Yes. As you can see, a few large instances like lemm.ee, lemmy.ca and others have already updated: https://fedidb.org/software/lemmy?version=0.19.11

Hopefully others will follow soon

unfortunately we can't just apply the update quickly, as this introduces sending emails on rejected applications. we already send rejection emails separately and with custom text, while the text implemented in the update is currently not configurable.

i'll see if we can deploy updated lemmy-ui without updating lemmy already this weekend, but i need to check if there were any api changes first, as we'd then have to backport them to lemmy first.

we've already applied the security patch about 2 weeks ago.

For anti-spam efforts, I think that there are a variety of potential partial solutions. No complete fixes, but some:

• Rate-limiting the comment frequency on new accounts. IIRC, Reddit used this tactic. It does create some issues for (legitimate) use of throwaway accounts in anonymous posts, but there's no legitimate reason for a new account to blast hundreds of messages an hour, I think. This might already be present, but if not, it'd be a good start. This can be defeated by generating new accounts for each new message or batch of.

• Rate-limiting new account creation from a given IP address, if not already present. An attacker could defeat this via use of a commercial VPN, and if too low, it could create issues for some commercial VPNs.

• Hashing of messages to red-flag identical messages being posted en masse. As best I could tell, the spammer here was posting many identical messages. This can be defeated by a spammer having software slightly modify each message.

• Fuzzy-hashing of messages to red-flag almost identical messages being posted en masse. This can be defeated via text generation methods that are carefully tailored to the fuzzy hashing mechanism to modify messages such that each fuzzy-hashes to a different value.

• A mechanism to permit an account to share blacklists of IP or message hashes and trigger removal of messages on other instances, preferably associated with a specific identifier or account. This permits any other instances to leverage antispam work by one instance; if I want to trust a given antispam admin or bot on lemmy.world, I can. Let an instance admin review and override such removals, maybe. It creates abuse potential for malicious use or inadvertent false positives spanning instances, but I think that it's necessary to avoid having each instance fight its own lonely antispam battles. Otherwise, new and personal instances risk being buried by a deluge of direct message spam. The same mechanism, if exposed to users and not just instance admins, would also permit for subscribable content filters for people who don't want to see content of a given sort (e.g. profanity or pornographic content of a particular sort or whatever, not just spam), which is another issue.

Fortunately, as far as I see as a user, we're not yet at the point that there is much spam on here yet, so this isn't yet a serious problem. Maybe it'll never happen, if the userbase never grows much. But if the userbase gets considerably bigger, increasingly-problematic spam will inevitably follow.

https://lemmy.today/post/27248848/15501047

For anyone not clicking the link, but wondering what this reply means... it's a link to the user's comment (right below, within this comment chain) about a lemmy update

I was confused for a sec and probably would've skipped over all of the context because I didn't continue reading first (and I hesitate to click links randomly), so maybe someone else with no attention span will benefit as well

"Lemmy update v0.19.11 provides 'Dont render images in private message'

Not every instance is updated to this version, but it should stop the current method of spam (if updated). I'm wordy, I know; but maybe it'll help someone