Domain: okopipi.org
Stories and comments across the archive that link to okopipi.org.
Comments · 13
-
Re:Do not spam?
Actually, seriously, did you hear about Blue Frog? Same idea.
Basically, you signed up at Blue Frog with your e-mail address, and they maintained a list of everyone's e-mails. Then, they provided a few Perl scripts that spammers could run on their e-mail DB which would remove those who had signed up at Blue Frog. The e-mails weren't actually revealed to the spammer -- it was just run against a hash.
As punishment for those spammers that didn't comply, Blue Frog provided an e-mail client plugin (even one for Gmail that was a Firefox extension) and anybody who got spammed, the client would automatically DoS the spammers website's contact form.
It actually seemed to work well for a while -- I noticed about a 25% reduction in spam, but eventually one guy ("PharmaMaster") attacked the Blue Frog servers (actually the DNS, which was hosted by UltraDNS), and Blue Frog gave up mid-fight. PharmaMaster was quoted as saying "Blue found the right solution to stop spam, and I can't let this continue".
The Okopipi Project was an attempt to create an open source clone of this system, but it's pretty dead.
-
The main difference: yours is illegalMy software is nothing like blue frog. The main difference is that BlueFrog took the same approach, but with adjustments to:
* keep it legal (a straight DDoS is not legal, and your users would expose themselves to legal repercussions)
* involve human-written scripts to access the spamvertized company's site, so that the response (a complaint) would be successfully delivered in the most effective way possible.
The legal question is essential. You need more than a few hundred (or a few thousand) people using the software, or the impact is negligible and avoidable. And of course if the spammers just manage to get one of your users or YOU heavily fined or jailed for DDoS attacks, that pretty much finishes it.
So BlueFrog was designed on the idea that one spam = one complaint on the spamvertized company's server, often submitted into an order form or something like that to get their attention. Unfortunately for their model, they managed this by having users send all spam to a central server, where they processed it and sent reporting scripts back out to the clients, who would submit the actual complaints. Obviously this presented an attackable weak link. The complaints would include text that told the spammer how to download software to clean *all* bluefrog users from their lists... unfortunately (this was the other, smaller flaw) the spammers could figure out the blue frog users on their lists by doing a simple compare of lists pre & post cleaning. Then harass them directly... though the number of users was high enough that this didn't amount to much in the end.
Personally, I STILL think this is the closest anyone has come to a successful campaign against spam. There's a project set up to create a similar, but distributed, system at http://okopipi.org/ if you are interested in pitching in and solving the remaining issues.
Just please don't create yet another DDoS against spammers tool (there are others out there already, of course) that is blatantly illegal to use and thus cannot be anything more than a mild irritation to spammers. -
bluesecurity had the right idea!
and now okopipi is going to be reborn: http://www.okopipi.org/article/129
When ? Who knows. -
How do you START it?
The problem with so many spam "solutions" is that they're all predicated on the vast majority of server admins in the world all magically agreeing on the solution and implementing it, all at once.
The whitelist solution is useless when 99.9999% of valid email servers are not yet on the whitelist, right? Because if you turned on whitelist filtering you'd just be blocking all mail. So no one will install and activate the filter until the vast majority of valid email senders *are* registered.
Now consider all of those busy admins of the outgoing mail servers. If they don't register to your whitelist, what happens? Nothing, because no one is filtering yet. So if they have to choose between sorting out this registration process (if they even happen to hear about it...) vs. replacing the flaky memory in server "vulcan22", which will they choose?
But we just need one of the big guys to get behind the plan, right? Well, Hotmail or Yahoo can't just turn on filtering either, because even if they saturate the globe with hugely expensive advertising explaining to email admins that they'd better register their servers before filter rollout in 2008, it simply won't happen for many, many servers until something actively *breaks*. And anyone using the podunk.com ISP suddenly finds their emails are rejected by Hotmail (but nowhere else)... so Hotmail customer support gets a flood of help requests, threats, angry emails, etc. etc.
Are you still sure the whitelist idea is good?
Think of online systems in terms of evolution. Every step has to have a good reason, or no matter how attractively you propose it, it cannot survive.
The Blue Security concept actually *worked* partly because it DID involve the end user. People pissed off by spam actually had legal recourse that they *knew* made the spammer's lives a little more difficult. "Sure, you can bulk-advertise with spam, but every spam you send us is going to result in one more complaint clogging up your order forms."
So even when there were only a handful of users (before the spam started dropping), there was a small benefit.
As soon as the userbase grew to 1/2 million or so (a drop in the bucket in terms of internet users, mind you) the benefit became large. My spam dropped to about 4 or 5 a day.
Of course, BlueSecurity's business model was an huge Achilles' heel. They were fairly decisively taken out of the game because of it. They were on the right path, though: counter automated contacts with automated responses. Keep it legal FTW. A small userbase can know they're at least a small thorn in the spammer's side, and a large userbase is a force to be reckoned with.
Work on a distributed system much like the BlueFrog approach started at Okopipi.org, but has lost steam. Anyone who wants to stir things up again should stop by and see what they can do. -
Yes! So please help the Okopipi project
Excellent point.
