From the Ashes of Blue Frog

The Blue Frog may be no more, but the vigilantes live on. It seems that despite the death of Blue Security in the face of a spammer’s wrath, the service has built an appetite for fighting back. Eric B. Parizo of SearchSecurity.com reports on a new independent group called Okopipi who intend “to pick up where Blue Security left off by creating an open source, peer-to-peer software program that automatically sends ‘unsubscribe’ messages to spammers and/or reports them to the proper authorities.”

Okopipi has already merged with a similar effort known as Black Frog and has recruited about 160 independent programmers, who are dissecting the open source code from Blue Security’s Blue Frog product. The idea seems to be the same: by automatically sending opt-out requests to the Web sites referenced in received spam messages, the software over-burdens the spammer’s servers (or those of the product he’s advertising) as a deterrent and an incentive to register with Okopipi. By registering, he can cleanse his spam list of Okopipi members.

Some tweaks seem to be under consideration: Processing will take place on users’ machines and then on a set of servers which will be hidden to try to prevent the kind of denial-of-service attack that brought down Blue Frog.

Possible problems: I noticed that some of the half million (quite a feat, when you think about it) Blue Frog users were quite, shall we say, passionate about the endeavour. These are the kind of folk now switching to Okopipi. This, then, could become an all-out war in which a lot of innocent bystanders get burned. The Internet is a holistic thing; if Denial of Service attacks proliferate, it may affect the speed and accessibility of a lot of other parts of it, as the Blue Frog experience revealed. (TypePad was inaccessible for several hours.)

Another worry: Richi Jennings, an analyst with San Francisco-based Ferris Research, points out in Eric’s piece that project organizers must ensure that spammers don’t infiltrate the effort and plant backdoor programs within the software. “If I’m going to download the Black Frog application,” Jennings said, “I want to be sure that the spammers aren’t inserting code into it to use my machine as a zombie.” I guess this would happen if spammers signed up for the service and then fiddled with the P2P-distributed Black Frog program.

Another problem, pointed out by Martin McKeay, a security professional based in Santa Rosa, Calif., is that spammers will quickly figure out that the weak link in all this is that it rests on the idea of a legitimate unsubscribe link in the email, and that spammers will just include a false link in there. Actually I thought the link Blue Frog used wasn’t the unsubscribe link (which is usually fake, since if it weren’t, it would pull the spammer back within the law) but the purchase link. How, otherwise, would folks be able to buy their Viagra?

One element I’d like to understand better is the other weakness in the Blue Frog system: that however the process is encrypted, spammers can easily see who the members of the antispam group are by comparing their email lists before and after running them through the Blue Frog/Black Frog list. Any member who is on the spammer’s list will now be vulnerable to the kind of mass email attack that Blue Frog’s destroyer launched. How is Okopipi going to solve that one?
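To make the membership-leak concrete, here is an added illustration (not code from the post, Blue Security or Okopipi) of why hashing or otherwise obscuring the do-not-intrude list does not help once a spammer is allowed to filter his own list through it. The hashing scheme, the sample addresses and the list sizes are all assumptions constructed for the example; the only point is that a set difference before and after cleansing reveals exactly the members, and that anyone holding the hashed list can also probe individual addresses against it.

```python
import hashlib


def address_hash(email: str) -> str:
    """Hash an address the way a 'do-not-intrude' list might be published.
    (Assumed scheme: lower-cased, SHA-256; the real list format is not known.)"""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def build_dni_list(members):
    """The anti-spam group publishes only hashes, never the plain addresses."""
    return {address_hash(m) for m in members}


def cleanse(spam_list, dni_hashes):
    """What a registered spammer does: drop every address whose hash is on the list."""
    return [addr for addr in spam_list if address_hash(addr) not in dni_hashes]


def infer_members(before, after):
    """The leak: whatever vanished during cleansing is, by construction, a member.
    Returned sorted so the result is deterministic."""
    return sorted(set(before) - set(after))


def probe_membership(candidates, dni_hashes):
    """Hashing does not help either: anyone holding the list can test a guessed address."""
    return sorted(c for c in candidates if address_hash(c) in dni_hashes)


# Constructed sample data (not real addresses or real lists).
MEMBERS = ["alice@example.org", "bob@example.net", "carol@example.com"]
SPAM_LIST = ["alice@example.org", "dave@example.com", "Bob@Example.net", "erin@example.org"]

DNI = build_dni_list(MEMBERS)
CLEANSED = cleanse(SPAM_LIST, DNI)      # -> ['dave@example.com', 'erin@example.org']
EXPOSED = infer_members(SPAM_LIST, CLEANSED)  # -> ['Bob@Example.net', 'alice@example.org']

if __name__ == "__main__":
    print("cleansed list  :", CLEANSED)
    print("exposed members:", EXPOSED)
    print("probe result   :", probe_membership(["carol@example.com", "dave@example.com"], DNI))
```

The mitigation question the post raises is therefore not about encryption at all: as long as the spammer receives a filtered copy of his own list, or can test addresses against the published list one at a time, the members on that list are identified. Only a design in which the spammer never learns which of his addresses were removed (for instance, the list being applied by a party he does not control) closes the gap, and even then the members who stop receiving spam can be inferred over time.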

26. May 2006 by jeremy
Categories: Malware, Security, Spam | 2 comments

Comments (2)

  1. Don’t worry, we’re tackling all these issues.

    * Regarding DOS attacks, we’re redesigning the network to make Okopipi as distributed as possible so it won’t depend on a single ISP to track down.

    * As for inserting code, we’re careful about admitting people into the dev team. We will use an auditing system to split the tasks between designers and implementors; the implementors will be carefully monitored.

    * As for handling fake spam directing to “nice” websites, we will take the following measures:

    a) include IP and domain filters to ensure innocent parties won’t be harmed. The software will connect to the IP addresses, and any redirections will be compared against the IP ranges given. All redirections towards a third party will be ignored.

    b) All scripts will be signed with the administrators’ public keys, so it will be impossible to have a client opt-out at an innocent site.

    c) We can also publish whitelists, then again, with IP address ranges.

    * As for the do-not-intrude list, we’re still discussing that one. But then again, don’t spammers have the people’s e-mails already?

    * Finally, and this is the greatest issue to tackle – existing botnets. THESE are the real weapons used by spammers to launch DOS attacks and spread spam. And guess where they’re located? Right in front of our noses! In Uncle Bob’s, Granny’s or Little Tim’s infected computer.

    That’s right – spammers are attacking us with OUR OWN weaponry, and we don’t even know it!

    I’d like to remind people that having antivirus software on their machines and scanning them regularly is an OBLIGATION for any user connected to the internet. Most spam is sent by botnets running in these computers – I’m sure that if every Windows user scanned and cleaned his machine, we wouldn’t have to worry about spam and DOS attacks. I’m still amazed nobody has given that issue enough coverage yet.
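The commenter’s measure (a) above, an IP-range allow-list applied to every redirection so that a forged link cannot steer opt-out traffic at an innocent site, is the kind of control worth looking at in isolation. The following is an added example (not Okopipi’s code, whose design is only sketched in the comment) of that check: every hop in a recorded chain of redirects must resolve into an administrator-published range, and a chain with any hop outside those ranges is ignored entirely. The ranges, host names and the table standing in for DNS resolution are all constructed so the example runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list: ranges the administrators have vouched for (hypothetical values).
ALLOWED_RANGES = [ipaddress.ip_network(r) for r in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed stand-in for DNS so the example is self-contained; a real client would resolve.
FAKE_DNS = {
    "shop.spam-example.test": "203.0.113.10",
    "cdn.spam-example.test": "198.51.100.7",
    "innocent-blog.example": "192.0.2.44",
}


def resolve(host: str):
    """Return the address a host name points at, or None if it cannot be resolved.
    Literal IP addresses are accepted as-is (a forged link may well use one)."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    ip = FAKE_DNS.get(host.lower())
    return ipaddress.ip_address(ip) if ip else None


def host_permitted(url: str) -> bool:
    """True only if the URL's host resolves into one of the published ranges.
    Unresolvable hosts and hosts outside every range are rejected."""
    host = urlsplit(url).hostname
    if not host:
        return False
    ip = resolve(host)
    if ip is None:
        return False
    return any(ip in net for net in ALLOWED_RANGES)


def final_target(redirect_chain):
    """Walk a recorded chain of Location hops (first URL to last).
    Return the last URL only if every hop stays inside the allowed ranges;
    otherwise return None so the whole chain, third party included, is ignored."""
    if not redirect_chain:
        return None
    for url in redirect_chain:
        if not host_permitted(url):
            return None
    return redirect_chain[-1]


if __name__ == "__main__":
    print(final_target(["http://shop.spam-example.test/buy", "http://cdn.spam-example.test/landing"]))
    print(final_target(["http://shop.spam-example.test/buy", "http://innocent-blog.example/"]))
```

Two details matter for the control to mean anything: the check is applied to the address the host actually resolves to, not to the host name in the link (a spammer controls the name, the allow-list controls the ranges), and a single disallowed hop discards the chain rather than just that hop, so a permitted site cannot be used as a stepping stone to a third party. Measure (c), published whitelists, is the same comparison with a second set of ranges.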

  2. P.S. The official name of both the software and the project is “Okopipi”. There is NO black frog. It disappeared when the projects merged.

    P.P.S. Don’t trust further e-mails claiming to be from the Okopipi team – the e-mail addresses could as well be forged by spammers trying to discredit us.

    Thank you.