BlackFrog to Take up BlueFrog's Flag 178
Runefox writes "ZDNet UK has a story about a new SPAM defense mechanism called BlackFrog, a response to the demise of Blue Security's BlueFrog. According to the article, the new service is based on a P2P network of clients, called the 'Frognet', which allows the opt-out service to continue functioning even after a server has gone down, making a DDoS attack like that which crippled BlueFrog ineffective against the new service."
Link (Score:4, Informative)
Re:Link (Score:3, Interesting)
Many people will say that if you do this the spammers will know your address. My response: 1) they obviou
Re:Link (Score:3, Interesting)
Maybe, maybe not. They have your e-mail in a list somewhere, but they don't know if it's still valid. Sending a real response proves that it IS valid and IS checked actively, which increases its value when sold to advertisers or sold/traded to other spammers.
NOT replying puts a little "?" on the message, because they know the address is probably still valid (didn't bounce) but there was no reply (maybe nobody checks it)?
I think the better solution would be to send
Re:Link (Score:2)
Re:Link (Score:2)
Then the spammers will start adding captchas to their opt-out pages.
Oh, the irony.
Poisonous frogs? (Score:5, Insightful)
-Rick
Re:Poisonous frogs? (Score:2, Insightful)
Participants will send reports of spam emails to Okopipi, which will use "handlers", including dedicated servers, to analyse it. To avoid suffering the same fate as Blue Security, Okopipi's staff will not disclose information about its servers.
Sounds like the same idea as Blue Security, only they're hiding. Probably will result in the same outcome. Massive DDoS on their "hidden" servers.
Re:Poisonous frogs? (Score:3, Funny)
Aahhh...the old security throught obscurity trick, eh? Should work as well as the cone of silence.
How to prevent DDOS on the servers. (Score:5, Informative)
Also, the servers are the ones with the Central PGP authority. The network can still operate without servers, they're just needed for login (for now).
Cone of Silence?!? (Score:2)
Hover Cover!
Re:Poisonous frogs? (Score:3, Informative)
Never trust the users (Score:2, Insightful)
You can't trust the "members". Say that a savvy black hat creates many "tainted-members". What happens if the "tainted-members" all report that a legitimate site is spamming?
I think one method for this to work is for each suggested target be evaluated by each member. The member has to agree that this is a valid target before his account participates in the attack.
Re:Never trust the users (Score:4, Insightful)
With a certain threshold of participants required before the attack even takes place. If there are 100 members, perhaps 20 would need to agree on the item in question being spam. 15 wouldn't be enough to initiate a retaliatory opt-out.
I wonder how much of the "background" noise on the internet is this sort of crap floating around....DNS requests for viruses, port scanning for viruses, traffic in the form of spam, spam responses, systems to deal with spam....probably more than anyone realizes.
Re:Poisonous frogs? (Score:2, Informative)
Blue Frog didn't automatically focus on every Spam that was submitted. It focused on t
seems insecure (Score:3, Insightful)
Hierarchical P2P (Score:2)
On the remote case we suffer a complete P2P blackout, the frogs can still opt out - the network will only be used as a regulation mechanism.
Re:seems insecure (Score:2)
The P2P network will almost certainly include some sort of authentication system so that peers cannot fake messages from other peers. A voting system means that the number of 'bad' peers must be very high to cause any damage to the network as a whole. The system will have to be able to identify the bad peers and remove them from the network as soon as possible. A difficult challenge, but given that
good idea (Score:3, Insightful)
Re:good idea (Score:2)
Once you go black, you never go back. (Score:5, Informative)
Re:Once you go black, you never go back. (Score:3, Funny)
Re:Once you go black, you never go back. (Score:2)
Re:Once you go black, you never go back. (Score:2)
besides, surely BlackFrog is much easier to make icons for... assuming the BlueFrog resources are OSS too. Got knows what an okopipi is anyway.
