Blue Frog

Last updated
Blue Frog
Developer(s) Blue Security
Operating system Microsoft Windows
Extension for Mozilla Firefox
License Open-source [ specify ]
Website Blue Security Inc. (archived)

Blue Frog was a freely-licensed anti-spam tool produced by Blue Security Inc. and operated as part of a community-based system which tried to persuade spammers to remove community members' addresses from their mailing lists by automating the complaint process for each user as spam is received. Blue Security maintained these addresses in a hashed form in a Do Not Intrude Registry, and spammers could use free tools to clean their lists. The tool was discontinued in 2006.

Contents

Information

Community members reported their spam to Blue Security, which analyzed it to make sure it met their guidelines. Then, they reported sites sending illegal spam to the ISPs which hosted them (if they could be contacted and were willing to work with them), to other anti-spam groups, and to law-enforcement authorities in an attempt to get the spammer to cease and desist. If these measures failed, Blue Security will send back a set of instructions to a Blue Frog client. The client software will use these instructions to visit and leave complaints on the websites advertised by the spam messages. For each spam message a user received, their Blue Frog client would leave one generic complaint, including instructions on how to remove all Blue Security users from future mailings. Blue Security operated on the assumption that as the community grew, the flow of complaints from tens or hundreds of thousands of computers would apply enough pressure on spammers and their clients to convince them to stop spamming members of the Blue Security community.

The Blue Frog software included a Firefox and Internet Explorer plugin allowing Gmail, Hotmail, and Yahoo! Mail e-mail users to report their spam automatically. Users could also report spam from desktop email applications such as Microsoft Office Outlook, Outlook Express and Mozilla Thunderbird.

Users who downloaded the free Blue Frog software registered their e-mail addresses in the "Do Not Intrude" registry. Each user could protect ten addresses and one personal DNS domain name.

Blue Frog was available as a free add-on within the Firetrust Mailwasher anti-spam filter. It was also compatible with SpamCop, a tool with different spam-fighting methods.

Blue Security released all its software products (including Blue Frog) as open-source: [1] the developer community could review, modify, or enhance them.

Spammers' backlash

A variation of the hoax messages. Blue Frog discredit b.png
A variation of the hoax messages.

On May 1, 2006, Blue Frog members started to receive intimidating e-mail messages from sources claiming that the software was actually collecting personal details for identity theft, DDoS attacks, creating a spam database, and other such purposes. Blue Security has contested these claims. [2]

One variant of the e-mailed message stated that spammers had found a way to extract addresses from the database for malicious purposes. Due to how the Blue Security software works, this is not possible; however, spammers can identify BlueFrog member e-mail addresses in lists they already possess. Blue Security provides spammers a free tool that allows them to "clean their lists". Extracting addresses directly from the program would be impossible as they are just hashes, but a spammer can run a list through the BlueSecurity filter and then compare the results with an unaltered list, and thus identify BlueSecurity users and target them. This method can only identify Blue Frog addresses already in the spammer's possession, and cannot give them access to as-yet-untargeted addresses.

Controversy

In May 2006, the Blue Security company was subject to a retaliatory DDoS attack initiated by spammers. As its servers folded under the load, Blue Security redirected its own DNS entries to point to the company weblog, which was announcing its difficulty. The company weblog was hosted at the blogs.com webportal, a subsidiary of Six Apart. This effectively redirected the attack to blogs.com and caused Six Apart's server farm to collapse, which in turn is said to have made some 2,000 other blogs unreachable for several hours.

Individuals claiming to be members of the computer security establishment condemned the Blue Security company for the action it took while under DDoS attack. A representative of Renesys likened this action to pushing a burning couch from their house to a neighbor's. [3]

In its defense, Blue Security Inc. stated that it was not aware of the DDoS attack when it made the DNS change, claiming to have been "blackholed" (or isolated) in its Israeli network as a result of a social engineering hack, which was alleged to have been pulled off by one of the attackers against a high-tier ISP's tech support staff.

