Blue Frog
The Blue Frog tool, produced by Blue Security Inc., operated in 2006 as part of a community-based anti-spam system which tried to persuade spammers to remove community members' addresses from their mailing lists by automating the complaint process for each user as spam is received. Blue Security maintained these addresses in a hashed form in a Do Not Intrude Registry, and spammers could use free tools to clean their lists.

Information

Community members reported their spam to Blue Security, which analyzed it to make sure it met their guidelines, then reported sites sending illegal spam to the ISPs which hosted them (if they could be found, contacted and were willing to work with them), to other anti-spam groups and to law-enforcement authorities in an attempt to get the spammer to cease and desist. If these measures failed, Blue Security sent back a set of instructions to a Blue Frog client. The client software used these instructions to visit and leave complaints on the websites advertised by the spam messages. For each spam message a user received, their Blue Frog client would leave one generic complaint, including instructions on how to remove all Blue Security users from future mailings. Blue Security operated on the assumption that as the community grew, the flow of complaints from tens or hundreds of thousands of computers would apply enough pressure on spammers and their clients to convince them to stop spamming members of the Blue Security community.

The Blue Frog software included a Firefox and Internet Explorer plugin allowing Gmail, Hotmail, and Yahoo Mail e-mail users to report their spam automatically. Users could also report spam from desktop e-mail applications such as Microsoft Office Outlook, Outlook Express and Mozilla Thunderbird.

Users who downloaded the free Blue Frog software registered their e-mail addresses in the "Do Not Intrude" registry. Each user could protect ten addresses and one personal DNS domain name.

Blue Frog was available as a free add-on within the Firetrust Mailwasher anti-spam filter. It was also compatible with SpamCop, a tool with different spam-fighting methods.

Blue Security released all its software products (including Blue Frog) as open source: the developer community could review, modify or enhance them.

Spammers' backlash

On May 1, 2006 Blue Frog members started to receive intimidating e-mail messages from sources claiming that the software was actually collecting personal details for identity theft, DDoS attacks, creating a spam database, and other such purposes. Blue Security has dismissed these claims.

One variant of the e-mailed message stated that they had found a way to extract addresses from the database for malicious purposes. Due to how the Blue Security software works, this is not possible; however, spammers can identify BlueFrog member e-mail addresses in lists they already possess. Blue Security provides spammers a free tool that allows them to 'clean their lists'. Extracting addresses directly from the program would be impossible as they are just hashes, but a spammer can run a list through the BlueSecurity filter and then compare the results with an unaltered list, and thus identify BlueSecurity users and target them. This method can only identify Blue Frog addresses already in the spammer's possession, and cannot give them access to as-yet untargeted addresses.
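The property described above, that a hashed registry hides addresses a list holder does not already have but still acts as a membership test for addresses they do have, can be shown with a small model. This is an added example, not Blue Security's code; the hash algorithm (SHA-256), the function names and all addresses are assumptions constructed for illustration.

```python
import hashlib

def address_hash(addr: str) -> str:
    # Assumption: SHA-256 over the lower-cased address; the article
    # does not say which hash function the registry used.
    return hashlib.sha256(addr.strip().lower().encode()).hexdigest()

def build_registry(members):
    """The published registry: digests only, no plaintext addresses."""
    return {address_hash(a) for a in members}

def clean_list(mailing_list, registry):
    """What a list-cleaning tool does: drop every registered address."""
    return [a for a in mailing_list if address_hash(a) not in registry]

def membership_leak(original, cleaned):
    """Addresses removed by cleaning, i.e. registry members that were
    already on the list. Comparing the two lists reveals them."""
    kept = set(cleaned)
    return sorted(a for a in original if a not in kept)

# Constructed sample data.
MEMBERS = ["alice@example.org", "bob@example.net"]
REGISTRY = build_registry(MEMBERS)
MAILING_LIST = ["alice@example.org", "carol@example.com", "dave@example.com"]

if __name__ == "__main__":
    cleaned = clean_list(MAILING_LIST, REGISTRY)
    print("cleaned list:      ", cleaned)
    print("revealed as member:", membership_leak(MAILING_LIST, cleaned))
    # bob@example.net is registered but was never on the list, so the
    # registry discloses nothing about that address to this list holder.
    print("bob disclosed:     ", "bob@example.net" in REGISTRY)
```

Any do-not-contact registry that supports list cleaning has this membership-test property, whatever hash it uses; hashing only prevents enumeration of addresses the list holder has never seen.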

Controversy

In May 2006, the Blue Security company was subject to a retaliatory DDoS attack initiated by spammers. As their servers folded under the load, Blue Security redirected its own DNS entries to point to the company weblog which was announcing their difficulty. The company weblog was hosted at the blogs.com webportal, a subsidiary of Six Apart. This effectively redirected the attack to blogs.com and caused Six Apart's server farm to collapse, which in turn is said to have made some 2,000 other blogs unreachable for several hours.

Individuals claiming to be members of the computer security establishment condemned the Blue Security company for the action it took while under DDoS attack. A representative of Renesys likened this action to pushing a burning couch from their house to a neighbor's.

In their defense, Blue Security Inc. stated they were not aware of the DDoS attack when they made the DNS change, claiming to have been "blackholed" (or isolated) in their Israeli network as a result of a social engineering hack, which was alleged to have been pulled off by one of the attackers against a high-tier ISP's tech support staff.

This claim has been disputed by many writers such as Todd Underwood, writer of the Renesys blog. Most sources, however, agree that regardless of whether Blue Security were "blackholed", they seem not to have been facing attack at the time they redirected their web address. Blue Security also claimed to have remained on amicable terms with Six Apart and pointed to the fact that the blog hosting company did not blame or even name them in the press release which explained the service outage. In any event, the action was widely reported on IT security websites, possibly damaging Blue Security's reputation within that community. At the same time, the incident and its broad reporting in more general-interest media was considered by many to be a boon to the notoriety of Blue Security and the Blue Frog project.

Security expert Brian Krebs gives a different reason for Blue Security's website being unavailable in his article on the Washington Post website. He says that what happened was not that Blue Security was lying about being unable to receive HTTP requests (because their servers were down), saying they had been "black hole filtered" and maliciously re-directed traffic, but rather that they were actually unable to receive traffic due to an attack on their DNS servers. This makes it probable that they had essentially been telling the truth and that CEO Eran Reshef was simply misinformed as to why their users were unable to reach their site.

Attackers identified

Soon after the attack started, Blue Security CEO Eran Reshef claimed to have identified the attacker as PharmaMaster, and quoted him as writing "Blue found the right solution to stop spam, and I can't let this continue" in an ICQ conversation with Blue Security.

Prime suspects for the distributed denial of service (DDoS) attack on Blue Security's servers have been identified in the ROKSO database as Christopher Brown AKA Swank AKA "Dollar", his partner Joshua Burch AKA "zMACk". Unidentified Australians and "some Russians" (Russian/Americans), notably Leo Kuvayev and Alex Blood, were also involved. The suspects were identified from a transcript of their postings in the www.specialham.com forum where both the spam attacks and DDoS attack were planned.

Shutdown of Anti-Spam Service

Blue Security ceased its anti-spam operation on May 16, 2006. The company announced it will look for non-spam related uses of its technology. In a rare move for the venture capital industry, the company's investors expressed full support for the company's decision to change its business plan.

Many users have suggested continuing the project's goals in a decentralized manner (specifically using peer-to-peer technology, with the client distributed via BitTorrent or similar, thus making both the spam processing and client distribution elements harder for the spammers to attack). One such program was purportedly begun under the name Okopipi though this now appears to have been abandoned.

A number of users have recommended that all users uninstall the Blue Frog program, as it is no longer useful without the Blue Security servers active.

See also

  • Anti-spam techniques (e-mail)
  • Collactive, founded by the Blue Security team.
  • Okopipi


The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 