Black Frog (okopipi): next generation botnet. No generation spam fighting.

black frog – a new effort to continue the so-called blue security fight against spammers. a botnet, a crime, a stupid idea that i wish would have worked.

news items on black frog.

blue frog by blue security was a good effort. why? because they wanted to “get spammers back”.

they withstood tremendous distributed denial of service (ddos) attacks and abuse reports, getting kicked from isp after isp.
they withstood the entire anti spam and security community and industry saying they are bad.

the road to heaven is filled with good intentions. theirs was golden, but they got to hell, quite literally, nonetheless.

they did not hurt any spammer (okay, maybe one), as their attacks reached servers spammers already moved from, domains spammers already dumped for the sake of thousands of other bulk-registered throw-away domains and so on.

their attacks did reach hacked machines which hosted other sites. their attacks reached isp’s with other users and their attacks hurt the internet as well as these other legitimate targets.

blue security also got a lot of pr, good and bad, but they were not here first. lycos europe with their “make love not spam” effort was. isp’s globally nullrouted that service, as it was indeed, much like blue security’s, a ddos tool by the use of a botnet. a botnet in this case being numerous computers controlled from a centralized point to launch, say, an attack.

lycos europe soon realized their mistake and took their service off the air. blue security had 5 million usd of vc money to burn, so they stayed.

even if they did reach spammers with their attacks (which they didn’t), they would still hurt so many others with the attacks, and the internet itself. when blue security came under attack they themselves said how ddos attacks are bad, and their fallout hurts so much more than just their designated target.

that said, who is to determine said target?

when blue security went down, some of us made a bet as to when two bored guys sitting and planning their millions in some café would show up, with blue security’s business plan minus the ddos factor. well – they just did.

thing is, a p2p network is just as easy to ddos. it has centralized points.

it is, indeed, a botnet.

i want to kick spammer behind too, but all i would accomplish by helping these guys is performing illegal attacks and hurting the internet as well as innocent bystanders.

this business model will not last. it will get pr, but it will not be alone. 10 other efforts just such as this will follow. now that black frog made their appearance – sooner rather than later.

how long is this journey of folly going to continue? any service provider which hosts them is as guilty of the illegal ddos attacks as anyone who signs up with them.

the way to kick spammer behinds is to, plain and simple, put them in jail. i.e., change the economics. make it more risky and less cost-effective for them bad guys to spam.

stop black frog now.

i will keep updating about this latest useless harmful project on the blog where this is written,

gadi evron,

  • AnonEcon

    I don’t know if this was your intention but the News link points to the Hebrew version of Google News.

  • sunshine

    Would show the same thing, but thanks! :)

    Fixed now.

  • kurt wismer

    blue frog wasn’t a DDoS any more than it would have been a DDoS for all the people getting spammed to go to the spammer’s site and complain… blue frog automated the complaint process – one complaint per spam… and the sites that it complained to were first researched to ensure they weren’t hosted on compromised machines…

    marcus ranum has a much different analysis of the blue security effort than this one…

  • sunshine

    Show me two others who are serious security or anti spam folks, and I will eat my hat.

    MJR is a very interesting and smart guy, and he makes me think. That said, no one in the industry nearly ever agrees with him. Ever.

    I still find him more of an interesting read than most.

  • kurt wismer

    ok, then let me ask you this – does his description of how their service worked contain any factual errors?

    because if not then it truly is no more of a DDoS than if each affected spam recipient went to the marketed site and complained individually…

    further, and more obviously, the counter attacks (the DDoS against blue security, the mail bombing of their customers, etc) would not have occurred if the system wasn’t having an effect on the spammers…

  • aviram

    Marcus’s analysis is very detailed and it’s obvious he put a lot of thought into it. However, he does have a few holes in his logic.
    Consider the following scenario:

    A (real) spammer who hates our web site spams an advertisement for The advertisement is sent to his entire spam mailing list including Blue Security’s spam traps.

    Blue Security verifies the spam mail manually (well, it is a spam mail after all) and sends a query to us. Alas, the query gets lost, filtered, or goes unanswered since our entire team is out in Hawaii catching waves for a couple of weeks – remember, we didn’t plan on anybody contacting us, since we didn’t actually send the advertisement. Or maybe we just don’t feel like answering. Why should we? We’re an innocent 3rd party here.

    The complaint is now marked as ‘unanswered’, and guess what? Our spammer keeps spamming an ad for our web site again and again. More complaints mount up. After the grace period is over, Blue sends their entire botnet after us and we come back from Hawaii only to discover our web site down after being bombarded with hundreds of thousands of posts, possibly filling up our mail queues and causing data destruction when the logs fill up. What did we do to deserve this? Absolutely nothing. How easy is it to ‘joe job’ someone you hate like that? Very easy – you just need a spam list or a little money to pay someone to send it for you.

    Second scenario that Marcus is ignoring:
    I have a spam mailing list that is a bit old and I’m not sure which emails are still valid. My spamvertisers won’t pay me much because I can’t guarantee delivery.
    Well, I’ll ask Blue for their ‘scrub’ list, and compare it against my own (yes, sure, using MD5s and whatnot. Still, the comparison works since I have a list myself). The result is a list of 100% validated emails. I can charge more from my customers and not waste time sending emails to unverified addresses. Thank you Blue Security for the cool validation service!

    Marcus gives a lot of credit to Blue Security’s human being ability to detect fraud. Well, as smart as those people are, they are still human – and humans make mistakes (was your domain ever blacklisted by mistake?). In this case, the mistakes damage someone else. Well, sorry – that doesn’t work for me.

