There is a new acronym floating around that has at least two things going for it: it sounds cool, and it has a cool logo. FOAF stands for Friend of a Friend and is a file format intended to express identity and relationships. Basically, it’s a computer-readable file that identifies you and the people you know (by pointing to their FOAF files). A computer can then go grab their files, and so on.
The practical applications haven’t really been figured out yet – but people seem to be in agreement that having this type of info available could make for some interesting applications. The TypePad service is the first major weblogging platform to create FOAF files by default – this should spread adoption beyond XML-nerds.
Right now my FOAF file says I know three other FOAF-enabled friends (Dan James, Peter Rukavina, and Ben Wright are the lucky trio). If you follow Peter’s FOAF trail, he “knows” 14 people, most of whom I also know, some of whom I don’t. If you were to follow the trail a step further, I would likely know fewer.
Overlapping circles of friends and acquaintances form a web. The further someone is away from you on the web, the less you are able to trust them solely based on relationships. I trust my friends. I would trust a friend of a friend. I would trust a friend of a friend of a friend, but less so.
So what can we do with all of these social connections? Block spam. I propose a FOAF-powered super-whitelist.
The usual “whitelist” in an email program is basically a list of people that you have explicitly told the program are not spammers. You can usually build it manually, or by a few other semi-automatic means (anyone in your contact list, or anyone you reply to, can be added).
The whitelist works well, but it’s not a very good way to make new friends. What if I want to send a legitimate email to someone I’ve never emailed before?
What if your “FOAF-knows” list was your email whitelist – and people further away from you on the web of FOAF could be given something along the lines of “whitelist points” according to their distance from you on the chain?
For example, anyone on my FOAF-knows list gets on my email whitelist (call them Group A). Anyone on the FOAF-knows list of anyone in Group A gets on my email whitelist (call this pack Group B). Anyone on the FOAF-knows list of Group B could be given some level of “whitelist point”, and so on.
Make any sense? Wanna implement it? Please do.
So, I’ve stuck up a “foaf.rdf” but what now?
Hi. Re FOAF for whitelists, spot on imho. I use a foaf-based whitelisting system based on aggregating info about “non-spam” mailboxes. See writeup at http://www.w3.org/2001/12/rubyrdf/util/foafwhite/intro.html
How does that sound as a starting point?
And when FOAF-based whitelisting becomes widely used spammers will just send messages with spoofed addresses from your FOAF friends. And FOAF will be great for email viruses based on social-engineering… malicious messages will appear to be from your real friends.
…which is why we’re also trying to encourage the use of PGP signing via FOAF (see http://usefulinc.com/foaf/ Edd’s FOAFbot for an example app that consumes PGP-signed FOAF).
Isn’t Nate right? Isn’t an obvious weakness that I have just stuck up a bunch of info about me and others publicly?
Rule of thumb — don’t publish stuff you’re not happy… er… publishing.
Re FOAF, the original version relied too heavily on email addresses. We now encourage the use of foaf:mbox_sha1sum instead of foaf:mbox so you get a uniquely identifying value derived from your mailbox URI but one that can’t be used to actually send email. The foaf-a-matic tool makes it easy to generate this…
I don’t think that I am wanting to be the crank on this as I am sure I am not getting everything related to FOAF. But let me poke a stick at it.
I used the foaf-a-matic tool but doesn’t that create a simple obfuscating code or cipher which merely needs a translator to come up with the email address? If that is the case, all a spammer must do is break the cipher. This can be done through using the tool a few times and figuring out the cipher. Also, as I have generated the code, if a spammer breaks it, we each have to manually recreate our FOAF file. This is even the case if one of my contacts changes their email.
The problem would be in the combination of public and P2P. It would seem to me that there should be some receiving app into which the FOAF is placed to confirm. If either my ISP or a tracker like Jevons held my FOAF it would filter and create the whitelist. Is this what is envisaged? It could also include a key which is provided directly to my FOAF list outside of the FOAF file. It would cross reference the key to the FOAF. For second level FOAFs and beyond, the key would require the next acceptable key. Unencrypted keying. Nate will tell me the ways this is foolish.
RFC3174 describes the US Secure Hash Algorithm 1 (SHA1), which is what is used to create what Dan calls the “foaf:mbox_sha1sum” and Alan calls the “simple obfuscating code or cipher”. The beauty of SHA-1 is described as follows:
This says, in simple terms, that if you use the algorithm on something like an email address (the “message”) to get the “obfuscated” version thereof (the “message digest”), it would be next to impossible (“computationally infeasible”) to derive the original email address from the SHA-1’d version.
This means that if I know your email address, I can calculate the SHA-1 value of your email address, and use this to find your FOAF. But if I don’t know your email address, I can’t calculate your SHA-1 value, and I can’t find your FOAF (at least not that way).
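Putting the original post’s Group A / Group B whitelist together with Peter’s point about foaf:mbox_sha1sum, here is an added example (not code from the post, foaf-a-matic or any FOAF project) that hashes an incoming sender the way FOAF does and grades it by its foaf:knows distance from your own file. All names, addresses and URLs are constructed, and the example assumes, as the FOAF vocabulary does, that mbox_sha1sum is the SHA-1 of the full mailto: URI.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import deque

FOAF = "http://xmlns.com/foaf/0.1/"
RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
RDFS = "http://www.w3.org/2000/01/rdf-schema#"

def mbox_sha1sum(email):
    """foaf:mbox_sha1sum hashes the mailto: URI, not the bare address (assumed per the vocabulary)."""
    return hashlib.sha1(("mailto:" + email).encode()).hexdigest()

def make_foaf(owner, friends):
    """Constructed RDF/XML in the shape foaf-a-matic emits: the owner plus one
    foaf:knows entry (hash + rdfs:seeAlso pointer to their own file) per friend."""
    knows = "".join(
        f'<foaf:knows><foaf:Person><foaf:mbox_sha1sum>{mbox_sha1sum(f)}</foaf:mbox_sha1sum>'
        f'<rdfs:seeAlso rdf:resource="{url}"/></foaf:Person></foaf:knows>' for f, url in friends)
    return (f'<rdf:RDF xmlns:rdf="{RDF}" xmlns:rdfs="{RDFS}" xmlns:foaf="{FOAF}">'
            f'<foaf:Person><foaf:mbox_sha1sum>{mbox_sha1sum(owner)}</foaf:mbox_sha1sum>'
            f'{knows}</foaf:Person></rdf:RDF>')

# Constructed stand-in for the files a crawler would fetch (every name and URL is invented).
FILES = {
    "http://example.net/me.rdf": make_foaf("me@example.net", [("dan@example.org", "http://example.org/dan.rdf")]),
    "http://example.org/dan.rdf": make_foaf("dan@example.org", [("peter@example.com", "http://example.com/peter.rdf")]),
    "http://example.com/peter.rdf": make_foaf("peter@example.com", [("ben@example.ca", "http://example.ca/ben.rdf")]),
}

def knows(url):
    """Yield (mbox_sha1sum, seeAlso URL or None) for every foaf:knows in one FOAF file."""
    root = ET.fromstring(FILES[url])
    for p in root.iterfind(f".//{{{FOAF}}}knows/{{{FOAF}}}Person"):
        see = p.find(f"{{{RDFS}}}seeAlso")
        yield p.findtext(f"{{{FOAF}}}mbox_sha1sum"), None if see is None else see.get(f"{{{RDF}}}resource")

def whitelist_distance(my_foaf, sender, max_hops=3):
    """Hops from me to the sender over foaf:knows: 1 = Group A, 2 = Group B, ...
    None = not reachable within max_hops (trust decays per hop, so the crawl is capped)."""
    target = mbox_sha1sum(sender)
    seen, queue = {my_foaf}, deque([(my_foaf, 0)])
    while queue:
        url, hops = queue.popleft()
        if hops == max_hops:
            continue
        for digest, see_also in knows(url):
            if digest == target:
                return hops + 1
            if see_also in FILES and see_also not in seen:
                seen.add(see_also)
                queue.append((see_also, hops + 1))
    return None
```

Because only the hash is published, the filter can match a sender it already knows the address of (the mail just arrived from it) without any FOAF file exposing a mailable address; the cap on hops is where the “fewer whitelist points per step” idea goes.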
So it uses chaos based encoding – that is good. But if the code is public (on my foaf.rdf) and fixed from its creation so that the same cipher always relates to my email and, for practical purposes, all emails are out there in the public space, is not Peter’s last sentence one that would never come into play?
There is a risk of brute force attack, eg.
foreach $given ('alice', 'andy', 'bill', 'brian', '...') {
  foreach $family ('Astwith', 'Brown', '...') {
    foreach $connector ('-', '.', '_', '') {
      foreach $case ('caps', 'lowercase', 'camelcase') {
        foreach $order ('familyfirst', 'givenfirst') {
          foreach $knowninternetsubdomain ('very long list here') {
            my $mb = composembox($given, $family, $connector, $case, $order, etc...);
            # compare sha1("mailto:$mb") with the published foaf:mbox_sha1sum
          }
        }
      }
    }
  }
}
So there is some possibility that you could use this to test a sha1sum’d mailbox against a hypothesis generated this brutish way, and for some class of users (daniel.brickley@bristol.ac.uk for eg.) the content could be confirmed.
I’m not losing sleep over it, but the possibility certainly exists.
The method described by Dan is not actually a brute force attack; it’s rather more like a combined dictionary attack. The attack is not feasible — the worst case scenario would be when the DB contained permutations for all possible email addresses, and a good case won’t come far from it. It would make more sense to run SHA1 lookups against spammers’ email databases to determine which addresses are good.
I’m not losing sleep over it, but the possibility certainly exists.
And well you shouldn’t. And, yes, smart namelists will crack most human-derived passwording, however hashed.
One either wants to use FOAF or not. Obviously it will keep step with real world protections (or die) but, assuming it does, FOAF can do a lot of good. For those who want to participate.
How many of us anonymize our IPs behind a chain of proxies when Web surfing? How many seriously guard knowledge of their email addresses? Almost nobody.
Steven is right, and Dan is right. FOAF is nothing about evil and everything about good. The power of FOAF is in aggregation, but the data expressed are subjective, privately-selected. Prying applications may crunch the FOAF network for commercial purposes, but will that mean you’ll get more spam? Doubt it.
No, FOAF costs nothing in practical terms. If you’re willing to say in person, on the street, to an acquaintance or a cop that so-and-so is my friend then you should be willing to say it in a FOAF file. There’s no difference and no additional exposure than that, probably less.
I suppose that is a very good way of looking at it, Lou. So I have two questions: what do I do with it and how do I add more names to my FOAF once it is up?
Alan: what do I do with it and how do I add more names to my FOAF once it is up?
First things first: your FOAF file isn’t well-formed XML. Looks like you’ve embedded it in a SilverOrange content node. (Sorry to be nodal. I’ve had Drupal fever for the past two days and am growing nodes willy-nilly.)
Anyhow, you want to take the foaf.rdf file that (I’m guessing) was generated by FOAF-a-matic, save it off as its own discrete text file and upload it to your server. The Web root is a suitable place:
http://www.genx40.com/foaf.rdf
The SilverOrange tool is wrapping your FOAF file in a bunch of XHTML. It needs to just sit there by itself, unadorned and unprocessed.
Next you want to create a hard link to it, instead of letting the SilverOrange app create one:
<a href="http://www.genx40.com/foaf.rdf">FOAF</a>
You might also add a link to the FOAF file in the <head> section of your pages. This casts an eye toward future auto-discovery of FOAF; it’s not really necessary.
<link rel="meta" type="application/rdf+xml" title="FOAF" href="http://www.genx40.com/foaf.rdf" />
Now some cool things start to happen.
You’re included as a foaf:knows in Peter Rukavina‘s FOAF file (visit FOAF Explorer and see). The foaf:knows entries (people) in Peter’s FOAF that themselves have a resolvable FOAF file show the FOAF Explorer icon to the left of the name. Click it to see a formatted depiction of their FOAF info. Feel the groove.
To the right of each foaf:knows name in FOAF explorer is another icon, a red smiley with a plus sign (looks like a red pineapple). This is a link to a Web service called FOAF Add-A-Friend. It reads your FOAF file, adds a foaf:knows entry to it for the person’s name you clicked, and presents a new version of your FOAF file with the new person added. You can copy-paste this output to your FOAF file (fully replacing the prior contents), et voilà: you just added a friend of a friend. The network is growing like Ron Jeremy at a Tupperware party.
None of this means much right now. FOAF is comparatively bleeding edge. As discussed above, the really useful FOAF stuff (applications and Web services that actually use FOAF data for beneficial purposes) hasn’t arrived yet. But FOAF is cool and is coming, I think, so figuring it out now can’t hurt if you have the time.
Before long, Web CMSes will provide a tool for editing one’s FOAF file in an orderly way. That’s probably already tacked to the end of Steven’s to-do list for the SilverOrange app … hey, maybe I’ll write a Drupal module for it. Good excuse to dig into PHP’s XML parser functions and reclaim some lost cred.
I’m leaving a lot out here. The PGP encryption and public/private FOAF bifurcation issues mentioned and linked-to above are part of the emerging picture. For now, leave anything sensitive out of your FOAF file, get it online, and wait. The jazzy stuff is just around the corner.
Hope this helps.
Thanks Lou. So often 101’s are not the right place to start. I often need the 100.5 which you supplied.
I think it’s anthropologically interesting that a thing like FOAF exists. A year or two ago, I read a book by David Attenborough, ‘Life on Earth’, and its last chapter was about humans, and was called ‘The Compulsive Communicators’.
I also think it’s too soon for FOAF, because the technology it’s based on hasn’t even crystallized into a stable form yet, from what I can tell.
It’s like when the trucks are still pouring concrete into the foundation of a building and at the same time the contractor orders the roof to be built.
Maybe I’m wrong about the status of XML/RDF/RSS/whatnot. If I am, you’re free to smack me.
hey everyone whats up?! well i was just wondering if there was nemore robots screen names! well my screen name is sftblstar852 i m me sometime ttyl! buh byes!
~*nina*~
Is ~*Nina*~ the daughter of somebody around here who just doesn’t get it, or is it okay to IM her some JPGs of my schwantz?
Steven, can you whois her IP to see if it’s probably broadband? These are high-rez shots. There’s a lot to fit in the image, and some important detail I’d hate to obscure.
Willem: I think it’s anthropologically interesting that a thing like FOAF exists. [snip] It’s like when the trucks are still pouring concrete into the foundation of a building and at the same time the contractor orders the roof to be built.
Smack.
What’s it cost? It’s a damned text file.
I think it’s anthropologically interesting that anyone thinks the pouring of concrete will ever pause, or that it will ever be allowed to cure. Ever.
Seriously, get a grip. This is a recipe for doing nothing, because, well, it’s not quite ready yet.
Maybe my idea will take off now that it’s in Nature magazine!
🙂