Black Frog leaps into fight against spam

Spammers beware--hostile amphibians are once again rising against you.

First there was Blue Frog, a community antispam effort that stopped operating last week after Blue Security, the company that started the project, came under a withering denial-of-service attack.

Out of the ashes comes Black Frog, part of a project that is apparently willing to become a flag bearer in the fight against spam. The project, dubbed Okopipi, is developing the Black Frog antispam software as an open-source project, according to the group's wiki.

"This project aims to become a distributed replacement of antispam software Blue Frog," the Okopipi wiki states. The project merges two separate efforts--Okopipi and Black Frog--that arose after the demise of Blue Frog.

Blue Security waged a sort of do-it-yourself spamming campaign against the spammers. It said that more than 500,000 customers downloaded its Blue Frog software, which automatically sent replies back to mass e-mails. If all of these customers' systems responded, the spammers' systems would be overwhelmed.

But the Web sites of Blue Security and some of the company's partners were knocked out last month by a massive distributed denial-of-service attack. In such an attack, scores of computers try to continuously log onto Web sites, in an effort to overtax the servers.

Okopipi's battle plan is to avoid depending on a centralized server, creating a target too big to be taken out by a single DOS attack.

"It will be based on a P2P network (the frognet)," according to a posting on the wiki. "On failure to connect, it could still opt out given e-mail addresses."

Participants will send reports of spam e-mails to Okopipi, which will use "handlers," which include dedicated servers, to analyze it. To avoid suffering the same fate as Blue Security, Okopipi's staff will not disclose information about its servers.

"Only the Okopipi administrators will know their locations," the group said on its wiki. This should make a DOS attack "very difficult," it said.

The Okopipi wiki said that the Black Frog software will set participants' systems to automatically click the "opt-out" or "unsubscribe" links contained within spam--sending a response to the mailers. The software is still being developed.

Richi Jennings, an analyst at security research company Ferris, said that Okopipi should be careful if it decides to fight fire with fire.

"The project should also take care not to cross the line from legitimate spam complaints to attacking spammers using DDoS-like techniques," Jennings wrote on a posting to Ferris' Web site.

[techguy83]

I wonder how long...

I wonder how long it takes the spammers to bypass this resistance as well.

[Pixelslave]

It's not just about when it will be defeated

The main problem of the DoS fight back approach is not just about when it will be defeated but when it will be compromise to do things that it's not supposed to do. Here's one example, a competitor site reports an e-mail sent by its rival as spam. Will there be anyone evaluating it and determine if it's really a spam? If not, and a DoS attack is lauched, and the rival sues. Who is responsible? Does the open source project's administrator takes the responsibility and releases its users from being sued?

[Tortanick]

Factual errors in this article

Firstly Okpipi is developing Okopipi, not black frog. Black frog was a separate project that merged with us.

Secondly blue frog never attempted to overwhelm spammers, it stopped far short of anything resembling a Denial of service attack and we plan to do the same.

Thirdly if you read read the link to Ferris' Web site. It dose not say our plan is misguided. Only that we need to be carefully. Something we plan to do.

Finally All technically details are subject to change. we're still in the planning stage.

Yours truly, Tortanick - Head of Public Relations for Okopipi.

[KsprayDad]

If you are who you say you are

then please consider keeping the Black Frog name as part of the project...

Since this project requires a critical mass of participants to work the reference to 'frog' will help that penetration grow amongst former Blue Frog users.

Something like Okopipi's Black Frog or
Black Frog by Okopipi would work.

Best of luck.

[Eskiegirl302]

Whatever your doing Tortanick

I hope it works. I had Blue Frog and I really liked that thing. I do everything possible to fight spam. I am getting pretty good at it too. I usually get about 6 spams per day, and I have it figured out that most of them come from the same people. If I can rid of those, I will have it licked. It is too bad that just because you would visit a website from a link, you would get spam. Now I do it a bit different. I never click links anymore. I will google them first. Check out "who is" and then visit if the page has no advertising. I have site advisor and it will tell me. I also use Firefox. I use everything I can possibly think of to stay safe. Prevention before perversion. I also use disposable mailboxes, filters, ect. People should not have to go through all of this, but we do. I now do not have to even look at any ads because of the things I do. I won't either. So anything for sale online, is never seen by me. I don't like commercials on tv, and I don't like ads on websites. I won't do surveys as they get you a ton of spam. I only go to sites on information that I want. I change mailboxes frequently and this seems to be working. No contact, no spam. This is my own way of fighting back. I never give out my personal info online either. Not my name, not my address, and especially not my cc info and ss #. No contact unless I am the one contacting. That is usually by a mail from a disposable box or a phone call to the company. If I find something I want, I will send a money order or western union payment. If a company does not offer you that choice from an online sale, I consider them not private enough and they will lose that sale. I will find someone else. You live and learn. I look at the internet as a WHOLE community. Who I choose to deal with is my business, and the way I choose to make payment is also my business. I do not give anyone my ss#. The social security administration has told me that any company or anyone who ask you for your ss#, does not have the right to ask you. I do not give it! Even when I apply for a job, unless they hire me, they do not get my info. I don't give it. Everyone wants it, but you can find out anything about anyone just by checking it out. Most companies are not careful enough. They put it in their database and the next thing you know, boom! Someone has harvested that database. Your money in the bank could be gone, your identity stolen, ect. So don't even start to defend this. I think there should be a law that companies are not allowed to enter your info into a database. They should keep it in a file in a filing cabinet on paper, and if you ever leave that company, your information should find the shredder. You should be allowed to ask for your files and shred them yourself. Online is just too risky anymore. If the crooks do not have the info, then they cannot harm you. Computers are great, but my info does not go into this box.

