Blue Frog

Infobox_Software
name = Blue Frog
developer = Blue Security
operating_system = Microsoft Windows; extension for Mozilla Firefox
license = Open Source
website = [http://bluesecurity.com/ Blue Security Inc.] (dead link, January 2008)

For a real blue frog, see Dendrobates azureus.

The Blue Frog tool, produced by Blue Security Inc., operated as part of a community-based anti-spam system which tried to persuade spammers to remove community members' addresses from their mailing lists by automating the complaint process for each user as spam is received. Blue Security maintained these addresses in encrypted form in a "Do Not Intrude Registry", and spammers could use free tools to clean their lists.

Information

Community members reported their spam to Blue Security, which analyzed it to make sure it met their guidelines, then reported sites sending illegal spam to the ISPs which hosted them (if the ISPs could be found and contacted and were willing to work with them), to other anti-spam groups and to law-enforcement authorities in an attempt to get the spammer to cease and desist. If these measures failed, Blue Security sent back a set of instructions to a Blue Frog client. The client software used these instructions to visit and leave complaints on the websites advertised by the spam messages. For each spam message a user received, their Blue Frog client would leave one generic complaint, including instructions on how to remove all Blue Security users from future mailings. Blue Security operated on the assumption that as the community grew, the flow of complaints from tens or hundreds of thousands of computers would apply enough pressure on spammers and their clients to convince them to stop spamming members of the Blue Security community.

The Blue Frog software included a Firefox and Internet Explorer plugin allowing Gmail, Hotmail, and Yahoo Mail e-mail users to report their spam automatically. Users could also report spam from desktop e-mail applications such as Microsoft Office Outlook, Outlook Express and Mozilla Thunderbird.

Users who downloaded the free Blue Frog software registered their e-mail addresses in the "Do Not Intrude" registry. Each user could protect ten addresses and one personal DNS domain name.

Blue Frog was available as a free add-on within the Firetrust Mailwasher anti-spam filter. It was also compatible with SpamCop, a tool with different spam-fighting methods.

Blue Security released all its software products (including Blue Frog) as open source: the developer community could review, modify or enhance them.

Spammers' backlash

On May 1, 2006 Blue Frog members started to receive intimidating e-mail messages from sources claiming that the software was actually collecting personal details for identity theft, DDoS attacks, creating a spam database, and other such purposes. Blue Security has dismissed these claims [http://community.bluesecurity.com/webx?14@183.ufdSa9Hek4V.0@.3c528f05!comment=1].

es, but a spammer can run a list through the BlueSecurity filter and then compare the results with an unaltered list, and thus identify BlueSecurity users and target them. This method can only identify Blue Frog addresses already in the spammer's possession, and cannot give them access to as-yet untargeted addresses.
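The limit described above, as an added example that is not Blue Security's code: a do-not-contact registry distributed only as digests still confirms membership for addresses the list holder already has, while members absent from that list stay hidden. SHA-256 hashing, the function names and the sample addresses are assumptions; the page only says the registry was kept "in encrypted form".

```python
import hashlib


def hash_address(addr: str) -> str:
    """Normalise and hash an address (SHA-256 is an assumed scheme)."""
    return hashlib.sha256(addr.strip().lower().encode("utf-8")).hexdigest()


def build_registry(member_addresses):
    """Registry as distributed: digests only, no plaintext addresses."""
    return frozenset(hash_address(a) for a in member_addresses)


def scrub(mailing_list, registry):
    """List-cleaning step: drop every address whose digest is registered."""
    return [a for a in mailing_list if hash_address(a) not in registry]


def leak_report(mailing_list, registry):
    """Quantify what a single scrub run discloses to the list holder."""
    cleaned = scrub(mailing_list, registry)
    # Anything the scrub removed is, by construction, a registry member.
    disclosed = [a for a in mailing_list if hash_address(a) in registry]
    # Members whose addresses were never on the list cannot be recovered
    # from the digests by comparison alone.
    list_digests = {hash_address(a) for a in mailing_list}
    return {
        "cleaned": cleaned,
        "members_disclosed": disclosed,
        "members_still_hidden": len(registry - list_digests),
    }


# Constructed sample data (hypothetical addresses).
MEMBERS = ["alice@example.org", "Bob@Example.net", "carol@example.com"]
MAILING_LIST = [
    "alice@example.org",
    "dave@example.org",
    "bob@example.net",
    "erin@example.com",
]

if __name__ == "__main__":
    report = leak_report(MAILING_LIST, build_registry(MEMBERS))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The disclosure is a property of any suppression list whose scrubbed output is visible to the party that supplied the input, so hashing protects only the addresses that party does not already hold.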

Controversy

In May 2006, the Blue Security company underwent a retaliatory DDoS attack initiated by spammers. As their servers folded under the load, Blue Security redirected its own DNS entries to point to the company weblog which was announcing their difficulty. The company weblog was hosted at the blogs.com webportal, a subsidiary of Six Apart. This effectively redirected the attack to blogs.com and caused Six Apart's server farm to collapse, which in turn is said to have made some 2,000 other blogs unreachable for several hours.

Individuals claiming to be members of the computer security establishment condemned the Blue Security company for the action it took while under DDoS attack. A representative of Renesys likened this action to [http://www.renesys.com/blog/2006/05/the_bluesecurity_fiasco_dont_m.shtml pushing a burning couch from their house to a neighbor's].

In their defense, Blue Security Inc. stated they were not aware of the DDoS attack when they made the DNS change, claiming to have been "blackholed" (or isolated) in their Israeli network as a result of a social engineering hack, which was alleged to have been pulled off by one of the attackers against a high-tier ISP's tech support staff.

This claim has been disputed by many writers such as Todd Underwood, writer of [http://www.renesys.com/blog/2006/05/the_bluesecurity_fiasco_dont_m.shtml Renesys blog]. Most sources, however, agree that regardless of whether Blue Security were "blackholed", they seem not to have been facing attack at the time they redirected their web address [citation needed]. Blue Security also claimed [citation needed] to have remained on amicable terms with Six Apart and pointed to the fact that the blog hosting company did not blame or even name them in [http://www.sixapart.com/typepad/news/2006/05/typepad_update_1.html the press release which explained the service outage]. In any event, the action was widely reported on IT security websites, possibly damaging Blue Security's reputation within that community. At the same time, the incident and its broad reporting in more general-interest media was considered by many to be a boon to the notoriety of Blue Security and the Blue Frog project.

Security expert Brian Krebs gives a different reason for Blue Security's website being unavailable in his [http://blog.washingtonpost.com/securityfix/2006/05/blue_security_surrenders_but_s.html article] on the Washington Post website. He says that what happened was not that Blue Security was lying about being unable to receive HTTP requests (because their servers were down), saying they had been "black hole filtered" and maliciously re-directed traffic, but rather that they were actually unable to receive traffic due to an attack on their DNS servers. This makes it probable that they had essentially been telling the truth and that CEO Eran Reshef was simply misinformed as to why their users were unable to reach their site.

Attackers identified

Soon after the attack started, Blue Security CEO Eran Reshef claimed to have identified the attacker as PharmaMaster, and quoted him as writing "Blue found the right solution to stop spam, and I can't let this continue" in an ICQ conversation with Blue Security.

Prime suspects for the Distributed Denial of Service (DDoS) attack on Blue Security's servers have been identified in the ROKSO database as [http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK5514 Christopher Brown AKA Swank AKA "Dollar"] and his partner [http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK6643 Joshua Burch AKA "zMACk"]; unidentified Australians and "some Russians" (Russian / Americans) were also involved, notably [http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK4932 Leo Kuvayev] and [http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK6138 Alex Blood]. The suspects were identified from a [http://slashdot.org/comments.pl?sid=184656&cid=15249882 transcript] of their postings in the www.specialham.com forum where both the spam attacks and DDoS attack were planned.

Shutdown of Anti-Spam Service

Blue Security ceased its anti-spam operation on May 16, 2006. The company announced it would look for non-spam related uses of its technology. In a rare move for the venture capital industry, the company's investors expressed full support for the company's decision to change its business plan [http://www.wired.com/news/technology/1,70913-1.html].

Many users have suggested continuing the project's goals in a decentralized manner (specifically using peer-to-peer technology, with the client distributed via BitTorrent or similar, thus making both the spam processing and client distribution elements harder for the spammers to attack). One such program already under development is dubbed Okopipi [http://castlecops.com/postitle156112-0-0-.html] though progress seems slow.

A number of users have recommended that all users uninstall the Blue Frog program, as it is no longer useful without the Blue Security servers active. [http://castlecops.com/modules.php?name=Forums&file=viewtopic&p=768501]

See also

*Okopipi
*Anti-spam techniques (e-mail)
*Collactive, founded by the Blue Security team.

External links

* [http://www.wired.com/wired/archive/14.11/botnet.html Wired news article on botnets and the DDoS attack on Blue Frog, Oct 31, 2006]
* [http://www.wired.com/news/technology/0,70913-0.html?tw=rss.index Wired News Article on shutdown, May 16, 2006]
* [http://www.washingtonpost.com/wp-dyn/content/article/2006/05/16/AR2006051601873.html "In the Fight Against Spam E-Mail, Goliath Wins Again"] Brian Krebs, "Washington Post", May 17, 2006
* [http://blog.washingtonpost.com/securityfix/2006/05/blue_security_surrenders_but_s.html "Blue Security Kicked While It's Down", May 17, 2006] Brian Krebs on the spammers' victory and its implications
* [http://castlecops.com/t154098-Summary_of_the_BlueFrog.html Summary of Blue Frog]
* [http://www.ranum.com/security/computer_security/editorials/bluesecurity Marcus J. Ranum - Enabling the Complaint Department]
* [http://www.realtechnews.com/posts/3011 David Johnston: "Spammer Desperately Tries to Undermine Blue Security"]
* [http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK5514 Suspects in the DDOS attack]
* [http://castlecops.com/postx154070-0-15.html#757510 Transcript of the Spammer attack plans]
* [http://www.npr.org/templates/story/story.php?storyId=5411437 Spammers Win, Anti-Spam Software Firm Shuts Down] . "Day to Day", 17 May 2006.
* [http://www.renesys.com/blog/2006/05/the_bluesecurity_fiasco_dont_m.shtml Renesys' overview]
* [http://knujon.com KnujOn] - Another anti-spam service, "a multi-tiered response to Internet threats, specifically email-based threats"
* [http://www.okopipi.org Okopipi] is a site that is hoping to be the new Blue Frog.


Wikimedia Foundation. 2010.