This claim has been disputed by many writers such as Todd Underwood, writer of Renesys blog. [3] Most sources, however, agree that regardless of whether Blue Security were "blackholed", they seem not to have been facing attack at the time they redirected their web address. Blue Security also claimed[ citation needed ] to have remained on amicable terms with Six Apart and pointed to the fact that the blog hosting company did not blame or even name them in the press release which explained the service outage. [4] In any event, the action was widely reported on IT security websites, possibly damaging Blue Security's reputation within that community. At the same time, the incident and its broad reporting in more general-interest media was considered by many to be a boon to the notoriety of Blue Security and the Blue Frog project.

Security expert Brian Krebs gives a different reason for Blue Security's website being unavailable in his article for The Washington Post . [5] He says that what happened was not that Blue Security was lying about being unable to receive HTTP requests (because their servers were down), saying they had been "black hole filtered" and maliciously re-directed traffic, but rather that they were actually unable to receive traffic due to an attack on their DNS servers. This makes it probable that they had essentially been telling the truth and that CEO Eran Reshef was simply misinformed as to why their users were unable to reach their site.

Accusations of being malware

Some users accused Blue Frog of being malware itself on Mozilla's chat forums, claiming that Blue Frog spammed signatures in Yahoo! and Gmail accounts, left active remnants all over the operating system after uninstalling, and hinted that the actual reason for Blue Frog's existence in accumulating a "do-not-spam" database was to harvest fresh addresses for spammers to deluge. [6] Blue Frog shut down one week after the forum thread appeared. [ citation needed ]

After Blue Security recast itself as Collactive, it would again be accused of spamming. [7]

Attackers identified

Soon after the attack started, Blue Security CEO Eran Reshef claimed to have identified the attacker as PharmaMaster, and quoted him as writing "Blue found the right solution to stop spam, and I can't let this continue" in an ICQ conversation with Blue Security.

Prime suspects for the distributed denial of service (DDoS) attack on Blue Security's servers have been identified in the ROKSO database as Christopher Brown, AKA Swank AKA "Dollar" [8] and his partner Joshua Burch AKA "zMACk". [9] Unidentified Australians and "some Russians" (Russian/Americans), notably Leo Kuvayev [10] and Alex Blood, [11] were also involved. The suspects were identified from a transcript of their postings [12] in the Special ham forum where both the spam attacks and DDoS attack were planned. [13]

Shutdown of service

Blue Security ceased operation on May 16, 2006. The company announced it will look for non-spam related uses of its technology. The company's investors expressed full support for the company's decision to change its business plan. [14]

Many users have suggested continuing the project's goals in a decentralized manner (specifically using peer-to-peer technology, with the client distributed via BitTorrent or similar, thus making both the spam processing and client distribution elements harder for the spammers to attack). One such program was purportedly begun under the name Okopipi [15] though this now appears to have been abandoned.

A number of users have recommended all users to uninstall the Blue Frog program, as it is no longer useful without the Blue Security servers active. [16]

Complainterator

One of the former Blue Security members, Red Dwarf, wrote a program called Complainterator. [17] It runs on Windows and as an add-on to several popular email clients. It processes spam emails and produces email messages to be sent to sites hosting spamvertised products. The goal is to inform hosting sites in hopes that they will remove spam sites, thereby making it difficult for spammers to profit from spam activities.

See also

Related Research Articles

A Domain Name System blocklist, Domain Name System-based blackhole list, Domain Name System blacklist (DNSBL) or real-time blackhole list (RBL) is a service for operation of mail servers to perform a check via a Domain Name System (DNS) query whether a sending host's IP address is blacklisted for email spam. Most mail server software can be configured to check such lists, typically rejecting or flagging messages from such sites.

<span class="mw-page-title-main">Web hosting service</span> Service for hosting websites

A web hosting service is a type of Internet hosting service that hosts websites for clients, i.e. it offers the facilities required for them to create and maintain a site and makes it accessible on the World Wide Web. Companies providing web hosting services are sometimes called web hosts.

Various anti-spam techniques are used to prevent email spam.