  • kurt wismer

    scenario 1 involves an entire organization being completely unavailable for the entire grace period and also assumes a great deal about how blue security tries to communicate with them and how they interpret the responses…

    scenario 2 ignores the fact that sending spam to those blue security verified emails will have consequences that the average vendor would not appreciate…

  • aviram

    Kurt, are you trying to custom-tailor scenarios where Blue Frog works? I agree those exist. The argument is that there are scenarios where Blue Frog doesn’t work, and actually does damage. Since I can be the one caught in the crossfire (remember: you’re telling me if I don’t get back to Blue Security regarding a false report within 10 days my website might be DDoS’d) I would not want to see these types of initiatives, regardless of how good it makes us all feel to hit spammers in the nuts.

    Some more interesting reading material in Larry Seltzer’s column:,1895,1967417,00.asp

  • sunshine

    For more discussion on this (with Kurt too):

  • kurt wismer

    –Kurt, are you trying to custom-tailor scenarios where Blue Frog works? I agree those exist. The argument is that there are scenarios where Blue Frog doesn’t work, and actually does damage.–
    since blue frog didn’t send complaints to everyone, only to those blue security deemed it should, it seems to me that it’s entirely possible to avoid most if not all of those situations where it might actually do damage…
    –Since I can be the one caught in the crossfire (remember: you’re telling me if I don’t get back to Blue Security regarding a false report within 10 days my website might be DDoS’d)–
    again, you’re making assumptions about how blue security tries to contact people when researching a possible spamvertised site and how they interpret the responses… while they COULD just go ahead and add you to the list if they don’t hear back from you, that’s only one of the possible things they could do…

  • sunshine

    Okay, I want to see BS’s work. I know how spammers work, now – don’t take my word for it. Go clue up and then I’d be happy to resume this lil chat.

  • kurt wismer

    nice – so instead of explaining your reasoning you just tell people to get a clue…

    you’ve called blue frog a botnet even though it acts on the clients’ wishes rather than those of a central controller…

    you’ve called its effect a DDoS even though it’s just a one response per message system (not unlike ping)… yes you can perform a denial of service that way, however the blue frog clients are not initiating the traffic, they’re responding to existing traffic… if i get a million ping responses from a million different machines, those million machines aren’t DDoSing me, they’re just responding to pings that were sent by me or someone posing as me…

    and you have completely missed the point that the complaints it sends don’t go to spammers and were never supposed to go to spammers but instead to the spammers’ customers – the people who hire the spammers and give them money (the only time it might hit spammers directly is when spammers are spamming about their own products)…

    so far all you’ve said to back up your assertions is all the security experts agree – well, congrats on employing the logical fallacy of argumentum ad numerum…

  • sunshine

    Everything you have said is wrong. We can’t agree. If you believe you are right, ok. However, if you want to check your facts, you will discover every single point is inherently wrong.

    I want to chat with you further, but the facts about spam, spammers, and DDoS are out there, just try and see what they are.

  • kurt wismer

    “You do not really understand something unless you can explain it to your grandmother” – albert einstein

    if the facts are out there then back up your argument and present them…

  • sunshine

    Kurt, how about you write a rebuttal in a blog here? email me if you are interested.

  • kurt wismer

    thanks but i already have my own blog… people can read my rebuttal there

    thanks for the idea though…

  • Ya’akov Yehudi


    You have made quite a few errors of fact in this blog posting – can’t you just admit it? :-)

    Blue Frog (and similar) are not DDoS attempts – they utilized ONLY perfectly LEGAL channels which were setup by government specifically to fight against spam.

    Blue Frog did not “attack” ANY ISP or ANY internet site. It was the spammers who performed the DDoS – as you even said yourself! (Third paragraph)

    You claimed that “the entire anti spam and security community and industry” said Blue Frog was “bad”. But this was untrue also – as you MUST know, many people supported Blue Frog. Surely you cannot ignore such a distinguished security professional as Marcus Ranum (a “father” of the firewall) – and he is just one of many!

    Black Frog (okopipi), is not a “botnet” by ANY legitimate definition of the word. As a security professional you certainly know this – why are you misrepresenting the term?

    Nor is Black Frog a business – it is an open community project. How then do you come to claim that their “business model” will fail?

    It is the spammers who are “The terrorists of the internet” – not those who use legal means to combat them!

    The sort of slipshod work you have presented here in your blog is not acceptable from a security professional who wants to be taken seriously. You fail to provide a rational, scientific explanation for your outrageous claims – some of which are manifestly untrue.

    Your post looks to me more like sensationalist FUD journalism than the efforts of a reputable computer scientist. Please THINK before you post!

  • sunshine

    Thank you for your valuable input, Yaakov.

  • Grantolio

    Latest statistics I recall show that spam is past 50% of all email traffic. The author’s desire is everyone’s real dream – put these guys in jail. But with 200 countries around the world to base a spam-attack from, it’s evident that this goal is years away from being realized.
    I _used_ to spend a lot of time with spam, and contacting ISP’s who had trojanned machines. Then one year ISP’s stopped caring. I could write, email, phone – “it’s in the queue, thanks for calling”

    According to several of blue security’s members, they had a 40% drop in their personal spam. Not surprising that the first ever attempt to seriously ‘fight back’ failed – these are professional spammers. And for any first attempt, easy to find fault with.

    But if you can tell me a way to drop my spam by 40% without changing my email address, I’ll stop looking at progress in blackfrog!

  • Yeah hi

    sunshine wrote:
    “the road to heaven is filled with good intentions. theirs was golden, but they got to hell, quite literally, nonetheless.”

    wtf? the phrase is “the road to hell is paved with good intentions”. your version doesn’t make any sense at all. you probably also say “for all intensive purposes”, too.

  • Gavo

    This article was poorly written and poorly informed. Read like the rant of a middle-schooler.