BlueSecurity Database Compromised?

EElyn writes "Numerous users of Blue Security's anti-spam system now report of a new form of aggressive spam. An unknown group of spammers claim to have derived a way to extract the member email addresses of Blue Security group's anti-spam system, called Blue Frog. Blue Frog, a small tool which once installed on the user's computer, enables Blue Security to systematically flood a known spammer's website with opt-out messages; much to the headache of the spammer. Tens of thousands of users have already signed up, so can it really be true that spammers now possess this database? Or is this yet another frail attempt by spammers to intimidate the user?" Another reader sent the text of the letter; read more to see.

Stray1 writes ""You are recieving this email because you are a member of BlueSecurity...." An email from unknown detractors has taken the Bluesecurity anti spam lists and decided to take matters into their own hands. I recieved this Email from an anonymous, and garbled host, which went on to say in not so fantastic english that I, as a Blusecurity member, would recieve this and many more (about 20 -30) spam messages a day until I left the blue security community. Blue Security, (www.bluesecurity.com)a website and community designed to lessen your Spam Email, is down for the moment. Is this what we have come to? Spam,(erm 'high volume email') companys holding your address hostage until you comply? "...We mightve had your email addresses before in our lists, but now, we are targetting YOU, because YOU are a bluesecurity user". I have to say, up until this point, my spam was down by about 70% to 80%."

Eye for an Eye?

Blue Security to systematically flood a known spammer's website with opt-out messages; much to the headache of the spammer.

And by flood I taeke it you mean spam

When will the world learn, violence begets violence and spam begets spam. Lets find a real solution to the problem rahter then a vigalante justice.

Re:Eye for an Eye?

[Fordiman]

Blah blah blah.

'Vigilante' would imply something illegal is going on. This is market forces at work - more effective, generally, than government intervention.

Re:Eye for an Eye?

[suv4x4]

When will the world learn, violence begets violence and spam begets spam. Lets find a real solution to the problem rahter then a vigalante justice.

Naaah, let's just spam the bastards 'till they're blue. If I got a blackmail message like that, I'd change my e-mail (I know it'as not easy but it isn't THAT hard too) and setup a friggin server cluster to spam the spammers.

It's the war against spam people, if you're not with us... you're funding spam activities, there we go.

Re:Eye for an Eye?

[Fordiman]

Vigilantism is the act of taking the law into your own hands. It carries an implication of illegal, or more specifically, 'by any means necessary'.

This is 'a community action to produce a market incentive', which is wholly different from 'vigilantism', at least in a literal sense.

Sure, sure, it looks like we're locked in this huge digital superhero battle between the evil spammers and the innocent citizenry, but face it: We're making an attempt to prevent high-volume e-mail to our e-mail addresses from being profitable, and that is all. We are consciously generating market pressure to achieve a goal, and we are doing it in an unorthodox, but morally and legally clean way.

A segment of the population has said, 'High-volume e-mail is annoying enough to be a breach of the peace, as far as I'm concerned. I want none of it, and I will make an effort to prevent my mailbox from recieving them, by filter and by incentive."

Your use of the term 'vigilante tactics' is an obvious attempt to cast a dim light on the activities of the Blue Security community. It brings a baseless accusation to mind - and this being slashdot, I'm inclined to make it - but I think I'll leave the obvious to the outside observer.

Frelling trolls.

Re:Eye for an Eye?

I was shot in the leg when I was 17 and dealing heroin.

I didn't stop dealing heroin until I was 27.

I did start carring a gun.

Violence alwasy begets violence. There is no questions about that. The only way violence ever stops future violence is if one party is killed.

Re:Eye for an Eye?

[Fordiman]

Actually, it seems - strictly from your story - that desperation (addict needing a fix and happening to have a gun) and greed (competing dealer wants your territory) begets violence, which appears to beget self protection (have you ever shot someone out of anything but self-defense?).

I was both addict and dealer back in my late teens. I got out of there damned quick when I saw how dangerous it was (got clipped in the ear during a soured deal - damned lucky I got out alive).

You say you continued to work in an extremely dangerous field for ten years AFTER the world suggested to you that it might be a bad occupation for you, yet you still put that statement out as if it's supposed to validate your little nugget of cliched wisdom.

Seriously, nobody likes violence, but like anything it's a tool, and its use is only as evil as its weilder (shoot a lunatic who has a knife to your wife's throat: good or evil?)

Re:Eye for an Eye?

[plague3106]

I was shot in the leg when I was 17 and dealing heroin.

I didn't stop dealing heroin until I was 27.

I did start carring a gun.

The fact that you were too stupid to get out does not mean that violence is never a way to stop other violence.

Re:Eye for an Eye?

