Pleroma can be used to attack other instances (by not requiring email confirmation)
Someone was automatically creating thousands of accounts and using them to flood other instances with thousands of posts, tagging particular remote users:
This attack came from a few servers:
- https://pl.anjara.eu/main/public
- https://ally.koodaacraft.org/main/public
- https://lis.pgw.jp/main/public
- https://pleroma.soupwhale.com/main/public
- https://beeping.town/main/public
- https://lynn.mikorizal.org/
- https://villa.pendorwright.com/main/public
- https://pleroma.dyomedea.com/main/all
- https://p.testitfor.me/main/public
And was targeted at users on these servers:
- spinster.xyz
- glindr.org
- neenster.org
I believe the servers themselves did not condone these attacks, but were vulnerable to being attacked this way. In other words, the attacker took advantage of these servers.
Because Pleroma does not require email confirmation, it was easy for an attacker to do this. As a server admin there's not much that can be done to mitigate this except playing a cat and mouse game of blocking servers.