Black Frog: Next Generation Botnet, No Generation Spam Fighting

By Gadi Evron

Black Frog — a new effort to continue the so-called Blue Security fight against spammers. A botnet, a crime, a stupid idea that I wish would have worked.

Blue Frog by Blue Security was a good effort. Why? Because they wanted to "get spammers back". They withstood tremendous DDoS attacks and abuse reports, getting kicked from ISP after ISP. They withstood the entire anti-spam and security community and industry saying they were bad.

The road to hell is paved with good intentions. Theirs were golden, but they got to hell, quite literally, nonetheless.

They did not hurt any spammers (okay, maybe one), as their attacks reached servers spammers had already moved away from, domains spammers had already dumped in favor of thousands of other bulk-registered throw-away domains, and so on.

Their attacks did reach hacked machines which hosted other sites. Their attacks reached ISPs with other users, and their attacks hurt the Internet as well as these other legitimate targets.

Blue Security also got a lot of PR, good and bad, but they were not here first. Lycos Europe with their "make love not spam" effort was. ISPs globally null-routed that service, as it was indeed, much like Blue Security's, a DDoS tool built on a botnet. A botnet in this case being numerous computers controlled from a centralized point to launch, say, an attack.

Lycos Europe soon realized their mistake and took their service off the air. Blue Security had 5 million USD of VC money to burn, so they stayed.

Even if they had reached spammers with their attacks (which they didn't), they would still have hurt so many others, and the Internet itself. When Blue Security came under attack, they themselves said how bad Distributed Denial of Service (DDoS) attacks are, and how their fallout hurts so much more than just the designated target.

When Blue Security went down, some of us made a bet as to when two bored guys sitting and planning their millions in some café would show up with Blue Security's business plan minus the DDoS factor. Well — they just did.

The thing is, a P2P network is just as easy to DDoS, since it still has centralized points.

It is, indeed, a botnet.

I want to kick spammers' behind too, but all I would accomplish by helping these guys is performing illegal attacks and hurting the Internet as well as innocent bystanders.

This business model will not last. It will get PR, but it will not be alone. Most likely, more such efforts will follow — Black Frog has simply made its appearance sooner rather than later.

How long is this journey of folly going to continue? Any service provider which hosts them is as guilty of the illegal DDoS attacks as anyone who signs up with them.

The way to kick spammers' behinds is to, plain and simple, put them in jail — i.e., change the economics. Make it more risky and less cost-effective for the bad guys to spam.

Stop Black Frog Now.

I will keep updating about this latest useless harmful project on the blog where this is written, http://blogs.securiteam.com.

By Gadi Evron, Security Strategist.


Comments

Re: Black Frog: Next Generation Botnet, No Generation Spam Fighting Matthew Elvey  –  May 29, 2006 11:54 PM PDT

Gadi, thanks for sharing your insights.

I hope you won't take this the wrong way, and I know about some of the good anti-abuse work you do, but can you provide verifiable evidence of your claims, e.g. that Blue Security did not hurt more than one spammer? 

I've read several posts elsewhere making disparaging claims about Blue Security that turned out to be clearly false, so I think it's important that defensible allegations be strongly defended.

Hearsay is worthless in this environment - as trustworthy as the From: of an email.

Oh, and I'm not saying Blue Security's scheme was a good idea either. I haven't used it.

From what I recall, Blue Frog filled out forms on spamvertised websites, and emailed spamvertised dropboxes. How did it attack domains, per se, which you claim it did?

Are my ADDITIONS IN CAPS to your comment below inaccurate?
"BLUE SECURITY'S SO-CALLED attacks reached servers spammers had already moved from HOSTED BY COLO PROVIDERS NEGLIGENT ENOUGH TO HAVE WELCOMED SPAMMERS IN AS CUSTOMERS.

Their attacks did reach hacked machines which hosted other sites MANAGED BY WEBHOSTS NEGLIGENT ENOUGH TO HAVE WELCOMED SPAMMERS IN AS CUSTOMERS. Their attacks reached ISPs NEGLIGENT ENOUGH TO HAVE WELCOMED SPAMMERS ON AS CUSTOMERS with other users NEGLIGENT ENOUGH TO USE SUCH DISREPUTABLE ISPs..."

Just to drive the point home, let me point out that there are major ISPs that make a LOT of money knowingly hosting spammers, and to protect those profits, I've seen some regularly pretend to be good guys and engage in active disinformation campaigns to discourage and frustrate potentially effective antispam efforts. 

I also wonder why Blue Security croaked, while some other efforts have survived and withstood attacks just as dogged. I suspect their staff weren't as skilled, or weren't getting the defensive cooperation of other efforts, not that the attacks were unprecedented: it's not like Blue Security was the biggest attackable roadblock to spammers' efforts.

I welcome my doubts being proven unfounded; fire away.