Stopm

Statistical Open Proxy Monitor (STOPM)

Motivation

Most ircds today have clumsy ways of dealing with spam and ban evasion. They do an IP address lookup and check if the IP is present on an RBL. If so, they ban the user. This unfortunately ends up banning a lot of innocent users. Users behind VPNs and tor are often banned, as are users who have bad ISPs.

Here are some examples:

  1. Some networks completely ban tor or force tor users to first register using a non-tor IP (which defeats the purpose of tor)
  2. Channel operators often set public channels to +R, which forces every use to register before they can chat. Some channels outright ban tor. This prevents unregistered users from chatting, which severely reduces privacy and makes it hard for new users to join.
  3. Users with bad residential ISPs are banned by default because their ISP has a reputation for spam; the entire IP range is placed on a blacklist.
  4. If you try to connect to Freenode from a blacklisted residential ISP, you are forced to install and authenticate using SASL (confusing for new users):
    16:45 !cherryh.freenode.net *** Notice -- You need to identify via SASL to use this server
    16:45 -!- ERROR Closing Link: 10.0.0.1 (SASL access only)
    
  5. Forcing SASL authentication has caused over 95% of our znc users to quit using SimoSnap
  6. +l limits to prevent flooding may prevent normal users from joining if limits aren't updated
  7. +Z which bans non-SSL users will ban lots of mIRC 6.x users who lack SSL

Introducing STOPM

The STatistical Open Proxy Monitor (STOPM) is IRCNow's attempt at a good spam filtering system. It is designed to work automatically and should not require admins or users to memorize an endless series of flags.

We believe an intelligent policy will consider a user's fingerprints holistically and assign a statistical probability to guess whether or not it might be a spam bot.

A spam system has to be able to scale for a network with >50,000 users and determined attackers. To do this, we must build our own spam fighting system.

"The sculptor can more easily carve a fair statue from a rough block, than from the block which has been badly shaped out by another"

How STOPM works

A spam probability score will be assigned ranging from 0.0000 (not spam) to 1.0000 (spam) based on a combination of factors:

  1. Does the IP address appear on an RBL?
  2. Does the IP address have DNS and rDNS properly configured?
  3. Does the IP address come from a residential IP or VPN or other proxy?
  4. Is the IP address an open proxy based on port scans?
  5. Is ident enabled?
  6. Did the client use SSL?
  7. Does the irc client respond to CTCP requests?
  8. Does the client have a proper realname and username?

We can also combine this with http and smtp fingerprinting done by services to build a spam score that won't ban innocent users.

Fork ACOPM

We will use ACOPM as our base because it is a minimal open proxy monitor, which we can then customize to our needs.