Shareaza

[branko-r]

I'm asking this because the last 6 months at least has been a whack-a-mole game. Hashes are different each time, and so are IPs. You can ban them all you want, but they appear to start anew in the very next search. You've seen them already: 657 kb ZIPs, 4.13 Mb MP3s, 5.15 MB MOVs and the like.

Also, there are usually batches of search hits with the same indicated speed, despite completely disparate IPs, which would normally be highly unlikely.

Before this, there were fake files, but the search results were real. That's why filtering was generally effective. This time, my guess is that these search results are faked. Consequently, filtering is useless: one is banning fake IPs and fake hashes, instead of banning the ones who are sending these results. However - and this is my understanding of the protocol - you can't really do that either, because search hits are cached across the network, so one doesn't know whether these hits originated with the one who is sending them, or are merely being passed along.

Is this an accurate description of the situation? While this is probably not a major annoyance at the moment, is there a way to combat the problem?

[cyko_01]

There is only one simple solution: set minimum file size for example 10Mb.

Also u can try Shareaza Effective Filter 10-01-01 by ShareazaSpamBusters

Shareaza Effective Filter

ed2k://|file|ShareazaEffectiveFilter10-01-01.xml|11788|2a0f91a8b32bcafa1923a9991c6433c9|/|sources,95.134.54.163:12000|/

[branko-r]

Thanks for the filter, I'll give it a try!

Although setting the searches to be as selective as possible (e.g. using "Any file type" is not a good idea) does the trick, I'm still looking forward to a systemic solution to this problem...

[cyko_01]

It is true that it is getting more and more challenging to effectively block spam. spammers are getting better and better at what they do, but shareaza also has incredible spam blocking capabilities. Shareaza is capable of filtering spam in ways that NO OTHER P2P SOFTWARE can. That is a fact! The trick is creating effective filters and keeping them up-to-date.

I would like to thank diztrancer for sharing his personal filters (nice name by the way), but you may also want to try the All-In-One AntiSpam Filter. It is is downloaded about 500 times per month along with it's accompanying child and adult porn filters, and is used by literally thousands of shareaza users.

You will also be interested to know that I am working on a tool that will allow you to automatically update your shareaza filters. This will allow for more frequent updates and better spam blocking.

@diztrancer: I downloaded and examined your filters and there are some excellent new filters (particularly the filesize filters. I knew it was possible, but couldn't figure out how to do it )that I will definitely include, and build upon, in the next release of the All-In-One AntiSpam filter!

[diztrancer]

i managed to create filter without any text,filesize or hash rules - only 60 regex and some IP for ed2k - it so slow (even on machine with 2,8Ghz CPU and 2Gb RAM) so use filesize rules and group similar regex rules into one complex rule (tested on 1100Mhz machine with 512 RAM) - 5 complex regex rules are not noticeable, but 15 very simple rules make switching from download tab to search tab take 1 minute and Shareaza .

Most valuable part of filter is ed2k rules, they are always up to day (i check them every week).

[ocexyz]

I just wonder what those other P2P softwares do against spam?

[diztrancer]

eMules don't have spam - it has ipfilter support (anyway ed2k spam can be disabled by same 10 rules like in my filter for Shareaza). And even this is not relevant because more and more users don't rely on server and use only KAD.

Limewire make HUGE progress in fight with spam - now it superior to Shareaza in both interface solution and effectiveness.

I'm not sure about today situation in Ares - i have it running and check it once per month, will try to search for "Windows Super Fuck Dexter Edition"

[cyko_01]

[diztrancer]

ED2K filter is made from scratch every ~10 days. I'm have connection with some people related to biggest russian ed2k sites, they always give me up to day information which spam-servers are active.

I even have lists of what spam was send from what IP.

P.S. Hits for different ranges depends on what ed2k server u connected to. If u connected to TVUnderground u will not receive spam from most ranges in filter.

P.P.S. As long as Shareaza will not support KAD u need to add at least 100 ed2k servers to find anything using "Global search"(in eMule terms), which Shareaza perform by default, but right after installation it have only <20 servers, pretty useless servers.

[cyko_01]

Shareaza Effective Filter 10-01-04 by ShareazaSpamBusters

Shareaza Effective Filter 10-01-04 by ShareazaSpamBusters

P.S. better to clear all previous security rules before using this: press F7, Home, Shift-End then "Remove rule"

P.P.S. @Ryo-oh-ki: why Ctrl-A don't work ?!?!?

[bugotrep]

I think that the passive spam filtering is ineffective. It block IPs, keywords or hashsets. But IPs can be changed, keyword too, and hashsets too. So every anti-spam filter is old at it release. But I think that one active antispam logic can be very efficient. The logic is pretty simple.
When you search for anything you put some criteria including keywords, size, author... etc. Try the same search, but with random keywords, and then remove duplicated results from the actual search. This should work for all kind of searches without risk to filter correct result. If it is performed by Shareaza will be great advantage.

[old_death]

[diztrancer]

New version ShareazaEffectiveFilter:
Filter out new Gnutella "space in the end" spam and new G2 rar spam.

magnet:?xt=urn:bitprint:4C3DHB3HWUQEEA3G3QMGP64GJC45MXQH.E3UOU2HAK57FGVI4SAJJKXJVKZOUMUAPE5YU6WQ&xt=urn:ed2khash:9d296b5630efb6e9abee8b38dbf7daf1&xl=13303&dn=ShareazaEffectiveFilter10-03-15.xml&xs=http%3A//95.134.53.1%3A12005/uri-res/N2R%3Furn%3Asha1%3A4C3DHB3HWUQEEA3G3QMGP64GJC45MXQH

Please send me examples of spam, that this filter can't stop.

[dark146]

They are effective but they are not 100% effective. At least they are better than nothing.

[bugotrep]

[brov]

Searching for nothing is bad, but it can somewhat prevent spam...

Let's see at nodes sending spam - from what I observed:
They're sending hash tables 100% full meaning every query that reach its hub will be forwarded to them, wasting resources of a hub and giving possibility to send spam. 100% full tables are not likely made by legitimate nodes Blocking by user agent is useless as user agents can be spoofed easily... (they claim to be shareaza)

My proposals:
1. Drop/blacklist all leaf nodes that send QHT 100% full (yes, this can yield to blocking some legitimate nodes, but...)
2. When forwarding a query to such node - remove return address from Q2 (the /UDP child) so all QH2's are forwarded by connected hub. Why? A hub can compute something like 'ratio' between queries sent and hits received and drop nodes/queries accordingly. But it must be done intelligently to avoid dropping/blacklisting legitimate nodes as one query can produce a number of hits. If, say, hub forwarded X queries and have to forward replies to, say, 90% of queries - drop the node or blacklist it and not forward any subsequent queries preventing it to send search spam. Using such scheme will likely block 90% of spam but add some stress to hubs, and something must be done with older nodes that do not follow this scheme... (it is effective only for hub-to-leaf connections, caution must be taken when we deal with hub-to-hub connections...)

My 3 eurocents...