BlackFrog to Take up BlueFrog's Flag

Runefox writes "ZDNet UK has a story about a new SPAM defense mechanism called BlackFrog, a response to the demise of Blue Security's BlueFrog. According to the article, the new service is based on a P2P network of clients, called the 'Frognet', which allows the opt-out service to continue functioning even after a server has gone down, making a DDoS attack like that which crippled BlueFrog ineffective against the new service."

Link

Link to the project website. [okopipi.org]

Poisonous frogs?

How long until some hacker poisons the peer system into spamming a legitimate site?

-Rick

How to prevent DDOS on the servers.

We're (yes, I'm part of the team - hello slashdot!) currently discussing using the main servers thru various proxys to anonymize the IP address. On a DDOS attack, the servers would just disconnect and then reconnect to another proxy and voila.

Also, the servers are the ones with the Central PGP authority. The network can still operate without servers, they're just needed for login (for now).

Re:Never trust the users

>I think one method for this to work is for each suggested target be evaluated by each member. The >member has to agree that this is a valid target before his account participates in the attack.

With a certain threshold of participants required before the attack even takes place. If there are 100 members, perhaps 20 would need to agree on the item in question being spam. 15 wouldn't be enough to initiate a retaliatory opt-out.

I wonder how much of the "background" noise on the internet is this sort of crap floating around....DNS requests for viruses, port scanning for viruses, traffic in the form of spam, spam responses, systems to deal with spam....probably more than anyone realizes.

seems insecure

Sounds sort of insecure for a project like this to be openly editable to the public via a wiki and p2p network.

good idea

just too bad that someone couldn't get this into the BlueFrog stuff before it died.. atleast then they would have a large userbase.. but if the Blue peps are the ones that look at the e-mails to make sure someone isn't being evil and submitting normal HAM - how is that going to work without master to authorize the clients???

Once you go black, you never go back.

Just as a correction folks, it's not called "Black Frog" this is a mix up. There was two projects. Black Frog and Okopipi aiming for the same goal. Black Frog stopped and the people joined Okopipi.

Re:Once you go black, you never go back.

an Okopipi is a poisonous blue frog.

source from bluefrog?

I hope that people from bluefrog will release source of their utility. This new initiative could surely benefit from their sourcecode.

Re:source from bluefrog?

BlueFrog was open sourced and under the mozilla license, and yes they have the source code.

Spamming the spammers?

Hmm, wont it be amusing for user's PCs to be spamming as part of an hidden botnet and running this at the same time. Hope their not on dialup.

SpamCannibal

I think one of the most genial spamtools is SpamCannibal
http://www.spamcannibal.org/cannibal.cgi [spamcannibal.org]

OMG vigilantes

I can imagine the slew of whiners who will complain about such a vigilante approach to this problem.
Well, remember Firefox, "We're taking back the web"? That's exactly what we're doing here. It's the only strategy that's going to work. Bitching and moaning won't get you a clean mailbox. Taking spammers down will.
If you disagree with fighting fire with fire, I suggest you also criticize any and all law enforcement activities. They're simply state-sponsored vigilantes.

Re:OMG vigilantes

couldn't we just send the spammers a sony music cd? That rootkit would take out their computers at the source instead of just spamming them

Blue Security's reason for shutting down

I thought the reason Blue Security closed shop was because the spammers had diff'd their user database, identified quite a large amount of the participants, and then threatened virus attacks directed at them. Not because of the DDoS.

Blue Security Gives up the Fight [slashdot.org]
The spammer also sent another message: Cease operations or Blue Security customers will soon find themselves targeted with virus-filled attacks.
...
"It's clear to us that [quitting] would be the only thing to prevent a full-scale cyber-war that we just don't have the authority to start," Reshef said. "Our users never signed up for this kind of thing."

I'm guessing the only real difference is that users will know this time around.

Re:Blue Security's reason for shutting down

You're getting things mixed up, I think most users were quite willing to get involved in the cyber-war, the problem was that the company didn't have the resources to fight it.

I'll probably sign up for this blackfrog thing once I've checked it out. In fact, I'd probably consider giving money to someone collecting money to pay someone else to beat the shit out of the world's top spammers. I'm serious, they're scum..

/Mikael

Automatically clicks Unsubscribe links in Spam?

From their wiki:-

Okopipi will automatically click the "opt-out" or "unsubscribe" links contained within the emails and/or report the spam to the appropriate authorities.