Unfortunately, I don't see any good solution to the pump-and-dump scams -- that's a much more complicated money trail. But we CAN stop the penis-enlargement spam by finding a way to stop the companies PAYING the spammers.
You mentioned Blue Security, which was seriously starting to make a difference (but had a huge Achilles heel in their business model...).
If enough dedicated developers are willing to help out on the slowly withering Okopipi project (founded to develop a decentralized version of Blue Security's system), it could quickly become a serious player in actually STOPPING spam, not just filtering it better for techies (which does *nothing* to discourage actual spammers).
The principle is the same as Blue Security used -- for every spam delivered to an Okopipi user (and reported as spam into the local Okopipi client), the advertised website gets an single generic opt-out request submitted automatically via the same client, generally submitting this request into the spamvertizers order forms, as that's often the only functional feedback mechanism they have (text something like "an unsolicited email advertising this product was sent to an Okopipi user: please visit okopipi.org for details on cleaning your lists").
There are obviously technical hurdles to surmount, and security issues to tackle, but a lot of design work addressing these is complete... right now the main issue is the project needs more smart, experienced programmers who can finalize designs, trash nonessential features, and get coding.
I'm personally trying to fire things up again, but there's no way I could do this kind of project solo. -
Re:Wasting our time...
I agree totally. Why not stop bitching and help fight spam instead?
-
Re:That's nice
But how about a nanofilter for SPAM!!!
You mean this one? (PDF) Or perhaps you would like a more proactive method? ;-)
And after the shameless plug, someone mod parent off-topic :P -
Re:My personal opinion and some clarifications
Hi SpyDerMan, I appreciate that you're trying to make a positive difference, and I'm concerned that the project may be trying to solve the problem by entirely the wrong means...
We've received HUNDREDS of volunteers to help us. And with more than 700 diggs, i doubt it's "unrepresentative".
The number of volunteers is certainly promising, and although 700 is a good start its definitely not a representative sample of the 1 billion people who now use the internet.
I note that there are as yet no volunteers in the "Legal Advice" section. Hopefully this will change and you'll have some specialists in international law willing to help out (perhaps a call to the EFF - see if they know anyone?).
It should be obvious by now that you haven't RTFA.
Only "the FAQ", "Security Concerns", "Project Description", several diagrams and some of the google groups discussion - and I enjoyed your peer review idea.
You're forgetting something, currently there's *NO* mechanism to enforce ALREADY EXISTING laws regarding SPAM. Spammers' servers are across the globe, where there are no laws.
So if there are no opt-out laws, how will clicking an opt-out link help? Is Okopipi entirely helpless against international spammers?
Note: "Yarr! We'll DDoS those scurvey ridden pirates" is not the correct answer here, obviously. So is Okopipi impotent?
I already said that, the "attacks" will be controlled but significant enough to disrupt the spammers' business. As if that wasn't enough, people who have voted to punish an innocent website will receive bad karma, this eliminates corruption from the network.
Whilst that might deter people from being petty and spiteful; its not perfect:
- it cannot stop mistakes from being made
- genuinely honest people can be corrupted, hoodwinked or can have their machines compromised.
Perhaps a short example will explain my concern. Imagine a web company that has an email list for their customers (a company that never spams, because they have to pay for the limited inbound and outbound bandwidth).
That company has an opt-out web page for their customer-email list. If someone were to "spam in their name" (i.e. without their knowing) how would they be able to stop their entire month of bandwidth being wasted by Okopipi clients automatically trying to unsubscribe?
Who is responsible if Okopipi "accidentally" attacks such a company? What recourse does the company have against the members of the Okopipi network? Will individual members be liable to court action, or will Okopipi?
-
Re:Myopic-kneejerk-retribution-a-go-goThe problem with Okopipi is that it amounts to an unelected and unrepresentative group that is appointing itself as police force, judge, jury and executioner.
Nonsense. All Okopipi will do is automate the opt-out/unsubscribe requests.
-
Link
-
P2P networks are obsolete.
The research i've been doing in P2P networks (due to my involvement in the okopipi project) has shocked me. In file sharing, we're living in the STONE AGE. Yes, even with bittorrent (which depends on centralized servers, and there's practically no privacy. And anonymous bittorrent like mutorrent is closed source, who knows if they got a backdoor in there).
EDonkey uses MD4 for hashing, it depends on central servers, and has no anonymity at all. And without mentioning queue # 4892 for a popular file.
Unfortunately for filesharers, file sharing networks based on modern P2P architectures is very scarse. The supernodes / ultrapeers approach is obsolete, easy to disrupt both denial of service and eavesdropping attacks.
The future of P2P is Overlay Networks.
From an architectural point of view, I would recommend the KAD p2p network, which bases its architecture on the relatively-new kadelmia network (See Technical paper on Kadlemia, 2002).
Even then, Kadelmia could be improved because it's based on a Pastry network topology - compared to other topologies like De Bruijn Graphs, proposed by a recent paper in 2003.
And more research is being done dealing with load balancing, anonymity, trust, reputation, etc.
As I said, current peer to peer networks are in the stone age. Someone needs to design a file sharing network based on the latest research, and publish it. -
Fred goes open source.
-
Re:P2P Blue Security?
Some people already started a new project based on the blue frog.
Check out:
http://www.okopipi.org/