Anti-Spam, BlueSecurity and the Kickback

[Update – 09.05.2006]

Well, since I posted the entry below, a lot has happened!

The spammers, realising that their FUD attempt failed on most BlueSecurity users, ramped up the attempt. Oh, and how! If the following doesn’t demonstrate the fear that these groups are feeling, I’m not sure what does!

Quoted from the CastleCops forums:

A small group of spammers have mounted a concerted attack on Blue Security. Over 5 days from May 1, they have

    Stage 1: sent a wave of spam messages containing misleading information about Blue Security, and scurrilous attacks on its executives, urging members to cancel

    Stage 2: sent another wave of spam with threats against Blue Security members

    Stage 3: sent a third wave of spam purporting to be from members of Blue Frog Members, with forged sender name, Blue Security, but describing its operation in misleading terms. This spam is targeted to annoy those people on the spammer lists who usually complain the most

    Stage 4: mounted a denial of service attack on all Blue Security web sites

    Stage 5, May 5 0400 GMT: sent a fourth wave of email containing the “whois” lookup on presumably to remind Blue Security members of the original threat to target them. Subject line: “”

    Stage 6, May 6: sent a fifth wave of email again with Subject line: “”. Content was an extortion threat, and reference to an attached zip file which did not make it. Forged signature: Blue Security Inc. The forged From: and Reply-to: addresses were taken from the blue security list, as were the To: addresses, so that members would receive both the spam, and some delivery failure messages as well.

    Stage 7, May 7: sent a sixth wave of email containing an attack on Blue Security’s CEO Eran Reshef. Subject: “”Simulated DDoS Network Attacks and Network Intrusions”. Mail refers to Skybox Security Solutions which developed an offering for that purpose. It quotes “Eran co-founded Skybox Security and served as its Chairman. Prior to Skybox Eran founded and managed Sanctum (acquired by WatchFire), the leader in web application security. Eran holds a variety of security-related patents that are based on his inventions.” The obvious implication is that the beta tested Blue Security should not have been vulnerable to a DDOS attack itself. This spam is a smear campaign directed at Eran Reshef himself.

    Projection: Another attack expected from this group, is another Joe Job (see ) campaign similar to stage 3. It will consist of a spamming run to a large number of people, where the “From” address will be forged using addresses of the Blue Security membership. The effect will be a series of bounce-backs coming to Blue Security members, and complaints from recipients of the spam.


BlueSecurity have posted up a “Timeline of PharmaMaster Attacks on” account found on their announcement pages.

Slashdot has also run a “What Happened to Blue Security” article – with a phenomenal, overwhelmingly positive response to Blue Security, and what is most impressive is the number of supportive postings from non-members and soon-to-become members alike.

For all the latest and more check out the BlueSecurity Forums.

[Original Posting]
Greetings and Salutations,

Recently, I started playing around with the Firefox web browser. One of the nice features that this browser sports is “Extensions”. These are available for pretty much anything – Search Engine enhancements, Mail Checking, Spell Checking, RSS readers, Anonymous proxies … well, you get the idea.

About a month or so ago, I downloaded an Extension that intrigued me: “Blue Frog SRT”. The reason is simple – from their own web page:

Spam Reporting Tool for Firefox and Internet Explorer users

The Blue Frog “Spam Reporting Tool” enables Firefox and Internet Explorer users with Gmail, Hotmail & Yahoo web mail accounts to actively fight spam reaching their web mail accounts and make spammers stop sending them additional spam.

When entering your web mail account, Blue Frog will automatically report all the spam messages in your junk folder to Blue Security. Blue Frog also allows you to easily report spam messages reaching your Inbox – messages that were not identified as spam by your web mail application.

Messages you report will be analyzed by our Operations team that will prepare special scripts instructing Blue Frog how to complain at the web sites advertised by spam. Your Blue Frog desktop application will automatically retrieve those scripts and post opt-out complaints on spammers sites.

So, I joined up, and bang, off I go – automatic spam fighting …

Then yesterday I get this eMail in one of my “protected” accounts:

You are being emailed because you are a user of BlueSecurity’s well-known software “BlueFrog.”