Re:Once you go black, you never go back. (Score:5, Informative)
Re:Once you go black, you never go back. (Score:3, Funny)
*now* you tell me, after I posted my ignorance on slashdot for all to see. Geeks around the world are openly laughing at me, secretly thankful that they didn't post earlier
Re:Once you go black, you never go back. (Score:2, Informative)
http://www.atlantabotanicalgarden.org/conservation
One interesting note from the WikiPedia article (couldn't find it elsewhere right now), is that the frog does not make any poison of its own but instead gets poison from insects which it eats. Seemed like an interesting tie-in for a P2P project.
http://en.wikipedia.org/wiki/Dendrobates_azureus [wikipedia.org]
source from bluefrog? (Score:2)
Re:source from bluefrog? (Score:4, Informative)
Re:source from bluefrog? (Score:2)
Spamming the spammers? (Score:4, Funny)
Re:Spamming the spammers? (Score:3, Informative)
Once you receive a mail advertizing pills or wrist ornaments , the Blue/Black frog client sends an opt-out message to the advertized mailbox.
Let say this online shop sends a million spam messages by means of a spammer, he (the shop owner) receveives 1 million opt-out messages back !
Days are counted for the spammers ! MUahAhahAHhaHAh
Re:Spamming the spammers? (Score:2)
Must go away and read the original bluefrog article again.
Actually i wouldnt count on the days of spammers being numbered.
The sneaky little bugg@rs have been getting round new antu-spam systems for years, and the more unscrupulous will start doing things like providing opt out locations that look different when you view then. (IE, providing two links, a link thats invisible for the anti spam engine to chew on, and one that isnt that may be obfuscated in some way)
Unfortu
SpamCannibal (Score:1, Informative)
http://www.spamcannibal.org/cannibal.cgi [spamcannibal.org]
OMG vigilantes (Score:5, Insightful)
Well, remember Firefox, "We're taking back the web"? That's exactly what we're doing here. It's the only strategy that's going to work. Bitching and moaning won't get you a clean mailbox. Taking spammers down will.
If you disagree with fighting fire with fire, I suggest you also criticize any and all law enforcement activities. They're simply state-sponsored vigilantes.
Re:OMG vigilantes (Score:5, Funny)
Re:OMG vigilantes (Score:3, Funny)
Re:OMG vigilantes (Score:2, Funny)
One "slow" tier would be for all the people who actually reply to spam (thus giving the spammers money) or get their computers infected with bots and fail to clean them.
The other "fast" tier would be for poeple who know better than to click on everything in their email box and instead delete the spam / trojans.
I'm thinking something more substantial (Score:2)
Re:OMG vigilantes (Score:1)
Re:OMG vigilantes (Score:3, Insightful)
Re:OMG vigilantes (Score:2)
Well, remember Firefox, "We're taking back the web"? That's exactly what we're doing here.
I like Firefox and all, but I really don't see the connection between having a choice over your web browser and launching DoS attacks on possible spammers.
If you disagree with fighting fire with fire, I suggest you also criticize any and all law enforcement activities. They're simply state-sponsored vigilantes.
Once they are state sponsored, they rather stop being vigilantes. They also (hopefully) are held ac
Myopic-kneejerk-retribution-a-go-go (Score:2, Insightful)
I'd like to hope Okopipi could make a positive difference, but it cannot, because it is open to exploitation by the very people it's trying to stop.
Okopipi's greatest asset: people who are desparate to stop spam; is also it's greatest weakness, because their frustration sometimes leads them to take ill considered actions without first understanding the facts. Choosing to publish the statement below is a fairly pertinent example:
OT: Myopic-kneejerk-retribution-a-go-go (Score:2)
Perhaps the GP was from the US, where that doesn't hold true anymore...
Re:Myopic-kneejerk-retribution-a-go-go (Score:2)
look at CANSPAM. it seems to be real effective.... >/sarcasm
Re:Myopic-kneejerk-retribution-a-go-go (Score:2)
Step 1. Fix the law.
Step 2. Let the law fix the spammers.
