Goodbye, Blue Frog?

According to the Washington Post, it sounds like Blue Security is giving up. Blue Security provided an encrypted list of email addresses that spammers shouldn’t harass. If an email spammer violated that, Blue Security could send thousands of requests from users’ machines to the email spammer. It was almost like an opt-in botnet that protected its users against unsolicited email.

So how did the do-not-spam email list work? Well, if you just provide a list of email addresses and say “Don’t mail these people,” that’s giving a tour of a beautiful house to a thief and saying “But don’t rob this house.” So Blue Security provided a one-way hash. Someone could check if an individual email address was on the do-not-spam list, but they couldn’t recover the full list. Smart, huh?

Well, there’s a problem with that. Imagine that you’re a scuzzy email spammer without any, you know, ethics. You could mount a dictionary attack against the Blue Frog do-not-email list. A dictionary attack in the world of passwords would be guessing the most common passwords for a set of user accounts. Given all the email addresses you know of, plus any you can guess, you can check if each email address is on the do-not-email list. After several hundred million attempts, you could probably recover a large fraction of email addresses on Blue Security’s list. Then you just do evil things: spam those email addresses, send them viruses, etc.
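The leak described above can be measured from the registry operator's side. This is an added example, not Blue Security's code: it assumes an unsalted SHA-256 hash (the post only says "one-way hash"), and all addresses and function names are constructed for illustration. It also covers the before/after list comparison that several commenters below describe, which yields the same result.

```python
import hashlib

def normalize(addr):
    """Canonical form hashed by both the publisher and the checker."""
    return addr.strip().lower()

def digest(addr):
    # Assumption: unsalted SHA-256. The post only says "one-way hash".
    return hashlib.sha256(normalize(addr).encode("utf-8")).hexdigest()

def publish_registry(members):
    """What the operator hands out: digests only, never the addresses."""
    return {digest(a) for a in members}

def is_listed(registry, addr):
    """The intended query: is this single address on the list?"""
    return digest(addr) in registry

def scrub(registry, mailing_list):
    """The intended use: drop listed addresses from a mailing list."""
    return [a for a in mailing_list if not is_listed(registry, a)]

def confirmed_members(registry, candidates):
    """Addresses that a holder of `candidates` can confirm as members.

    Querying each candidate and diffing the list before and after
    scrub() give the same set, so the compliant use leaks too.
    """
    return sorted({normalize(a) for a in candidates if is_listed(registry, a)})

def exposure(registry, candidates):
    """Fraction of the registry confirmed by one candidate list."""
    return len(confirmed_members(registry, candidates)) / len(registry)

# Constructed sample data (not real addresses).
MEMBERS = [
    "alice@example.com",
    "bob@example.org",
    "carol@example.net",
    "dave@example.com",
]
# A list the checker already holds; it overlaps with three members.
CANDIDATES = [
    "Alice@Example.com",
    "bob@example.org",
    "eve@example.com",
    " carol@example.net ",
    "mallory@example.org",
]
REGISTRY = publish_registry(MEMBERS)

if __name__ == "__main__":
    print("confirmed:", confirmed_members(REGISTRY, CANDIDATES))
    print("exposure: {:.0%}".format(exposure(REGISTRY, CANDIDATES)))
    print("scrubbed list:", scrub(REGISTRY, CANDIDATES))
```

The hash hides only the members the checker cannot guess (here, the one address missing from the candidate list). A salt would not change that, because every checker has to be able to compute the same hash.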

That’s why Blue Security is giving up: the email spammers have probably recovered a large number of the email addresses that people gave to Blue Security. And the email spammers are threatening to do really malicious things to users who asked not to be emailed. Kind of a shame. What’s interesting to me is that the email spammers were seeing enough of an impact that they decided to attack Blue Security.

Via Threadwatch.

70 Responses to Goodbye, Blue Frog?

  1. doesn’t this work the other way too?

    Shouldn’t bluesecurity now know who all the email spammers are, since they’ve all made requests to the bluesecurity server? That might be a fun list of ips to have 🙂

  2. I really hope somehow or another that the email spammers all get taken care of one way or another. I am also curious about Ryan’s question.

  3. This whole SPAM thing is really tricky! SPAMMERS can switch IP addresses and networks very quickly. SPAMMING SPAMMERS isn’t a solution. There’s so much money in SPAMMING email accounts, from what I understand, that they’re investing heavily into tools that guess email addresses… in a sense, they’re probably more advanced than software developers in other markets.

  4. Ryan,
    When the attack happened to Blue Security, it was most definitely done by “zombie” computers. These are systems that have been taken control of, without the owner’s knowledge or permission. So any IP addresses obtained would just be for innocent bystanders. Also, IP addresses can be relatively faked, especially by people who can launch an attack on the scale that the spammers did. As defeating as it seems, Blue Security is acting in their customer’s best interest.

  5. Hi Matt!

    funnily enough, that issue has been pretty widely known since long before Blue Frog arrived in Nov 2005; Dr. Avi Rubin’s report to the FTC of May 2004 regarding the concept of a “Do Not Email” registry detailed these holes, as I noted at http://taint.org/2006/05/01/154216a.html .

  6. This is the problem with what I call “published security”. When you reveal information about the level of security or who you’re protecting with it, you leave yourself that much more vulnerable to counterattacks from scumnuts.

  7. From the account I’ve read about this, it seems like they used the original list and compared it to the list with the missing opted out addresses. This would provide them with all of Blue Security’s addresses. Not all spammers are smart, but this PharmaMaster guy seems to know what he’s doing. Do you think he spams for pharmaceutical companies?

  8. I heard that the spammers had tried a different technique to get BS users’ email addresses.

    Basically, they took the copy of their email-database before running the tool, and after, and then compared to see what email addresses had disappeared.

    Also, it’s not accurate to say that if a member received a spam message, that spammer would get thousands of requests. It was a simple one-to-one relationship: for every ONE time that a BS member received a spam message, the BS software would send ONE opt-out message using that spammer’s website’s online form (this is 100% legal under CAN-SPAM).

    The result is that if a spammer sent a message to 1000 BS members at once, then that spammer would quickly receive 1000 opt-out request messages. If the spammer sent 1000 spams to 1000 BS members (1 million messages), that spammer would quickly receive 1 million opt-out requests.

    So there’s a direct, equal relationship between how many spam messages are received by BS members, and how many opt-out messages the spammers receive back.

    I state again, this is 100% legal. The act mentioned above said it’s legal to send an opt-out request every time you get a spam message. Problem is, that’s just too much for most people to handle. Blue Security found a way to automate it, effectively.

    So all the cries of “evil vigilante” or “spamming the spammer” are totally inaccurate, and I felt it necessary to help clear the air.

    In case you couldn’t tell, I myself am … well, was … a BS member.

    With that in mind, I think it’s very sad that BS has had to close its doors. I think it was an effective tool against something threatening to make the ‘net and email useless. However, I’m confident that while this battle’s lost, the war’s not over.

    I’m anxiously watching to see where it goes from here.

  9. I agree that this is just a start. The method for ticking off spammers is now known to work and just because Blue Security doesn’t want to fight them doesn’t mean somebody else won’t. The spammers won this battle, but the war is just starting.

  10. there is a real simple solution to email spam:

    Stop buying things from email… especially viagra.

    PS, Matt. Google for “Buy Viagra”.. has at least 2 cloaked pages or redirects in the top 10.

  11. By the way, they’re not the real Blue Frog. My buddy Alison is.

    Hey Alison! You’d better post some more once you start reading your logs. And you owe me a steak at Shooters. 🙂

  12. It’s not “ethics” vs “do evil”: it’s “ethics” vs “truckloads of money”.

    If you make $1000 a day and someone is threatening to take that away from you (or forces you to [gasp] work), then you can easily justify spending a part of that on “security measures” (such as paid hackers, threats, etc.).

    Make spam harder to “work” and you’ll see it disappear (for low-profit items at least).

  13. So you’re saying there’s no profit in fighting spam? I disagree, people don’t want this crap in their inboxes no less than the advertisers want them to have it.

  14. I agree with Smoke2Much. I think fighting spam has a huge opportunity if done correctly.

  15. As far as I know, they were taken down by a fierce DDoS attack that lasted for over two weeks and had impact on other sites, as well (Typepad, some other sites hosted by Tucows). You can read the whole story here:

    http://www.securitypronews.com/insiderreports/insider/spn-49-20060517BlueFrogKilledBySpammers.html

  16. The only way there’s money in SPAM fighting is if it works. It’s a cat and mouse game, the same with SPAMMERS in search engines.

    As a developer I’ve written JavaScript codes so I am able to display email address on web sites without spiders being able to render the address. What happens if a spider is able to recognize that address and can SPAM that address? I have to write some new sort of method to display it. After I do, a spider will be updated to be able to read it with a new version of the robot. This is only on the web page side of SPAM.

  17. Blue Security has proven that their method works, otherwise they wouldn’t have been attacked. They started to fight spammers very effectively, and after the spammers fought back, they got scared and ran. Spammers are definitely not going to lay down without a fight. BS was warned about possible retaliation but did nothing to shore up their network. This war will need to be fought by the major players like Google and Microsoft, and whoever DOES fight them WILL reap all the benefits.

  18. Spoiala Cristian

    Fighting spam is like fighting with terrorists.

  19. Bandwidth for “Bulletproof hosting” costs a spammer more than bandwidth over DSL or cable modem costs you. So there’s asymmetry here and it’s on the user’s side.

    If you want a quick-and-dirty “roll your own Blue Security”, you can mash up Technorati and Google.

    Post spamvertised URLs to your blog with rel=nofollow and a Technorati tag like “bluefroglives” or “foadspammer” Then subscribe to the Technorati feeds for those tags, use Google to check that the sites using it are legit blogs and not spammers running a joe job, and go nuts.

  20. This isn’t surprising at all.. Years ago I used to fight spam every day.. Now I just ignore it and let SpamAssassin and Thunderbird deal with the vast bulk of it.. As long as someone is willing to buy what is being offered it will continue to be offered.. You can make it illegal, you can make it hard, but spam is like drugs, as long as there are buyers there will be pushers..

    There is a good book out there now, been out for a while really, that digs into spammers and their mentality.. It’s a couple years old but still a good read.. Spam Kings..

  21. I hate spammers. It’s too bad someone with the requisite resources (*ahem*, *google*, *ahem*) doesn’t mount attacks on known spammers on behalf of us victims. After all, just not being evil is one thing. Doing good for the rest of us is another. 😉

  22. Blue Security does have the option of simply redefining itself. It could aid in the development of a hi tech / middle layer / email filtering system – which would automatically kill email identified as Junk before it gets to the server – and send verification requests to those emails that the Algos are unsure of, or doing reverse IP lookup, as another safeguard.

    Several companies are doing this already – and as the technology evolves, it will virtually eliminate Junk mail – users are allowed to customize the algo settings to eliminate false positives.

  23. Sounds like they had a positive and semi-successful approach to spam.

    Maybe a large, ethical company with deep pockets could find 20% of one person’s time to take this forward … there’d be plenty of grateful people out here!

    And when that person had finished, maybe Google Groups could get some attention ;o)

  24. Can someone tell me why Blue Security redirected their site to their blog on SixApart rather than just straight back to the spammer’s address? If they just redirected their site to the spammer’s website surely the DoS attack would have backfired?

    As to spamming the spammers I say there should be an open source solution to spam all of these spammers. If a million people spam the spammers I’m sure they could be taken down. A distributed attack with no central co-ordinator would basically give no real comeback for the spammers.

  25. I used to work on the #1 email product in the early 90’s and eliminating spam is almost trivial and has been for a long time but requires everyone to agree to upgrade their email systems and many large companies would just fail to comply.

    A good start is the Sender Policy Framework but it’s somewhat lacking in a couple of areas that require beefing up to be workable.

    Putting together a service to thwart spammers is so simple it’s silly we’re still discussing spam, but getting 100% adoption will always be the issue, and as long as there are hold-outs the anti-spam upgrade won’t work.

    If you could get the big networks like AOL, Yahoo, MSN, Google, Earthlink, Comcast, BellSouth, etc. to all buy into the plan without squabbling, then you could simply force the little guys to upgrade over time by cutting them off from everyone on the large networks if they don’t comply.
    However, I don’t see it happening anytime soon, oh well.

  26. I agree with Aaron. Handling SPAMMERS is one of the great challenges.

  27. The attack on blue frog seems to have been organized at a spammers forum called ‘specialham.com’.

    Some people don’t think it’s completely fair that Blue Frog should vanish and Specialham should live on.

    Bereaved blue frog users are convening at a web forum:
    http://thecarpcstore.com/phpbb2/viewforum.php?f=1

    … discussing possible responses to this iniquity.

  28. The problem with Blue Frog was it wasn’t just a preventative measure, it was also a counter-attack.

    While their intentions may have been good and they got results, they basically entered into a pissing competition that they could have avoided from the start with a less antagonistic approach.

    PS.
    Matt tell your counterpart/s at Yahoo! that they need a method in place to report YPN spam!

  29. Ben, head on over to timconverse.com and tell Tim Converse. 🙂

  30. Ever since using Blue Frog from Blue Security I’ve gotten QUADRUPLE THE SPAM than before. Thanks a lot Blue Security!

  31. *Utills*, I think the guys don’t know what the spammers website is. Also, I believe, he has a lot of sites. Would you aim such an attack at a computer (server) without being sure who it belongs to?

    I believe that if they had the chance of knowing the real address of the spammer they would have contacted the Russian authorities and things could be different now. Unfortunately, those types of attacks are pretty hard to track down to the source.

  32. Interesting and in some ways analogous to the bigger challenges facing you at Google and counterparts at Yahoo, MS, Ask. I’m concerned that so much of the online landscape is now defined by spam and spammers it’s leaving increasingly infertile ground for creativity, innovation, and content improvement.

  33. Email spammers don’t make their money from the 2-4% of recipients who click on the emailed links. They make their money by charging unwitting or unscrupulous advertisers for the service of delivering the message.

    I’ve always thought the CAN-SPAM law was so ironically named. It has done nothing but encourage and increase spam.

  34. Dave (Original)

    RE: “The result is that if a spammer sent a message to 1000 BS members at once, then that spammer would quickly receive 1000 opt-out request messages. If the spammer sent 1000 spams to 1000 BS members (1 million messages), that spammer would quickly receive 1 million opt-out requests.”

    That’s if we assume the spammers were receiving emails. Personally I cannot see this ever working as spammers send emails from account x, it’s unlikely IMO that they also receive via the same account.

  35. Actually “Geo” I meant the spammer’s clients. If you can get to the spammer by affecting the places it markets then you can ultimately provide a reason for these shallow companies to stop using the spammer to market its products.

  36. Jonathan Nelson

    I too agree that spam should be taken care of once and for all!!!

    Just fyi…I’m not promoting this site or anything…but I do use SpamArrest.com for my Yahoo account and it works amazingly well. I love my personal Yahoo address but their spam filtering sucks big time. I even paid $20 at one time for their premium features….bahhhh…premium features and extra spam filtering my butt lol.

  37. Well, I tried Blue Frog and it just worked – after two, three weeks, I only received about 25% (!) of the spam I received before, which was about 3-4k emails per month. Awesome, really timesaving. My inbox as well as my usual spam protection were happy.

    But now, we just see what could have easily been anticipated before – Blue Frog’s method of fighting back wasn’t that “clean”, as it corresponded to a DDoS attack anyway, and the spammers wouldn’t accept that, ‘course not. And since spammers don’t care about inboxes, why should they care about opposing individuals or organizations at all…

    In the long run, we’ll more often need to pull the release cord and just shutdown and change our email addresses. If spammers didn’t already start to send their literary masterpieces to *@*, that is.

    (Duh, I’m fed up with that spam problem.)

  38. Security through obscurity doesn’t work. After all, that mentality is exactly what prompts most unethical behavior. I think the best way moving forward in the combat of spam is to change the way email is issued and sent, unfortunately.

    Here is the theory (feel free to provide criticism):
    Email should be issued from a trusted authority of standards, which in essence would be the only body able to provide email licenses. These licenses would have individual codes that could be provided to a server/ip block owner and then each email issued would be appended with an imprinted code hash.

    Any emailers found to be spamming, could then be found and prosecuted.

    I am sure there is always a way to exploit something like this, but it’s simple, and if done right could be quite effective, especially if combined with Blue Security’s service.

  39. Today’s email thoughts “I often log into gmail in the morning and hit the spam button many times, it adds to the massive database of email spammers Google must have on its list”.

    Maybe someone mentioned this above, (too busy to read) BUT does Google use the gmail spam data to get a handle on this mess?

    I know that the directory I just deleted hanging off one of my sites had over 1000 spammers trying to get inclusion, if I was a search engine it would be easier than catching sunfish in a bathtub to get a handle on this.

    Yes? No?

  40. Yeah Aaron, I’ve also wondered about that too.. I keep hitting spam in gmail hoping it will work.

    I’ve also all but abandoned email. I have one official address I use for my websites (not posted many places on the internet.. matt you’re lucky it’s in the blog here!)

    I also have a work address that only people who work with me know.

    That’s it.. anybody else, I gladly give out my AIM, MSN, or Yahoo name and my Gmail account…. I have about 50 domain names (and only about 10 or 12 active sites).. and I literally get about 4-5k spam emails / day at the address listed for all of those domains. I can literally come home, turn on outlook, and take a shower… then watch it download the last few emails when I get out.

    So I just gave up on it… I can see why Matt doesn’t give his email address out either.

  41. Thanks Matt, I dropped him an email. 🙂

    Aaron, your thoughts lead in an interesting direction.

    I wonder how long until we see Google providing an api other anti-spam software can query to get a (probably very) accurate yay or nay on an email.

    If that’s not being developed already Matt, think about it. I’ll be off patenting the concept just in case you use it ;).

  42. Getting a data base of IPs or domains will only have limited short term effects on stopping email SPAM, most SPAM emails are spoofed.

    What would really help is an (ICANN?) REQUIREMENT that all SMTP mail servers do a verification check of the sender.

    I just had to change ISPs, I found out the hard way that the one I have been using (M$N) is now blocking all access to pop3… The wrong way to go IMO.

  43. Until someone replaces the wide open SMTP protocols with a secure and traceable mail system, spam mail will be one of the three pains of the internet (the other two being viruses/malware and google SERP spam). The current mail protocol system allows for all headers to be faked, making the source of the mailing almost untraceable. Combine that with simple DNS redirection tricks, bounce points, and other crap and you end up with effectively untraceable spammers.

    Anyone out there want to take a shot at writing a secure mail protocol?

  44. alex henderson, speaking as a completely newb to email protocols, it’s shocking to me that this hasn’t happened yet; it’s clearly in everyone’s best interest. And it also seems like the completely easy upgrade path:

    – support regular mail

  45. Aaron Budnick

    Just a thought, but can’t governments prosecute the companies that pay spammers? I mean, when I get spam, were I to click on it (I never have so I may be a little off base here..) then I would imagine that enough info would have to be displayed so that I can go off and buy the advertised product. Whether it is just an ad for a company’s product or a direct link to a store or whatever, surely there is some mention of the company. If that is reported could those companies that promote spam not be shut down?

  46. I am not that deep into SMTP myself, but I don’t believe the entire protocol needs to be rewritten.

    There are some things that can be done (like doing a sender verification check) that will drastically reduce the amount of email SPAM.

    As far as I know the SMTP protocol even calls for a sender check, but not very many email servers do sender verification checks because of the time and trouble it involves.

    If SMTP does a sender verification, spammers will no longer be able to spoof headers. If spammers can not spoof headers they will be far easier to track down and deal with.

  47. “What’s interesting to me is that the email spammers were seeing enough of an impact that they decided to attack Blue Security.”

    Amazing how a tiny blue frog could cause such a stir.

    What did the big dogs like Yahoo, Google and MSN have to say about that brave little frog? Any pithy statements? Any help from them?

  48. I thought that the spammers processed their lists through BlueFrog Do Not Intrude Registry and then used a tool to compare it (so easy) – thus giving a list of users.

    Not to mention the huge attack on their servers.

  49. ^ Yeah I wonder why Yahoo, MSN, or Google didn’t try to overtake the project, or at least help them.

  50. I think there is still room for a global filter. What Blue Frog did was in my view a tad stupid. If you wave a red flag the bull will charge. It would be like taunting a hacker while he is having a go at your server. Just filter and dump the mail. Don’t send emails.

  51. Adam… Yeah, talk about a delayed reaction on checking my logs — steak it is, but prolly Tube Steaks (a la our friends Maple Leaf Weiners).

    It’s a shame that Blue Frog has been taken down though – anything to help reduce Spam is a good thing… I’m getting tired of people trying to make my Weiner bigger. Unfortunately, the way they did it put the proverbial Giant-Arse-Target on their back.

  52. This just in, looks like BlackFrog will be picking up where BlueFrog left off. Added bonus: BlackFrog runs on a P2P network called Frognet making it impervious to DDoS attacks.

  53. We know that…spammers are bad…they are the enemies of search engine programmers…ooops …even researchers and webmasters… 😉

  54. I was a Blue Frog user, and I’m still receiving increased spam on all my previously “protected” email addresses I used with Blue Frog. It’s a pity they couldn’t keep up the fight… for a while, it really had an impact (obviously, if you look at the response it received from spammers).

  55. Spammers everywhere.. We should fight them honestly;)

  56. That is curious. Maybe they weren’t seeing any impact at all. Prevention is, after all, the best medicine.

  57. It is very hard to win with spammers, I agree they are the number one public enemy in the internet.
    Most of the time they aren’t dangerous but their actions are very frustrating.

  58. Nice point, Matt! Hopefully the system works fine……

  59. I thought there is a penalty if a spammer is caught. Is this not true ?

  60. I think we should have the government handle this No Spam list and penalize anyone who violates it.

  61. I agree, but war with spammers is probably impossible to win.

  62. For me spam isn’t a very big problem. Most email clients have an anti-spam filter, so only a few spam emails break this.

  63. But if you frequently leave your email address on the Internet, even with a filter in the email program, spam can be arduous.

  64. I get 210+ pieces of Spam a day. That’s even though I use Doteasy’s email protector.

    I encrypt my email on websites.

    I use sneakemail

    I threatened, gripe and cuss.

    And still, nary a day goes by without spam harassing me.

    Sigh.

  65. So it’s better to use more email addresses. One for friends and one for Internet registration etc.

  66. I have one e-mail account, and every day I have 10-20 spam.

  67. I created an email account and BUUM – the next day I got a spam mail in my mailbox. There must be some catch. I didn’t give it away to anybody. Thanx for a spam trapper and spam box in my cpanel.

  68. I have 20 email accounts and I receive a lot of spam every day, but most of it is caught by the spam filter in Thunderbird.

  69. The problem that I have is on my website, so many robots fill out the form and submit it with links to their products. It’s driving us crazy – and spam bots still get through even after we installed an image verify.

  70. I have two e-mail accounts, and for me spam isn’t a very big problem.
