[foaf-dev] FOAF-based whitelisting project

Kjetil Kjernsmo kjetil at kjernsmo.net
Mon Mar 12 21:00:19 UTC 2007


On Monday 12 March 2007 17:25, Tom Heath wrote:
> I quite like the idea of a 0-1 score (rather than 0-100),

OK, I'm willing to go along with 0-1. The reason why I liked 0-100 was 
that we could do fine with integers, whereas 0-1 would imply that we 
were dealing with floats. Not a big issue. 

> and in 
> common with Steve's mail that's just arrived, I'm also skeptical
> about negative trust ratings; what would we *actually* do with them?
> Surely all we need is a score somewhere between 0 and 1, or NULL
> where we don't have any data?

Well, as I already coded in the qpsmtpd plugin:
  return DENY if ($trust <= ($self->qp->config('foaftrust_black') || -101)); # blacklist the sender

so, you'd outright deny the email if the trust metric is a sufficiently 
large negative value. It would require topical, quantitative trust 
relationships, though. That's something I hope to do, but yeah, I've 
just said that it won't be for v1.0, so let's think more carefully about 
it.... :-)  

>
> Lastly, overcoming the risk of spam foaf:knows statements (SpOAF?)
> should simply be a case of combining a user preference
> "TrustSendersUpToHops: X" (or "TrustSendersWithTrustScoreGreaterThan:
> X") with a heuristic that only attends to foaf:knows relations that
> run from the email recipient outwards, but not the reverse. So if I
> get email from someone who someone I know says they know, that's fine
> (if hops threshold > 2), but if email arrives from someone who says
> they know someone who knows me, but my FOAF doesn't corroborate this,
> then this mail should be rejected (however 'true' the statements
> are). Perhaps this directionality should also be a user option.

Hmmm, that sounds like a relatively expensive check. 

Although I like the idea of a setting that says something about how far 
apart they would trust a user, or some setting that says how much the 
trust metric declines for each hop, I think we just have to be careful 
about what we accept.

One of the big use cases for this is to be able to accept images 
from anybody in first email. Some colleagues said that the image spam 
problem is trivial, just reject all emails coming from a sender that is 
not in your address book. Although I think that images are better suited 
for other things than email, I think a lot of people would say that it 
is nice to be able to accept an email from the cute girl you met at a 
party, even if she's not in your address book yet... :-) 

I'm not quite sure if I did understand your proposal though. I think the 
problem is this: I trust danbri, and so do a lot of other people. Thus, 
it is a great incentive for a spammer to sneak in a :danbri foaf:knows 
spammer into the database, and then go spamming everyone that trusts 
danbri. That's the thing we must prevent.

Cheers,

Kjetil
-- 
Kjetil Kjernsmo
Programmer / Astrophysicist / Ski-orienteer / Orienteer / Mountaineer
kjetil at kjernsmo.net
Homepage: http://www.kjetil.kjernsmo.net/     OpenPGP KeyID: 6A6A0BBC
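
The hop limit, per-hop decline and recipient-outwards direction discussed in this message, as an added example (not code from the qpsmtpd plugin or from anyone in the thread). It assumes each foaf:knows statement is stored with the document it was read from and that only a subject's own document may speak for them, which is one way to keep an injected ":danbri foaf:knows spammer" from being followed; all names, URLs and function names are constructed.

```python
from collections import deque

# Constructed sample data: (subject, object, source document) for each
# foaf:knows statement in the store. Names and URLs are hypothetical.
STATEMENTS = [
    ("kjetil", "danbri", "http://example.org/kjetil/foaf.rdf"),
    ("danbri", "tom", "http://example.org/danbri/foaf.rdf"),
    ("tom", "alice", "http://example.org/tom/foaf.rdf"),
    # Spammer claims to know danbri: points toward the recipient, never followed.
    ("spammer", "danbri", "http://example.net/spammer/foaf.rdf"),
    # Injected statement: danbri is the subject, but the source is not his document.
    ("danbri", "spammer", "http://example.net/spammer/foaf.rdf"),
]
# Assumed mapping of each person to the one document allowed to speak for them.
OWN_DOCUMENT = {
    "kjetil": "http://example.org/kjetil/foaf.rdf",
    "danbri": "http://example.org/danbri/foaf.rdf",
    "tom": "http://example.org/tom/foaf.rdf",
}

def outward_edges(statements, own_document):
    """Keep only foaf:knows statements made in the subject's own document."""
    edges = {}
    for subject, obj, source in statements:
        if own_document.get(subject) == source:
            edges.setdefault(subject, set()).add(obj)
    return edges

def trust_score(recipient, sender, statements, own_document, max_hops=2, decay=0.5):
    """Return a 0-1 score for sender, or None when there is no data.

    Breadth-first search from the recipient outwards; each hop multiplies
    the score by `decay`, and paths longer than `max_hops` are ignored.
    """
    edges = outward_edges(statements, own_document)
    queue = deque([(recipient, 0)])
    seen = {recipient}
    while queue:
        person, hops = queue.popleft()
        if person == sender:
            return decay ** hops
        if hops == max_hops:
            continue
        for known in sorted(edges.get(person, ())):
            if known not in seen:
                seen.add(known)
                queue.append((known, hops + 1))
    return None
```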