My personal opinion and some clarifications (Score:2)
Unelected? Unrepresentative? We've received HUNDREDS of volunteers to help us. And with more than 700 diggs (yes, blasphemy! don't burn me), i doubt it's "unrepresentative".
The problem with Okopipi is that it amounts to an unelected and unrepresentative group that is appointing itself as police force, judge, jury and executioner.
It should be obvious by
Re:My personal opinion and some clarifications (Score:2)
Hi SpyDerMan, I appreciate that you're trying to make a positive difference, and I'm concerned that the project may be trying to solve the problem by entirely the wrong means...
The number of volunteers is certainly promising, and although 700 is a good start its definitely not a representative sample of the 1 billion people who now use the internet [internetworldstats.com].
I note that there are as yet no volunteers
Re:Myopic-kneejerk-retribution-a-go-go (Score:2)
Yes; although if there were appropriate legislation in place, the authorities wouldn't need to fight fire with fire. I also agree that "the system" can never be perfect (because we keep inventing new things that require new legislation) so there is at best, a lag. Perhaps the Okopipi volunteers will spend some time lobbying their government representatives - in the long run that may do more g
Re:Myopic-kneejerk-retribution-a-go-go (Score:2)
Offshore affairs certainly put a different spin on the problem, and moves to internationalise control of the Internet through the UN [intgovforum.org] may present an opportunity to control wayward countries and ensure that they enforce internationally binding internet laws* in accordance with the declaration of human rights [un.org].
* laws that don't exist yet, hence the unsolicited commercial email problem.
Re:MOD PARENT UP! (Score:2)
Oh, and you're absolutely right about the rest of his post. He made some good points, but highlighted the big problem with the moderation here.
Errata (Score:2)
Re:Errata (Score:2)
Re:OMG vigilantes (Score:2)
> sponsored vigilantes.
Actually, in any reasonable democracy law enforcement is more like "state-sponsered vigilantes, with an independent court system designed to prevent them from accidently screwing over the innocent in their zealous quest for justice."
Re:OMG vigilantes (Score:2)
That's exactly what we're doing here. It's the only strategy that's going to work. Bitching and moaning won't get you a clean mailbox. Taking spammers down will.
And you think this is going to work? First, there is little or nothing stopping abuse of this system. I can compromise a machine and send out piles of offensive spam for my competitor, and the system will then fire what amounts to a DoS attack at him. Second, This sort of an attack can be filtered out by ISPs now (on premium accounts) and that ca
Re:weenieism (Score:2)
I noticed you had no option for YOU to go deal with the mom beater.
Unless this is direct action, then it is a subset of vigilantism. Maybe your mom is just using you as unwitting muscle for her extortion scam. Give me $100 or I'll tell my son to beat you up.
To me, that is a better option, or even better than THAT, is that your mom gets the training and the tools needed to protect herself.
Except by its very nature there is no witness to a spam attack, so any retaliation will have to be after the fac
For clarification, we're *NOT* DDOS'ing the sites. (Score:2)
What we're going to do, is poison their purchase forms (as Blue Sec. did) with enough requests so they have to search in them before finding true customers.
Re:OMG vigilantes (Score:2)
Blue Security's reason for shutting down (Score:3, Informative)
Blue Security Gives up the Fight [slashdot.org]
The spammer also sent another message: Cease operations or Blue Security customers will soon find themselves targeted with virus-filled attacks.
"It's clear to us that [quitting] would be the only thing to prevent a full-scale cyber-war that we just don't have the authority to start," Reshef said. "Our users never signed up for this kind of thing."
I'm guessing the only real difference is that users will know this time around.
Re:Blue Security's reason for shutting down (Score:4, Insightful)
I'll probably sign up for this blackfrog thing once I've checked it out. In fact, I'd probably consider giving money to someone collecting money to pay someone else to beat the shit out of the world's top spammers. I'm serious, they're scum..
