well, i went to visit pipikaki, the project named as black frog. actually, it’s okopipi, black frog merged with them. they mean well and they will send a response to this blog soon with what they are up to. this is a chat and shouldn’t be taken as more than that.
obviously, this guy has no intentions to destroy the internet, but it’s an interesting
look at how people view the project.
here is a chat i had on their irc channel:
hello
interestingly no one seems to know the fact black frog is not
being used as a name
who calls it black frog?
cnet mainly, and everyone’s copying them
well, red frog will soon show up. don’t feel special. 
red frog?
and 10 other such frogs…
yep 
but here, and now, there is only okopipi
anyway, i think cnet also mentioned the name okopipi - not
for the product, only the project though.
they did
they did
i personally believe the project is doomed to failure, much like
blue security was a complete idiocy to begin with… but who am i to not
let people try?
i posted in the comments a few corrections, but i’m not sure
who to e-mail
well subshine, why do you think so?
hmm
okay, let me put it this way
anyway, what is redmond magazine on - “after spammers cracked
the blue security code, the company decided to shut it down.” (
http://www.redmondmag.com/reports/article.asp?editorialsid=296)
drugs j/k 
even if ddos by itself wasn’t hurting the internet badly
i don’t remember the spammers “cracking” anything in the
client though.
even if ddos didn’t attack the server and whoever is on it, not just
the spammer (in the rare case it’s the spammers server and that they
didn’t move on by the time you attack them)
even if it doesn’t affect the isp
or the internet
you nearly never attack the spammers
they buy 5k domains a day, use one for spam, and throw it away
same goes for ip’s
(servers)
so who do you attack?
further, p2p is just as vulnerable to attack
we don’t go after spammers, far too hard a target. but there
are stationary websites, the ones who advertise by contracting out to
spammers
that’s my 2 cents
we go for them
and blue frog proved it works
these change even faster
nope, they really didn’t
obviously not
they got 6 out of the 10 biggest spammers to scrub their lists
why do every anti spam guy out there say blue security is wrong?
you really believe that?
yep
i will give you a very good reason why they didn’t
they said they “protect their users”, correct?
why were all their customers reporting a drop in spam?
do you honestly believe that?
yes
well, that really happened to me, for instance
first, a list of known anti-spam people is always good for
spammers. second, a list of confirmed addresses is even better. this has
been attempted before
and if it didn’t work who would be willing to work on okopipi
plus, blue security claimed their users are safe, yet they gave
their lists to spammers
they gave encrypted lists
people like you, who want to do good, know their stuff, but don’t
understand the mafia world of spam and the current technology
no, they didnt
see, let me ask you a question
ge-, they didn’t give them the list. they gave list of
hashes. its not the same.
if you are a spammer, and you run a tool that removed addresses from
your list, can’t you see what addresses were removed?
you can
okay, you run the hashes against their hashes, same difference
thats how the spammers got the addresses
yep
but they had those addresses already
ge-, of course. it was very clear to me that this is what they
did.
(spammers)
further, they said that they remove random addresses
and that way are safe from being found out (their users), right?
add random addresses
exactly
now, answer me this
if you are a spammer, and you know that every time you run their
tool, you lose random addresses that may want to get your spam.. would you
run it?
every time you lose more potential customers
if you don’t run it your clients refuse to deal with you
so yes i’d run it
spam is good business
they have clients
those who buy from spammers obviously don’t care about blue security
so why should they?
all the more reason to clean the lists
remove antis and you’ve only got customers left
because bsec put pressure on their clients. (advertisers)
so: 1. they never attacked real spammers, just the internet and
innocent bystanders, and 2. their lists were always compromised to begin
with, and no spammer would use them
in a word, wrong
why is that wrong?
people who pay spammers to advertise are not “innocent
bystanders”
ahh, but these people are the spammers and the mafia. further, their
sites move ip’s even every 10 minutes and a domain every time they make a
spam run. so you never attack spammers, just innocent bystanders and the
internet
maybe you get lucky, sometimes, but the spammer already moved on
thats not true ge-
yes, it is
those sites are stationary
which? where?