I thought that it was generally a bad idea to click unsub or opt-out links in Spam messages since it only server to prove they have a valid email address and the receipient actually reads Spam messages.

Excuse me, but

isn't this really good botnet vs bad botnet? (With good being defined as "opt-in"?)

The more successful it is, the more the Internet will be too bogged down to be useful to anybody.

Also, if someone programs the botnet's to evolve to attack each other better, we're talking SkyNet right around the corner.

Re:Excuse me, but

isn't this really good botnet vs bad botnet?

More like Autobots vs Decepticons, but in the end it's the same thing. The "good" forces won't be a botnet per se, but a loosely aligned group of people doing the same thing, taking on a group with coordinated resources capable of wreaking terrible havok. It's vigilantism to be sure, but until the government of the world actually get their heads out of their butts and come up with a unified and mutually beneficial set of laws to deal with spammers wherever they live, this is the only tool anyone has to even try and slow the spammers down.

I am holding out for CrunchyFrog.

Every spammer gets a "Spring Surprise."

CrunchyFrog explined. http://orangecow.org/pythonet/sketches/crunchy.htm [orangecow.org]

Before comparing to DDOS, or botnets. Be informed

Ok folks, let get a few things straight.

Blue Frog was NOT effective not as a denial of service attack or distributed denial of service attack. It was never meant or designed to be. The Russian spammer said it himself - they never brought down our servers, they only served as "a daily nuisance". The nuisance was this: for every spam that the spammer sent to the some 500,000 Blue Frog members, an automated script (bot) visited the website advertised and filled out the form for snakeoil, home refinancing -- whatever was being hawked. But instead of filling it in with valid input from someone interested in what the website was hawking, it filled it in with a legitimate plea from a single person to Opt-out of being spammed further. With me so far?

The spammer -- or worse, the spammer's client -- in turn, goes to check on their database of people or leads to which they can hawk their snakeoil and generic viagra and low and behold, instead of being filled with legitimate contacts of people they can do business with -- it's filled with hundreds upon thousands of opt-out requests.

Undoubtedly there are real requests from potential business contacts in there. But first they have to filter out all the opt-out requests that Blue Frog has submitted.

Sound familiar? It sure does. It's what we've been putting up with for years. We open our Inbox and instead of seeing email from friends and business associates, we first have to sift through and filter a few gazillion pieces of spam -- each with "Hi How are you?" and "Important Account Information" fake titles. Only then can we get down to the email that's actually sent to us. It's a nuisance.

Blue Frog forced spammers to deal with the SAME NUISANCE they cause us. And the spammers didn't care for it too much. They don't care about opt-out requests, the Internet, what people think of them, possible prosecution --- all they care about is making money and they're making it by the truckload. The fact that Blue Frog actually bothered them enough to use their botnets to attack is VERY encouraging. It means we've found a way to kick them in the ass and make it hurt.

Please don't compare Blue Frog or Black Frog to a DDOS or DOS. As the Russian Spammer demonstrated with his attack, what little network disturbance Blue or Black Frog causes for the spammer or spammer client server pales in comparison to a real attack. Mainly because it isn't meant to be an attack in the first place.

If Black Frog ends up with 1,000,000 subscribers, then lets talk DDOS.

What Do We Really Want?

Don't we have two objectives regarding spam?

1. Reduce/eliminate the network clutter it creates
2. Prevent it from reaching our inboxes

I don't see why the froggy approach is the best direction. Yes, I see the logic in fighting fire with fire. But I've heard that water and foam are also used -- sometimes with good effect -- to fight fires. Sometimes axes are also used.

As an email user, I only care about the second objective. (Don't worry, as an Internet user, I realize my self-interest in supporting the first objective, but it seems more directly relevant to network admins and a "tragedy of the commons" problem for the rest of us.)

Permission-based email starts to make real headway on the second objective, but it doesn't seem to be a common offering. I'm pretty sure one of the Baby Bell ISPs offers it, but I forget which one. Does anyone know more about this and which ISPs might offer it?

Better still, does anyone know of an open-source add-on for mail servers that will do this?

Security?

This does look promising (from TFA:)

"It will be based on a P2P network (the frognet)," according to a posting on the wiki. "On failure to connect it could still opt out given email addresses."

Participants will send reports of spam emails to Okopipi, which will use "handlers", including dedicated servers, to analyse it. To avoid suffering the same fate as Blue Security, Okopipi's staff will not disclose information about its servers.