/Mikael
Re:Blue Security's reason for shutting down (Score:2)
Re:Blue Security's reason for shutting down (Score:3, Insightful)
If the spammer took out a public enough target, the authorities would have had to get involved. BlueSecurity wasn't doing anything illegal (or even immoral - they only filled in the webform once for each email a user received.) so its a pity they were hounded out.
Re:Blue Security's reason for shutting down (Score:2)
The spammer took out several public targets-- the Blue Security site and the LiveJournal blogger site, as well as the ISP which hosted them last. The authorities aren't going to do anything. The "good guys" in this case are a scrappy web software company in Israel. The "bad guys" are contract "advertisers" for some (probably shady but not proven so) corporations who clog up the internet with crap. Most of "the au
Automatically clicks Unsubscribe links in Spam? (Score:4, Insightful)
Okopipi will automatically click the "opt-out" or "unsubscribe" links contained within the emails and/or report the spam to the appropriate authorities.
I thought that it was generally a bad idea to click unsub or opt-out links in Spam messages since it only server to prove they have a valid email address and the receipient actually reads Spam messages.
Re:Automatically clicks Unsubscribe links in Spam? (Score:2)
So it makes sense for a system like this to
First post to get a clue! (Score:2)
When the spammers' clients have to pay BIG TIME for MY inbox and everybody else's inboxes getting full of spam, that is when I expect spam to dry up.
Until then its all just wanking.
Re:First post to get a clue! (Score:2)
Re:Automatically clicks Unsubscribe links in Spam? (Score:3, Informative)
Re:Automatically clicks Unsubscribe links in Spam? (Score:3, Insightful)
Re:Automatically clicks Unsubscribe links in Spam? (Score:2)
Re:Automatically clicks Unsubscribe links in Spam? (Score:2)
Has anyone heard of that actually happening?
Re:Automatically clicks Unsubscribe links in Spam? (Score:2)
Excuse me, but (Score:1)
The more successful it is, the more the Internet will be too bogged down to be useful to anybody.
Also, if someone programs the botnet's to evolve to attack each other better, we're talking SkyNet right around the corner.
Re:Excuse me, but (Score:5, Interesting)
More like Autobots vs Decepticons, but in the end it's the same thing. The "good" forces won't be a botnet per se, but a loosely aligned group of people doing the same thing, taking on a group with coordinated resources capable of wreaking terrible havok. It's vigilantism to be sure, but until the government of the world actually get their heads out of their butts and come up with a unified and mutually beneficial set of laws to deal with spammers wherever they live, this is the only tool anyone has to even try and slow the spammers down.
Re:Excuse me, but (Score:2)
Re:Excuse me, but (Score:2)
It's not vigilantism. I, the receiver of the email, an entitled to answer it if I choose. I am also entitled to use a piece of software to help decide which mails I'll answer to. If the business model of the sender depends on only 0.1% of his emails beeing answered, that's his problem. My problem is with the one and only email I got from him, to which I can decide to answer or not.
This can be stretched quite broadly from here. I can answer anonymously, I can answer through a pr
Exactly; thank you! (Score:2)
If the spammers were willing to manually type out each spam message and type my address in by hand, THEN it would be balanced when, receiving the spam, I need to manually navigate to the advertised site, find a "remove me" page, and manually type in my address.
Of course they aren't going to do that -- this is the computer age. Computers exist to rapidly accomplish these kind of t
Re:Excuse me, but (Score:2)
I'm interested as well, but it's not going to be many-to-many. Each side will execute many-to-one. *Frog's many against spamvertisers one, multiple times, in a "one response per spam" action. Spammer's many against *Frog's one, in an "as much force as can be mustered" action.
Provided that the spammer's attack can find an appropriate target, and depending on the flexibility of *Frog to make itself a constantly moving target.