or at least, enough of them are for bs to make an impact
i can show moving sites
* newokopipiuser (n=newokopi at 82-70-238-82.dsl.in-addr.zen.co.uk) has
joined #okopipi
can you or bs show stationary sites?
i’m sure spam experts can show static
exactly
i can’t though, i don’t get spam
spam experts - all of them, show bs was wrong
well mailwasher didn’t for one.
show me a second one, and you will get 2 out of 10,000
and the clueless ones at that
all i am saying is
don’t take my word for it
check the facts on your own
i did
and?
blue security was the target of a ddos, its important enough
to be a target
of course
the spammers got pissed and attacked
download.com gave it a good rating
is your purpose to get attacked?
okay, so you do this for a good download rating, making people
believe they are fighting spammers when they are not?
nope, but you said bs would just be going for sites that
vanish too quickly to do anything
or sites that the spammers don’t care about or own
yes
download.com is very hard to rig
download.com is not a spammer nor was spammed that i know of
they offered them for download
if the spammers didn’t care about those sites, why did they
launch a ddos?
do they need a reason?
yes
first, we can’t prove it was the spammers, second, i believe it was
them
they got pissed
ddos uses botnets that can’t be used for making money at the
same time
so they got bs down
i happen to know a thing or two about botnets
proving bs was effective enough to piss spammers
and you can use them for whatever you want
ahh, so your goal is to piss spammers off and get them to ddos the
internet?
nope, thats just proof that bs worked
i am not trying to attack you, i am trying to show you that maybe
you didn’t think this though
through
we did though
so, because you piss someone off you were successful?
apparently not enough, no offence. 
yep
piss someone off and you’ve obviously found a way to affect
them
okay, so if spamhaus goes and says spammers suck, they won’t get
attacked too? 
it’s about who mouths off more.
spammers are secretive, they ignore “mouthing off”
okay, so let’s start a war. we will piss spammers off without
affecting their business, and cause a network wide ddos attack
you have to hit them in the wallet
you obviously don’t know much about spam or anti spam
and even if that were true
no offense, but i’d suggest cluing up
as others less nice than me will ask you these same questions
causing them to rampage across the net would finally wake the
governments up
ahh, so it’s a scorched earth strategy
your goal in this project is to cause the internet to die so that
the government gets involved?
having irc client trouble here. 
that explains your silence
ahh, so it’s a scorched earth strategy
your goal in this project is to cause the internet to die so that the government gets involved?
that’s what i last sent
but i have to go very soon
i wish you guys luck in fighting spammers
thats not the plan
i’m sure you have no wish to destroy the world
its just silver lining on the possible failure of the real plan
hopefully the spammers will utilise the 2 braincells they have collectively and just clean their lists

hit the spammers in the wallet like blue frog did and make them clean their lists
i sent this log to the botnets@ mailing list, let’s see what people think and who they agree with
time to discuss this once and for all.
actually, that’s the one thing i agree on this far
you seem quite in with the spammers crowd
it’s an economic problem, hit them economically
not really
you can google me, my name is in my /whois
as others less nice than me will ask you these same questions
ahh, so it’s a scorched earth strategy
your goal in this project is to cause the internet to die so that the government gets involved?
* ge- has quit (read error: 104 (connection reset by peer))
erm, damn, that client was lagged
yep
* entvex (n=entvex@194.192.108.108) has joined #okopipi
and by the way, repeating something doesn’t make it right. 
hi :d
lol
hi entvex
no, but it was the answer to several different questions
hi entvex
btw ge, this you? http://blogs.securiteam.com/?author=6
yes
* tortanick looks for comment button
* flinty (n=flinty@84.12.79.104) has joined #okopipi

what’s your job with the project?
i been looking at the google groups but i can really get an idea where the project is atm do any one know
public relations
still planning entvex
ok
well then, how would you like to write a response to my blog entry?
