BlackFrog to Take up BlueFrog's Flag
Runefox writes "ZDNet UK has a story about a new SPAM defense mechanism called BlackFrog, a response to the demise of Blue Security's BlueFrog. According to the article, the new service is based on a P2P network of clients, called the 'Frognet', which allows the opt-out service to continue functioning even after a server has gone down, making a DDoS attack like that which crippled BlueFrog ineffective against the new service."
How long until some hacker poisons the peer system into spamming a legitimate site?
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
Sounds sort of insecure for a project like this to be openly editable to the public via a wiki and p2p network.
Just too bad that someone couldn't get this into the BlueFrog stuff before it died.. at least then they would have a large userbase.. but if the Blue peeps are the ones that look at the e-mails to make sure someone isn't being evil and submitting normal HAM - how is that going to work without a master to authorize the clients???
'...if only "Jumping to a Conclusion" was an event in the Olympics.'
I can imagine the slew of whiners who will complain about such a vigilante approach to this problem.
Well, remember Firefox, "We're taking back the web"? That's exactly what we're doing here. It's the only strategy that's going to work. Bitching and moaning won't get you a clean mailbox. Taking spammers down will.
If you disagree with fighting fire with fire, I suggest you also criticize any and all law enforcement activities. They're simply state-sponsored vigilantes.
Global warming is a cube.
From their wiki:
Okopipi will automatically click the "opt-out" or "unsubscribe" links contained within the emails and/or report the spam to the appropriate authorities.
I thought that it was generally a bad idea to click unsub or opt-out links in Spam messages since it only serves to prove they have a valid email address and the recipient actually reads Spam messages.
I have no sig yet I must scream.
I'll probably sign up for this blackfrog thing once I've checked it out. In fact, I'd probably consider giving money to someone collecting money to pay someone else to beat the shit out of the world's top spammers. I'm serious, they're scum..
/Mikael
Greylisting is to SMTP as NAT is to IPv4
Ok folks, let's get a few things straight.
Blue Frog was NOT effective as a denial of service attack or distributed denial of service attack. It was never meant or designed to be. The Russian spammer said it himself - they never brought down our servers, they only served as "a daily nuisance". The nuisance was this: for every spam that the spammer sent to the some 500,000 Blue Frog members, an automated script (bot) visited the website advertised and filled out the form for snakeoil, home refinancing -- whatever was being hawked. But instead of filling it in with valid input from someone interested in what the website was hawking, it filled it in with a legitimate plea from a single person to opt out of being spammed further. With me so far?
The spammer -- or worse, the spammer's client -- in turn, goes to check on their database of people or leads to which they can hawk their snakeoil and generic viagra and lo and behold, instead of being filled with legitimate contacts of people they can do business with -- it's filled with hundreds upon thousands of opt-out requests.
Undoubtedly there are real requests from potential business contacts in there. But first they have to filter out all the opt-out requests that Blue Frog has submitted.
Sound familiar? It sure does. It's what we've been putting up with for years. We open our Inbox and instead of seeing email from friends and business associates, we first have to sift through and filter a few gazillion pieces of spam -- each with "Hi How are you?" and "Important Account Information" fake titles. Only then can we get down to the email that's actually sent to us. It's a nuisance.
Blue Frog forced spammers to deal with the SAME NUISANCE they cause us. And the spammers didn't care for it too much. They don't care about opt-out requests, the Internet, what people think of them, possible prosecution --- all they care about is making money and they're making it by the truckload. The fact that Blue Frog actually bothered them enough to use their botnets to attack is VERY encouraging. It means we've found a way to kick them in the ass and make it hurt.
Please don't compare Blue Frog or Black Frog to a DDOS or DOS. As the Russian Spammer demonstrated with his attack, what little network disturbance Blue or Black Frog causes for the spammer or spammer client server pales in comparison to a real attack. Mainly because it isn't meant to be an attack in the first place.
If Black Frog ends up with 1,000,000 subscribers, then let's talk DDOS.
Okopipi is a poisonous blue frog. Quite appropriate I think.
As to the fact that it isn't "marketable", who cares. Would anyone have thought Google was marketable before they started? If the product is good enough, the market doesn't care about the name.
You can't trust the "members". Say that a savvy black hat creates many "tainted-members". What happens if the "tainted-members" all report that a legitimate site is spamming?
I think one method for this to work is for each suggested target to be evaluated by each member. The member has to agree that this is a valid target before his account participates in the attack.
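As an added illustration (not code from the thread or from the Okopipi project), a toy model of the "tainted member" concern: it compares a naive shared-threshold rule, where a site reported by enough members becomes a target for the whole network, with the per-member confirmation rule suggested above. All member names, site names and counts are constructed.

```python
"""Toy model of the 'tainted member' concern: which members end up acting
against a reported site under a shared-threshold rule versus a rule where
each member must confirm the target itself. Constructed data; no network I/O."""
from dataclasses import dataclass, field


@dataclass
class Member:
    name: str
    spam_seen: set = field(default_factory=set)  # sites whose spam this member really received
    reports: set = field(default_factory=set)    # sites this member reports to the network
    malicious: bool = False                      # a 'tainted member' acts on anything it reported


def shared_threshold_targets(members, threshold):
    """Naive rule: a site reported by at least `threshold` members becomes a target for everyone."""
    counts = {}
    for m in members:
        for site in m.reports:
            counts[site] = counts.get(site, 0) + 1
    return {site for site, n in counts.items() if n >= threshold}


def participants(members, targets, per_member_confirm):
    """Map each target to the names of members who would act on it.
    per_member_confirm=False: every member acts on every network-wide target.
    per_member_confirm=True:  an honest member acts only on sites it can confirm
    from its own inbox; a malicious member acts on whatever it reported."""
    acting = {site: set() for site in targets}
    for site in targets:
        for m in members:
            confirmed = site in m.spam_seen or (m.malicious and site in m.reports)
            if not per_member_confirm or confirmed:
                acting[site].add(m.name)
    return acting


def build_frognet(honest=100, sybils=50):
    """Constructed network: honest members all received spam for one site;
    Sybil accounts received no spam but all report a legitimate site."""
    members = [Member(f"honest{i}", {"spamshop.example"}, {"spamshop.example"})
               for i in range(honest)]
    members += [Member(f"sybil{i}", set(), {"legit-store.example"}, malicious=True)
                for i in range(sybils)]
    return members


if __name__ == "__main__":
    net = build_frognet()
    targets = shared_threshold_targets(net, threshold=25)
    for mode in (False, True):
        acting = participants(net, targets, per_member_confirm=mode)
        print(f"per-member confirmation={mode}:",
              {site: len(names) for site, names in sorted(acting.items())})
```

Under the shared threshold, 50 Sybil accounts recruit all 150 members against the legitimate site; with per-member confirmation only the 50 Sybils themselves act, so the poisoning is capped at the attacker's own resources.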
I'd like to hope Okopipi could make a positive difference, but it cannot, because it is open to exploitation by the very people it's trying to stop.
Okopipi's greatest asset, people who are desperate to stop spam, is also its greatest weakness, because their frustration sometimes leads them to take ill-considered actions without first understanding the facts. Choosing to publish the statement below is a fairly pertinent example:
It's difficult to see any way this statement could be more wrong.
When a state-sponsored law enforcement official does their work they are enacting the will of a democratically elected government. It is a careful and methodical process designed to protect the innocent.
Their job works like this:
The problem with Okopipi is that it amounts to an unelected and unrepresentative group that is appointing itself as police force, judge, jury and executioner.
The result is that members of the Okopipi network and innocent bystanders with websites will become the target of the organised crime that is funding the spammers.
At which point your friendly "state sponsored vigilante" is only a phone call away.
boakes.org
Frankly, they should have let the spammers go for it then. If you give in to Terrorists, you can only expect more terror in the future. Or so all the western governments seem to keep telling us as they send in the special forces.
If the spammer took out a public enough target, the authorities would have had to get involved. BlueSecurity wasn't doing anything illegal (or even immoral - they only filled in the webform once for each email a user received), so it's a pity they were hounded out.
"That's not the same thing as going to a site solely to attack the operator, with no interest in any content beyond maybe using it in the attack."
If the site operator sends out a million invitations to come to his website, and gets a million hits because of that, is it an attack? No. The invitation has 3 options: browse, buy something, or opt out. Automating that process is not an attack. If the operator sends out a million invitations he had best have the bandwidth to accommodate the million potential hits. If he doesn't then too bad. The spammers are like the ISPs that have oversold bandwidth. Now that someone wants to take them up on their offer to come and visit, planning on a 1% or 2% response to the spam ads won't cut it. And for that I have ZERO sympathy.
And finally, BlueFrog's stated intention was not to break it or slow it down. In fact they went to very reasonable lengths to avoid exactly that. Call it an attack if you want, but looking at the methods and actions involved, I just don't see how that term applies. They were a lot more reasonable than I would have been.
Let's get this straight. Over one day a spammer sends 5 million invitations to go to a web site to buy a product. Over one day 5 million recipients visit the web site and in compliance with the CAN-SPAM Act request to be removed from the mailing list.
A DDOS is an illegal act. 5 million responses to an invitation is a CAN-SPAM compliant act.
Why do so many people not understand the difference? Is it from ignorance, or from vested interests in spreading spam?
---
nostalgia ain't what it used to be