"Only the Okopipi administrators will know their locations," the group said on its wiki. This should make a DDoS attack "very difficult", it said.

That seems solid, but I wonder how something so open can keep a secret like what and where its servers are. It's beyond me, anyone have more info?

Glad to know...

Glad to know that annoying solutions are evolving as quickly as annoying intrusions. A weakness was discovered in the first system, and now an improved version is available. Clearly the first system was sufficiently annoying to be attacked, which means it was working. In the end it's all a question of who you want to annoy. I vote for annoying spammers since they've annoyed me for far too long.

As far as "poisoning" the black list with a wrong target, who needs to? That would only be an overly complicated form of DDoS attack, which can be accomplished much more simply already. It's not something to worry about yet.

What does Richi think BlackFrog's doing?

"The project should also take care not to cross the line from legitimate spam complaints to attacking spammers using DDoS-like techniques,"

That's what it basically sounds like.

They're automatically doing what spammers wanted people to do, based on the assumption that the spammers didn't set up the infrastructure necessary to support the e-mails they're sending.

T-Bird Plugin?

For me, this would work well with a Thunderbird plugin: Say an option to send the opt-out as a right-click.

I have a catchall account for non-valid email addresses in my domain. Everything that goes there is junk. I could have t-bird's junk filter grab it (mostly it does correctly at this point.), and then when I manually delete stuff, perhaps there could be a right-click to mark as frog-food? (about two thousand a day. fun fun.)

My $.02

Two pronged approach

Remove the demand
Get people to stop buying things from people that Spam. If they open a storefront, send out Spam and get zero response they will stop.
Educate people:
Tell grandpa to stop ordering Viagra from these people!
You cannot buy a Rolex for $99!
Your Johnson will not grow if you take a pill!

Remove the supply.
The other thing that needs to happen is the companies that produce these products being sold need to be accountable for where their merchandise is being sold. I think the best approach to this is for a service like Black Frog that sends an E-mail to the manufacturer stating "Please inform merchant XYZ that I no longer want to receive E-mail offers that include your product." This will be a long hard road since many of the pill companies sell knock-offs that are not genuine. These companies will be more inclined to prosecute the people that are misrepresenting their product this way. The others will find ways to control the supply chain better.

I don't see a spammer ever going away unless you make the internet unprofitable for them. Irritating them costs them $0 Removing the supply and demand is the only solution.

Better idea

Find out their physical locations and make them public. Mob justice works fast.

For the Nth time, we're NOT GOING TO DDOS!!!

Disclaimer: This is my personal opinion and does not reflect the viewpoints of other members of the Okopipi project.
--

Sheesh people! I hate to have to respond to 1,000 comments made by kneejerks who don't even RTFA, saying how terrible it's to DDOS and how the system could be abused.

Do you think we're idiots to let something like this happen?

1. The "attacks" on websites will be moderated. We want to make sure that the force is non-lethal to websites. We haven't discussed the implementations, but the decision has been taken: We will use throttling to PREVENT denial-of-service attacks.

2. The P2P network does *NOT* control the clients, it'll only distribute opt-out scripts for websites. Also, the customer can log out ANY TIME they want. So, NO, it's NOT a botnet.

3. Spammers Don't need P2P networks to initiate an attack. They already have their effective botnets in infected WinXP machines.

4. There will be a reputation system AND a hierarchy system (so not everyone can mod someone down), people will have to earn their trust to classify scripts, those who report wrong sites will be modded down, and the usernames and reputations are permanent. The hierarchy system we're studying requires at least two people acting as an individual before taking any action, to prevent infiltrations.

5. We're already considering infiltration of spammers in our model, we're researching papers written by experts in graph theory and computer science for this. A spammer could at most try to disable the network, but with the currently planned infrastructure, i doubt they can do it.

6. We haven't started to code. We're still discussing (and will continue to discuss) the possible consequences, abuses, attacks and how to prevent them or at least minimize them. We cannot afford to have ANY point of failure.

7. If any wants to cooperate, the google group is open to ideas.

8. And I repeat: we will *NOT* DDOS websites. It's a decision the commitee has taken, and it's a final decision. There have been people who have proposed to DDOS the spammers to death, and we're already shutting them up.

I don't mean to sound like I'm bragging....

