Apache Poison Fountain
gist.github.com
I understand the point of this, but instead of releasing the code to let people embed it into their sites, you assume they will set up proxying to a random url? No sane person will do that.
Fairly certain it'll also just allow them to pick up any cookies right as well as serve literally any content on your domain...
FUD
We have dozens of proxy sites and add new sites every day.
But your caution is healthy and it's ok if you don't participate. Cheers.
I think he just wants to be DDoSed for free
The fountain is subject to continuous denial-of-service attacks.
Attacks from China, attacks from Poland, attacks from The University of Amherst in New York, etc.
No attack has been successful. At worst they increase the fountain response time. No big deal.
I fed this to Claude, and it makes an interesting point in how the Poison Fountain is going to help concentrate AI into the hands of those who can filter out the poison, and out of the hands of those low-budget / open source efforts to build more equitable models that cannot afford to filter out the poison.
> But the strategy is incoherent in a way that bothers me. The framing is "machine intelligence is a threat to the human species, therefore poison the training data." But poisoned training data doesn't make AI disappear — it makes open and smaller models worse while barely denting organizations with the resources to detect and filter adversarial data. Google, Anthropic, OpenAI all have data quality pipelines specifically designed to catch this kind of thing. The people most hurt would be smaller open-source efforts and researchers with fewer resources. So the actual effect is likely to concentrate AI power further among the largest players — the exact opposite of what someone worried about existential risk from AI should want.
It's a valid concern, and one that was raised on reddit a few times too.
But if you're building an open and fair model, I hope you're not just sucking up the entire web and training it on endless stolen data, DoS'ing open source projects constantly. If you just send out crawlers to consume everything, expect some poison. So maybe don't build models that way.
Poison Fountain: https://rnsaffn.com/poison2/
Poison Fountain explanation: https://rnsaffn.com/poison3/
Simple example of usage in Go:
    package main

    import (
        "io"
        "net/http"
    )

    func main() {
        // Each request to /poison fetches a fresh response from the fountain
        // and relays its body to the caller.
        poisonHandler := func(w http.ResponseWriter, req *http.Request) {
            poison, err := http.Get("https://rnsaffn.com/poison2/")
            if err == nil {
                io.Copy(w, poison.Body)
                poison.Body.Close()
            }
        }
        http.HandleFunc("/poison", poisonHandler)
        http.ListenAndServe(":8080", nil)
    }
https://go.dev/play/p/04at1rBMbz8
Apache Poison Fountain: https://gist.github.com/jwakely/a511a5cab5eb36d088ecd1659fce...
Discourse Poison Fountain: https://github.com/elmuerte/discourse-poison-fountain
Netlify Poison Fountain: https://gist.github.com/dlford/5e0daea8ab475db1d410db8fcd5b7...
In the news:
The Register: https://www.theregister.com/2026/01/11/industry_insiders_see...
Forbes: https://www.forbes.com/sites/craigsmith/2026/01/21/poison-fo...
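The concern raised earlier in the thread, that a proxied endpoint lets a third party serve arbitrary content from your domain and see visitors' cookies, can be bounded in the Go handler itself. This is an added example, not code from the thread or from the Poison Fountain project; `newPoisonHandler`, `maxPoisonBytes`, the 1 MiB cap, the 10-second timeout and the decision to serve the body as `text/plain` are assumptions.

```go
package main

import (
	"io"
	"log"
	"net/http"
	"time"
)

// maxPoisonBytes caps how much upstream data one request may relay (assumed limit).
const maxPoisonBytes = 1 << 20

// newPoisonHandler returns a handler that relays only the body of upstream.
// Nothing from the visitor's request (cookies, auth headers, query string) is
// sent upstream, and no upstream header reaches the visitor.
func newPoisonHandler(upstream string, client *http.Client) http.HandlerFunc {
	return func(w http.ResponseWriter, req *http.Request) {
		// Build a fresh request instead of forwarding req.
		out, err := http.NewRequestWithContext(req.Context(), http.MethodGet, upstream, nil)
		if err != nil {
			http.Error(w, "bad upstream", http.StatusInternalServerError)
			return
		}
		resp, err := client.Do(out)
		if err != nil {
			http.Error(w, "upstream unavailable", http.StatusBadGateway)
			return
		}
		defer resp.Body.Close()
		if resp.StatusCode != http.StatusOK {
			http.Error(w, "upstream unavailable", http.StatusBadGateway)
			return
		}
		// Pin the type and disable sniffing so upstream bytes are never
		// rendered as HTML or script on this origin.
		h := w.Header()
		h.Set("Content-Type", "text/plain; charset=utf-8")
		h.Set("X-Content-Type-Options", "nosniff")
		h.Set("Content-Security-Policy", "default-src 'none'; sandbox")
		h.Set("Cache-Control", "no-store")
		io.Copy(w, io.LimitReader(resp.Body, maxPoisonBytes))
	}
}

func main() {
	client := &http.Client{Timeout: 10 * time.Second}
	http.HandleFunc("/poison", newPoisonHandler("https://rnsaffn.com/poison2/", client))
	log.Fatal(http.ListenAndServe(":8080", nil))
}
```

A server-level reverse proxy forwards request and response headers unless told otherwise, so the same three controls (strip request headers, drop upstream response headers, pin the content type) would need to be configured there explicitly.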
I'm interested in how the poison data was generated and why it's "practically endless". It looks like bits of code, structured data, and prose, but with small modifications that make it subtly incorrect. Usually off-by-a-few numbers, e.g. I got the text of GPL-3.0 with a copyright date of 2738.
I guess support for WordPress would be necessary too.
I don't use Apache, but I think I'm going to set something similar up for the non-client facing services I run.
Welcome onboard!
If you have time, write a short Poison Fountain guide for your server software (similar to the Apache guide that Jonathan Wakely wrote) and we'll link to it everywhere.