Statistical Open Proxy Monitor (STOPM)

Motivation

We want a chat platform that normal people can use without reading manuals. We don't want a social network for elitists; we want a social network for normal users.

Most networks today use clumsy ways of dealing with spam and ban evasion. They do an IP address lookup and check if the IP is present on an RBL. If so, they ban the user. This unfortunately ends up banning a lot of innocent users. Users behind VPNs and tor are often banned, as are users who have bad ISPs.

Here are some examples:

  1. Some networks completely ban tor or force tor users to first register using a non-tor IP (which defeats the purpose of tor)
  2. Channel operators often set public channels to +R, which forces every user to register before they can chat. Some channels outright ban tor. This prevents unregistered users from chatting, which severely reduces privacy and makes it hard for new users to join.
  3. Users with bad residential ISPs are banned by default because their ISP has a reputation for spam; the entire IP range is placed on a blacklist.
  4. If you try to connect to Freenode from a blacklisted residential ISP, you are forced to install and authenticate using SASL (confusing for new users):
    16:45 !cherryh.freenode.net *** Notice -- You need to identify via SASL to use this server
    16:45 -!- ERROR Closing Link: 10.0.0.1 (SASL access only)
    
  5. Forcing SASL authentication has caused over 95% of our znc users to quit using SimoSnap
  6. +l limits to prevent flooding may prevent normal users from joining if limits aren't updated
  7. +Z which bans non-SSL users will ban lots of mIRC 6.x users who lack SSL

UnrealIRCd and InspIRCd do not solve spam problems intuitively. They use almost a hundred different flags to ban innocent users in almost a hundred different ways. IRCNow's bouncers were only recently banned by some inexperienced Unreal opers: just a few days ago they gave us express permission to connect with an iline, and then they Z-lined our IPs by accident for being proxies.

Accidental banning happens on a daily basis because UnrealIRCd is too confusing for average users to administer. Channel ops also struggle to administer their own channels because of the needlessly complex settings.

Here are some example flags that are highly confusing and of no use:

  D   chanmodes/delayjoin   Delays someone's JOIN message until that person speaks. Chanops and higher, opers and ulines/services are exempt. (Requires +o or higher)
  Q   chanmodes/nokick      No /KICK allowed. Can be used to force all chanops to use Services for kicking. Unusual, but possible.
  V   chanmodes/noinvite    /INVITE is not permitted.

Introducing STOPM

The STatistical Open Proxy Monitor (STOPM) is IRCNow's attempt at a good spam filtering system. It is designed to work automatically and should not require admins or users to memorize an endless series of flags.

We believe an intelligent policy will consider a user's fingerprints holistically and assign a statistical probability that the connection is a spam bot, rather than banning on any single signal.

A spam system has to be able to scale for a network with >50,000 users and determined attackers. To do this, we must build our own spam fighting system.

"The sculptor can more easily carve a fair statue from a rough block, than from the block which has been badly shaped out by another"

How STOPM works

A spam probability score will be assigned ranging from 0.0000 (not spam) to 1.0000 (spam) based on a combination of factors:

  1. Does the IP address appear on an RBL?
  2. Does the IP address have DNS and rDNS properly configured?
  3. Does the IP address come from a residential IP or VPN or other proxy?
  4. Is the IP address an open proxy based on port scans?
  5. Is ident enabled?
  6. Did the client use SSL?
  7. Does the irc client respond to CTCP requests?
  8. Does the client have a proper realname and username?

We can also combine this with http and smtp fingerprinting done by services to build a spam score that won't ban innocent users.
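As an added illustration of the combination step (this is example code written for this page, not code from STOPM or ACOPM), here is one way to turn the eight factors above into a single 0.0000 to 1.0000 score: each signal contributes a likelihood ratio, the ratios are multiplied into the prior odds (naive Bayes), and the odds are converted back to a probability. The ratios, the prior, the thresholds and the four sample fingerprints are constructed placeholder values; a real deployment would estimate the ratios from labelled connection logs. The point it demonstrates is the holistic one made above: a Tor user or a user on a blacklisted residential range still scores as "allow" when the rest of their fingerprint looks like a real client, while only a connection that fails most checks reaches the reject threshold.

```python
from dataclasses import dataclass, fields, replace


@dataclass(frozen=True)
class Fingerprint:
    """Per-connection signals, one per factor in the STOPM list above."""
    on_rbl: bool          # 1. IP appears on an RBL
    rdns_ok: bool         # 2. DNS / rDNS properly configured (forward-confirmed)
    proxy_range: bool     # 3. IP belongs to a VPN, hosting or other proxy range
    open_proxy: bool      # 4. port scan found an open proxy
    ident: bool           # 5. ident is enabled
    ssl: bool             # 6. client connected over SSL/TLS
    ctcp_reply: bool      # 7. client answered a CTCP request
    realname_ok: bool     # 8. realname and username look like a real client


# Likelihood ratios P(signal | spam) / P(signal | legit), as (ratio if True, ratio if False).
# CONSTRUCTED placeholder numbers for illustration only. Starting from the prior, no single
# "True" ratio pushes the score past the reject threshold by itself, which is what stops one
# RBL hit from banning an innocent user.
LIKELIHOOD_RATIOS = {
    "on_rbl":      (4.0, 0.5),
    "rdns_ok":     (0.5, 3.0),
    "proxy_range": (2.0, 0.8),
    "open_proxy":  (20.0, 0.9),
    "ident":       (0.5, 2.0),
    "ssl":         (0.5, 1.5),
    "ctcp_reply":  (0.25, 3.0),
    "realname_ok": (0.5, 4.0),
}

PRIOR_SPAM = 0.05   # assumed base rate of spam connections (constructed)


def spam_score(fp: Fingerprint, prior: float = PRIOR_SPAM) -> float:
    """Naive-Bayes combination: start from the prior odds, multiply in one
    likelihood ratio per signal, convert back to a probability in [0, 1] and
    round to the four decimals of the STOPM scale."""
    odds = prior / (1.0 - prior)
    for f in fields(fp):
        lr_true, lr_false = LIKELIHOOD_RATIOS[f.name]
        odds *= lr_true if getattr(fp, f.name) else lr_false
    return round(odds / (1.0 + odds), 4)


def verdict(score: float, reject_at: float = 0.95, challenge_at: float = 0.5) -> str:
    """Map a score to an action. 'challenge' is where a network might require
    registration; only 'reject' closes the link. Thresholds are constructed."""
    if score >= reject_at:
        return "reject"
    if score >= challenge_at:
        return "challenge"
    return "allow"


# Constructed sample fingerprints.
TOR_USER = Fingerprint(on_rbl=True, rdns_ok=True, proxy_range=True, open_proxy=False,
                       ident=False, ssl=True, ctcp_reply=True, realname_ok=True)
SPAM_BOT = Fingerprint(on_rbl=True, rdns_ok=False, proxy_range=True, open_proxy=True,
                       ident=False, ssl=False, ctcp_reply=False, realname_ok=False)
CLEAN_RESIDENTIAL = Fingerprint(on_rbl=False, rdns_ok=True, proxy_range=False, open_proxy=False,
                                ident=True, ssl=True, ctcp_reply=True, realname_ok=True)
# The case from the Motivation section: a normal user whose ISP range is blacklisted.
BLACKLISTED_RESIDENTIAL = replace(CLEAN_RESIDENTIAL, on_rbl=True)


if __name__ == "__main__":
    for name, fp in [("tor user", TOR_USER), ("spam bot", SPAM_BOT),
                     ("clean residential", CLEAN_RESIDENTIAL),
                     ("blacklisted residential", BLACKLISTED_RESIDENTIAL)]:
        s = spam_score(fp)
        print(f"{name:24s} score={s:.4f} verdict={verdict(s)}")
```

Because the signals are combined multiplicatively, a positive signal such as a working ident or a CTCP reply can offset a negative one such as an RBL listing; with a flag-based system like the +R/SASL examples above, the RBL hit alone decides the outcome.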

Fork ACOPM

We will use ACOPM as our base because it is a minimal open proxy monitor, which we can then customize to our needs.