The weak link in t
Re:Excuse me, but (Score:2)
Maybe the new clients can make greater use of torrents in their operation (as opposed to simply distributing the client installer via torrent). Example: a "spa
Re:Excuse me, but (Score:2, Insightful)
If the site operator sends out a million invitations to come to his website, and gets a million hits because of that, is it an attack? No. The invitation has 3 options, browse, buy something, or opt out. Automating that process is not an attack. If the operator sends out a million invitations he had best have the bandwidth to accomodate the million potential hi
I am holding out for CrunchyFrog. (Score:3, Funny)
CrunchyFrog explined. http://orangecow.org/pythonet/sketches/crunchy.ht
Before comparing to DDOS, or botnets. Be informed (Score:5, Insightful)
Blue Frog was NOT effective not as a denial of service attack or distributed denial of service attack. It was never meant or designed to be. The Russian spammer said it himself - they never brought down our servers, they only served as "a daily nuisance". The nuisance was this: for every spam that the spammer sent to the some 500,000 Blue Frog members, an automated script (bot) visited the website advertised and filled out the form for snakeoil, home refinancing -- whatever was being hawked. But instead of filling it in with valid input from someone interested in what the website was hawking, it filled it in with a legitimate plea from a single person to Opt-out of being spammed further. With me so far?
The spammer -- or worse, the spammer's client -- in turn, goes to check on their database of people or leads to which they can hawk their snakeoil and generic viagra and low and behold, instead of being filled with legitimate contacts of people they can do business with -- it's filled with hundreds upon thousands of opt-out requests.
Undoubtedly there are real requests from potential business contacts in there. But first they have to filter out all the opt-out requests that Blue Frog has submitted.
Sound familiar? It sure does. It's what we've been putting up with for years. We open our Inbox and instead of seeing email from friends and business associates, we first have to sift through and filter a few gazillion pieces of spam -- each with "Hi How are you?" and "Important Account Information" fake titles. Only then can we get down to the email that's actually sent to us. It's a nuisance.
Blue Frog forced spammers to deal with the SAME NUISANCE they cause us. And the spammers didn't care for it too much. They don't care about opt-out requests, the Internet, what people think of them, possible prosecution --- all they care about is making money and they're making it by the truckload. The fact that Blue Frog actually bothered them enough to use their botnets to attack is VERY encouraging. It means we've found a way to kick them in the ass and make it hurt.
Please don't compare Blue Frog or Black Frog to a DDOS or DOS. As the Russian Spammer demonstrated with his attack, what little network disturbance Blue or Black Frog causes for the spammer or spammer client server pales in comparison to a real attack. Mainly because it isn't meant to be an attack in the first place.
If Black Frog ends up with 1,000,000 subscribers, then lets talk DDOS.
Re:Before comparing to DDOS, or botnets. Be inform (Score:2)
And we know this is true because Russian spammers are known throughout the world for their unassailable truthiness.
Re:Before comparing to DDOS, or botnets. Be inform (Score:2)
Security? (Score:3, Interesting)
"It will be based on a P2P network (the frognet)," according to a posting on the wiki. "On failure to connect it could still opt out given email addresses."
Participants will send reports of spam emails to Okopipi, which will use "handlers", including dedicated servers, to analyse it. To avoid suffering the same fate as Blue Security, Okopipi's staff will not disclose information about its servers.
"Only the Okopipi administrators will know their locations," the group said on its wiki. This should make a DDoS attack "very difficult", it said.
That seems solid, but I wonder how something so open can keep a secret like what and where its servers are. It's beyond me, anyone have more info?
Glad to know... (Score:2)
As far as "poisoning" the black list with a wrong target, who needs to? That would only be an overly complic
Re:Glad to know... (Score:2)
As far as "poisoning" the black list with a wrong target, who needs to? That would only be an overly complicated form of DDoS attack, which can be accomplished much more simply already. It's not something to worry about yet.
Actually, it would accomplish a little more. It would not only attack a target with a DDoS, but also may train DDoS filters to automatically remove DDoS from the same hosts. Thus, it makes the system ineffective against spam for a company from the same link.
T-Bird Plugin? (Score:2)
I have a catchall account for non-valid email addresses in my domain. Everything that goes there is junk. I could have t-bird's junk filter grab it (mostly it does correctly at this point.), and then when I manually delete stuff, perhaps there could be a right-click to mark as frog-food? (about two thousand a day. fun fun.)