you know ge, its normally the job of the one making accusations to prove it
i’d be happy to write one but i think we’ll do it collaboratively 
tortanick: everyone can make accusations
*shrug*
wow ge, couldn’t get it more wrong (@ that blog)
iehm, did you read my conversation with tortanick ?
libel laws, slander laws, it’s illegal to make reputation damaging accusations without proof
we were both talking past each other, quite an interesting log 
it’s not about your reputation. it’s about what you do
what you do, in simple terms..
erm
no i didn’t
and without trying to hurt you, as you guys are trying to also fight the good fight
is stupid and proven wrong
ehm: try reading it, maybe you can prove me wrong
as the accuser though, the legal system says you have to prove it
okopipi will throttle the opt-outs… to make sure we don’t dos the spamvertised
but we’ll try and prove you wrong anyway 
deal
lets get to work ehm
good morning *cough*
morning 

afternoon kork 
that’s what you get for going to bed at 8am
i will post this log, and let’s see what people think. i will mention you guys will send something in to prove me wrong.
lol
5 am? that’s it? geek! 
ok, but this log isn’t what i’d call a reasonable discussion
we were both too sure we were right for one
agreed!
ge: what we’re doing is perfectly legal: one opt-out per spam received…
ehm: times how many?
let’s stop now, and continue this with your response to my blog?
of course
actually, it’s not my blog really, but the author 6 is mine
btw, want to change the news link from black frog to okopipi
or will you leave that for us to point out in our response
i think black frog is your name from now on
and i must be wrong, we will hear their response soon.
gadi evron,
ge@beyondsecurity.com.
Do you have a version of the logs with who said what? It gets hard to read this log. If you could just link to a .txt file where there is no word wrapping that’d be great.
I had to HTML escape the obvious characters. It’s fixed now. My apologies.
allow me to add some extras:


[14:44:26] [o] [journeyman] if you send someone an email and they visit yoursite, it isnt a dos
[14:44:42] [o] [journeyman] if you send 10,000 people an email and they all visit your site, it still is not a dos
[14:45:00] [-] [sunshine] you are right, it’s a ddos
[14:45:12] [o] [journeyman] uhm no
[14:45:26] [-] [sunshine] what’s the definition of ddos?
[14:45:32] [o] [journeyman] so any time you invite a bunch of people to your website it is a ddos
[14:45:34] [-] [atoponce] its requested, so how is it a ddos?
[14:45:43] [o] [journeyman] distributed denial of service
[14:45:53] [o] [journeyman] we arnt trying to deny service to the website
[14:45:59] [o] [journeyman] we are merely trying to complain
[14:46:08] [-] [sunshine] one minute, let me get something done and i will be back?
[14:46:09] [o] [ehm] from google: ddos = “a type of denial of service attack in which an attacker uses malicious code installed on various computers to attack a single target. an attacker may use this method to have a greater effect on the target than is possible with a single attacking machine.”
[14:46:21] [o] [journeyman] 1000 complaints at once is heard a bit more than one complaint
[14:46:52] [o] [journeyman] i am in the military, when i was in tech school we had a problem with our air conditioner, a few people filled out complaints, nothing was done
[14:46:55] [-] [sunshine] 1. you don’t send the complaint to spammers, you send them to hacked machines, hosted websites of regular people, isp’s that were hacked and the internet.
[14:47:01] [o] [journeyman] one day our whole floor wrote complaints
[14:47:08] [o] [journeyman] the problem was fixed that afternoon
[14:47:10] [-] [sunshine] well, then you reached the right people
[14:47:21] [o] [journeyman] sunshine: the websites arnt on hacked machines
[14:47:23] [-] [sunshine] this is rehearsing our earlier log
[14:47:26] [-] [sunshine] let me fix it first
[14:47:35] [-] [sunshine] you obviously don’t know much about what spammers are using.