<span class="mw-page-title-main">Email spam</span> Unsolicited electronic advertising by email

Email spam, also referred to as junk email, spam mail, or simply spam, is unsolicited messages sent in bulk by email (spamming). The name comes from a Monty Python sketch in which the name of the canned pork product Spam is ubiquitous, unavoidable, and repetitive. Email spam has steadily grown since the early 1990s, and by 2014 was estimated to account for around 90% of total email traffic.

<span class="mw-page-title-main">Botnet</span> Collection of compromised internet-connected devices controlled by a third party

A botnet is a group of Internet-connected devices, each of which runs one or more bots. Botnets can be used to perform distributed denial-of-service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection. The owner can control the botnet using command and control (C&C) software. The word "botnet" is a portmanteau of the words "robot" and "network". The term is usually used with a negative or malicious connotation.

<span class="mw-page-title-main">The Spamhaus Project</span> Organization targetting email spammers

The Spamhaus Project is an international organisation based in the Principality of Andorra, founded in 1998 by Steve Linford to take action against what they allege to be spammers. The correctness of this assessment by Spamhaus is regularly disputed. If the assessment is based on objective characteristics or on standards set by Spamhaus itself is disputed. The name spamhaus, a pseudo-German expression, was coined by Linford to refer to an internet service provider, or other firm, which spams or knowingly provides service to spammers. Spamhaus has been criticized to purposely hide all direct methods of contact from its webpages to avoid transparency, while asking transparency from others

Forward-confirmed reverse DNS (FCrDNS), also known as full-circle reverse DNS, double-reverse DNS, or iprev, is a networking parameter configuration in which a given IP address has both forward (name-to-address) and reverse (address-to-name) Domain Name System (DNS) entries that match each other. This is the standard configuration expected by the Internet standards supporting many DNS-reliant protocols. David Barr published an opinion in RFC 1912 (Informational) recommending it as best practice for DNS administrators, but there are no formal requirements for it codified within the DNS standard itself.

Email harvesting or scraping is the process of obtaining lists of email addresses using various methods. Typically these are then used for bulk email or spam.

SpamCop is an email spam reporting service, allowing recipients of unsolicited bulk or commercial email to report IP addresses found by SpamCop's analysis to be senders of the spam to the abuse reporting addresses of those IP addresses. SpamCop uses these reports to compile a list of computers sending spam called the "SpamCop Blocking List" or "SpamCop Blacklist" (SCBL).

SORBS was a list of e-mail servers suspected of sending or relaying spam. It had been augmented with complementary lists that include various other classes of hosts, allowing for customized email rejection by its users.

<span class="mw-page-title-main">Bulletproof hosting</span> Internet service for use by cyber-criminals

Bulletproof hosting (BPH) is technical infrastructure service provided by an Internet hosting service that is resilient to complaints of illicit activities, which serves criminal actors as a basic building block for streamlining various cyberattacks. BPH providers allow online gambling, illegal pornography, botnet command and control servers, spam, copyrighted materials, hate speech and misinformation, despite takedown court orders and law enforcement subpoenas, allowing such material in their acceptable use policies.

<span class="mw-page-title-main">CyberBunker</span> Former Internet service provider

CyberBunker was an Internet service provider located in the Netherlands and Germany that, according to its website, "hosted services to any website except child pornography and anything related to terrorism". The company first operated in a former NATO bunker in Zeeland, and later in another former NATO bunker in Traben-Trarbach, Germany.

On Internet usage, an email bomb is a form of net abuse that sends large volumes of email to an address to overflow the mailbox, overwhelm the server where the email address is hosted in a denial-of-service attack or as a smoke screen to distract the attention from important email messages indicating a security breach.

<span class="mw-page-title-main">ISPConfig</span>

ISPConfig is an open source hosting control panel for Linux, licensed under BSD license and developed by the company ISPConfig UG. The ISPConfig project was started in autumn 2005 by Till Brehm from the German company projektfarm GmbH.

The Russian Business Network is a multi-faceted cybercrime organization, specializing in and in some cases monopolizing personal identity theft for resale. It is the originator of the PHP-based malware kit MPack and an alleged operator of the now defunct Storm botnet.

