[foaf-dev] FOAF-based whitelisting project
kjetil at kjernsmo.net
Mon Mar 12 21:00:19 UTC 2007
On Monday 12 March 2007 17:25, Tom Heath wrote:
> I quite like the idea of a 0-1 score (rather than 0-100),
OK, I'm willing to go along with 0-1. The reason why I liked 0-100 was
that we could do fine with integers, whereas 0-1 would imply that we
were dealing with floats. Not a big issue.
> and in
> common with Steve's mail that's just arrived, I'm also skeptical
> about negative trust ratings; what would we *actually* do with them?
> Surely all we need is a score somewhere between 0 and 1, or NULL
> where we don't have any data?
Well, as I already coded in the qpsmtpd plugin:
    return DENY if ($trust <=
        ($self->qp->config('foaftrust_black') || -101)); # blacklist the sender
so, you'd outright deny the email if the trust metric is a sufficiently
large negative value. It would require topical, quantitative trust
relationships, though. That's something I hope to do, but yeah, I've
just said that it won't be for v1.0, so let's think more carefully about
> Lastly, overcoming the risk of spam foaf:knows statements (SpOAF?)
> should simply be a case of combining a user preference
> "TrustSendersUpToHops: X" (or "TrustSendersWithTrustScoreGreaterThan:
> X) with a heuristic that only attends to foaf:knows relations that
> run from the email recipient outwards, but not the reverse. So if I
> get email from someone who someone I know says they know, that's fine
> (if hops threshold > 2), but if email arrives from someone who says
> they know someone who knows me, but my FOAF doesn't corroborate this,
> then this mail should be rejected (however 'true' the statements
> are). Perhaps this directionality should also be a user option.
Hmmm, that sounds like a relatively expensive check.
Although I like the idea of a setting that says something about how far
apart they would trust a user, or some setting that says how much the
trust metric declines for each hop, I think we just have to be careful
about what we accept.
One of the big use cases for this is to be able to accept images
from anybody in first email. Some colleagues said that the image spam
problem is trivial, just reject all emails coming from a sender that is
not in your addressbook. Although I think that images are better suited
for other things than email, I think a lot of people would say that it
is nice to be able to accept an email from the cute girl you met at a
party, even if she's not in your address book yet... :-)
I'm not quite sure if I did understand your proposal though. I think the
problem is this: I trust danbri, and so do a lot of other people. Thus,
it is a great incentive for a spammer to sneak in a :danbri foaf:knows
spammer into the database, and then go spamming everyone that trusts
danbri. That's the thing we must prevent.
Programmer / Astrophysicist / Ski-orienteer / Orienteer / Mountaineer
kjetil at kjernsmo.net
Homepage: http://www.kjetil.kjernsmo.net/ OpenPGP KeyID: 6A6A0BBC
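An added example, not part of the original message and not code from the qpsmtpd plugin: a recipient-outward walk over foaf:knows with a hop limit and per-hop decay, returning a 0-1 score or None when there is no data. It assumes each statement carries the identity of whoever published the FOAF document it came from (the "publisher" field, the names and the sample data are constructed), and shows how dropping third-party claims stops an injected ":danbri foaf:knows spammer" statement from earning trust.

```python
from collections import deque

# Constructed sample data: (publisher, subject, object) for "subject foaf:knows object".
# "publisher" is an assumption: the owner of the document the statement was read from.
STATEMENTS = [
    ("alice", "alice", "danbri"),      # alice's own FOAF file
    ("danbri", "danbri", "carol"),     # danbri's own FOAF file
    ("spammer", "danbri", "spammer"),  # injected claim about danbri, published by spammer
    ("spammer", "spammer", "alice"),   # reverse-direction claim: spammer says he knows alice
]

def build_graph(statements, self_published_only=True):
    """Build outward foaf:knows edges, optionally keeping only statements
    that appear in the subject's own document."""
    graph = {}
    for publisher, subject, obj in statements:
        if self_published_only and publisher != subject:
            continue  # someone else asserting who the subject knows: ignore
        graph.setdefault(subject, set()).add(obj)
    return graph

def trust_score(graph, recipient, sender, max_hops=2, decay=0.5):
    """Breadth-first walk from the recipient outwards only.

    Returns 1.0 for a direct contact, multiplied by `decay` for each
    further hop, or None when no path within max_hops exists."""
    if sender == recipient:
        return 1.0
    seen = {recipient}
    queue = deque([(recipient, 0)])
    while queue:
        person, hops = queue.popleft()
        if hops == max_hops:
            continue  # hop budget used up on this branch
        for known in sorted(graph.get(person, ())):
            if known == sender:
                return decay ** hops
            if known not in seen:
                seen.add(known)
                queue.append((known, hops + 1))
    return None

if __name__ == "__main__":
    for strict in (False, True):
        g = build_graph(STATEMENTS, self_published_only=strict)
        print(strict, {s: trust_score(g, "alice", s) for s in ("danbri", "carol", "spammer")})
```

The reverse-direction claim never helps the spammer in either mode, because the walk only follows edges leading away from the recipient.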