[14:47:36] [o] [journeyman] they are on legit hosting sites most the time
[14:47:40] [o] [journeyman] i do
[14:47:49] [o] [ehm] sunshine: we’re *not* contacting the *spammers*
[14:47:52] [-] [tortanick] hi again sunshine
[14:47:52] [o] [journeyman] and we arnt complaining to the spammers directly
[14:47:59] [o] [journeyman] we are complaining to the people who pay the spammers
[14:49:08] [o] [journeyman] you obviously dont know what you are talking about sunshine
[14:50:05] [v] [tortanick] yes but be polite about it
[14:50:11] [v] [tortanick] thanks ehm
[14:50:18] [v] tortanick wishes i could keep it post logout
[14:50:56] [-] [sunshine] journeyman, we can’t hold a normal conversation, you’d rather call me stupid than hear me out. tortanick and me may have talked past each other, but we also listened.
[14:51:05] [-] [sunshine] okay, i fixed the blog. check it out and tell me if it’s ok now.
[14:51:11] [o] [journeyman] thats good
[14:51:34] [o] [journeyman] i call people out when they are clueless
[14:51:52] [o] [journeyman] i heard what you said
[14:52:16] [-] [sunshine] well, then i suppose we have nothing much to talk about.
[14:53:02] [o] [journeyman] hey whatever, talk to these guys if you wish
[14:53:13] [o] [journeyman] i have things i gotta go do
[14:54:23] [v] [tortanick] cya
[14:54:27] [-] [sunshine] you are not very friendly, sending a ctcp version out of nowhere. not to mention being completely clueless, and appearing to be an open source project dictatorship.
[14:54:28] [-] [sunshine] oh well
[14:54:40] [-] [sunshine] i will let you guys post your response
[14:54:43] [-] [sunshine] you know my email
[14:54:45] [o] [ehm] uhh
[14:54:47] [-] [sunshine] i’m going back to work.
[14:54:56] [o] [ehm] ‘open source project dictatorship’
[14:54:57] [v] [tortanick] i do ehm
[14:54:59] [o] [ehm] hah
[14:55:01] [-] [sunshine]
[14:55:08] [-] [sunshine] whatever you are, you appear that way to me now
[14:55:14] [v] [tortanick] oh thought you meant you didn’t know his e-mail
[14:55:16] [-] [sunshine] journeyman appeared, and boom, world is over
[14:55:24] [-] [sunshine] regardless - have a very good luck guys
[14:55:25] [-] [sunshine] cya
[14:55:29] [o] [ehm] sunshine: =\
[14:55:46] [sunshine] has left [#okopipi]
[14:55:53] [o] [ehm] because we let a knowledgeable person in our team speak it’s a dictatorship?
“If we invite 10000 people to our web site, it’s a DDoS?”
No, but if you invite them somewhere else, it is.
“Our air conditioning didn’t work” - well, you DDoS’d the right guy without attacking the base, didn’t you?
I walked down the street and a fridge dropped down from a window. Relevance?
““If we invite 10000 people to our web site, it’s a DDoS?”
No, but if you invite them somewhere else, it is.”
which is why you don’t make the system fully automatic but rather only let it send opt outs to sites that are vetted (by people) as being the right site and being safe to send opt outs to…
really, this shouldn’t be such a hard concept to grasp…
Okay:
1. Site does not belong to spammer.
2. Site hosts other sites.
3. Site was likely broken into.
4. Site sits on ISP.
5. If all above is false, spammers or their spammed sites moved on by now, both an IP and a domain.
What’s so difficult to understand?
what’s difficult to understand is why you think it’s so difficult to determine if any of those problem conditions hold true and then not enable blue frog to send user complaints in those cases…
seriously sunshine, i’m not trying to offend you here… but it seems you really don’t seem to get the concept of black/blue frog/okopipi.
stop being so stubborn and get the concept right before you rant on please. (btw, i’m just a reader who came along this site).
correct me if i am wrong, but the opt-outs that are sent by the frogservice go to the advertisers (not the spammers). the advertisers are usually ‘legitimate’ sites, who want customers to visit their site. this is why they hire a spammer that sends out advertisements for them. the opt-outs are sent to these paying advertisers (because they shouldn’t use a spamservice!).
so in short: opt-outs will not go to the machines that are used to send the spam, nor will they go to the domains or ip’s that seem to be the senders. the opt-outs go to the advertised site (which stays on a stable server, else the sent advertisement would be useless).
it could be i myself misunderstood the concept, but i’m sure someone will correct me in that case.
