BlackFrog to Take up BlueFrog's Flag
Runefox writes "ZDNet UK has a story about a new SPAM defense mechanism called BlackFrog, a response to the demise of Blue Security's BlueFrog. According to the article, the new service is based on a P2P network of clients, called the 'Frognet', which allows the opt-out service to continue functioning even after a server has gone down, making a DDoS attack like that which crippled BlueFrog ineffective against the new service."
Link to the project website.
How long until some hacker poisons the peer system into spamming a legitimate site?
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
I bet this was totally unexpected here ;-)
"Social" internet might not sound that great, but at least it has some great advantages like this (I don't consider file sharing an advantage, but fighting against SPAM is).
Try Digg instead
Sounds sort of insecure for a project like this to be openly editable to the public via a wiki and p2p network.
just too bad that someone couldn't get this into the BlueFrog stuff before it died.. at least then they would have a large userbase.. but if the Blue peps are the ones that look at the e-mails to make sure someone isn't being evil and submitting normal HAM - how is that going to work without master to authorize the clients???
'...if only "Jumping to a Conclusion" was an event in the Olympics.'
Just as a correction folks, it's not called "Black Frog" this is a mix up. There were two projects. Black Frog and Okopipi aiming for the same goal. Black Frog stopped and the people joined Okopipi.
I hope that people from bluefrog will release source of their utility. This new initiative could surely benefit from their sourcecode.
#
#\ @ ? Colonize Mars
#
Hmm, won't it be amusing for users' PCs to be spamming as part of a hidden botnet and running this at the same time. Hope they're not on dialup.
I think one of the most genial spamtools is SpamCannibal
http://www.spamcannibal.org/cannibal.cgi
I can imagine the slew of whiners who will complain about such a vigilante approach to this problem.
Well, remember Firefox, "We're taking back the web"? That's exactly what we're doing here. It's the only strategy that's going to work. Bitching and moaning won't get you a clean mailbox. Taking spammers down will.
If you disagree with fighting fire with fire, I suggest you also criticize any and all law enforcement activities. They're simply state-sponsored vigilantes.
Global warming is a cube.
I've been using ODF for spreadsheets and a novel for some time now. The novel has over 400 pages, and I haven't noticed any difference since I switched from the word doc format to ODF, well, other than really liking ODF as a format to work with.
Well, except that I no longer have to worry about only being able to edit my document safely in one editor, on one platform, that's a pretty big issue for me, huge even.
There's no way I'll ever use a microsoft editor again, just because I know they'll never willingly support other formats for the good of the consumer. Ok they *may* add support for ODF, but they wouldn't have if Mass' hadn't pushed them into a corner. That attitude is worrying, it speaks volumes about their trustworthiness. I wouldn't put it past them to somehow add an extension which meant my previously cross platform document 'accidentally' wasn't quite so cross platform/editor any more.
I thought the reason Blue Security closed shop was because the spammers had diff'd their user database, identified quite a large amount of the participants, and then threatened virus attacks directed at them. Not because of the DDoS.
...
Blue Security Gives up the Fight
The spammer also sent another message: Cease operations or Blue Security customers will soon find themselves targeted with virus-filled attacks.
"It's clear to us that [quitting] would be the only thing to prevent a full-scale cyber-war that we just don't have the authority to start," Reshef said. "Our users never signed up for this kind of thing."
I'm guessing the only real difference is that users will know this time around.
From their wiki:-
Okopipi will automatically click the "opt-out" or "unsubscribe" links contained within the emails and/or report the spam to the appropriate authorities.
I thought that it was generally a bad idea to click unsub or opt-out links in Spam messages since it only serves to prove they have a valid email address and the recipient actually reads Spam messages.
I have no sig yet I must scream.
The more successful it is, the more the Internet will be too bogged down to be useful to anybody.
Also, if someone programs the botnets to evolve to attack each other better, we're talking SkyNet right around the corner.
Every spammer gets a "Spring Surprise."
CrunchyFrog explained. http://orangecow.org/pythonet/sketches/crunchy.ht
Ok folks, let's get a few things straight.
Blue Frog was NOT effective not as a denial of service attack or distributed denial of service attack. It was never meant or designed to be. The Russian spammer said it himself - they never brought down our servers, they only served as "a daily nuisance". The nuisance was this: for every spam that the spammer sent to the some 500,000 Blue Frog members, an automated script (bot) visited the website advertised and filled out the form for snakeoil, home refinancing -- whatever was being hawked. But instead of filling it in with valid input from someone interested in what the website was hawking, it filled it in with a legitimate plea from a single person to Opt-out of being spammed further. With me so far?
The spammer -- or worse, the spammer's client -- in turn, goes to check on their database of people or leads to which they can hawk their snakeoil and generic viagra and lo and behold, instead of being filled with legitimate contacts of people they can do business with -- it's filled with hundreds upon thousands of opt-out requests.
Undoubtedly there are real requests from potential business contacts in there. But first they have to filter out all the opt-out requests that Blue Frog has submitted.
Sound familiar? It sure does. It's what we've been putting up with for years. We open our Inbox and instead of seeing email from friends and business associates, we first have to sift through and filter a few gazillion pieces of spam -- each with "Hi How are you?" and "Important Account Information" fake titles. Only then can we get down to the email that's actually sent to us. It's a nuisance.
Blue Frog forced spammers to deal with the SAME NUISANCE they cause us. And the spammers didn't care for it too much. They don't care about opt-out requests, the Internet, what people think of them, possible prosecution --- all they care about is making money and they're making it by the truckload. The fact that Blue Frog actually bothered them enough to use their botnets to attack is VERY encouraging. It means we've found a way to kick them in the ass and make it hurt.
Please don't compare Blue Frog or Black Frog to a DDOS or DOS. As the Russian Spammer demonstrated with his attack, what little network disturbance Blue or Black Frog causes for the spammer or spammer client server pales in comparison to a real attack. Mainly because it isn't meant to be an attack in the first place.
If Black Frog ends up with 1,000,000 subscribers, then let's talk DDOS.
What kind of name is Okopipi? That is real marketable. Stupid. Leave it up to a bunch of nerds to use a ridiculous name for a product.
Wow, a real live anarchist.
Isn't that the old Minitel system?
You can't trust the "members". Say that a savvy black hat creates many "tainted-members". What happens if the "tainted-members" all report that a legitimate site is spamming?
I think one method for this to work is for each suggested target be evaluated by each member. The member has to agree that this is a valid target before his account participates in the attack.
Minor point here, but SPAM (All caps) is the foodstuff. Spam (Not all caps) is the bloody awful mountain of email we all receive every morning.
I thought we knew better than that.
How many people can read hex if only you and dead people can read hex?
I think one method for this to work is for each suggested target be evaluated by each member. The member has to agree that this is a valid target before his account participates in the attack.
So I guess the question is how is this any different from individual users crafting their own attacks? For me the nice thing about Blue Frog was they crafted a script for me that will be used to attack. I'm sure this new project will do something similar.
And I could even see a karma system for the members. Members that suggest valid targets gets modded up.
I'd like to hope Okopipi could make a positive difference, but it cannot, because it is open to exploitation by the very people it's trying to stop.
Okopipi's greatest asset: people who are desperate to stop spam; is also its greatest weakness, because their frustration sometimes leads them to take ill considered actions without first understanding the facts. Choosing to publish the statement below is a fairly pertinent example:
It's difficult to see any way this statement could be more wrong.
When a state sponsored law enforcement official does their work they are enacting the will of a democratically elected government. It is a careful and methodical process designed to protect the innocent.
Their job works like this:
The problem with Okopipi is that it amounts to an unelected and unrepresentative group that is appointing itself as police force, judge, jury and executioner.
The result is that members of the Okopipi network and innocent bystanders with websites will become the target of the organised crime that is funding the spammers.
At which point your friendly "state sponsored vigilante" is only a phone call away.
boakes.org
I don't see why the froggy approach is the best direction. Yes, I see the logic in fighting fire with fire. But I've heard that water and foam are also used -- sometimes with good effect -- to fight fires. Sometimes axes are also used.
As an email user, I only care about the second objective. (Don't worry, as an Internet user, I realize my self-interest in supporting the first objective, but it seems more directly relevant to network admins and a "tragedy of the commons" problem for the rest of us.)
Permission-based email starts to make real headway on the second objective, but it doesn't seem to be a common offering. I'm pretty sure one of the Baby Bell ISPs offers it, but I forget which one. Does anyone know more about this and which ISPs might offer it?
Better still, does anyone know of an open-source add-on for mail servers that will do this?
"It will be based on a P2P network (the frognet)," according to a posting on the wiki. "On failure to connect it could still opt out given email addresses."
Participants will send reports of spam emails to Okopipi, which will use "handlers", including dedicated servers, to analyse it. To avoid suffering the same fate as Blue Security, Okopipi's staff will not disclose information about its servers.
"Only the Okopipi administrators will know their locations," the group said on its wiki. This should make a DDoS attack "very difficult", it said.
That seems solid, but I wonder how something so open can keep a secret like what and where its servers are. It's beyond me, anyone have more info?
Slashdot Burying Stories About Slashdot Media Owned
Misses the point entirely. If Black Frog ends up with 1,000,000 subscribers, let's talk about forming a PAC and getting legislation passed. Think $5-10 donation per person, with all proceeds going to fund the PAC. Now you can buy laws and screw spammers permanently. You've also got a handy voting bloc for, let's say, the next Presidential race. Before you laugh, remember that the last race was won by a lot less than that.
The Russian spammer said it himself - they never brought down our servers, they only served as "a daily nuisance".
And we know this is true because Russian spammers are known throughout the world for their unassailable truthiness.
Can anyone read the subject line five times quickly and get it right? :)
All your sig are belong to us.
There is a history of this issue and related links here. The castlecops stuff has threads of the original spam message board threads.
When a state sponsored law enforcement official does their work they are enacting the will of a democratically elected government. It is a careful and methodical process designed to protect the innocent.
Perhaps the GP was from the US, where that doesn't hold true anymore...
I [may] disapprove of what you say, but I will defend to the death your right to say it.
Let's be realistic -- This is a great way to get arrested.
Building software to construct botnets is a totally unproductive use of time. Running botnets that DDoS sites all over the net is illegal. Blue Security isn't out of the woods yet legally and their DDoS of SixApart is far from a closed case.
If you think this kind of coding is interesting and fun then shoot me an email -- I'll give you an internship (or a job) working on way more productive and positive projects that will impact just as many (if not more) people.
-david
# Hack the planet, it's important.
Are you saying that we should be fighting spammers with axes?
I'd personally like to collapse their children's skulls with a rusty used camshaft taken from a 1985 Pontiac Iron Duke. Think of an overweight cast iron baseball bat with induction-hardened lobes to ensure non-uniform cranial trauma.
I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
Hey what about an anti-spamming version of this toad [en.wikipedia]? XD
As far as "poisoning" the black list with a wrong target, who needs to? That would only be an overly complicated form of DDoS attack, which can be accomplished much more simply already. It's not something to worry about yet.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
"The project should also take care not to cross the line from legitimate spam complaints to attacking spammers using DDoS-like techniques,"
That's what it basically sounds like.
They're automatically doing what spammers wanted people to do, based on the assumption that the spammers didn't set up the infrastructure necessary to support the e-mails they're sending.
For me, this would work well with a Thunderbird plugin: Say an option to send the opt-out as a right-click.
I have a catchall account for non-valid email addresses in my domain. Everything that goes there is junk. I could have t-bird's junk filter grab it (mostly it does correctly at this point.), and then when I manually delete stuff, perhaps there could be a right-click to mark as frog-food? (about two thousand a day. fun fun.)
My $.02
The service fills in forms on spammers websites and submits it. This "corrupts" the data that the spammers are collecting by inserting hundreds of "opt out" submissions which makes finding the "valid" submissions (where stupid people responded to the spam looking to buy v1agr@) more difficult. There's nothing illegal (as far as I know) in using your own computer to fill out forms with bogus data.
The few hundred frog subscribers don't have the horsepower to shut down a Web server anyway. They just make the results of spamming much more difficult to sort through.
Interested in a Flash-based MAME front end? Visit mame.danzbb.com
I've been running an ISP called FrogNet (http://www.frognet.net/) for the past 10 years. I am SO looking forward to feeling misdirected spammer wrath.
"so it can punish the people who hired the spammers"
When the spammers' clients have to pay BIG TIME for MY inbox and everybody else's inboxes getting full of spam, that is when I expect spam to dry up.
Until then it's all just wanking.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
Remove the demand
Get people to stop buying things from people that Spam. If they open a storefront, send out Spam and get zero response they will stop.
Educate people:
Tell grandpa to stop ordering Viagra from these people!
You cannot buy a Rolex for $99!
Your Johnson will not grow if you take a pill!
Remove the supply.
The other thing that needs to happen is the companies that produce these products being sold need to be accountable for where their merchandise is being sold. I think the best approach to this is for a service like Black Frog that sends an E-mail to the manufacturer stating "Please inform merchant XYZ that I no longer want to receive E-mail offers that include your product." This will be a long hard road since many of the pill companies sell knock-offs that are not genuine. These companies will be more inclined to prosecute the people that are misrepresenting their product this way. The others will find ways to control the supply chain better.
I don't see a spammer ever going away unless you make the internet unprofitable for them. Irritating them costs them $0. Removing the supply and demand is the only solution.
Slashdot +1 funny -4 Insightful +1 informative -2 Redundant
Karma: Somewhere between SCO and Microsoft
Find out their physical locations and make them public. Mob justice works fast.
Justice is the sheep getting arrested while an impartial judge declares the vote void.
We're (yes, I'm part of the team - hello slashdot!) currently discussing using the main servers thru various proxies to anonymize the IP address. On a DDOS attack, the servers would just disconnect and then reconnect to another proxy and voila.
Also, the servers are the ones with the Central PGP authority. The network can still operate without servers, they're just needed for login (for now).
The network is P2P, but authority is hierarchical. We'll use anonymous routing to prevent DDOS on the high authority nodes. And the network will require a validated login.
On the remote case we suffer a complete P2P blackout, the frogs can still opt out - the network will only be used as a regulation mechanism.
We'll use throttling techniques to let them live and breathe.
What we're going to do, is poison their purchase forms (as Blue Sec. did) with enough requests so they have to search in them before finding true customers.
The problem with Okopipi is that it amounts to an unelected and unrepresentative group that is appointing itself as police force, judge, jury and executioner.
Unelected? Unrepresentative? We've received HUNDREDS of volunteers to help us. And with more than 700 diggs (yes, blasphemy! don't burn me), I doubt it's "unrepresentative".
The problem with Okopipi is that it amounts to an unelected and unrepresentative group that is appointing itself as police force, judge, jury and executioner.
It should be obvious by now that you haven't RTFA. The network will have a system of trust and reputation (karma), and there WILL be people gathering evidence.
One thing to clarify. It's an open network, but unlike other P2P networks this one is willing to cooperate with the police. We're going to give authorities and recognized companies PGP-based authorization (on request) so they can work with their own nodes and recognize authentic SPAM.
The result is that members of the Okopipi network and innocent bystanders with websites will become the target of the organised crime that is funding the spammers.
Sure, let them earn MORE money and become MORE powerful so they'll lobby the congress and throw away the can-spam act.
You're forgetting something, currently there's *NO* mechanism to enforce ALREADY EXISTING laws regarding SPAM. Spammers' servers are across the globe, where there are no laws. And not only they're bypassing the countries frontiers, they're also committing FRAUD. They're telling the marketers: "Look! These people are willing to receive your offers for cheap viagra, they WANT to buy our products!". But we're not. ALL WE ASK is to GET OUT of their lists.
Also, we don't want to DDOS sites. I already said that, the "attacks" will be controlled but significant enough to disrupt the spammers' business.
And FINALLY, the network will NOT be used to INITIATE attacks. The attacks are the sole responsibility of the CLIENT - the system has been designed this way to prevent abuse.
In other words:
* The police force is THE PEOPLE (those who submit their SPAM, plus we'll have spam honeypots and cooperate with SpamHaus and other authorities)
* The jury is THE PEOPLE (the people who have earned enough trust to participate in the classification of websites, or simply those who emit votes. As if that wasn't enough, people who have voted to punish an innocent website will receive bad karma, this eliminates corruption from the network.)
* The judge is also appointed by THE PEOPLE. Those who have earned enough trust to write the opt-out scripts. Maybe even the FTC with their own authorized nodes.
* The executioner is the PEOPLE, those who have installed the clients on their system. It's their decision to opt out from the websites, no one else's.
It seems pretty democratic to me.
Any questions?
Disclaimer: This is my personal opinion and does not reflect the viewpoints of other members of the Okopipi project.
--
Sheesh people! I hate to have to respond to 1,000 comments made by kneejerks who don't even RTFA, saying how terrible it's to DDOS and how the system could be abused.
Do you think we're idiots to let something like this happen?
1. The "attacks" on websites will be moderated. We want to make sure that the force is non-lethal to websites. We haven't discussed the implementations, but the decision has been taken: We will use throttling to PREVENT denial-of-service attacks.
2. The P2P network does *NOT* control the clients, it'll only distribute opt-out scripts for websites. Also, the customer can log out ANY TIME they want. So, NO, it's NOT a botnet.
3. Spammers Don't need P2P networks to initiate an attack. They already have their effective botnets in infected WinXP machines.
4. There will be a reputation system AND a hierarchy system (so not everyone can mod someone down), people will have to earn their trust to classify scripts, those who report wrong sites will be modded down, and the usernames and reputations are permanent. The hierarchy system we're studying requires at least two people acting as an individual before taking any action, to prevent infiltrations.
5. We're already considering infiltration of spammers in our model, we're researching papers written by experts in graph theory and computer science for this. A spammer could at most try to disable the network, but with the currently planned infrastructure, I doubt they can do it.
6. We haven't started to code. We're still discussing (and will continue to discuss) the possible consequences, abuses, attacks and how to prevent them or at least minimize them. We cannot afford to have ANY point of failure.
7. If anyone wants to cooperate, the google group is open to ideas.
8. And I repeat: we will *NOT* DDOS websites. It's a decision the committee has taken, and it's a final decision. There have been people who have proposed to DDOS the spammers to death, and we're already shutting them up.
-1, both ignorant and irresponsible. Thank you.
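The controls listed in points 4 and 5 of the comment above (votes only from accounts that have earned trust, at least two people before any action, karma loss for voting against an innocent site) can be modelled as below. This is an added sketch, not Okopipi's code, which per point 6 had not been written; every name, threshold and hostname in it is an assumption chosen for illustration.

```python
from dataclasses import dataclass, field

# All thresholds are assumed values for illustration, not from the project.
MIN_REVIEWER_KARMA = 50   # karma needed before a vote carries any weight
MIN_TRUSTED_VOTES = 2     # the "at least two people" rule from point 4
APPROVAL_WEIGHT = 150     # total trusted karma needed to approve a target
KARMA_CAP = 100           # per-vote cap so one old account cannot decide alone
WRONG_VOTE_PENALTY = 40   # karma lost for voting to punish an innocent site


@dataclass
class Member:
    name: str
    karma: int = 0        # fresh accounts start with zero voting weight


@dataclass
class Proposal:
    target: str
    votes: dict = field(default_factory=dict)  # member name -> True if "spam"


class Registry:
    def __init__(self):
        self.members = {}
        self.proposals = {}

    def add_member(self, name, karma=0):
        self.members[name] = Member(name, karma)

    def vote(self, name, target, is_spam):
        if name not in self.members:
            raise KeyError(f"unknown member: {name}")
        prop = self.proposals.setdefault(target, Proposal(target))
        prop.votes[name] = is_spam          # one vote per account

    def decision(self, target):
        """Return 'approved', 'rejected' or 'pending' for a reported site."""
        prop = self.proposals.get(target)
        if prop is None:
            return "pending"
        yes_weight = no_weight = trusted_yes = 0
        for name, is_spam in prop.votes.items():
            karma = self.members[name].karma
            if karma < MIN_REVIEWER_KARMA:
                continue                    # mass-registered accounts count for nothing
            weight = min(karma, KARMA_CAP)
            if is_spam:
                yes_weight += weight
                trusted_yes += 1
            else:
                no_weight += weight
        if no_weight > 0 and no_weight >= yes_weight:
            return "rejected"               # trusted dissent blocks the listing
        if trusted_yes >= MIN_TRUSTED_VOTES and yes_weight >= APPROVAL_WEIGHT:
            return "approved"
        return "pending"

    def adjudicate_innocent(self, target):
        """Evidence review found the site innocent: everyone who voted to
        punish it loses karma (floored at zero). Returns the names penalised."""
        penalised = []
        for name, is_spam in self.proposals[target].votes.items():
            if is_spam:
                member = self.members[name]
                member.karma = max(0, member.karma - WRONG_VOTE_PENALTY)
                penalised.append(name)
        return penalised


if __name__ == "__main__":
    reg = Registry()
    for i in range(200):                    # constructed "tainted member" accounts
        reg.add_member(f"sybil{i}")
        reg.vote(f"sybil{i}", "legit.example", True)
    print("200 untrusted reports:", reg.decision("legit.example"))
```

The gate only holds while karma is expensive to earn; an account that builds karma honestly and then votes maliciously is limited by the two-person rule and the per-vote cap, not prevented.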
... But I use gmail almost exclusively and receive a ton of spam, but what little gets through their filter is caught by Thunderbird. Now, I know Google and Mozilla, Inc. are pretty innovative groups, but why can't others do what they're doing? Especially as Thunderbird is open source? Spam exists because it is profitable. If people saw very little spam it wouldn't be so profitable anymore.
I dream of a better world... one in which chickens can cross roads without their motives being questioned.
... like infecting the spammer with AIDS or Rabies - I'm sure they'll be the last customer of those "cureall" stores
Did you know that "FTW" ("for the win") is a direct translation of "Sieg Heil"?
Hover Cover!
Man, you really need that seminar!
Due to TradeMark conflict, I have closed the Black Frog project. Actually the project was just a nameholder, since Okopipi was a separate project which I joined later.
So the official name of the P2P antispam software is now "Okopipi". Please stop naming it "Black Frog" or we could get sued for Trademark Infringement.
Thank you.
(More info on my journal)
What do you mean by "Blue Security isn't out of the woods yet legally and their DDoS of SixApart is far from a closed case." SixApart was attacked by the same people that attacked Blue Security. Blue security changed their DNS to point at their blog. Granted, changing the DNS records under the circumstances was irresponsible; however, your quote is misleading.
I never clip my fingernails for fear of dangling symbolic links.
Let's get this straight. Over one day a spammer sends 5 million invitations to go to a web site to buy a product. Over one day 5 million recipients visit the web site and in compliance with the CAN-SPAM Act request to be removed from the mailing list.
A DDOS is an illegal act. 5 million responses to an invitation is a CAN-SPAM compliant act.
Why do so many people not understand the difference? Is it from ignorance, or from vested interests in spreading spam?
---
nostalgia ain't what it used to be
-Mike
I'm sorry; I don't know what I was thinking!
Disclaimer: I wrote it. I use it. It's 100% free (keep your money).
:)
It was available at my website (more info here if you want to read it) but it got 'Slashdotted' and was 'removed'. So I finally got around to updating it with statistics logging to 'prove' its effectiveness, to accommodate 'flakey' mailservers that might not like a highly efficient POP3 client accessing them, and to treat 'highbit' email the same as file attachments (email is historically a 7-bit protocol) and posting it on http://rapidshare.de/ at the 'sig' URL above. Download and enjoy!
P.S. see
http://slashdot.org/comments.pl?sid=184696&cid=15
and
http://slashdot.org/comments.pl?sid=171793&cid=14
for more info.
In short, my approach uses the venerated, time tested SMTP protocol and character set AGAINST spammers....
I noticed you had no option for YOU to go deal with the mom beater. To me, that is a better option, or even better than THAT, is that your mom gets the training and the tools needed to protect herself. I know a lot of women-including "grandmaw" age women, who have "opted out" of the "professional victim in advance" mindset. Perhaps it is the crowd of adults I hang out with, maybe you don't know anyone but professional victims, or perhaps you live someplace where "the police" insist that you be a victim to maintain "societal norms" or something. Either way, you left out the best options in your list.
With this SPAM deal, people getting spammed opt out automatically, and in large numbers, that's it, all it does is speed up the process and further protect against a backlash from the scumbag spam scammers. There is nothing illogical or unethical about it that I can see, and it doesn't even come close to being a vigilante effort, it is pure self defense. Only real spam in real people's inboxes gets reacted to, so there ya go. And "your competitor" you are going to poison the system with? You mean some OTHER spammer? Another cut rate mortgage/bank info stealer or diluted drug or counterfeit watch or dick lengthening merchant? HAHAHAHAH! WHO CARES! The only "competitors" for bogus spammed crap are OTHER SPAMMERS.
We need to get rid of this bogus institutionalized and brainwashed politically correct weenieism in our society, you ARE allowed self defense, at least in the US anyway (outside of strange foreign nations like NYC and chicago where the bill of rights don't seem to matter), following some basic common sense criteria, and I assure you, from a "been there, done that, the bad guy lost hard" personal level (several times actually) it can and does work every single day of the year, even if the MSM won't report on it.
So does this system do nothing against spam that does not contain a url (stock tip, 419's, diploma spam that uses phone numbers instead of urls, etc.)?
boakes.org
Does this imply security by obscurity? Not a good idea!
* lon3st4r *
100% correct -- all this tool is doing is evening out the balance so that spam becomes more like a normal commercial interaction.
If the spammers were willing to manually type out each spam message and type my address in by hand, THEN it would be balanced when, receiving the spam, I need to manually navigate to the advertised site, find a "remove me" page, and manually type in my address.
Of course they aren't going to do that -- this is the computer age. Computers exist to rapidly accomplish these kind of tedious tasks: hence the obviousness of also automating the complaint/opt-out procedure for the steadily growing amounts of email I don't want. No DDoS, no "attack", no "fighting fire with fire" or "spamming the spammers" -- just carrying out a normal, totally-legal business relationship on the scale the spammers have chosen.