Frequently Asked Questions
From The Okopipi Wiki
Common Questions
About the name
What is the project's official name?
The project's official name is "Okopipi". It is not "Blue Frog" or "Black Frog".
How do you pronounce "Okopipi"?
It's pronounced "oko-pip-e" as in "Pippi Longstocking".
Why "Okopipi" and not "Black Frog"?
The term Black Frog was rejected due to the possibility of trademark infringement.
What happened to the "Black Frog" project?
The project "blackfrog" merged with the Okopipi project. Its founder joined the Okopipi team.
The media keeps mentioning "Black Frog". Are you saying they're wrong?
Yes, they are. We have sent them notifications about this. Please stop using the term "Black Frog"; the official name is "Okopipi".
What does Okopipi stand for?
The okopipi is a poisonous blue frog found in Suriname. It was the mascot of the Blue Security project.
More information about the okopipi can be found in the "Okopipi" article on Wikipedia.
About the Project
What is Okopipi?
The purpose of Okopipi is to reduce the amount of spam received by users. This is not a spam filter, although it may be used in conjunction with one. Okopipi's goal is to stop spam from being sent to users subscribed to the Okopipi "Do-Not-Intrude List".
How does it work?
Okopipi works by submitting opt-out requests to the merchants' sites associated with spam (spamvertised sites). The network creates opt-out scripts on behalf of all the members that reported the spam. Each Okopipi client will also submit the opt-out requests for its user.
It is important to understand that Okopipi is not a Distributed Denial of Service (DDoS) network (see below). The network will be designed specifically to prevent overloading the merchant servers. Its purpose is simply to empower users with the ability to complain about the spam they have received.
For more technical details, see the Project Description.
What is the cost?
Okopipi is a free open source project. Its users should never have to pay to use this service, although donations will be appreciated.
Who are the official representatives of the project?
See the page on the Steering Committee.
Approximately when will it be ready for beta-testing?
No approximate date exists yet.
What is Okopipi 1.8a?
- It purports to be a Thunderbird Add-On released by Will. [1]
- It reports spam to SpamCop and optionally to the FTC. It also allows you to put in your own custom addresses to report spam to organizations such as your ISP or corporate abuse address.
- This will properly forward any message in your current folder marked as junk to the places you configure in your preferences. All you will have to do is hit send.
How do I know that an Okopipi "offering" is kosher?
Email enquiries at okopipi.org
How can I help?
If you believe you can help the project, please sign up on the Volunteer_Signup page with your skills and contact info, and we will contact you when your skills are required.
Project Goal
What is Okopipi's goal?
Spammers break the law by not providing users with means to opt-out from their mailing lists.
- Our goal is first to prevent spammers and merchants from breaking The Law, by providing citizens and law enforcement agencies with easy mechanisms to enforce the CAN-SPAM act (or its equivalent in other nations), and second to send opt-outs to the merchants so that they stop using non-complying spammers' services or force their current spammer to comply.
Is your goal to "Stop All Spam" or to "Eliminate all spammers?"
No, it is not. This must be clear. We cannot go beyond The Law. If The Law says spammers are legal, so must we. Four of the top ten spammers had already reached an agreement with (the now defunct) Blue Security by removing e-mails in the do-not-intrude list from their mailing lists.
Is Okopipi going to DDoS Spammers?
No, it will not. This is the common consensus of the community, and the decision of the Steering Committee, and it will not change.
What is a DDoS?
A DDoS is a Distributed Denial-of-Service attack. It is based on telling many machines (usually infected with intelligent trojans, and forming a "botnet") to submit many requests to a website, domain server or IP-address (legitimate or otherwise) to overload it with traffic and shut it down.
Some spam-haters, also called "anti-spammers" or simply "antis", agree with DDoS-ing spammers' websites, but this is illegal.
I've seen many people talking about DDoS in your groups. Why?
Sometimes irate spam victims want to take revenge against spammers, which is understandable. But they're not representative of the group's intentions. Remember that the discussion groups are a non-moderated medium, and anyone can post his/her opinion.
Also, note that there are spammers trying to discredit the project, just as they did with Blue Security.
Didn't Blue Security DDoS spammers' websites?
No, they didn't. Opt-outs were throttled in such a way that the process of sending the opt-outs would not take down the servers.
How will you prevent Okopipi from DDoS-ing spammers' websites?
We are designing the software so that it will throttle the opt-out requests to spamvertised websites over time. This will prevent us from overloading the servers and bringing them down.
If Okopipi is not going to DDoS spammers' websites, what good is it for?
What Okopipi is going to do (what Blue Security did) is fill the spammers' order forms with complaints. It's similar to when an angry customer calls the sales phone number of a company to complain about the unresponsiveness of tech-support. It is an inadequate channel, but if it's the only channel available, then it's legal. As we understand it, CAN-SPAM ensures the right to opt-out, but does not specify which channels must be used to opt-out.
The point of this is to make the spammers (or their customers) go through the same manual scanning of data that users have to go through when scanning through e-mails and deleting spam manually. By doing this, the spammers' customers earn less money and the spammers get their funds cut. In a way you could say it's a tit-for-tat situation, but because of CAN-SPAM, it's perfectly legal.
Notice that as long as a spamvertised website complies with the CAN-SPAM act and filters out e-mails on the Do-Not-Intrude Registry, the spammer won't get his/her databases loaded with opt-out requests.
Is Okopipi a "botnet"?
No, Okopipi is not a botnet.
From urbandictionary.com: "Botnets (network of bots / zombie computers) are computers infected by worms or Trojans and taken over surreptitiously by hackers and brought into networks to send spam, more viruses, or launch denial-of-service attacks."
Since Okopipi installs are voluntary, and not controlled by hackers to send spams, viruses or even denial-of-service attacks (see above), by definition, Okopipi can't possibly be a "botnet".
Is the project legal?
This probably depends on where you live. The short answer is yes.
- United States?
- Yes as per CAN-SPAM act of 2003[2]
- Canada?
- Most probably. It is a gray area in Canada. The Personal Information Protection and Electronic Documents Act, the Competition Act and the Criminal Code prohibit unsolicited electronic mail from unknown, unverifiable or fraudulent sources. However, the Canadian legislation is vague on the issues of law enforcement and regulation [3]
- Japan?
- Australia?
- European Union?
- Yes as per section 44 and section 45 of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, which started implementation in member states on 31 October 2003 (PDF).
- Denmark?
- Yes as per Markedsføringslovens § 6a (The Marketing Practices Act section 6a). Consolidated Act No. 699 of 17 July 2000 as amended by Act No. 428 of 6 June 2002, Act No. 450 of 10 June 2003 and Act No. 352 of 19 May 2004 [4]
- United Kingdom?
- Yes as per section 22 and section 23 of The Privacy and Electronic Communications (EC Directive) Regulations 2003 "Statutory Instrument 2003 No. 2426" which came into force on 11th December 2003. [5]
How will you prevent spammers from faking spam and using your network to attack innocent sites?
The opt-out scripts and authorization to begin requesting opt-outs (not "attacking") will be reviewed by authorized staff and signed with their secret private keys. Public Key certifications cannot be faked, and their inherent security provides the basis for all electronic commerce.
Moreover, we plan to include a white-list on publicly known websites.
What other measures will Okopipi take against spammers?
We plan to cooperate with other anti-spam organizations, like SpamCop. They can report botnet-infected machines being used to distribute spam. This is important because botnets can also participate in DDoS attacks like the one perpetrated against Six Apart in May 2006.
What is your opinion on current laws regarding Spam?
Each member of the Okopipi project has his own personal opinion on the merits of various spam laws, and we have our agreements and differences. However, we are unanimous in our decision to remain completely legal and adhere to legal requirements and regulations across the board.
Technical Questions
How will people download your software?
We plan to distribute the software through various channels: download sites, bittorrent sites, and possibly even well-known file sharing networks like eDonkey or Gnutella. We will provide hashes so people can be informed if the version they download is the authorized one.
How will you distribute the "Do-Not-Intrude List"?
The list will be generated by the Okopipi Network upon request, and we plan to distribute it via bittorrent or file sharing networks.
Additionally, we plan to distribute weekly and monthly updates. This will save spammers from the hassle of having to download the same addresses over and over.
How is the Okopipi Network designed?
The Okopipi Network is designed as a decentralized peer-to-peer Network, also called "Overlay Network".
The network is basically a moderated File Sharing Network, like Kazaa, with the difference that users will only be able to see authorized files. These files are the opt-out scripts and lists of spamvertised sites. See the "Okopipi Network Topology (flat model)" for more information.
How secure is the Okopipi Network?
How do you prevent spammers from attacking the Okopipi network?
We can't prevent them from "attacking" the network. What we can do is limit their ability to take down the network with their attacks. By using a decentralized network, we prevent spammers from targeting a "weak spot" in the system. They could try to fracture the network or slow it down, but they'd need to infiltrate a great many nodes into the network. Moreover, we chose a network model that is mathematically proven to resist this kind of attack. Additionally, we are providing the network protocols with a "fail-safe" mechanism to reset the network in case of congestion.
How do you prevent spammers from poisoning the Network?
Poisoning is prevented by signing and authorizing all the scripts with public keys that are either embedded in the software, or authorized by a Certificate Authority like Verisign.
How do you prevent spammers from identifying the administrator's nodes?
We are going to use a technique called "Routing Anonymity". It prevents nodes in the network from identifying the source or destination of a particular message. And the administrator nodes are not necessary for the network to function.
How do you prevent spammers from taking over your network and using it as a botnet of their own?
Since it's a file sharing network, it does not send "commands" to the clients. It just tells them that there are scripts available for them to use, and what limit they should respect.
Additionally, scripts must be signed by a trusted private key, so that spammers can't submit bad scripts.
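The signing, white-list and limit checks described in this section and under "How will you prevent spammers from faking spam" can be sketched as follows. This is an added example, not Okopipi's own code: the script fields ("target", "max_per_hour"), the white-list entry, the cap and the demo key are all assumptions, and the textbook RSA here stands in for a real signature scheme only so the example runs with the standard library.

```python
import hashlib
import json

# Constructed demo key (assumption): textbook RSA over two known Mersenne primes.
# It is deliberately weak and unpadded; a real client would use a vetted library.
_P, _Q = 2**521 - 1, 2**607 - 1
N, E = _P * _Q, 65537                    # public key, embedded in the client
_D = pow(E, -1, (_P - 1) * (_Q - 1))     # private key, held only by review staff

WHITELIST = {"example.org"}              # hypothetical white-list of known sites
MAX_PER_HOUR_CAP = 60                    # hypothetical client-side throttle ceiling


def _digest(script: dict) -> int:
    """Hash a canonical JSON encoding so signer and verifier see the same bytes."""
    canonical = json.dumps(script, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(canonical).digest(), "big")


def staff_sign(script: dict) -> int:
    """What the reviewer does after approving a script (never runs on clients)."""
    return pow(_digest(script), _D, N)


def client_accepts(script: dict, signature) -> tuple:
    """Return (accepted, reason); the client runs nothing unless accepted is True."""
    if not isinstance(signature, int) or not 0 < signature < N:
        return False, "malformed signature"
    if pow(signature, E, N) != _digest(script):
        return False, "bad signature"
    # The checks below apply even to validly signed scripts (defence in depth).
    if script.get("target", "").lower() in WHITELIST:
        return False, "target is white-listed"
    limit = script.get("max_per_hour")
    if not isinstance(limit, int) or not 0 < limit <= MAX_PER_HOUR_CAP:
        return False, "rate limit missing or above client cap"
    return True, "ok"


if __name__ == "__main__":
    approved = {"target": "spamvertised.example", "max_per_hour": 30}  # constructed
    sig = staff_sign(approved)
    print(client_accepts(approved, sig))
    print(client_accepts(dict(approved, target="innocent.example"), sig))
```

Because the white-list and cap are enforced on the client after the signature check, a script signed with a stolen or misused reviewer key still cannot point clients at a white-listed site or raise the request rate.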
How do you prevent spammers from using altered copies of your software to impersonate you?
We cannot avoid that possibility, but they can as well impersonate our software with their existing botnets.
Let's suppose the Okopipi network is taken down. Will the spammers win?
As a fallback plan, we intend to provide the software with the means of submitting their own opt-outs on websites, in the remote case of the network being shut down.
Questions on pending ideas
The forums tell about voting for scripts. Can spammers vote to gain power?
The proposed voting is subject to authority, in this case, a hierarchical authority.
What is a Hierarchical Structure?
See Pending Ideas
A hierarchy depends on a top authority. What prevents spammers from shutting down the central server?
The central server would be only an administration node with top authority, but it's not necessary for the network to work. Keep in mind that this is a pending idea; it can be perfected.
What is Torrent Style?
Torrent Style is another pending idea. If we make Okopipi Torrent style, then it would be possible to create different clients that connect to frognet and work together, much as many different clients (uTorrent, BitTornado, Azureus, etc.) were created after BitTorrent.
Is Challenge-Response a good idea?
To be honest we're going to say no, there are several problems with it.
- Spammers have been known to use things like porn offerings and warez to have someone fill out the information they need to complete the challenge-response.
- They only need a small minority of peers and some time to trace down a root node, so they could perform whatever activity will give them a higher ranking in a hierarchical structure to get them close enough to the top-tier nodes, at which point they can DDoS them.
- Just about any automated Challenge-Response can be worked around, for example one based on providing MAC or IP addresses. These also have the potential to cause genuine headaches for users, as laptops in particular will have different MAC and/or IP addresses depending on where they are and how they are connected.
- Any Challenge-Response that affects the end user will turn away people who would potentially use the software.

