SPAM (bulk unsolicited private message, SCAM) received

[slrslr]

Hi,

after using MuWire for more than 1 month (last build is maybe 6 days old?) i have received first SPAM private message 15 minutes ago. It was sent in bulk to 67 recipients and is a SCAM message.

(click to enlarge)

Some ideas:

• Allow bulk message after certain period of time since profile setup or maybe better also since MuWire install (7 days old profile & muwire)
• Limit amount of messages sent per the time period for new users (maximum X messages sent per interval or maximum recipients per interval, no matter how many messages was sent)
• Allow bulk message only if at least one recipient has the sender in his contacts or in his Sent private messages (do not disclose this limit when warning user, because they will create two profiles..)
• Make scraping usernames/recipients in bulk harder by obfuscating parts of the full usernames?
• user can write his/her blacklist (found phrase in body -> auto-delete message)

[zlatinb]

I received the message too :(

Unfortunately there is no technical "solution" to spam; with email it took many years to get spam under control and even that is debatable. Some of the solutions that helped with email will not work at all with MuWire due to its anonymous nature, i.e. the spammer can generate infinite number of fake identities to send messages from.

Some comments on your ideas:

• Allow bulk message after certain period of time - there is no way to enforce that because MuWire is open source; the spammer can easily circumvent the enforcement if they build from source
• Limit amount of messages sent per time period - same problem as above
• Allow bulk message if at least one recipient has the sender in his contacts - I'm not sure exactly what you mean by this, but "not disclosing the limit" will not work again because the source is available to read
• Make scraping usernames harder - a lot of the MuWire functionality depends on being able to easily find the full id of someone else. Every query for example contains the full id of the person sending it and that is required for query processing.

I guess the only silver lining is that there is little to no incentive for someone to spam MuWire users. The main motivation spammers have is money, and I would speculate that MuWire users are a very unlikely audience for profitable spamming. This spammer was probably testing if it was technically possible to spam; if there is no money to be made they will eventually stop.

Spam is a problem with search results as well, which is one of the reasons the trust functionality exists. Ultimately the best thing to do is to have a large contact list and to allow messages only from trusted contacts. But I don't want to make that setting the default because a new user will be completely unable to successfully communicate with others.

[slrslr]

Allow bulk message if at least one recipient has the sender in his contacts - I'm not sure exactly what you mean by this

I was assuming that the bulk message is meant to contact people you usually already know so one would assume that people you are contacting A) already have you in contacts or B) sent you a message already. Though likely it is stupid idea to and Muwire unable to verify this.

spammer can easily circumvent the enforcement if they build from source

yes, though it may limit some potential spammers who will give up upon being denied to send bulk message too often or at all due to mentioned time limits (new user+new muwire build)

What may also help is that user can write his/her blacklist, if phrase is found in the message, message gets automatically deleted.

True that user can still disable messages from unknown sources entirely. Sub-option of this "Not accept bulk messages by default" would not make sense, because user can still send unlimited single-recipient messages to users?

[zlatinb]

Bulk message is only one way of spamming; a determined spammer can script sending direct messages in a loop in which case any restrictions on bulk messages will be circumvented.

I think this specific spammer sent the message from the MuWire gui. This is very inefficient and will very quickly become tedious for repeated spamming. If someone were to seriously spam, they would need to build a spamming tool - and they can then bypass any limits on bulk sending.