Please. Captcha by default. Email domain filters. Auto-block federation from servers that don’t respect. By default. Urgent.
And yes, to refute some comments, this publication is being upvoted by bots. A single computer was needed, not “thousands of dollars” spent.
He explained it already. It looks for a ratio of number of users to posts. If your “small” instance has 5000 users and 2 posts, it would probably assume a lot of those users would be spam bots. If your instance has 2 users and 3 posts, it would assume your users are real. There’s a ratio, and the admin of each server that utilizes it can control the level at which it assumes a server is overrun by spam accounts.
The issue is that it could still be abused against small instances.
For example, I had a bit less than 10 bots trying to signup to my instance today (I had registration with approval on) and those account are reported as instance users even though I refused their registration.
So even if you don’t allow spam accounts to get into your instance, you can easily get blacklisted from that list because creating a few dozen thousands account registration requests isn’t that hard even against an instance protected by captcha.