It’s not that you misunderstand the concept, it’s that you are 10 years behind on spam technology and operations.
Kurt: erm, okay, how do I put it.. it happens that the security community is cut in half or even 5 parts about a subject and disagree. In this case Everyone agreed, BS sucks. I can’t put it in any better terms.
Hmm, this chat is taking place with Kurt, in two places:
http://blogs.securiteam.com/index.php/archives/425
this is getting sad… did you actually read my complete comment?
i think it’s not that hard to understand how spam is sent these days… that is not what this is about…
you just seem to fail to notice the difference in the two ‘guilty’ parties that are involved in sending spam…
1. the spammer with his spamsending machines (botnet i assume, doesn’t matter what he’s using).
2. the advertiser, having a ‘legitimate’ site, hiring this advertisement agency (we usually call this agency the spammer as in 1.) to send advertisements to a whole lot of e-mails around the globe (we usually refer to this as spam).
The so called ‘ddos’ (if you would like to call it like that) that blue/blackfrog might start is targeted at number 2, the advertiser…
I’m just curious, what do you not understand in my explanation? And can someone else confirm that this is the way blue/blackfrog works and i’m not misunderstanding that concept?)
–Kurt: erm, okay, how do I put it.. it happens that the security community is cut in half or even 5 parts about a subject and disagree. In this case Everyone agreed, BS sucks. I can’t put it in any better terms.–
well, i guess it’s just too bad that i don’t blindly follow… if the security community says “jump”, you won’t find me saying “how high”, rather i’ll be saying “why should i”…
perhaps you do have a fully thought out opinion on why one complaint per user per spam received by that user is a DDoS or why the human researchers controlling what gets added to the blacklist (blue frog essentially worked off a catalog of known bad sites) is an insufficient safeguard against bad things happening to good people - but if you do have such an opinion you don’t seem to be expressing the reasoning here…
sometimes writing the answer down isn’t enough, sometimes you have to show your work too…
Okay, I want to see BS’s work. I know how spammers work, now - don’t take my word for it. Go clue up and then I’d be happy to resume this lil chat.
everyone else is being too nice to you sunshine, you are an idiot. plain and simple
irc is for losers
sunshine, i’m still waiting for your response at circle id linked to below.
you say that everyone knows that spamvertised sites are hosted by responsible isps and webhosts and “in this case everyone agreed, bs sucks.” that’s nonsense. certainly some people believe that, but what circles are you in where everyone believes this? certainly not maawg or marid. certainly not nanae/nanabl (i don’t even have to look to know the answer on that one.) certainly not spam-l. it’s only true among the dma, emarketersamerica or some similar mainsleaze ‘coalition’.
If they do use some service they buy, it’s still a DDoS. On the server’s other clients, on the ISP, and on the Internet. Plus, the Time to Live for it won’t be very long regardless of any attack.
Example taken from real spam received on May 31st.
Site: tormaza.com
It resolves to 61.188.39.20, which belongs to China IP range.
According to public whois data, the domain creation date is 2006-05-30, or just 1 day before I received the spam.
So, this advertisement does not “[stay] on a stable server”. I can post 38 other similar examples received just today at just one of my email addresses.
“If they do use some service they buy, it’s still a DDoS. On the server’s other clients, on the ISP, and on the Internet.”
responding (sending opt-outs) to incoming traffic (spam) on a one-to-one basis is not a DDoS…
if you hire someone to send a million messages on your behalf you need to be prepared for a million responses, and if you aren’t it’s not the fault of the people responding…
“If they do use some service they buy, it’s still a DDoS. On the server’s other clients, on the ISP, and on the Internet. Plus, the Time to Live for it won’t be very long regardless of any attack.”