[jank1887]

"I was shot in the leg when I was 17 and ... The only way violence ever stops future violence is if one party is killed."

Exactly. so what your example demonstrates is that ineffective violence begets more violence. Had that guy been a better shot, it would have stopped.

Translated to this context, if the BlueSecurity effect is potent enough, it could have a subsantial effect. If it's not, it'll just spark more back-and-forth.

Re:Eye for an Eye?

[SillyNickName4me]

What a load of hippie crap.

I believe that some 2000 years ago they nailed someone to a cross who had pretty similar ideas.. Seems he has a huge following outside the hippie scene also. Ok, I have to say that he looked a bit like a hippie.

Learn the difference between initiating force and resisting it. One is perfectly moral and one isn't. Resisting violence often reduces future violence instead of 'begating violence.' Since you lack clue I'll state the obvious, the violent only attack those who they believe to be weaker. (unless they are truly insane, then all bets are off)

Well considered and restrained violence can in specific cases work as a defense, and can even be the only defense, yes. That in no way means that violence is the only way to respond to violence or will solve it most of the times.

The problem is that you are wrong about whom get attacked by 'the violent'. They attack those whome are easiest to intimidate, regardless of actual strength. (which is one reason why terrorism is such an effective offensive strategy against the USA btw)

Re:Eye for an Eye?

[Marxist+Hacker+42]

Seems to me that if you used one of several free Bayesian Spam filters out there in addition to BlueSecurity, this could be easily foiled and all such e-mails could be targeted on their misspellings alone.

Re:Eye for an Eye?

[Spudley]

The opt-out request instructs the spammer to download and *encrypted* list of member email addresses from Blue Security, which the spammer then uses to "wash" his spam list and rid it of member addresses. The spammer never sees any legitimate email addresses.

So what's stopping the spammer from washing his list, and then comparing the resulting list with his pre-wash backup? Seems like it would still give him a list of addresses to target, even if the encryption was watertight. Doesn't even need any hacking; just a diff program.

I'd call the bluff

If they're able to do so, what will stop them from *not* spamming you in the future anyway? Their ethics, integrity or your stupidity?

A head for an eye?

Yes, Let's kill the spammers.

Don't Back Down

[colonslashslash]

As Shadowknot said earlier, you may as well stay subscribed. If they have your email address and are spamming it, do you really think they are going to delete it from their lists if you unsubscribe from BlueSecurity? I doubt that. You're in the 'fight' now, no point backing down in my opinion.

All the best with it.

Re:So, is the database compromised?

[Billosaur]

BlueFrog has been criticised for it's so-called "vigilante" approach.. it's not alone in this approach, but perhaps this does go to show a potential downside: spammers are evil - pissed off spammers will simply direct the evil at the people who pissed them off.

So what do we do -- surrender, because some spammer compromises this one system? Blue Frog has its own problems, but their idea is sound, if a bit "above the law." Let Blue Frog users forward the emails to them and let the company go after the spammers (aren't they violating CAN-SPAM or the law against harrassing emails?).

Look, Wyatt Earp was a lawman looking to see justice done and occassionally he had to step outside the law. Call it vigilantism if you like, but the fact is, these spammers have been operating under the assumption that they are untouchable, and can do this all day long with no repercussions. It's time for users around the globe to go on the offensive, give them a taste fo their own medicine. Shut down their ISPs if they won't stop the spam. Jam up their systems. Let them know we're mad as hell and we're not going to take it anymore. The court system can rule against them, but so many of them are overseas that I seriously doubt they can be touched. So hit 'em where it hurts, right in the servers.

Re:Email I Received

[Too+many+errors,+bai]

Do they even realize the sheer irony in accusing others of sending mass emails?

The REST of the story ...

[GISGEOLOGYGEEK]

The Gmail spam filter is filtering nearly every one of these spams, only a couple out of 60+ yesturday got into my inbox. .... and every one of that bastard's spams advertising a website went right to bluesecurity to hurt his business. He's just shooting himself in the foot.

Contrary to what the author wrote, there's closer to 475,000 members, not just a few 10's of thousands, enough that several major spammers have already agreed to not spam members due to the huge financial hits they were taking with the bluefrog choking off their websites.

What a joke, what dumbass would really believe that the spammers will not spam you if you leave blue security? Who here will admit to believing the criminals? ... I think that about covers the points that were lost when slashdot decided to post this boring version of the story, instead of what I submitted yesturday afternoon :)

Re:What must be done

[clevershark]

The only thing that most of these "please remove me" BS forms do is confirm that the email address is a valid one, and can be resold to more spammers. If anything filling those out actually causes more harm than good.

If you're confused, read the article again; it's mentioned.

Thanks Tips, but all four links in the article seem to be unreachable.

