all CW posts by default by going to Preferences > Always expand posts marked with content warnings, tick the box and click Save changes.

Is it compulsory to use CWs?

No one is forced to use CWs, but it is considered polite and considerate to do so. Imagine going into a restaurant and shouting loudly at others about your political opinions: you could do it, but others may not appreciate it. In extreme cases you might be asked to leave.

CWs are also an accessibility feature, as they allow people who have traumas triggered by certain topics to read potentially triggering posts when they are mentally prepared to do so. It’s important to emphasise the point that CWs are not about avoiding topics, it’s exactly the opposite: CWs make triggering posts accessible to people who would otherwise have to avoid them, in the same way that text descriptions make images accessible to blind people. They widen your post’s audience.

Having said that, it is a bad idea to call people out for not using CWs! Some people will have legitimate reasons for not using CWs, for example someone who is currently going through a serious personal trauma, or perhaps is being persecuted or under threat of violence. It is not appropriate to demand CWs from someone who is going through something really horrific in their real world life. They may have much bigger things to worry about than social media, and we should help them deal with these bigger things however we can.

Even if someone should be using CWs, having public arguments about rules is not necessarily the best way to get someone to obey them, especially if they’re new to the Fediverse.

If there’s a post you think should be CWed and there’s no obvious reason why it isn’t, check the rules on your server and then ask your server admin for advice on what to do. They set the rules, and they are ultimately the ones that decide what is allowed on there.

In short, CWs are a balancing act, and require a lot of social skill (that’s why this section is so long!). The existence of CWs brings the Fediverse a tiny bit closer to the complexities of everyday life in the real world, where reading the room is essential to getting on with people. No one is going to get this right all the time, but simply being aware of CWs as an option and using them when you feel appropriate and able will make the Fediverse a much more accessible and pleasant place to be.

How do I add a CW to a post I want to share?

You can’t add CWs to someone else’s post. The reason for this is that such a feature could be misused to quote the post, which is deliberately not available on Mastodon.

A workaround is to reply to the post with a CW telling people to read the post above, and then share your reply.

Hiding your posts from search engines on Mastodon and the Fediverse

If you use a public visibility setting on a post, it will be visible to everyone, even people who aren’t Fediverse members. This means the post may be indexed by search engines.

You can either make your posts invisible to search engines, or ask search engines not to index your public posts.

Prevent a post being visible to search engines

The surest and safest way to prevent a post ending up on a search engine’s index is to use a non-public visibility setting. Followers-only and Mentioned settings cannot be seen by search engines, so they will not be indexed.

Ask search engines not to index your posts

Mastodon also has an option to request that search engines don’t index your public posts:

  1. Log in through your server’s website
  2. Go to Preferences > Other > Opt out of search engine indexing
  3. Tick the box and click Save changes

However, bear in mind it’s up to a search engine to decide if it wants to honour this request, and less honest search engines may decide to ignore your request. If you want a post to remain off search engines, it’s much safer to use a non-public setting.

How to hide your follows and followers in Mastodon

If you’re on a Mastodon server, you can keep your lists of follows and followers hidden on your profile if you want to:

  1. Log in through your server’s website
  2. Go to Edit profile > Hide your social graph
  3. Tick the box and click Save changes.

You will still be able to see your follows and follower lists when you look at your profile while logged in, but other people will not be able to see them.

Restricting who can follow you in Mastodon

On Mastodon, you can use a follow request system to restrict who can follow you. When it’s switched on, no one can follow you unless you manually approve their request. This can be used to screen who follows you, for example some people use it to screen out spammers.

To restrict who can follow you:

  1. Log in through your server’s website
  2. Go to Edit profile > Require follow requests, tick the box and click Save changes

After you’ve done this, a padlock icon 🔒 will appear next to your username on your profile. Anyone who clicks follow will send a follow request that you have to approve before the follow is activated.

If you change your mind about using follow requests, go back to Edit profile > Require follow requests, untick the box and click Save changes.

Blank profile pictures do NOT mean spammers

Don’t screen followers out just because they have blank profile pictures. Many blind users don’t use profile pictures, but they will have text in their profile. The best way to screen potential followers is to read what they have written about themselves and what they have posted.

Blocking and muting on Mastodon

It is totally fine to block or mute people on Mastodon and the Fediverse. It is not considered rude or unusual to do so. Use it as freely as you want!

To block or mute someone on Mastodon:

  1. Either click ⋯ on one of their posts, or go to their profile and click the ⋯ or ︙ button at the top
  2. Select Mute, Block or Block domain, depending on what you want
  3. If you change your mind, do the same thing again but select Unmute or Unblock

Here’s what these options mean:

  • Mutes are the softest option. When you mute someone you will no longer see their posts and you won’t see posts that mention them. You can also optionally mute notifications from them. People who are muted will not know they are muted, and they will still be able to follow you, see your posts and interact.
  • Blocks are the harder option. When you block someone, it does everything a mute does but also prevents them following you and hides your posts from them while they are logged in.
  • Domain blocks are the most extreme option, and they will block not only that account but all accounts using the same server, and remove any follows from that server. You probably don’t need to do this. The only times this is advisable are if a server is full of nasty people and the server administrator is refusing to do anything about it, or if the server is actually owned by the person you want to block.