Backscatter is incorrectly automated bounce messages sent by mail servers, typically as a side effect of incoming spam.

<span class="mw-page-title-main">Blacklist (computing)</span> Criteria to control computer access

In computing, a blacklist, disallowlist, blocklist, or denylist is a basic access control mechanism that allows through all elements, except those explicitly mentioned. Those items on the list are denied access. The opposite is a whitelist, allowlist, or passlist, in which only items on the list are let through whatever gate is being used. A greylist contains items that are temporarily blocked until an additional step is performed.

Email spammers have developed a variety of ways to deliver email spam throughout the years, such as mass-creating accounts on services such as Hotmail or using another person's network to send email spam. Many techniques to block, filter, or otherwise remove email spam from inboxes have been developed by internet users, system administrators and internet service providers. Due to this, email spammers have developed their own techniques to send email spam, which are listed below.

MailSite is a commercial mail server, calendar software, contact manager, and collaborative software that was developed by Rockliffe Systems. It was one of the first mail servers to run on Windows NT using Internet standards when version 1.2 was released in 1996. Additionally, MailSite has been in continual development since 1996, with version 10 released in 2013, and runs on a single Windows Server as well as on a cluster of Windows Server computers. MailSite works natively with Microsoft Outlook versions 2007 to 2013 for mail, calendar, and contacts without requiring any Outlook plug-ins. It also includes an Exchange ActiveSync (EAS) server for synchronizing mail, calendar and contacts with mobile devices. MailSite also works with Internet Standards-based mail clients such as Mozilla Thunderbird.

Festi is a rootkit and a botnet also known by its alias of Spamnost, and is mostly involved in email spam and denial of service attacks. It works under operating systems of the Windows family. Autumn of 2009 was the first time Festi came into the view of the companies engaged in the development and sale of antivirus software. At this time it was estimated that the botnet itself consisted of roughly 25.000 infected machines, while having a spam volume capacity of roughly 2.5 billion spam emails a day. Festi showed the greatest activity in 2011-2012. More recent estimates - dated August 2012 - display that the botnet is sending spam from 250,000 unique IP addresses, a quarter of the total amount of one million detected IP's sending spam mails. The main functionality of botnet Festi is spam sending and implementation of cyberattacks like "distributed denial of service".

References

  1. "Blue Frog". SourceForge. Archived from the original on April 12, 2006. Retrieved November 2, 2010. The Blue Frog is the home for the Blue Security's open source projects. Blue Security's service enables clients to report spam and to submit opt-out requests to spammers based on their reports.
  2. "Community", BlueSecurity [ permanent dead link ].
  3. 1 2 Underwood 2006.
  4. Typepad update, Six apart, May 2006.
  5. Krebs 2006.
  6. "How to uninstall "Blue Frog" COMPLETELY". mozillaZine. May 9, 2006. Retrieved July 5, 2013.
  7. "Blue Security Resurfaces Reincarnated as a Social Networking Spammer – The Blue Frog Will Spam Digg, Del.icio.us and More with Their New Collactive Service". The Internet Patrol: ISIPP Publishing. June 7, 2007. Retrieved July 5, 2013.
  8. "Evidence", Rokso, Spamhaus.
  9. "Evidence", Rokso, Spamhaus
  10. "Evidence", Rokso, Spamhaus.
  11. "Evidence", Rokso, Spamhaus.
  12. Red Toad (2006-05-02), "Spam attack plan", BlueSecurity Database Compromised? (comment) (transcript), Slashdot.
  13. Leyden, John. "Blue Security calls it quits after attack by renegade spammer". www.theregister.com. Retrieved 2024-05-05.
  14. Singel 2006.
  15. CastleCops, archived from the original on 2006-10-28.
  16. CastleCops, archived from the original on 2007-10-04.
  17. Complainterator .

[1]

Bibliography


  1. Leyden, John. "Blue Security calls it quits after attack by renegade spammer". www.theregister.com. Retrieved 2024-01-19.