... But I use gmail almost exclusively and receive a ton of spam, but what little gets through their filter is caught by Thunderbird. Now, I know Google and Mozilla, Inc. are pretty innovative groups, but why can't others do what they're doing? Especially as Thunderbird is open source? Spam exists because it is profitable. If people saw very little spam it wouldn't be so profitable anymore.

IMPORTANT ANNOUNCEMENT FROM BLACK FROG

Due to TradeMark conflict, I have closed the Black Frog project. Actually the project was just a nameholder, since Okopipi was a separate project which I joined later.

So the official name of the P2P antispam software is now "Okopipi". Please stop naming it "Black Frog" or we could get sued for Trademark Infringement.

Thank you.

(More info on my journal) [slashdot.org]

On Windows? Ignore Spam(mers). I do. Since 2004.

Disclaimer: I wrote it. I use it. It's 100% free (keep your money).

It was available at my website (more info here if you want to read it) [cf13.com] but it got 'Slashdotted' and was 'removed'. So I finally got around to updating it with statistics logging to 'prove' it's effectiveness, to accommodate 'flakey' mailservers that might not like a highly efficient POP3 client accessing them, and to treat 'highbit' email the same as file attachments (email is historically a 7-bit protocol) and posting it on http://rapidshare.de/ [rapidshare.de] at the 'sig' URL above. Download and enjoy! :)

P.S. see

http://slashdot.org/comments.pl?sid=184696&cid=152 59932 [slashdot.org]

and

http://slashdot.org/comments.pl?sid=171793&cid=143 07815 [slashdot.org]

for more info.

In short, my approach uses the venerated, time tested SMTP protocol and character set AGAINST spammers....

oh ooo!

"Only the Okopipi administrators will know their locations," the group said on its wiki. This should make a DDoS attack "very difficult", it said.

does this imply, security by obscurity. not a good idea!

* lon3st4r *

Re:Uhm... Okopipi

Okopipi is a poisonous blue frog. Quite appropriate I think.

As to the fact that it isn't "marketable", who cares. Would anyone have thought google was marketable before they started? If the product is good enough, the market doesn't care about the name.

Re:Hormel won't like it...

they do in fact don't like it details: http://www.spam.com/ci/ci_in.htm [spam.com]

Re:This is a monumentally stupid idea.

Maybe they need to form a cooperation then.

Re:This is a monumentally stupid idea.

I don't think it's a matter of being interesting or fun. It's a question of whether it is neccessary or not.

Rather than ignoring it and hoping it goes away, how about suggesting an alternative solution to the problem at hand?

Re:This is a monumentally stupid idea.

Ususally the sites hit were the former home of a spamsite or spammer and at the time of being hit were just the compromised box of an innocent webhost, university computer or other bystander. You can argue all you want about the 1:1 ratio of it, or that networks should be more responsible (I agree) but that doesn't make it right.

And to the person who said I should suggest something better -- how about a botnet reporting engine to let responsible ISPs know they have compromised machines on their network? Or a system of sifting through whois and domain registration data to determine who the good or bad registrars are out there (like are all phishing sites coming from one policy-loose registrar or not?). Or a system to combat phishing and fraud on the net.

I can come up with a 100 good ideas to make the net a better place and teach you 1000 things about system administration, networking, running big networks, building scalable systems. Take advantage of that, not of the Internet.

Being an operator (sysop/netop) is infinitely better than being a hacker. A hacker just needs to know one way into your system, an operator needs to know all the ways in. :-)

Best,
David

It's not DDoS.

The service fills in forms on spammers websites and submits it. This "corrupts" the data that the spammers are collecting by inserting hundreds of "opt out" submissions which makes finding the "valid" submissions (where stupid people responded to the spam looking to buy v1agr@) more difficult. There's nothing illegal (as far as I know) in using your own computer to fill out forms with bogus data.

The few hundred frog subscribers don't have the horsepower to shut down a Web server anyway. They just make the results of spamming much more difficult to sort through.

Mod parent down!

-1, both ignorant and irresponsible. Thank you.

DDoS of SixApart

What do you mean by "Blue Security isn't out of the woods yet legally and their DDoS of SixApart is far from a closed case." SixApart was attacked by the same people that attacked Blue Security. Blue security changed their DNS to point at their blog. Granted, changing the DNS records under the circumstances was irresponsible; however, your quote is misleading.

Re:This is a monumentally stupid idea.

regarding interesting tasks/job
my e-mail larytet at yahoo com