I really like anything that comes out security and hope the black frog becomes successful. If it does, I will use it but, this time I will wait a while to see how it fares so I am not installing and unstalling those files. I even promoted blue frog to a lot of people. So this time I want to wait a while to see if it is going to work. I really hope it does and I hope you all got a bit of info on fighting spam in your way too. Better safe than sorry.

Esk

[sandonet]

Clarification from author of story

I'm going to stand behind the story I wrote except for one issue. On review, I agree that I mischaracterized the quotes by Ferris' Richi Jennings at the conclusion of the story. I wrote that he thought the idea was "misguided." We're changing that. I should have just let the readers decide what Jennings thinks. His quote was included in the story. Thanks for reading.

[inachu]

I need black frog!

Now that blue frog is dead My spam has increased by 50%

I would not mind going to jail for homicide if one of those spammers was standing next to me.

[Seaspray0]

Hurrah for Black Frog!

The spammers are only in it for the money and don't care about anything else, including violating the law. Since nothing else has gotten their attention, except overloading their systems the way blue frog did, then I say "Go for it!" Sometimes you have to fight fire with fire.

[jabbotts]

Spam is fundamentaly wrong

Spam is fundamentaly wrong. Spam producers, like virus writers, should have there fingers broken. I don't advicate physical responses too often but in this case the offense they case us unacceptable. I don't mean the budding coder playing with viruses on a closed system or two tech having a geek-off over who can implement the better "surprise" for the other. I mean those that intentionally write viral software and spam for release to public networks.

Spam is not a freedom of speach issue. I get crap in my mailbox everyday delivered by a government postal worker. Fine, at least it's traceable and minimal. Deliverying Spam to my email inbox is a different matter. The Spam is broadcast in a manner that hides the sender and blankets a giant area for barely any cost to the sender. I then have to pay to be notified of the vegrant email (blackberry and such), pay to transfer the vegrant email (cell fees, blackberry fees and/or ISP fees) and loose the time (money being the economic representation of one's time in life) waisted deleting the crap.

Replying to the opt-out link only confirms your email address as "live" for the next Spam dump.

I remember when the only email I got was from someone I knew. I've often though it would be great to be able to trace the person resonsible for the spam in my inbox and flood all there personal email accounts. Better yet, cause a physical feedback through the network and burn out there personal machines. The feedback idea is perhaps more CyberPunk than reality but you get the idea.

I feel for the hotspots and inet cafe's who will inadvertantly get flooded by responses to a Spammer who's used there connection. I hope it convinces them that while providing an open connection to all, they also need to have aproapriate security in place.

The Creator bless you BlueFrog, BlackFrog and the project you've merged with for realizing my dream. Unfortunately in computer security the correct response to an attack is not to counter-hack the attacker and damage there systems back. With Spam a videlanty aproach may be the only solution. Thank you for developing a mediated response to an ongoing problem.

[Caged Anger]

Viva la Frog!

Let's hope this frog packs more of a punch than the last one...its one thing to be a blue frog...

but throw a black, incredable angry frog into the picture and things might get interesting :-D

[206538395198018178908092208948]

Blue Frog Did Not Reply to Spam

The article says that Blue Frog software replied to spam. This is incorrect, as that would generate tons of replies to innocent users whose addresses were faked.

Blue Frog went to the spam-advertised website and posted opt-out requests on any web forms it found.

[lanker45]

Law Suite For Spamers

As a Blue Frog member I agree with the spam issues outlined in this story and want to tell ALL Blue Frog members to pick up the fight... I have to ask this question " All Blue Frog members having advised spamers of their opt-out status, should be able to use the Can-Spam act and file a Class Action Law Suite against the spamers at this point would they not? I am contacting the security firm hired by blue security to ask if the would file suite on behalf of Blues members. Funding would come from Blue Frog members @1 (one) us dollar for those interested into a general fund. If All the frogs members put up a buck thats something like 500,000 us Dollars, what law firm would not want to touch that one????? So I ask All ban togather and kick spam in the ass once and for all, Ita my inbox not theirs......

[mikevieira]

We have the right to fight back

The spammers are constantly breaking the law in every way or form. There seems to be a lot more concern for the spammer then there is for the public. In my opnion Spammers are outlaws who should be prosecuted and sued.

If vigilantiasm is being suggested by the public then obviuosly the law isn't doing its job. I hope we have a way to fight back like we did with Blue Frog I would definetly join. I have no programming skills whatsoever but I am willing to help any which way I can to hit the spammers back.

If they start using Ddos attacks and the laws and governing bodies do nothing again. Like they did with Blue Security then I see no reason that we can't deliver Ddos attacks to the spammers, thier websites and even those zombies they are using.

If people don't care that thier computer is being used as a zombie to cause Ddos attacks then they shouldn't be on the internet. If we knock out thier websites then they will be forced to retreat like Blue Security had to.

If any major company is against this kind of retaliation and says nothing much about the spammers and thier attacks. Then we have to raise questions about those individuals and compaies. Who knows they may be part of the problem not the solution.

Blue Security did the right thing and what they said is true the problem was way too big for one small company. I suspect thier may be a lot more major financing for spam then one suspects.

P2P is the right way to go. An untraceable one would be even batter. If spammers wanna nuke sites lets nuke thier sites. Giving a taste of thier own medicine may be just what we need.

In any regards I am more then glad to help in any which way I can.

[southpawflies]

We have the right to fight back

Just wondering if anything ever came of this project. I, for one, agree that spammers should be hit with everything (to include the kitchen sink!). Spam continues to be a major problem and nothing substantial ever seems to be done to terminate it. I use E********.net and they do not seem to take it very seriously when spam is reported to them. After multiple calls to them (being on hold for a very long time each and every time) I have given up trying to complain. I would be more than happy to become proactive in this fight though.