Today, the BlueSecurity database became known to the worst spammers worldwide. Within 48 hours, the database will be published on the Internet, and your email address will be open to them all. After this, you will see the spam sent to your mailbox increase 10 – 20 fold.

BlueSecurity was illegally attacking email marketers, and doing so with your help. Many websites have been targeted and hit, including non-spam sites. BlueSecurity’s software has been fully analyzed, and contains an abundance of malicious code. This includes: ability to send mass mail to users; the ability to attack websites with Distributed Denial of Service attack (DDoS); the ability to open hidden doors on any machine on which it is running; and a hidden auto-update code function, which can install anything on your computer and open it up to anyone.

BlueSecurity lists a USA address as their place of business, whereas their main office is in Tel Aviv. BlueSecurity is run by a few Russian-born Jews, who have previously been spamming themselves. When all is said and done, they will be able to run, hide and change their identities, leaving you to take the fall. YOU CANNOT PARTICIPATE IN ILLEGAL ACTIVITIES and expect to get away with it. This email ensures that you are well aware of the situation. Soon, you will be found guilty of computer crimes such as DDOS attacking of websites, conspiracy, and sending mass unsolicited bulk email messages for everything from viagra to porn, as long as you continue to run BlueFrog.

They do not take money for downloading their software, they do not take money for removing emails from their lists, and they have no visible revenue stream. What they DO have is 500,000 computers sitting there awaiting their next command. What are they doing now?

1. Using your computer to send spam?
2. Using your computer to attack competitor websites?
3. Phishing through your files for your identity and banking information?

If you think you can merely change your email address and be safe while still running BlueFrog, you are in for a big surprise. This is just the beginning…

Naturally, I forwarded this to BlueSecurity Support with a “please explain” – their response:

Earlier this morning, one major spammer (apparently in great distress) has just started spamming our members with discouraging messages in an attempt to demoralize our community. This spammer is using mailing lists he already owns that contain your email address. The email you had received is part of a spam campaign containing millions of such messages.

As you may already know, many spammers had already listened to the voice of reason and chose to comply with the Registry (see our recent blog posts at for more details). This spammer chose a different type of response – but in vain.

Our answer to those criminals should be one – we will not be discouraged; We will continue to exercise our right to opt-out of spam.

Make spammers hear you loud and clear – report your spam and let Blue Frog fight spammers on your behalf.

Keep up the good work and let spammers know – we will prevail!

We’re sorry for the inconvenience and would be happy to assist in answering any further questions you may have.

Thank you again for your support.

So, not to be Cynical, but I thought I’d check to see What had to say about this organisation. From their last Newsletter I found this entry:

Company Will Pay Hefty Fine for Violating Anti-Spam Law (24 March 2006)
Internet marketing company Jumpstart has agreed to pay a US$900,000 fine “to settle charges it violated federal anti-spam laws.” Jumpstart allegedly sent out spam offering free movie tickets in exchange for five friends’ email addresses. The company allegedly sent unsolicited email messages to the addresses it gathered with misleading subject lines and headers in an attempt to evade spam filters and to make the messages appear to come from friends. In its complaint, the Federal Trade Commission (FTC) accused Jumpstart of sending email with falsified or misleading subject lines, not identifying it as commercial email and not clearly informing recipients of ways to opt out of receiving more email.

[Editor’s Note (Grefer): The fact that Jumpstart was willing and able to settle with the FTC to the tune of US$900,000 provides an inkling of the profits still involved in sending out spam. Please help to fight back and give the offenders a taste of what they’re dishing out. Subscribe to the Do Not Intrude Registry and let BlueSecurity’s Blue Frog utilize its Active Deterrence.]

So, maybe I’m being ignorant, but I tend to think that if SANS is willing to support this group, then so am I.

The other thing to consider, of the eMail addresses registered in my Blue account, only two are being attacked this way – so, if the DB was compromised – why aren’t the other accounts being targeted??

So, this post is to let you all know that BlueFrog is worthwhile. Check it out. Install it! If you’re not a Windows user – then campaign them to make it available for your platform!

If you’re a spammer – pffft!