Blue security must be working

[paladinwannabe2]

If BlueSecurity wasn't hurting Spammers they would ignore it. If they are fighting back it must mean that BlueSecurity is actually doing damage to them.

Re:What must be done

[The+Snowman]

Problem is, that to waste their time, you have to waste your time. I sometimes do respond to junk (paper) mail by sending random junk in the envelope. Sometimes I actually write a letter demanding they remove me from their lists. No matter what I do, it doesn't end. Capital One still sends me junk mail despite multiple letters between us -- me demanding them to stop, them reassuring me they will honor my request. Junk mail is even worse because it is more anonymous -- it is easy to forge headers and mask where a mail truly came from. Yes, there are ways to track it down, but it isn't always easy. Filling out information on a web site in the email doesn't do much, since odds are it doesn't go to the same person. Even then, it takes time to screw with the spammers, electronic or paper, and I don't want to waste my time.

Sometimes I do get bored and do screw with them. Such as using my brand new photo printer to print stuff and put it in those return envelopes. After visiting certain not-work-safe sites for photos.

Re:Sent abuse report

[Slashcrap]

I noticed a calpoly.edu address in the header, so I sent a copy of the message to abuse@calpoly.edu.

Well if it's in the header then that must be where it came from. Congratulations on your superlative detective work.

I'm sure that the abuse admin at calpoly.edu will also soon be writing to you to let you know how much he appreciates your skills.

Neville Chamberlain, is that you?

[blueZ3]

Whenever anyone says "violence never solves anything" I always remember the part in Starship Troopers where the History and Moral Philosophy teacher says "Perhaps you could tell that to the Carthagians..."

Nice FUD but...

[Eric+Damron]

Blue frog is open source...

Re:What must be done

[Alan+Jay+Weiner]

You are absolutely right. The problem is highly asymmetrical : the spammer needs spambots and webservers worth a few thousand $, and can flood the Internet with crap. If every recipient is to spend a few minutes to do a mDOS (manual denial of service), it sums up to tens of millions of lost minutes, or millions of $ in lost productivity.
We need an automated descentralized P2P network to attack the spammers and the spam-friendly ISPs.

It takes me less than 5 minutes to forward the 5000-7000 emails in my catchall account each day. I use Thunderbird with the Blue Frog plugin, and forward about 400 messages at a time - I could do it all in a minute if I could attach all the messages at once but that ends up to be too large a message...
Doing it manually would take *far* longer - I've enough time sinks as it is!

According to my Blue Security statistics, my Blue Frog has sent 11,152 "opt-out" requests in the past 7 days. (which also points out that every spam doesn't generate an opt-out) Blue Security's idea is to be enough of a thorn that it's easier to not send to the Blue Frog list than to fight it. (one of the spammer tools has recently added a "clean emails of Blue Security registered names" button - making it trivially easy to remove the registered names. This implies that Blue Security is having an effect.

Right now there are 471,000 names in the list - surely not all are really active, and not all are sending opt-out messages, but it seems spammers are sitting up and noticing now. According to Blue Security's blog, in the past month several spammers have negotiated with them and agreed to clean their lists. If I remember right they generate something like 8% or so of spam volume. Not a *lot* but I'd expect more in the coming months. Spammers are in it to make money - once they get over the initial irritation, it'll just be easier to clean their lists than to try to fight back. Which also makes sense - the list is people who won't buy from them in the first place, so in the end it's a waste of time to send spam to them.

In my opinion (everyone's got em! :) this is the best shot I've seen at drastically reducing spam. Laws aren't as helpful as they could be - especially against spam from other countries. And it takes a long time to catch and convict a single spammer. Do you *really* want your tax dollars used that way? (we don't even need to get into how gosh-darn *wonderful* CAN-SPAM is...) Filters help, but that's not stopping the spam, it's just preventing you from seeing it. Killing spammers might have an effect but seems a bit severe. (although there are days... :) Baysian filters help - but a business can't lose a mail to false positives, so they need to check the spam anyway. Challenge-response is ugly and annoying. And I sure don't want to go down the pay-for-email road! RBLs are too dangerous - throwing out the good with the bad. (one listed the entire Comcast.net domain, for example) Greylisting isn't a bad idea, but it does use extra computing power, and delays some email. Seems to me that being a thorn in the side of a spammer has a decent chance of working. They're not stupid, not even necessarily lazy. They're just taking advantage of the way things work. (excepting those who use trojans etc to take over other's machines - they're evil!) Once they reach the point where it's easier to accept and comply, and recognize they're not losing any revenue (because those emails won't become customers anyway) they'll clean their lists - and spam will go down. It won't disappear, but hopefully be significantly reduced.

- Al Weiner -