Two weeks ago, I wrote about the demise of Blue Security's Blue Frog antispam service. You recall that the company decided to terminate the service in the face of overwhelming attacks on its servers by spammers. Even after Blue Frog was terminated, the attackers attacked again. I questioned whether Blue Security made the right decision in terminating Blue Frog. Some of you wrote to express your opinions, and I'll share some of those this week, then fill you in on what I think is some good news.
One reader wrote, "I don't know how you \[can\] claim that Blue Frog was 'an incredibly effective method of fighting spam' when it has this kind of outcome. If it was effective, Blue Security wouldn't have had to surrender. An effective solution would have been one where the problem was resolved and no new problems were produced."
I think this opinion is a bit idealistic. Sure, Blue Frog had some problems, but the service did stop spam. Blue Security reported that 6 out of 10 of the world's top spammers completely stopped sending spam to users of Blue Frog.
Another reader wrote "Look, it was a terrible, horrible, miserable idea doomed to failure. Nothing wrong with opting out automatically. Nothing wrong with making spammers lives miserable. \[But there is\] everything wrong with having a 'Do Not Email' list. All a spammer had to do was check his own database against \[Blue Security's\] database and they had all the email addresses of Blue's subscribers."
In response, I'll quote well-known security expert Marcus Ranum, with whom I agree on this matter. Last year, Ranum wrote an extensive analysis of Blue Frog (at the URL below) that included his opinion about its hashed "do not email" list. Ranum wrote, "... there is no evidence that \[spammers\] care about the accuracy of their lists--since it costs them nothing to send the messages in the first place, there is no reason for them to concern themselves with ensuring that their lists are accurate. Furthermore, if the Blue Security registry were used by an offender to improve their recipient list, they would be including in that list a significant number of the honeypot addresses, which would prove the fact that they were intent on ignoring the do not email registry."
Finally, another reader wrote, "Unfortunately, the only ones organized and motivated sufficiently to win this \[cyberwar\] are those with monetary interests in doing so. A spam company, backed by grey market or even criminal enterprises, can devote all its resources to launching and sustaining DOS attacks against Blue Security or any other would-be Blue Frog indefinitely, while Blue Security will eventually need to justify itself to shareholders. Blue Frog demonstrated its effectiveness, and showed us a way to beat spam. But I think that only the formation of free companies, in the sense of mercenaries, will enable our side to continue this fight."
That leads me to the good news. A new open-source project, Okopipi, has been formed to perform the same basic service as Blue Frog. Okopipi will work similarly to Blue Frog, but its overall architecture will be different.
Okopipi (the local name for the South American Blue Poison Dart Frog) will be based at least in part on Blue Frog's code, which was made available as open source prior to the service's demise. However, unlike Blue Frog, Okopipi will use a peer-to-peer model with hidden decentralized servers that will help safeguard against potential Denial of Service (DoS) attacks. Spammers might be able to discover and attack a few nodes of the network, but in theory they won't be able to discover all nodes and thus won't be able to bring down the entire network.
You can learn more about Okopipi, which is just starting to ramp up, at the URL below. If you're a programmer, consider joining the effort to develop the software; if you have design or management talents, consider lending your guidance to those who will take part in the project.
Now just for a second, while keeping in mind that Windows is used on roughly 80 percent of all desktops around the world, imagine that Okopipi were distributed with every copy of Windows. Imagine the impact that those millions of users could have on stamping out spam. Imagine Microsoft philanthropically backing the Okopipi project. Wow, what a great dream.