My $.02
For the Nth time, we're NOT GOING TO DDOS!!! (Score:5, Informative)
--
Sheesh people! I hate to have to respond to 1,000 comments made by kneejerks who don't even RTFA, saying how terrible it's to DDOS and how the system could be abused.
Do you think we're idiots to let something like this happen?
1. The "attacks" on websites will be moderated. We want to make sure that the force is non-lethal to websites. We haven't discussed the implementations, but the decision has been taken: We will use throttling to PREVENT denial-of-service attacks.
2. The P2P network does *NOT* control the clients, it'll only distribute opt-out scripts for websites. Also, the customer can log out ANY TIME they want. So, NO, it's NOT a botnet.
3. Spammers Don't need P2P networks to initiate an attack. They already have their effective botnets in infected WinXP machines.
4. There will be a reputation system AND a hierarchy system (so not everyone can mod someone down), people will have to earn their trust to classify scripts, those who report wrong sites will be modded down, and the usernames and reputations are permanent. The hierarchy system we're studying requires at least two people acting as an individual before taking any action, to prevent infiltrations.
5. We're already considering infiltration of spammers in our model, we're researching papers written by experts in graph theory and computer science for this. A spammer could at most try to disable the network, but with the currently planned infrastructure, i doubt they can do it.
6. We haven't started to code. We're still discussing (and will continue to discuss) the possible consequences, abuses, attacks and how to prevent them or at least minimize them. We cannot afford to have ANY point of failure.
7. If any wants to cooperate, the google group is open to ideas.
8. And I repeat: we will *NOT* DDOS websites. It's a decision the commitee has taken, and it's a final decision. There have been people who have proposed to DDOS the spammers to death, and we're already shutting them up.
I don't mean to sound like I'm bragging.... (Score:2)
IMPORTANT ANNOUNCEMENT FROM BLACK FROG (Score:5, Informative)
So the official name of the P2P antispam software is now "Okopipi". Please stop naming it "Black Frog" or we could get sued for Trademark Infringement.
Thank you.
(More info on my journal) [slashdot.org]
When is a DDOS not a DDOS? (Score:2, Insightful)
A DDOS is an illegal act. 5 million responses to an invitation is a CAN-SPAM compliant act.
Why do so many people not understand the difference? Is it from ignorance, or from vested interests in spreading spam?
---
nostalgia ain't what it used to be
Re:When is a DDOS not a DDOS? (Score:2)
But an opt-out request is not useless in any way. It's valuable information. In this case, the spammer would see "500,000 people want me to remove them from my mailing list". It's not just traffic.
Re:Uhm... Okopipi (Score:4, Insightful)
As to the fact that it isn't "marketable", who cares. Would anyone have thought google was marketable before they started? If the product is good enough, the market doesn't care about the name.
Re:Uhm... Okopipi (Score:2)
OK, so maybe they should have stuck with Black Frog. It'd probably be even better if it were followed by a parenthetical "of Doom", as in "Black Frog (of Doom)". Now that sounds more like something people should be afraid of.
Re:This is a monumentally stupid idea. (Score:2)
Rather than ignoring it and hoping it goes away, how about suggesting an alternative solution to the problem at hand?
It's not DDoS. (Score:3, Informative)
The few hundred frog subscribers don't have the horsepower to shut down a Web server anyway. They just make the r
Mod parent down! (Score:2)
Re:This is a monumentally stupid idea. (Score:2)
And to the person who said I should suggest something better -- how about a botnet reporting engine to let responsible ISPs know they have compromised machines on their network? O
Re:DDoS of SixApart (Score:2)
Would it be misleading of Blue Security was charged with being responsible for the attack on SixApart?
What about if they were held financially responsible for it?
-david
Re:What Do We Really Want? (Score:3, Funny)
a) Freezing them with fire retardant foam
b) Hack off a few appendages with an axe
c) Drowning
d) All of the above in that order
I think any one will do. Why be picky?