I cannot say about other countries but in the US under the Can-SPAM act advertisers HAVE to have an opt-out feature. What the okopipi project is doing is allowing users on an individual basis (1 email per spam) the ability to opt-out of those lists. If the spammer is smart they would just clean their lists and the opt-out requests would stop.
To be a DDoS attack the project would have to intend to bring down the site. If the advertisee’s server cannot take the load of a portion of those they advertised to loading the page and filling out a form, that is poor planning on the part of them and not any malicious intent of the okopipi project.
more than that, to be a DDoS attack (or even a DoS attack) perpetrated by the clients, those clients would have to be initiating communication, not responding to it… the system in question here responds to spam (albeit not through the same channels the spam comes in on since the purported starting point is often forged/unreachable)…
sunshine, you call yourself a security expert? you sound like a little playground know-it-all. give it a rest, will you? it is clear that you dont know what you are talking about. half your responses are nothing more than you stroking your own ego.
one of your first comments in the chat is
” i personally believe the project is doomed to failure, much like
blue security was a complete idiocy to begin with… but who am i to not
let people try?”
and then you go on to cry about journeyman treating you with the same contempt? can you spell hypocrite?
your holier-than-thou attitude offended me from the first comment you made. by the end i was entirely sickened by your retarded attitude.
what you don’t seem to understand is that the purpose of blue security and the purpose of okopipi is not to ddos, you dolt. it’s to fill out opt-requests and possibly to poison their purchase order database.
get it through your tiny skull - nobody is trying to ddos the spammers!
that means your diatribe about spammers registering 5k domains and moving by the time you decide to ddos them is not only moot, but it proves that you just have your head up your ass. who cares if their ip moves every nanosecond? there has to be a place for potential buyers to place an order right? well, what do you know… there’s the place that the opt-out requests and fake order forms are sent to! the ip addresses have to stick around long enough to allow orders to be placed, and if they happen to sport one of those newfangled “domain names”, then obviously it doesn’t matter if they change the ip.
your talk of innocent bystanders is equally stupid. if anything, the ddos launched by the spammers was what caused any collateral damage.
here are some nice snippets showcasing more of your combative, arrogant attitude:
” you obviously don’t know much about spam or anti spam”
” i happen to know a thing or two about botnets”
“[sunshine] you obviously don’t know much about what spammers are using.”
” as others less nice than me will ask you these same questions”
that last one is pure gold. so far, you seem like one of the biggest assholes on the internet that i’ve ever seen. can’t be too many out there that are “less nice” than you.
here is another gem:
” it happens that the security community is cut in half or even 5 parts about a subject and disagree. in this case everyone agreed, bs sucks. i can’t put it in any better terms. ”
please back that up with some kind of proof. just running around shouting something doesn’t make it true, and it doesn’t make your case any stronger. oh yeah… and it makes you look like even more of a jackass.
to use another one of your catch phrases that nobody else has ever heard before… “clue up”.
I’m just a random passer-by and found “ge-”’s comments in the IRC chat to be most unhelpful. There’s no use claiming a superior position based on authority to an audience who wants to understand the reasoning behind it, unless you’re going to share that reasoning. To do this properly you must first understand the listener’s framework and ideas, then present your reasoning in terms of that. And you can’t be over-confident, because this will make you unable to respond adequately to problems with your presentation and reasoning. Your comments remind me of other claimed experts I’ve encountered on IRC, who each constantly change the subject and periodically appeal to authority. Heh, and IRC sucks donkey nuts. What a fucking waste of time.
Everyone knows that spamvertised sites are hosted by responsible ISPs and webhosts and “In this case Everyone agreed, BS sucks.” That’s nonsense. Certainly SOME people believe that, but what circles are you in where everyone believes this? Certainly not MAAWG or MARID.
wow, sunshine aka sunshine — can’t believe i wasted my time reading your stupid irc log. you sound like one of those people that take the opposite side of any topic, regardless if that is your true stance, to look edgy and “against the norm”. your a retard bro.