A few days ago, there was a spammer going around instances spamming randomly generated text along with a series of images of the spine-chilling, bone-tingling Simpsons character by the name of Sneed, some of them including George Floyd photoshopped between his ass cheeks. This spam reached many comment sections, typically those of recently created posts.
The spammer managed to create thousands of comments within a few minutes, which definitely shouldn’t be possible, especially on such a new account. I have noticed from the lemmy source code that it indeed does have rate limits, but only on IPs, not on accounts. It’s possible that the spammer used proxies, perhaps scraped from a public list to bypass the simple rate limits already in place.
The spammer seemed to have only a few accounts, therefore adding a rate limit on accounts could help slow down such bots and minimize the damage they might cause. Other options I could think of are a more advanced form of spam detection and, albeit a bit scummy, reddit-style shadowbans, maybe a combination of a few such methods.
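To make the IP-versus-account point concrete, here is an added example (my own sketch, not Lemmy's actual rate-limit code) of a token-bucket comment limiter that keys on both the client IP and the posting account. The limits (6 comments burst, 6 per minute), the account id, and the IP addresses in the simulation are all constructed values; the simulation models one account rotating through a pool of proxy addresses, which is exactly the case an IP-only limit misses.

```rust
use std::collections::HashMap;
use std::hash::Hash;
use std::time::{Duration, Instant};

/// Token buckets keyed by some identity (an IP string, an account id, ...).
/// Added example; not Lemmy's own implementation.
struct Buckets<K: Eq + Hash> {
    capacity: f64,       // burst size
    refill_per_sec: f64, // sustained rate
    state: HashMap<K, (f64, Instant)>, // key -> (tokens left, last refill)
}

impl<K: Eq + Hash> Buckets<K> {
    fn new(burst: u32, per_minute: u32) -> Self {
        Buckets {
            capacity: burst as f64,
            refill_per_sec: per_minute as f64 / 60.0,
            state: HashMap::new(),
        }
    }

    /// Take one token for `key` at time `now`; `false` means "rate limited".
    /// `now` is passed in so the behaviour can be simulated deterministically.
    fn take(&mut self, key: K, now: Instant) -> bool {
        let cap = self.capacity;
        let rate = self.refill_per_sec;
        let entry = self.state.entry(key).or_insert((cap, now));
        let elapsed = now.saturating_duration_since(entry.1).as_secs_f64();
        entry.0 = (entry.0 + elapsed * rate).min(cap);
        entry.1 = now;
        if entry.0 >= 1.0 {
            entry.0 -= 1.0;
            true
        } else {
            false
        }
    }
}

/// Comment limiter: an IP bucket (what the post says exists today) plus an
/// optional account bucket (the proposed addition).
pub struct CommentLimiter {
    by_ip: Buckets<String>,
    by_account: Option<Buckets<u64>>,
}

impl CommentLimiter {
    pub fn new(limit_accounts: bool) -> Self {
        CommentLimiter {
            by_ip: Buckets::new(6, 6), // constructed numbers: 6 burst, 6/min
            by_account: if limit_accounts { Some(Buckets::new(6, 6)) } else { None },
        }
    }

    /// Both buckets must allow the request. The account bucket is checked
    /// first: it is the one a proxy pool cannot dodge.
    pub fn allow(&mut self, ip: &str, account_id: u64, now: Instant) -> bool {
        let account_ok = match self.by_account.as_mut() {
            Some(b) => b.take(account_id, now),
            None => true,
        };
        account_ok && self.by_ip.take(ip.to_string(), now)
    }
}

/// Simulate one account firing `attempts` comments at the same instant while
/// rotating through 200 proxy addresses. Returns how many got through.
pub fn simulate_proxy_burst(limit_accounts: bool, attempts: usize) -> usize {
    let mut limiter = CommentLimiter::new(limit_accounts);
    let now = Instant::now();
    let spammer = 4242u64; // constructed account id
    (0..attempts)
        .filter(|i| {
            let ip = format!("198.51.100.{}", i % 200); // documentation range, constructed
            limiter.allow(&ip, spammer, now)
        })
        .count()
}

fn main() {
    println!(
        "IP-only limit, 1000 comments via rotating proxies: {} accepted",
        simulate_proxy_burst(false, 1000)
    );
    println!(
        "IP + account limit, same burst: {} accepted",
        simulate_proxy_burst(true, 1000)
    );
    // After a quiet minute the account bucket has refilled and it can post again.
    let mut l = CommentLimiter::new(true);
    let t0 = Instant::now();
    for _ in 0..6 {
        l.allow("203.0.113.9", 1, t0);
    }
    println!("7th comment at t0 allowed: {}", l.allow("203.0.113.9", 1, t0));
    println!(
        "comment one minute later allowed: {}",
        l.allow("203.0.113.9", 1, t0 + Duration::from_secs(60))
    );
}
```

With only the IP bucket, every one of the 1000 comments is accepted because each proxy address gets its own fresh bucket; with the account bucket added, the same burst is cut to 6, and further comments only trickle in as the account's bucket refills. The per-account limit is deliberately a separate bucket rather than a replacement for the IP one, so an attacker with many throwaway accounts on one address is still caught by the existing check.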
Implementing such measures will help lemmy become a more usable platform and less of an easy target for trolls and 'channers with nothing better to do.
I see these additional rate limits as a minor form of mitigation for instances to primarily protect themselves. As for federation, I think there could be some more advanced form of spam detection for incoming posts from ActivityPub, though I’m not sure how it would be implemented in practice.