BlueSecurity Database Compromised?

EElyn writes "Numerous users of Blue Security's anti-spam system now report of a new form of aggressive spam. An unknown group of spammers claim to have derived a way to extract the member email addresses of Blue Security group's anti-spam system, called Blue Frog. Blue Frog, a small tool which once installed on the user's computer, enables Blue Security to systematically flood a known spammer's website with opt-out messages; much to the headache of the spammer. Tens of thousands of users have already signed up, so can it really be true that spammers now possess this database? Or is this yet another frail attempt by spammers to intimidate the user?" Another reader sent the text of the letter; read more to see.

Stray1 writes ""You are recieving this email because you are a member of BlueSecurity...." An email from unknown detractors has taken the Bluesecurity anti spam lists and decided to take matters into their own hands. I recieved this Email from an anonymous, and garbled host, which went on to say in not so fantastic english that I, as a Blusecurity member, would recieve this and many more (about 20 -30) spam messages a day until I left the blue security community. Blue Security, (www.bluesecurity.com)a website and community designed to lessen your Spam Email, is down for the moment. Is this what we have come to? Spam,(erm 'high volume email') companys holding your address hostage until you comply? "...We mightve had your email addresses before in our lists, but now, we are targetting YOU, because YOU are a bluesecurity user". I have to say, up until this point, my spam was down by about 70% to 80%."

Email I Received

[duerra]

Below is an email that I received, which pretty much confirms that they have been hacked.

----

You are being emailed because you are a user of BlueSecurity's well-known software "BlueFrog." http://www.bluesecurity.com/

Today, the BlueSecurity database became known to the worst spammers worldwide. Within 48 hours, the database will be published on the Internet, and your email address will be open to them all. After this, you will see the spam sent to your mailbox increase 10 - 20 fold.

BlueSecurity was illegally attacking email marketers, and doing so with your help. Many websites have been targeted and hit, including non-spam sites. BlueSecurity's software has been fully analyzed, and contains an abundance of malicious code. This includes: ability to send mass mail to users; the ability to attack websites with Distributed Denial of Service attack (DDoS); the ability to open hidden doors on any machine on which it is running; and a hidden auto-update code function, which can install anything on your computer and open it up to anyone.

BlueSecurity lists a USA address as their place of business, whereas their main office is in Tel Aviv. BlueSecurity is run by a few Russian-born Jews, who have previously been spamming themselves. When all is said and done, they will be able to run, hide and change their identities, leaving you to take the fall. YOU CANNOT PARTICIPATE IN ILLEGAL ACTIVITIES and expect to get away with it. This email ensures that you are well aware of the situation. Soon, you will be found guilty of computer crimes such as DDOS attacking of websites, conspiracy, and sending mass unsolicited bulk email messages for everything from viagra to porn, as long as you continue to run BlueFrog.

They do not take money for downloading their software, they do not take money for removing emails from their lists, and they have no visible revenue stream. What they DO have is 500,000 computers sitting there awaiting their next command. What are they doing now?

1. Using your computer to send spam ?
2. Using your computer to attack competitor websites?
3. Phishing through your files for your identity and banking information?

If you think you can merely change your email address and be safe while still running BlueFrog, you are in for a big surprise. This is just the beginning...

Re:Email I Received

[discHead]

I'm sure you're right. I have an entire domain registered with Blue Security, but it looks like the spammer has only been hitting some well-worn addresses I have seen other spammers using. I'm sure whoever it is "cleaned" his list, looked at what addresses got filtered out, and singled out those addresses for "special" treatment.

Re:So, is the database compromised?

[smokeslikeapoet]

I am a victim of the blackmail letter as well. It's easy to figure out how the spammers got my email address, they already had it. They simply backed up their address book, cleaned their list with Blue Security's tool, then "diffed" the database to figure out who was BlueSecurity member.

Another note, BlueSecurity is not Slashdotted. It is unavailable because of a DDoS attack started sometime earlier this week. The attack started submitting invalid PHP requests, making the site slow to a crawl and at times be completely unavailable.

I write about it on my blog. More on the attack here. The threating letter I received is also on my Slashdot journal.

Re:What must be done

[mpaulsen]

http://www.straightdope.com/classics/a2_356.html

'According to rule 917.243(b) in the Domestic Mail Manual, when a business reply card is "improperly used as a label"--e.g., when it's affixed to a brick--the item so labeled may be treated as "waste." That means the post office can heave it into the trash without further ado.'

They don't have the database!

[drosoph]

From what I am seeing, I am now receiving 1,000s of these stupid "Because you are using the BlueSecurity Software ...." emails .... but they are all being directed to Mike, Jan, Cindy, Lucy, Bobby, and Greg@mydomain.com .... They are NOT directed to MY email address. These addresses that they are using were ONCE entered by an ignorant relative of my onto one of those online greeting card sites, (even mispelled) and those are the addresses that are being spammed. Since I ALSO registered my DOMAIN with BlueSecurity, I would ponder to guess that the spammers are using the domain list, matching it up to ANY email they have in their spam database with that domain and spamming the heck out of it. They HAVE NOT, I repeat, HAVE NOT hit ANY of my REGISTERED email addresses with BlueSecurity. They are only hitting random crap email addresses on my domain. They're shooting in the dark, they're angry, and they're running scared ... and I hope that you all keep up the good work!

Re:So, is the database compromised? No.

[MrNougat]

Comments on BlueSecurity forums last night demonstrate that users with multiple protected addresses are getting these attack spams to some, but not all, of the protected addresses.

What's lkely happening: Spammer has a mailing list. Spammer uses BlueSecurity's "cleanlist" tool to clean registered addresses from his mailing list. Compare original list to cleaned list - email addresses that are in the first but not the second are BlueSecurity registered.

By this logic, email addresses that the spammer does not already have are not made available to the spammer in any way via BlueSecurity's own list. Delivery patterns of the attack spams support this observation.

I'll also note that Gmail's own spam filters are already capturing all of these attack spams; I only got two in my mailbox this morning, about 50 more were filtered.

This is the first time I'm aware of that a spam prevention service has worked so well that it's got a spammer pissed off enough to lash out. BlueSecurity++

DoS and Explanation

[cheshire_cqx]

According to this article BlueSecurity is the target of a DoS attack.

Also, here's their explanation of the spammer's countermeasure:

This sounds scary, but it's not as bad as it sounds. Blue Security's email address registry remains secure contrary to what this spammer would have you believe. The way subscribers' emails were obtained was by checking the spammer's own list of emails against the Do Not Intrude registry. Normally spammers will get the emails of those who subscribe returned to them and will then remove those emails from their spamming lists. This one, however, has taken another approach. Instead of taking those hits off of his spam lists, he is sending them these intimidating emails.

Makes sense to me, and explains why only BlueSecurity users are getting the emails.

Re:What must be done

[Pollardito]

When somebody sends you a credit card offer, send it back to them, writing "Take me off your list".

you can get off the prescreened credit mailing lists altogether, just use one of the methods suggested on the FTC website