⚠️ Important: If you are posting public posts they will still be visible to the blocked person when they log out, because public posts are visible to everyone on the internet. To restrict the audience for a post, use followers-only or mentions visibilities.

How do I keep track of who I’ve muted and blocked?

To view lists of all of your blocks and mutes:

  1. Log in through your server’s website
  2. Go to your profile page and click ︙
  3. Select Muted Users, Blocked Users or Blocked Domains
  4. If you want to remove a mute or block, click the icon next to a name on the list

How do I do a temporary mute?

To have a temporary mute on Mastodon, log in through your server’s website and it will offer you the option of setting a duration when you’re confirming the mute. Set the duration to however long you want the mute to last.

How do I mute just someone’s boosts?

On Mastodon, if you follow someone and you want to see their posts but not their boosts, you can hide just their boosts without blocking or muting them. This doesn’t affect their normal posts, and they have no way of knowing you’re doing it.

  1. Open your Mastodon app or log in through your server’s website
  2. Go to the profile of the person whose boosts you want to hide
  3. Click on the ︙ or ⋯ button at the top and select Hide boosts from… (or Hide reblogs on some apps)
  4. If you change your mind, go back to their profile and select Show boosts from… (or Show reblogs)

This only works on accounts you follow.

What happens to DMs sent by someone I’ve muted or blocked?

If you mute or block someone, you won’t see any DMs from them by default. However if you decide to browse their profile you will see any DMs sent to you in their profile timeline.

If you remove a mute or block, DMs will start arriving as normal, but any DMs sent during the mute or block will only be visible by going to their profile.

How do I block DMs from people I don’t follow?

  1. Log onto your server’s website
  2. Click ⚙️ Preferences
  3. Click Notifications (on the mobile website click ☰ and then Notifications)
  4. Tick the box marked “Block direct messages from people you don’t follow”
  5. Click the Save Changes button

If you change your mind, repeat these steps but untick the same box.

Also, if you are blocking DMs from strangers, you might want to mention this on your profile description to avoid any misunderstandings. (This avoids situations where people are trying to contact you for legitimate reasons but think you’re ignoring them.)

Another thing to bear in mind is it will also block private replies in threads from people you don’t follow, as these are technically the same as DMs on Mastodon.

How do I contact the people who run my server? How do I find out what my server’s rules are?

If you have any problems with the server which can’t be addressed through the reporting system, you can email the administrator (or “admin”) of your server directly.

On Mastodon, you can find the public email address of your server admin on the server’s About page. The same page also lists the server’s rules. To find it, go to your server’s website and click on “Learn More”. You don’t need to be logged in. The email address will be listed in the top half of the About page, just above the list of rules. It is worth reading the rule list as it varies from server to server, and it is usually written in plain language that is easy to understand.

Reporting problematic content to moderators on the Fediverse

Reporting anti-social accounts is a good idea as it’s the main way server administrators find out about nasty behaviour. Once admins are made aware of a problem, they can take action using special blocking tools that are not available to ordinary users.

How do I report posts or accounts on Mastodon?

  • To report a post click ⋯ on the bottom of the post and select Report.
  • To report an account, go to its profile and click ︙ or ⋯, then select Report.

Remember to include examples!

Whatever you’re reporting, it’s really important to include examples of what the account has done wrong. Simply reporting the account with no examples creates a lot of work for the moderators, and it may make it impossible for them to moderate effectively.

On Mastodon, the reporting wizard includes options to select posts from that account, and if you’re reporting via a post then that post will be automatically selected as an example to include on the report.

If possible, tell the account’s own server too

Mastodon reporting forms include the option to also send an anonymous report to the server of the account that wrote the post. This is usually a good idea, because only a user’s home server has the power to suspend or delete their account. Other servers can block accounts, but in the worst cases it may be better that a nasty account is deleted at source.

However, there is a caveat to this: if the problematic user’s entire server is also problematic, it may be best not to include them in the report. Such servers tend to lash out when people report their behaviour. Your own server admin will be able to block problematic servers completely, which is usually the best way of dealing with such servers.

What do I do about accounts that just boost nasty stuff?

If there’s an account that boosts lots of problematic posts, go to their profile and report them from there (by clicking ︙ or ⋯). If you do this though, remember to mention in the comments section of the report the boosts that are problematic and why, so that the moderator can locate them more easily.

What exactly ARE the rules on the Fediverse?

Each server is totally independent and sets its own rules for acceptable behaviour. If you go to a server’s about page you should see a copy of its rules. If possible, it’s worth reading this before you sign up on a server, as it can tell you a lot about their approach to moderation.

