Slashdot Mirror


BlackFrog to Take up BlueFrog's Flag

Runefox writes "ZDNet UK has a story about a new SPAM defense mechanism called BlackFrog, a response to the demise of Blue Security's BlueFrog. According to the article, the new service is based on a P2P network of clients, called the 'Frognet', which allows the opt-out service to continue functioning even after a server has gone down, making a DDoS attack like that which crippled BlueFrog ineffective against the new service."

44 of 178 comments

  1. Link by Anonymous Coward · · Score: 4, Informative
    1. Re:Link by WhiplashII · · Score: 2, Interesting

      To get the same effect in a perfectly legal and unstoppable way, alter Mozilla and other email clients so that when you click on the junk button it automatically goes and fills out the form, etc - without accessing a separate server. That way, they get a response from each person solicited or spammed (perfectly reasonable) and they have to sort through the responses to find the ones that fell for the scam.

      Many people will say that if you do this the spammers will know your address. My response: 1) they obviously already know your address, and 2) if everyone does it, it won't help that they know your address. The point is not to make you personally get less spam, the point is to eliminate spam as an easy option for criminals.

      --
      while (sig==sig) sig=!sig;
    2. Re:Link by Smidge204 · · Score: 2, Interesting

      1) they obviously already know your address

      Maybe, maybe not. They have your e-mail in a list somewhere, but they don't know if it's still valid. Sending a real response proves that it IS valid and IS checked actively, which increases its value when sold to advertisers or sold/traded to other spammers.

      NOT replying puts a little "?" on the message, because they know the address is probably still valid (didn't bounce) but there was no reply (maybe nobody checks it)?

      I think the better solution would be to send forged bounce errors back to the sender in hopes that they'll think the e-mail is dead, and remove it from their list.
      =Smidge=

  2. Poisonous frogs? by RingDev · · Score: 4, Insightful

    How long until some hacker poisons the peer system into spamming a legitimate site?

    -Rick

    --
    "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
    1. Re:Poisonous frogs? by Paran · · Score: 2, Insightful

      FTA:
      Participants will send reports of spam emails to Okopipi, which will use "handlers", including dedicated servers, to analyse it. To avoid suffering the same fate as Blue Security, Okopipi's staff will not disclose information about its servers.

      Sounds like the same idea as Blue Security, only they're hiding. Probably will result in the same outcome. Massive DDoS on their "hidden" servers.

    2. Re:Poisonous frogs? by iminplaya · · Score: 3, Funny

      ...Okopipi's staff will not disclose information about its servers.

      Aahhh...the old security through obscurity trick, eh? Should work as well as the cone of silence.

      --
      What?
    3. Re:Poisonous frogs? by lhorn · · Score: 3, Informative

      That's the whole point of an analysis before sending opt-out messages from all members. I am not familiar with Black Frog's intended function, but if a certain percentage of their members gets similar messages it's a fair bet it is spam. A FrogHerder must look at the message to ensure it is sufficiently spammy, before action - this may even be legal somewhere in the world.

      --
      accept no limits but time
    4. Re:Poisonous frogs? by mybootorg · · Score: 2, Informative

      I think it might be helpful for you to go back and read up on what Blue Frog was initially about. Their FAQ is undoubtedly cached somewhere. Many of the people posting here -- and nearly all of the media in past weeks -- have missed the point entirely. Because of the deliciously newsworthy "angle" of using spam vs. spam, most reporters have molded Frog to fit that news story, but not to represent what it actually was.

      Blue Frog didn't automatically focus on every Spam that was submitted. It focused on the ones where it could do the most good. To be specific, the developers would identify Spam that had been submitted to the most Frog members and originating from Spam networks that were not in compliance with the Blue Frog opt-out list.

      Then the developers would visit the page and develop a script/bot that would submit opt-out requests using the E-Commerce or "For More Information" forms on the website.

      Given this, I think it's pretty unlikely that someone would get hit by accident, don't you agree? Frog was never a completely automatic process. It required intervention and that's a good thing.

      Blue Frog won because it was systematically beating the big spammers into submission, one spammer at a time.

  3. seems insecure by robinesque · · Score: 3, Insightful

    Sounds sort of insecure for a project like this to be openly editable to the public via a wiki and p2p network.

  4. good idea by Amouth · · Score: 2, Insightful

    just too bad that someone couldn't get this into the BlueFrog stuff before it died.. at least then they would have a large userbase.. but if the Blue peps are the ones that look at the e-mails to make sure someone isn't being evil and submitting normal HAM - how is that going to work without a master to authorize the clients???

    --
    '...if only "Jumping to a Conclusion" was an event in the Olympics.'
  5. Once you go black, you never go back. by DigDuality · · Score: 5, Informative

    Just as a correction folks, it's not called "Black Frog"; this is a mix-up. There were two projects, Black Frog and Okopipi, aiming for the same goal. Black Frog stopped and the people joined Okopipi.

    1. Re:Once you go black, you never go back. by Thwomp · · Score: 3, Funny

      No doubt it's a name inspired from the Nintendo school of marketing.

    2. Re:Once you go black, you never go back. by DigDuality · · Score: 5, Informative

      an Okopipi is a poisonous blue frog.

    3. Re:Once you go black, you never go back. by gbjbaanb · · Score: 2, Funny

      an Okopipi is a poisonous blue frog.

      *now* you tell me, after I posted my ignorance on slashdot for all to see. Geeks around the world are openly laughing at me, secretly thankful that they didn't post earlier :-)

    4. Re:Once you go black, you never go back. by Infoport · · Score: 2, Informative
      A little more info: Dendrobates azureus is the blue poison arrow frog of Suriname
      http://www.atlantabotanicalgarden.org/conservation/amphibian_research.html

      One interesting note from the Wikipedia article (couldn't find it elsewhere right now) is that the frog does not make any poison of its own but instead gets poison from insects which it eats. Seemed like an interesting tie-in for a P2P project.
      http://en.wikipedia.org/wiki/Dendrobates_azureus

  6. Spamming the spammers? by ScouseMouse · · Score: 3, Funny

    Hmm, won't it be amusing for users' PCs to be spamming as part of a hidden botnet and running this at the same time. Hope they're not on dialup.

    1. Re:Spamming the spammers? by forghy · · Score: 3, Informative

      The goal is to spam the spammer *sponsors*, not the spammers themselves. This is the exact reason why the blue frog was so successful.
      Once you receive a mail advertising pills or wrist ornaments, the Blue/Black frog client sends an opt-out message to the advertised mailbox.
      Let's say this online shop sends a million spam messages by means of a spammer, he (the shop owner) receives 1 million opt-out messages back!

      Days are counted for the spammers! MUahAhahAHhaHAh

  7. Re:source from bluefrog? by DigDuality · · Score: 4, Informative

    BlueFrog was open sourced and under the mozilla license, and yes they have the source code.

  8. OMG vigilantes by giorgiofr · · Score: 4, Insightful

    I can imagine the slew of whiners who will complain about such a vigilante approach to this problem.
    Well, remember Firefox, "We're taking back the web"? That's exactly what we're doing here. It's the only strategy that's going to work. Bitching and moaning won't get you a clean mailbox. Taking spammers down will.
    If you disagree with fighting fire with fire, I suggest you also criticize any and all law enforcement activities. They're simply state-sponsored vigilantes.

    --
    Global warming is a cube.
    1. Re:OMG vigilantes by joe+155 · · Score: 5, Funny

      couldn't we just send the spammers a sony music cd? That rootkit would take out their computers at the source instead of just spamming them

      --
      *''I can't believe it's not a hyperlink.''
    2. Re:OMG vigilantes by giorgiofr · · Score: 2, Insightful

      So, uhm, we should keep quiet and hope no one notices us? Maybe squeak a bit?

      --
      Global warming is a cube.
    3. Re:OMG vigilantes by op12 · · Score: 2, Funny

      If it's a recent Sony music CD, you're going to have a hard time convincing them to put it in their computers as they'll likely be thinking, "Why do I want to listen to this garbage?"

    4. Re:OMG vigilantes by whyrat · · Score: 2, Funny

      I think we should solve this with a two tier internet!

      One "slow" tier would be for all the people who actually reply to spam (thus giving the spammers money) or get their computers infected with bots and fail to clean them.

      The other "fast" tier would be for people who know better than to click on everything in their email box and instead delete the spam / trojans.

  9. Blue Security's reason for shutting down by Paran · · Score: 3, Informative

    I thought the reason Blue Security closed shop was because the spammers had diff'd their user database, identified quite a large amount of the participants, and then threatened virus attacks directed at them. Not because of the DDoS.

    Blue Security Gives up the Fight
    The spammer also sent another message: Cease operations or Blue Security customers will soon find themselves targeted with virus-filled attacks.
    ...
    "It's clear to us that [quitting] would be the only thing to prevent a full-scale cyber-war that we just don't have the authority to start," Reshef said. "Our users never signed up for this kind of thing."


    I'm guessing the only real difference is that users will know this time around.

    1. Re:Blue Security's reason for shutting down by mikael_j · · Score: 3, Insightful
      You're getting things mixed up, I think most users were quite willing to get involved in the cyber-war, the problem was that the company didn't have the resources to fight it.

      I'll probably sign up for this blackfrog thing once I've checked it out. In fact, I'd probably consider giving money to someone collecting money to pay someone else to beat the shit out of the world's top spammers. I'm serious, they're scum..

      /Mikael

      --
      Greylisting is to SMTP as NAT is to IPv4
    2. Re:Blue Security's reason for shutting down by gbjbaanb · · Score: 2, Insightful

      Frankly, they should have let the spammers go for it then. If you give in to Terrorists, you can only expect more terror in the future. Or so all the western governments seem to keep telling us as they send in the special forces.

      If the spammer took out a public enough target, the authorities would have had to get involved. BlueSecurity wasn't doing anything illegal (or even immoral - they only filled in the webform once for each email a user received.) so it's a pity they were hounded out.

  10. Automatically clicks Unsubscribe links in Spam? by Robmonster · · Score: 3, Insightful

    From their wiki:-

    Okopipi will automatically click the "opt-out" or "unsubscribe" links contained within the emails and/or report the spam to the appropriate authorities.

    I thought that it was generally a bad idea to click unsub or opt-out links in Spam messages since it only serves to prove they have a valid email address and the recipient actually reads Spam messages.

    --
    I have no sig yet I must scream.
    1. Re:Automatically clicks Unsubscribe links in Spam? by dnixon112 · · Score: 2, Informative

      A legitimate concern, but with the Blue Frog system at least, the way this was handled was that the system did not identify which email address was clicking the links. All the "clicking" was done by the Blue Security servers, it just added up to one opt-out/unsubscribe click per spam message sent.

    2. Re:Automatically clicks Unsubscribe links in Spam? by drinkypoo · · Score: 2, Insightful

      If the links are put together by someone who is not a total fucking moron, the link either has the email address encoded within it, or it is a unique token that links to a specific email address. Either way, following the opt-out link will indeed confirm that the address was deliverable. Unless these guys are just generating web traffic to the same server but a wholly different URL, preferably not even accessing the server by name but by IP... Which I doubt.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
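
The point argued in this sub-thread, whether following an opt-out link tells the sender which address was live, can be checked on the link itself before anything follows it. The classifier below is an added example, not code from the thread or from Blue Security or Okopipi; the regexes, the 16-character minimum, the 3.0 bits-per-character cutoff and all sample URLs are constructed assumptions.

```python
import base64
import math
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Assumed heuristic for a per-recipient token: 16+ URL-safe characters
# whose per-character Shannon entropy is at least MIN_ENTROPY bits.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{16,}")
MIN_ENTROPY = 3.0


def _decodings(value):
    """Yield (encoding, text) for the value itself and its base64/hex decodings."""
    yield "plain", value
    padded = value + "=" * (-len(value) % 4)
    for name, decode, arg in (("base64", base64.urlsafe_b64decode, padded),
                              ("hex", bytes.fromhex, value)):
        try:
            yield name, decode(arg).decode("utf-8")
        except ValueError:  # also covers binascii.Error and UnicodeDecodeError
            continue


def _entropy(text):
    """Shannon entropy of the string in bits per character."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def analyze_unsubscribe_url(url):
    """Return [(location, finding)] for every URL field that identifies a recipient."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    fields = [(f"path[{i}]", unquote(s)) for i, s in enumerate(segments)]
    fields += [(f"query[{k}]", v) for k, v in parse_qsl(parts.query)]
    findings = []
    for where, value in fields:
        # An address, in clear or trivially encoded, is the strongest signal.
        hit = next((enc for enc, text in _decodings(value)
                    if EMAIL_RE.search(text)), None)
        if hit:
            findings.append((where, f"email:{hit}"))
        elif TOKEN_RE.fullmatch(value) and _entropy(value) >= MIN_ENTROPY:
            findings.append((where, "opaque-token"))
    return findings


def identifies_recipient(url):
    """True if following the link would tie the request to one mailbox."""
    return bool(analyze_unsubscribe_url(url))


# Constructed samples: example.* hosts, made-up addresses and token.
SAMPLES = [
    "https://mail.example.com/u?e=alice%40example.net",
    "https://mail.example.com/optout/"
    + base64.urlsafe_b64encode(b"bob@example.net").decode(),
    "https://mail.example.com/r?id=" + b"carol@example.net".hex(),
    "https://mail.example.com/unsub/9f8c2e71a4b34d0e8a6f5c1b7d2e9a40",
    "https://lists.example.org/unsubscribe?list=weekly-news",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, analyze_unsubscribe_url(sample) or "no recipient identifier found")
```

An empty result means only that no identifier was found in the URL; the request still exposes the client's IP address and request headers to the server.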
  11. I am holding out for CrunchyFrog. by 1_brown_mouse · · Score: 3, Funny

    Every spammer gets a "Spring Surprise."

    CrunchyFrog explained. http://orangecow.org/pythonet/sketches/crunchy.htm

  12. Before comparing to DDOS, or botnets. Be informed by mybootorg · · Score: 5, Insightful

    Ok folks, let's get a few things straight.

    Blue Frog was NOT effective as a denial of service attack or distributed denial of service attack. It was never meant or designed to be. The Russian spammer said it himself - they never brought down our servers, they only served as "a daily nuisance". The nuisance was this: for every spam that the spammer sent to the some 500,000 Blue Frog members, an automated script (bot) visited the website advertised and filled out the form for snakeoil, home refinancing -- whatever was being hawked. But instead of filling it in with valid input from someone interested in what the website was hawking, it filled it in with a legitimate plea from a single person to Opt-out of being spammed further. With me so far?

    The spammer -- or worse, the spammer's client -- in turn, goes to check on their database of people or leads to which they can hawk their snakeoil and generic viagra and lo and behold, instead of being filled with legitimate contacts of people they can do business with -- it's filled with hundreds upon thousands of opt-out requests.

    Undoubtedly there are real requests from potential business contacts in there. But first they have to filter out all the opt-out requests that Blue Frog has submitted.

    Sound familiar? It sure does. It's what we've been putting up with for years. We open our Inbox and instead of seeing email from friends and business associates, we first have to sift through and filter a few gazillion pieces of spam -- each with "Hi How are you?" and "Important Account Information" fake titles. Only then can we get down to the email that's actually sent to us. It's a nuisance.

    Blue Frog forced spammers to deal with the SAME NUISANCE they cause us. And the spammers didn't care for it too much. They don't care about opt-out requests, the Internet, what people think of them, possible prosecution --- all they care about is making money and they're making it by the truckload. The fact that Blue Frog actually bothered them enough to use their botnets to attack is VERY encouraging. It means we've found a way to kick them in the ass and make it hurt.

    Please don't compare Blue Frog or Black Frog to a DDOS or DOS. As the Russian Spammer demonstrated with his attack, what little network disturbance Blue or Black Frog causes for the spammer or spammer client server pales in comparison to a real attack. Mainly because it isn't meant to be an attack in the first place.

    If Black Frog ends up with 1,000,000 subscribers, then let's talk DDOS.

  13. Re:Excuse me, but by Billosaur · · Score: 4, Interesting
    isn't this really good botnet vs bad botnet?

    More like Autobots vs Decepticons, but in the end it's the same thing. The "good" forces won't be a botnet per se, but a loosely aligned group of people doing the same thing, taking on a group with coordinated resources capable of wreaking terrible havoc. It's vigilantism to be sure, but until the governments of the world actually get their heads out of their butts and come up with a unified and mutually beneficial set of laws to deal with spammers wherever they live, this is the only tool anyone has to even try and slow the spammers down.

    --
    GetOuttaMySpace - The Anti-Social Network
  14. Re:Uhm... Okopipi by Magee_MC · · Score: 4, Insightful

    Okopipi is a poisonous blue frog. Quite appropriate I think.

    As to the fact that it isn't "marketable", who cares. Would anyone have thought google was marketable before they started? If the product is good enough, the market doesn't care about the name.

  15. Never trust the users by Jac_no_k · · Score: 2, Insightful

    You can't trust the "members". Say that a savvy black hat creates many "tainted-members". What happens if the "tainted-members" all report that a legitimate site is spamming?

    I think one method for this to work is for each suggested target to be evaluated by each member. The member has to agree that this is a valid target before his account participates in the attack.

    1. Re:Never trust the users by sk8king · · Score: 3, Insightful

      > I think one method for this to work is for each suggested target be evaluated by each member. The member has to agree that this is a valid target before his account participates in the attack.

      With a certain threshold of participants required before the attack even takes place. If there are 100 members, perhaps 20 would need to agree on the item in question being spam. 15 wouldn't be enough to initiate a retaliatory opt-out.

      I wonder how much of the "background" noise on the internet is this sort of crap floating around....DNS requests for viruses, port scanning for viruses, traffic in the form of spam, spam responses, systems to deal with spam....probably more than anyone realizes.

  16. Myopic-kneejerk-retribution-a-go-go by ear1grey · · Score: 2, Insightful
    I have no mod points, so I must respond...

    I'd like to hope Okopipi could make a positive difference, but it cannot, because it is open to exploitation by the very people it's trying to stop.

    Okopipi's greatest asset: people who are desperate to stop spam; is also its greatest weakness, because their frustration sometimes leads them to take ill-considered actions without first understanding the facts. Choosing to publish the statement below is a fairly pertinent example:

    If you disagree with fighting fire with fire, I suggest you also criticize any and all law enforcement activities. They're simply state-sponsored vigilantes.

    It's difficult to see any way this statement could be more wrong.

    When a state sponsored law enforcement official does their work they are enacting the will of a democratically elected government. It is a careful and methodical process designed to protect the innocent.

    Their job works like this:

    1. A law is defined (there are many ways for this to happen).
    2. A transgression of that law is identified.
    3. Evidence is gathered.
    4. The transgressor is prosecuted and can defend their actions.
    5. If the transgression is proven a sentence is handed down.

    The problem with Okopipi is that it amounts to an unelected and unrepresentative group that is appointing itself as police force, judge, jury and executioner.

    The result is that members of the Okopipi network and innocent bystanders with websites will become the target of the organised crime that is funding the spammers.

    At which point your friendly "state sponsored vigilante" is only a phone call away.

  17. Security? by Rob+T+Firefly · · Score: 2, Interesting
    This does look promising (from TFA:)

    "It will be based on a P2P network (the frognet)," according to a posting on the wiki. "On failure to connect it could still opt out given email addresses."

    Participants will send reports of spam emails to Okopipi, which will use "handlers", including dedicated servers, to analyse it. To avoid suffering the same fate as Blue Security, Okopipi's staff will not disclose information about its servers.

    "Only the Okopipi administrators will know their locations," the group said on its wiki. This should make a DDoS attack "very difficult", it said.

    That seems solid, but I wonder how something so open can keep a secret like what and where its servers are. It's beyond me, anyone have more info?

  18. It's not DDoS. by blueZ3 · · Score: 2, Informative

    The service fills in forms on spammers' websites and submits them. This "corrupts" the data that the spammers are collecting by inserting hundreds of "opt out" submissions which makes finding the "valid" submissions (where stupid people responded to the spam looking to buy v1agr@) more difficult. There's nothing illegal (as far as I know) in using your own computer to fill out forms with bogus data.

    The few hundred frog subscribers don't have the horsepower to shut down a Web server anyway. They just make the results of spamming much more difficult to sort through.

    --
    Interested in a Flash-based MAME front end? Visit mame.danzbb.com
  19. Re:What Do We Really Want? by shokk · · Score: 2, Funny

    I'm confused. Which are you advocating?
    a) Freezing them with fire retardant foam
    b) Hack off a few appendages with an axe
    c) Drowning
    d) All of the above in that order

    I think any one will do. Why be picky?

    --
    "Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
  20. How to prevent DDOS on the servers. by Spy+der+Mann · · Score: 4, Informative

    We're (yes, I'm part of the team - hello slashdot!) currently discussing using the main servers thru various proxies to anonymize the IP address. On a DDOS attack, the servers would just disconnect and then reconnect to another proxy and voila.

    Also, the servers are the ones with the Central PGP authority. The network can still operate without servers, they're just needed for login (for now).

  21. For the Nth time, we're NOT GOING TO DDOS!!! by Spy+der+Mann · · Score: 5, Informative

    Disclaimer: This is my personal opinion and does not reflect the viewpoints of other members of the Okopipi project.
    --

    Sheesh people! I hate to have to respond to 1,000 comments made by kneejerks who don't even RTFA, saying how terrible it is to DDOS and how the system could be abused.

    Do you think we're idiots to let something like this happen?

    1. The "attacks" on websites will be moderated. We want to make sure that the force is non-lethal to websites. We haven't discussed the implementations, but the decision has been taken: We will use throttling to PREVENT denial-of-service attacks.

    2. The P2P network does *NOT* control the clients, it'll only distribute opt-out scripts for websites. Also, the customer can log out ANY TIME they want. So, NO, it's NOT a botnet.

    3. Spammers don't need P2P networks to initiate an attack. They already have their effective botnets in infected WinXP machines.

    4. There will be a reputation system AND a hierarchy system (so not everyone can mod someone down), people will have to earn their trust to classify scripts, those who report wrong sites will be modded down, and the usernames and reputations are permanent. The hierarchy system we're studying requires at least two people acting as an individual before taking any action, to prevent infiltrations.

    5. We're already considering infiltration of spammers in our model, we're researching papers written by experts in graph theory and computer science for this. A spammer could at most try to disable the network, but with the currently planned infrastructure, I doubt they can do it.

    6. We haven't started to code. We're still discussing (and will continue to discuss) the possible consequences, abuses, attacks and how to prevent them or at least minimize them. We cannot afford to have ANY point of failure.

    7. If anyone wants to cooperate, the google group is open to ideas.

    8. And I repeat: we will *NOT* DDOS websites. It's a decision the committee has taken, and it's a final decision. There have been people who have proposed to DDOS the spammers to death, and we're already shutting them up.
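
The safeguards discussed in comment 15 (a reporting threshold such as 20 of 100 members, so that "tainted" accounts cannot nominate a legitimate site) and in point 4 above (earned reputation, two people acting together) can be modelled as a gate that every report must pass. This is an added sketch, not Okopipi code (the comment above says coding had not started); the class names, the `handler` role, the reputation penalties and the member population are all assumptions.

```python
import math
from dataclasses import dataclass, field


@dataclass
class Member:
    name: str
    reputation: int = 0      # earned over time; new accounts start at 0
    handler: bool = False    # assumed role: may confirm a report as spam


@dataclass
class Case:
    reporters: set = field(default_factory=set)
    approvals: set = field(default_factory=set)


class ReportGate:
    def __init__(self, members, quorum_pct=20, min_reputation=1, approvals=2):
        self.members = {m.name: m for m in members}
        self.quorum_pct = quorum_pct
        self.min_reputation = min_reputation
        self.approvals = approvals
        self.cases = {}

    def report(self, name, site):
        # A set means repeated reports from one account count once.
        self.cases.setdefault(site, Case()).reporters.add(name)

    def approve(self, name, site):
        if not self.members[name].handler:
            raise PermissionError(f"{name} is not a handler")
        self.cases.setdefault(site, Case()).approvals.add(name)

    def decision(self, site):
        case = self.cases.get(site, Case())
        # Only accounts with earned reputation count toward the quorum,
        # so freshly created accounts cannot reach it on their own.
        trusted = sum(1 for n in case.reporters
                      if self.members[n].reputation >= self.min_reputation)
        needed = math.ceil(self.quorum_pct * len(self.members) / 100)
        if trusted < needed:
            return False, f"quorum not met: {trusted} of {needed} trusted reports"
        if len(case.approvals) < self.approvals:
            return False, f"{len(case.approvals)} of {self.approvals} handler approvals"
        return True, "approved"

    def settle(self, site, was_spam):
        # Reporters of a wrongly nominated site are marked down (assumed -2).
        for n in self.cases.pop(site, Case()).reporters:
            self.members[n].reputation += 1 if was_spam else -2


def demo():
    # Constructed population of 100: 68 established, 2 handlers, 30 new accounts.
    members = [Member(f"m{i}", reputation=3) for i in range(68)]
    members += [Member("h1", 5, handler=True), Member("h2", 5, handler=True)]
    members += [Member(f"new{i}") for i in range(30)]
    gate, out = ReportGate(members), {}

    for i in range(30):                      # new accounts nominate a legitimate site
        gate.report(f"new{i}", "legit.example")
    out["sybil"] = gate.decision("legit.example")
    gate.settle("legit.example", was_spam=False)
    out["sybil_reputation"] = gate.members["new0"].reputation

    for i in range(15):                      # 15 trusted reports: below threshold
        gate.report(f"m{i}", "spam.example")
    out["fifteen"] = gate.decision("spam.example")
    for i in range(15, 20):                  # 20 trusted reports: quorum reached
        gate.report(f"m{i}", "spam.example")
    gate.approve("h1", "spam.example")
    gate.approve("h1", "spam.example")       # same handler twice counts once
    out["one_handler"] = gate.decision("spam.example")
    gate.approve("h2", "spam.example")
    out["approved"] = gate.decision("spam.example")
    return out
```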

  22. Re:Excuse me, but by RelaxedTension · · Score: 2, Insightful

    "That's not the same thing as going to a site solely to attack the operator, with no interest in any content beyond maybe using it in the attack."

    If the site operator sends out a million invitations to come to his website, and gets a million hits because of that, is it an attack? No. The invitation has 3 options, browse, buy something, or opt out. Automating that process is not an attack. If the operator sends out a million invitations he had best have the bandwidth to accommodate the million potential hits. If he doesn't then too bad. The spammers are like the ISPs that have oversold bandwidth. Now that someone wants to take them up on their offer to come and visit, planning on a 1% or 2% response to the spam ads won't cut it. And for that I have ZERO sympathy.

    And finally, Bluefrog's stated intention was not to break it or slow it down. In fact they went to very reasonable lengths to avoid exactly that. Call it an attack if you want, but looking at the methods and actions involved, I just don't see how that term applies. They were a lot more reasonable than I would have been.

  23. IMPORTANT ANNOUNCEMENT FROM BLACK FROG by Spy+der+Mann · · Score: 4, Informative

    Due to TradeMark conflict, I have closed the Black Frog project. Actually the project was just a nameholder, since Okopipi was a separate project which I joined later.

    So the official name of the P2P antispam software is now "Okopipi". Please stop naming it "Black Frog" or we could get sued for Trademark Infringement.

    Thank you.

    (More info on my journal)

  24. When is a DDOS not a DDOS? by RedToad · · Score: 2, Insightful

    Let's get this straight. Over one day a spammer sends 5 million invitations to go to a web site to buy a product. Over one day 5 million recipients visit the web site and in compliance with the CAN-SPAM Act request to be removed from the mailing list.

    A DDOS is an illegal act. 5 million responses to an invitation is a CAN-SPAM compliant act.

    Why do so many people not understand the difference? Is it from ignorance, or from vested interests in spreading spam?

    ---
    nostalgia ain't what it used to be