
Spy der Mann's Journal: Okopipi anti-spam project coming soon
Today I applied for a Sourceforge.net project called "Black Frog" (edit: The new name will be "okopipi"). It will be a completely-new distributed version of Blue Frog.
The project is still in its planning stages; we need people who will take over the project and continue to work on it.
Update:
The project is now official. The discussion pages are the following Google groups: okopipi-dev and okopipi-discuss.
How to help spammers automate their opt outs (Score:2)
All the spammers have to do is include the blackfrog_optout.php in their main directory, and Black Frog will try to access the blackfrog_optout page first. If the page is accessed, it will try to opt out there first. If not, it will do the usual.
The point is to make it EASY for spammers to opt us out. The problem with Blue Frog is that spammers had to download a GLOBAL
Re:How to help spammers automate their opt outs (Score:2)
They just tarpit all requests sent to your special complaint receiver script, and nothing will really reach them.
Re:How to help spammers automate their opt outs (Score:2)
So it becomes a reward-punishment system. Are you ignoring requests instead of processing them? You'll get a bunch of traffic and your server will be "frogged".
Re:How to help spammers automate their opt outs (Score:2)
If you make it easy for them, by dumping it in a special wastebasket. Well.. then it's not much of a burden and they'll just have to pay some more for bandwidth (or they simply drop those HTTP requests). They don't care about the bandwidth bill. They make enough money to DDoS the largest blogging company off t
Re:How to help spammers automate their opt outs (Score:2)
Second offense, find first "normal customer" form and fill it.
Re:How to help spammers automate their opt outs (Score:1)
Keep in mind that the Frog attack is targeted not only at the spammer, but also at the CLIENTS of the spa
Re:How to help spammers automate their opt outs (Score:1)
Thinking like this is the right way to go!
Not *all* spammers are beyond reason. Offering compromises for those willing to play by the rules sets a standard of MUTUAL RESPECT. I think this is a great idea.
I can also code PHP backwards and forwards, and am happy to offer any GPL code I can to your BlackFrog project.
Josh-ribbit-ibot.tv
Keeping it clean, and further thoughts / concerns (Score:1)
Having written an essay on the BF forum on how BF was NOT a DDOS attack, (it got copied around a bit) it's probably obvious to those who've seen me lurking the forums that I considered Blue Security to be taking the high road. Therefore I think it's imperative that everyone try to
"Stop spamming EVERYONE." (Score:2)
One should not have to become a blackfrog to get one's received spam to stop. Spam should
No -- some people want spam (Score:2)
If you want to complain to spammers for emails that you didn't receive... that's crossing the line from a legal complaint process (one complaint per spam you received) to illegal extortion, or... what do you call it when you force another company out of business through illegal means? I forget, but it's not a line we want to cross.
Remember, th
Blue Frog was an Entertaining Intermediate Step (Score:2)
I don't remember how aggressive it was about filling out forms - imag
Re:Blue Frog was an Entertaining Intermediate Step (Score:2)
Ultimately, e-mail rules will have to be changed, and the protocols modernized. SPAM is based on various internet flaws that exist by design, the problem is that companies haven't agreed on fixing those fla
Re:Blue Frog was an Entertaining Intermediate Step (Score:2)
Not true, actually -- that would be a real DoS attack (and, um, illegal). Blue Security only submitted one complaint for each spam received (first including honeypots, then based purely on spam reports from the userbase). AND they didn't submit any complaints if the spammer was CAN-SPAM compliant, or if the spammer responded within a week or two to direct c
Re:Blue Frog was an Entertaining Intermediate Step (Score:2)
Oh, Rob - please go to http://groups.google.com/group/okopipi-dev and http://groups.google.com/group/okopipi-discuss for more discussions regarding Okopipi, those are the official discussions now.
Don't forget accountability... (Score:1)
Re:Don't forget accountability... (Score:1)
Re:Don't forget accountability... (Score:1)
As for picking who gets to be in the groups... I suppose they'd be picked out of the long-time black frog members, and elected/selected by their peers? It's difficult to make sure you're not infiltrated by spammers :\
If worse comes to wor
Re:Don't forget accountability... (Score:2)
Maybe the scripts could be downloaded via shareaza or torrent, to keep full distribution of the system.
Re:Don't forget accountability... (Score:1)
Re:Don't forget accountability... (Score:1)
Use a distributed review system :-) (Score:2)
There would be Black Frog nodes, and Black Frog "supernodes". Supernodes are the ones conforming the network, just like Gnutella or Kazaa.
Now a node would have two functions: Client, or Reviewer. A Reviewer would review a spam and website, and give his "SPAM probability" from 0 to 5.
The client would "roll a dice" and if the dice has less probability than the reviewer's "SPAM probability", he would send a complaint / opt-out.
Now the trick is this: Use only reviewers of nodes lo
Also, reviewers should be weighted. (Score:2)
Reviewers should be given a weight depending on what country they live in. Countries like Malaysia, Russia or China would be given zero credibility
Why we need a review system (Score:2)
This way, we can know HOW to opt-out at a website, and at the same time we can decide by ourselves whether to opt-out or not.
Re:Don't forget accountability... (Score:1)
I.e., distributed voting/review in addition to distributed unsubscribing.
Re:Don't forget accountability... (Score:1)
I disagree with this. I think that the users should be able to nominate a spammer for attack, but the decision should be entirely out of their hands. A voting system like this can lead to serious abuse. Each vote is a potential black hat
Re:Don't forget accountability... (Score:1)
I just can't see the right balance between centralization and losing the single-point-of-failure.
My thoughts on a p2p version of bluefrog (Score:2)
Maybe you take some stuff too lightly
In case of abuse (frog-jobs) (Score:2)
Anyway, I have an idea to prevent frog-jobs. Along with complaints, send the e-mail headers (except the To: and CC: fields), so the affected party can complain with the ISPs.
In other words, the opt-out requests will be the basis for ISP requests in case of abuse.
Re:In case of abuse (frog-jobs) (Score:1)
This is actually a really good idea, and similar to one that I was thinking of making a while ago. It's basically a plug-in for Thunderbird/Firefox. It works in conjunction with the "This Is Spam" button. Each time the user marks a message as spam (or the program automatically marks something as spam), then it automatically forward
Re:My thoughts on a p2p version of bluefrog (Score:2)
language (Score:1)
Re:language (Score:2)
Re:language (Score:2)
About the language decision, I have to agree... It means I won't be as much of a help as I might have been otherwise (as you can possibly guess from my username) but Java is still just too much of a pain on the client-side, and we will want to maximize the userbase.
Server not = Spammer (Score:1)
3. An opt-out processor, which will receive opt-out complaints at your server and remove the offending addresses from your spam list.
Huh? Spamvertized web sites outsource their site promotion to several "bulk-mailer" affiliates. Each affiliate has his own address list.
How do you envisage step 3. handling that?
Re:Server not = Spammer (Score:2)
Check this out first (Score:2)
http://castlecops.com/postitle156112-15-0-.html
They got a bunch of people on board and waiting for SF approval.
Re:Check this out first (Score:2)
Argh! Can't sign up! (Score:2)
Nevermind, I posted already. (Score:2)
Some initial things to think about in planning (Score:2, Interesting)
Some thoughts right off the top, regarding abuse of the system
1) How do you authenticate requests for attacks? These need to come from legitimate, unique users. And a single request shouldn't launch an attack.
2) Who launches the attack? It's too dangerous a weapon to leave up to an automated system. There should be a threshold of attack requests that will trigger an event. And that event should alert human
Captchas for reviews (Score:2)
Re:Captchas for reviews (Score:2)
Somewhere you need the trust factor. And it's far easier to trust a single source, than it is to trust a cloud of sources.
Re:Some initial things to think about in planning (Score:2)
The client should only ask the server / network to request authorization for opt-out.
Re:Some initial things to think about in planning (Score:1)
No, the attack should be client initiated. And it's NOT a DDOS. It's an opt-out request, remember that!
The client should only ask the server / network to request authorization for opt-out.
Well, the attack is client initiated. A user puts a request into their Black Frog client asking that a site be attacked. ("Not" a DDoS. A perfectly legitimate opt-out... sent 1000 times a second. I know, I know. ;) ). BUT one client shouldn't have the authority to get ALL clients to participate in the attack. And
Re:Some initial things to think about in planning (Score:2)
No, a client *MUST NOT* attack the websites that it doesn't have already requested authorization for. A client *MUST NOT* be able to tell other clients to attack *ANY* website. This is how Blue Frog ori
Re:Some initial things to think about in planning (Score:1)
My question then is why would I (taking on the role of an anti-spam activist) sign up for this? Right now, I already have the power to attack a spammer myself. If I get an unwanted email, I can write a script to do s
Re:Some initial things to think about in planning (Score:2)
Very interesting proposal. I'm still worried that this has the potential to open a lot of users up to abuse. They are, in essence, opening their machines up as restricted zombies.
For every N redundant servers it is possible that a spammer could have N+1 trojan servers (they control thousands of zombies already). In a worst case scenario where a small group of users were persuaded to download server lists containing those N+1 trojan servers would that mean that the real authorized servers would lose the vot
Re:Some initial things to think about in planning (Score:1)
Yup, that's the idea.
For every N redundant servers it is possible that a spammer could have N+1 trojan servers (they control thousands of zombies already). In a worst case scenario where a small group of users were persuaded to download server lists containing those N+1 trojan servers would that mean that the real authorized
Re:Some initial things to think about in planning (Score:1)
About using a central server in the P2P (Score:2)
I'm thinking that this would require the use of public keys to identify "trustable servers". Volunteers could post their public keys in forums so we could attach to them.
OR - if we could review peers to see how many fake reports (false positives or the reverse) they've posted. Then we could blacklist them, and the network wouldn't listen to them. But HOW? And how to prevent them from gaining majority?
Man, this i
Re:About using a central server in the P2P (Score:1)
Re:About using a central server in the P2P (Score:2)
So we need an authority to determine whether a spam is a joe job or not. I'm thinking that a hierarchical authority (with some initial credentials at the top) would be the way to go. This way if a spammer is disrupting the system, his superior can shut him down.
Problems with authentication and review (Score:2)
First thought: Webpages with more than N (1,000? 10,000?) different reports are flagged as "possible spam". This would be a first measure, but then we'd have to be careful about joe jobs. So we need reviewers.
The "reviewers" are the ones to determine whether a mail/page combination is spam AND authentic. But the spammers could set up their own client and start flagging every joe job as true, or every spam as fake?
Then we need someone to "metamod" the reviewers. But then again, ho
Re:Problems with authentication and review (Score:2)
The only problem here, of course, is that the barrier to entry is relatively high, as you (or your closed user group) needs to t
Re:Problems with authentication and review (Score:2)
Bluefrog source (Score:1)
I am trying to figure out what the legal status of it is.
I'll keep you posted.
Re:Bluefrog source (Score:1)
Re:Bluefrog source (Score:1)
each peer can complain for itself utilizing its own bandwidth.
Black Frog anti-spam project (Score:1)
The main interest should be to make those scripts public.
Imagine a website full of such scripts (php anyone?) divided in viagra / penis enlargement, etc sections. Now if the spam makes you angry you go to this site and fire some opt-outs in your prefe
suggested project logo (Score:1)
gimp file : http://firefang.net/info/blackfrog/blackfrog.xcf
a black frog, with some phoenix like properties
Re:suggested project logo (Score:2)
Re:suggested project logo (Score:1)
Re:suggested project logo (Score:1)
Re:suggested project logo (Score:1)
I think this frog looks mean unlike the friendly azureus frog.
Re:how to get the code. (Score:1)
Re:how to get the code. (Score:1)
Re:how to get the code. (Score:1)
http://prdownloads.sourceforge.net/bluefrog/?sort
Re:how to get the code. (Score:1)
trouble with P2P (Score:1)
Re:trouble with P2P (Score:2)
Minimizing the P2P dependency (Score:2)
If you have a client that, no matter what good/bad info it manages to get from the P2P network, is only capable of submitting one complaint per unique email, and ONLY to a domain listed in that email (though the actual reporting scripts may vary), there's very little room for malevolent 3rd parties to screw it up. The spam analysis will need to happen on the client (instead of remo
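The two limits proposed in the comment above (one complaint per unique email, and only to a domain that email itself names) can be enforced as a local policy check, sketched here as an added example that is not part of the original thread or of any Okopipi code. The names `ComplaintGate`, `domains_in_email` and `host_of` are hypothetical, the sample message is constructed, and the gate only decides; it sends nothing.

```python
import hashlib
import re
from email import message_from_string
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample message; every address and domain is a placeholder.
SAMPLE = (
    "From: sender@mail.example\n"
    "To: user@inbox.example\n"
    "Subject: offer\n"
    "\n"
    "Buy now at http://shop.spamvertised.example/buy?id=1\n"
)

def host_of(url):
    """Lower-cased hostname of a URL, or None if it cannot be parsed."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None

def domains_in_email(raw):
    """Hostnames of every http(s) link found in the message's own body parts."""
    hosts = set()
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        hosts.update(h for h in map(host_of, URL_RE.findall(text)) if h)
    return hosts

class ComplaintGate:
    """Local policy check (hypothetical name); it decides, it never sends."""

    def __init__(self):
        self.seen = set()  # digests of emails already complained about

    def authorize(self, raw_email, target_url):
        # Rule 1: the target must be a host the email itself links to,
        # whatever the P2P network suggested (exact match, no subdomains).
        host = host_of(target_url)
        if host is None or host not in domains_in_email(raw_email):
            return False
        # Rule 2: at most one complaint per unique email.
        digest = hashlib.sha256(raw_email.encode("utf-8", "replace")).hexdigest()
        if digest in self.seen:
            return False
        self.seen.add(digest)
        return True
```

A rejected target does not use up the email's single complaint, so bad data from the network cannot block the legitimate one.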
Publicity Support (Score:1)
I want to sign up for War.
OpenPGP+P2P (Score:2)
Re: (Score:1)
Re: (Score:1)