Last week we posted about Spam closes web security firm where I posted the following:
Sighâ€¦.such a sad thing.
We will be watching to see what will come out of the ashes on this one â€¦ I understand that it was the responsible thing to do at this point, too many innocents were getting hurt in the process of the fight, but I canâ€™t help but think there may be a Phoenix in the making.
Eran Reshef, good luck in whatever endeavors you do in the future.
Well, it certainly looks like we are seeing an open source Phoenix in the making … Okopipi (some calling it Black Frog) is in development as a distributed, open source project. Here’s their Okopipi project wiki. It would appear that — like the real life Okopipi (dendrobates azureus) — Okopipi software hopes to be a poison dart to spammers. Cute play on words.
Okopipi maintains, “Okopipi will be a free open source project. Users should never have pay to use this service, although donations will be appreciated.”
From the Okopipi wiki FAQ:
What is Okopipi?
The purpose of Okopipi is to reduce the amount of spam received by users. This is not a spam filter, although it may be used in conjunction with one. Okopipi’s goal is to stop spam from being sent to users.
Okopipi will automatically click the “opt-out” or “unsubscribe” links contained within the emails and/or report the spam to the appropriate authorities.
They outline how they intend to do this in their Project Description.
Apparently, due to an earlier client project (theirs or someone else’s) at SourceForge called BlackFrog (now returns an internal error), some have dubbed Okopipi (sourceforge project link) Black Frog (CNET) and let the cat, errrr, frog out, of the bag on May 24th. There is an interesting discussion on the naming of the client here here at Okopipi’s Google Group discussion area. For the client software, I personally hope they go with something like BFH (short for Blue Frog AND or other imaginative words, and Hammer), Speckled Frog, or even keep Okopipi (because folks will know what it is soon enough) — or anything — other than Black Frog (which definitely brings a foreboding and negative connotation and would concern many just because of the name), IMHO.
Okopipi will be based on a P2P style distributed frognet.
The biggest concern I think for anyone who might be considering using Okopipi would be one of the now defunct Blue Security’s reasons for stepping down from the fight which was two-fold if I understood it correctly. Blue Security had noted, (1) they didn’t wish to be party to an all out Internet War with innocents being hurt by the attacks by Pharmamaster (ie, innocent bystander websites/hosts who had anything to do with Blue Security or their backbones/providers). (2) concern that Pharmamaster would carry through on the threat of reverse engineering the Blue Frog client code to send viruses to all the users of the Blue Frog client and thereby crippling their computers (and/or worse, cause them to become part of their botnets).
I think the first concern may have been dealt with by going P2P distributed, but the second concern would still be there. Certainly they will be quick to fix any vulnerabilities that are found, but quick enough? I sincerely hope they are looking at that side of things very closely.
It is clear to see that many people are so fed up with spam from the discussions that some people were actually suggesting that Okopipi use reverse DDoS instead of the ‘one for one’ replies (NOTE: Blue Security and Okopipi maintain one-for-one opt out requests per spam received is fair, but neither would go any further than that — as is only right. Okopipi indicated that they would throttle down if they saw a need to do so as well). Okopipi maintains they will do only what is legal. They even go so far as to show what countries are clear on allowing opt outs and which ones are fuzzy about it or where it’s not understood how a country stands on it. Lots of interesting discussion going on to be sure.
Ferris Research also posted on Okopipi: The Blue Frog Is Dead — Black Frog Rises From Its Ashes Bulletin where Richi Jennings states after having chatted with the folks in their IRC channel:
If the new project is not to be as vulnerable to malicious attack as Blue Security was, it will need to be highly decentralized, so there is no single critical resource that can be attacked. The project should also take care not to cross the line from legitimate spam complaints to attacking spammers using DDoS-like techniques — this was an early accusation leveled against Blue Frog.
It certainly looks like the fight will continue. We will have to wait to see how things develop.
Good luck Okopipi.