
Okopipi leaps in where Blue Security left off

By Eric B. Parizo, News Editor
25 May 2006 | SearchSecurity.com


Defeated antispam vendor Blue Security may be no more, but that's not the case for its technology and its spam-fighting hubris.

A new independent group called Okopipi intends to pick up where Blue Security left off by creating an open source, peer-to-peer software program that automatically sends "unsubscribe" messages to spammers and/or reports them to the proper authorities.

Though only a few weeks old, the group is already the product of a merger between the Okopipi team and a similar effort known as Black Frog. Brian Cook, an Okopipi volunteer based in central Florida, said both factions formed on message boards hours after the demise of Blue Security.

The Menlo Park, Calif.-based vendor announced it was shuttering its operations about 10 days ago, after spammers initiated an immense denial-of-service attack against the company in retaliation for its aggressive spam-fighting tactics.

Cook said the group began organizing formally a week ago via wiki and has so far recruited about 160 independent programmers. He said those individuals are already hard at work dissecting the open source code from Blue Security's Blue Frog product, and many are eager to initiate another relentless assault against spammers.

"PharmaMaster -- the spammer who brought down Blue Frog -- was quoted in an ICQ session saying 'Blue [Security] found the right solution to stop spam, and I can't let this continue.' So our method to get spammers to cleanse their lists will be the same: one opt-out message will be posted to the Web site for each spam sent to a member," Cook said via an email interview. "We will also have a review team to ensure the opt-outs are going to the correct Web sites and are sent in the most effective way possible."

Dissecting Okopipi
Cook said Okopipi, named after a poisonous speckled frog found in South America, is not intended to serve as a spam filter, but can be used in conjunction with one. By automatically sending opt-out requests to Web sites referenced in received spam messages, he said it won't reveal users' email addresses, but will tell spammers how to cleanse their lists of Okopipi users.

While still in its early design phase, the software is expected to pull its data from users' spam reports. That processing will take place on client machines and later be sent to a series of main servers, the addresses of which will be hidden to prevent a denial-of-service attack.

Linking the clients with the main servers will be a set of handling servers. Hundreds or thousands of these units -- dedicated machines and Web sites or small businesses donating bandwidth -- will collect spam data and pass it on to a select few handling servers that will periodically open a secure connection with the main servers to upload information. Each distributed client and each handler only communicates with a finite number of handling servers, which is intended to prevent an attacker from taking down the entire system.

"At most, a spammer will be able to take down a bunch of handlers, because each client only knows about a handful of handlers -- when there are hundreds (maybe even thousands) of other handlers serving other clients," said project organizers on its wiki. "We hope that spammers won't be able to take down the main servers, because no one will know about them."
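The resilience claim in the design above can be put in numbers. The following is an added example, not code from the article or from the Okopipi project; it assumes each client is given a fixed number of handlers chosen uniformly at random, and the handler counts used are illustrative only.

```python
import random
from math import comb


def stranded_fraction(handlers: int, known: int, down: int) -> float:
    """Exact share of clients whose every known handler is offline.

    Assumption: each client knows `known` distinct handlers drawn
    uniformly from `handlers`; `down` of the handlers are offline.
    """
    if not 0 < known <= handlers or not 0 <= down <= handlers:
        raise ValueError("need 0 < known <= handlers and 0 <= down <= handlers")
    # A client is stranded only if all of its handlers fall in the offline set.
    return comb(down, known) / comb(handlers, known)


def simulate(handlers: int, known: int, down: int,
             clients: int = 20000, seed: int = 1) -> float:
    """Monte Carlo check of stranded_fraction() with a seeded generator."""
    rng = random.Random(seed)
    # Assignment is uniform, so which handlers are offline does not matter.
    offline = set(range(down))
    stranded = sum(
        offline.issuperset(rng.sample(range(handlers), known))
        for _ in range(clients)
    )
    return stranded / clients


def handlers_needed_down(handlers: int, known: int, target: float) -> int:
    """Smallest outage size that strands at least `target` of all clients."""
    for down in range(handlers + 1):
        if stranded_fraction(handlers, known, down) >= target:
            return down
    return handlers


if __name__ == "__main__":
    total = 1000  # constructed figure; the article says "hundreds or thousands"
    for known in (1, 3, 5):
        frac = stranded_fraction(total, known, 200)
        need = handlers_needed_down(total, known, 0.5)
        print(f"known={known}: 200 down strands {frac:.4%}; "
              f"{need} down strands half of clients")
```

The model covers only the client-to-handler tier; it says nothing about the hidden main servers, whose protection rests on their addresses staying secret.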

Okopipi's warts
Blue Security had been leading its 522,000 users in a counterattack against spammers by flooding them with simultaneous return e-mails. That in turn led spammers to counter with the denial of service that took down millions of other Web sites, including popular blog-host sites TypePad and LiveJournal.

"It's clear to us that [quitting] would be the only thing to prevent a full-scale cyberwar that we just don't have the authority to start," CEO Eran Reshef told The Washington Post. "Our users never signed up for this kind of thing."

But Okopipi users, many of whom are former Blue Security customers, are willing to assume that risk. However, Cook said many core members wish to remain anonymous, so much so that many key organizers aren't revealing their true identities or locations, even to each other.

Richi Jennings, an analyst with San Francisco-based Ferris Research, said the Okopipi concept seems feasible because it seeks to remove a single point of failure, which is what made Blue Security vulnerable to attack. But he said project organizers must ensure that spammers don't infiltrate the effort and plant backdoor programs within the software.

"If I'm going to download the Black Frog application," Jennings said, "I want to be sure that the spammers aren't inserting code into it to use my machine as a zombie."

Martin McKeay, a security professional based in Santa Rosa, Calif., said in his blog that "attack-back" antispam technologies are prone to misuse and abuse, and put users at risk.

"Spammers are going to figure out how to misuse this technology fairly quickly," McKeay said. "All they'd have to do is include bogus information in the unsubscribe links that point to a legitimate site, which would cause the software to flood the legitimate site with unsubscribe traffic."

Jennings admitted that project participants are placing themselves -- and potentially the organizations for which they work -- in spammers' crosshairs because their IP addresses will be easy to expose, but he said that if the effort leads to hundreds of thousands of client users, it may prove too difficult for spammers to lash out against all of them.

Dimitri Alperovitch, principal research engineer for Alpharetta, Ga.-based antispam vendor CipherTrust Inc., said his company supports any effort to combat criminal activity and reduce spam, but questions whether Okopipi can be successful.

"It seems as if the system is based on the assumption that the community can keep the central servers a secret by limiting the knowledge of their locations to only Okopipi administrators," Alperovitch said. "We're curious as to what will happen if the servers' locations get out."

Okopipi organizers are collecting e-mail addresses of those interested in participating, in hopes of giving the project a "quick kick start" once it is ready to debut. It's unclear when the first version will be ready, Cook said, "but with so many developers, it will be a matter of months, not years."

Senior News Writer Bill Brenner contributed to this article.