If there’s something bad happening and it isn’t covered by the rules, report it. There will often be bad situations that could not have been anticipated by the admin when writing the rules, and they depend on user reports to find out about them.

If you’re in any doubt about what is acceptable, ask your server’s admin for advice. If there’s something wrong with their approach or attitude, you might want to consider transferring your account to another server.

Do I need to use my real name or real photo?

No.

You don’t need to reveal any kind of personal information about yourself on the Fediverse. Use any name you want, and any picture (or no picture at all).

The only information you need to give when signing up on a Fediverse server is an email address, and you can use an email alias if you want to keep it secret. The only other data a Fedi server might see is your computer’s or phone’s IP address, but this is hidden if you’re using a VPN or Tor.

Revealing personal information on the internet is a bad idea in general, as it makes unwanted tracking and identity theft much more likely.

Who can see my posts in Mastodon? How do I send DMs in Mastodon?

On Mastodon there are four types of post visibility. You can set the visibility of a post by clicking the icon that represents it in the row below the message editing window. It’s usually a 🌐, 🔒, 👥 or @ icon. You can set the default visibility by logging in through the website and going to Preferences > Other > Posting privacy, then set what you want as default in the menu and click Save changes.

Some more details about each setting:

  • Public – Anyone can see it, even people who aren’t on the Fediverse. If you go to a person’s public profile page you will see all their public posts. This is normally indicated by a globe icon 🌐.
  • Unlisted – Anyone can see it, but it won’t appear in the Explore section or the Local or Federated timelines, and won’t be searchable by hashtags. This can be useful for replying in threads, so that you’re not filling people’s timelines unnecessarily. Normally indicated by an open lock icon.
  • Followers-only – Only your followers can see these, normally indicated by a lock 🔒 or people 👥 icon. If you use this setting, it’s a good idea to switch on follower requests, otherwise anyone could follow you to see your followers-only posts. You can do this by logging in on your server’s website, going to Edit profile > Require follow requests, tick the box and click Save changes.
  • Mentioned – Only people you @ within the message can see this kind of post, it’s normally indicated by an @ symbol. This is the Mastodon equivalent of DMs. IMPORTANT: Only mention people if you want them to see the message. If you want to talk about an account without them seeing the message, don’t @ them.

Sending DMs in Mastodon

You can send DMs by setting a post’s visibility to Mentioned, then @ the people you want to receive the DM. If you log in through the website, there’s a Direct messages option in the menu which lets you see all your mentioned posts in an inbox.

If you @ someone in a DM, they will be able to see it

⚠️ In all modes including DMs, if you @ someone in a post, they will see that post! Be really careful who you @ in a post because it’s the same thing as sending them a message.

I can’t see Unlisted as an option on my app?

Unlisted is available as a visibility option on almost all versions of Mastodon including the websites and the third party apps, but not on the official apps. For some weird reason the developers of the official Mastodon apps decided to leave it out. If you’re comfortable using GitHub, you can let the developers know you want it added on the iOS version and the Android version.

Setting your default post visibility

You can set which visibility is your default by logging in on your server’s website and going to Preferences > Other > Posting Privacy, choose the default you want and click Save changes. This is only a default, you can still override it for individual posts by clicking the visibility icon.

Is it possible to edit post visibility?

You cannot edit the visibility of a post after you’ve published it, so make sure you choose the correct visibility before posting! If you absolutely have to change the visibility, your only option is to delete the post and start again, which is most easily done by clicking ⋯ below the post and then Delete & re-draft. If you use this option, the original post will cease to exist, its boosts and bookmarks will disappear, links to it will break and its replies will be orphaned.

Who can see my boosts?

When you boost a post, it will immediately appear in the home timelines of all your followers. The original author of the post will also get a notification to say that you boosted their post.

When do replies appear in the Home timeline?

Replies will appear in your Home timeline if any one of these is true:

  • The reply mentions you
  • You wrote the reply
  • The reply is by someone you follow AND mentions someone else you follow
  • Someone you follow is replying to themselves to create a thread

When do Unlisted posts appear in the Home timeline?

Unlisted has a slightly complicated behaviour pattern in the Home timeline, and this isn’t officially documented for some reason. Here’s how it works:

Unlisted posts and replies from people you follow WILL appear in your Home timeline, unless they are a reply to someone you don’t follow. If they’re a reply to someone you don’t follow, they WILL NOT appear in your Home timeline.

Or if you want a complete list:

  • Unlisted posts (not replies) from people you follow WILL appear in your Home timeline
  • Unlisted posts and replies boosted by people you follow WILL appear in your Home timeline
  • Unlisted replies between two people you follow WILL appear in your Home timeline. This also includes a person you follow replying to themselves, for example if they are posting a thread.
  • Unlisted replies between a person you follow and another person you don’t follow WILL NOT appear in your Home timeline
