"Blue Frog" Part Deux


rlohmann
May 1st, 2006, 07:33 AM
This showed up in my E-mail this morning. I have no idea whether it's real or not, but....

[beginning of text]


X-Gmail-Received: b5760fbaf4a638840a0c70d57f2d1190f471dcb2
Delivered-To: rlohmann@gmail.com
Received: by 10.64.150.6 with SMTP id x6cs77720qbd;
Mon, 1 May 2006 04:52:35 -0700 (PDT)
Received: by 10.36.96.10 with SMTP id t10mr83668nzb;
Mon, 01 May 2006 04:49:13 -0700 (PDT)
Return-Path: <woens@geo.uu.nl>
Received: from 633F768 ([218.13.100.21])
by mx.gmail.com with SMTP id 17si2554509nzo.2006.05.01.04.50.33;
Mon, 01 May 2006 04:50:42 -0700 (PDT)
Received-SPF: neutral (gmail.com: 218.13.100.21 is neither permitted nor denied by best guess record for domain of woens@geo.uu.nl)
Received: from 218.49.240.52 by 218.13.100.21; Mon, 01 May 2006 16:43:30 +0400
Message-ID: <OXFCMKTIVXWVYSKIQOZGTFTIT@esbe.co.uk>
From: "LEESA REYNA" <woens@geo.uu.nl>
Reply-To: "LEESA REYNA" <woens@geo.uu.nl>
To: rjparker1@gmail.com
Subject: Wow! I can't beleive it!
Date: Mon, 01 May 2006 13:43:30 +0100
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--41914387934148954"
X-Priority: 3
X-MSMail-Priority: Normal

----41914387934148954
Content-Type: text/plain;
Content-Transfer-Encoding: 7Bit

You are being emailed because you are a user of BlueSecurity's well-known software "BlueFrog." http://www.bluesecurity.com/

Today, the BlueSecurity database became known to the worst spammers worldwide. Within 48 hours, the database will be published on the Internet, and your email address will be open to them all. After this, you will see the spam sent to your mailbox increase 10 - 20 fold.

BlueSecurity was illegally attacking email marketers, and doing so with your help. Many websites have been targeted and hit, including non-spam sites. BlueSecurity's software has been fully analyzed, and contains an abundance of malicious code. This includes: ability to send mass mail to users; the ability to attack websites with Distributed Denial of Service attack (DDoS); the ability to open hidden doors on any machine on which it is running; and a hidden auto-update code function, which can install anything on your computer and open it up to anyone.

BlueSecurity lists a USA address as their place of business, whereas their main office is in Tel Aviv. BlueSecurity is run by a few Russian-born Jews, who have previously been spamming themselves. When all is said and done, they will be able to run, hide and change their identities, leaving you to take the fall. YOU CANNOT PARTICIPATE IN ILLEGAL ACTIVITIES and expect to get away with it. This email ensures that you are well aware of the situation. Soon, you will be found guilty of computer crimes such as DDOS attacking of websites, conspiracy, and sending mass unsolicited bulk email messages for everything from viagra to porn, as long as you continue to run BlueFrog.

They do not take money for downloading their software, they do not take money for removing emails from their lists, and they have no visible revenue stream. What they DO have is 500,000 computers sitting there awaiting their next command. What are they doing now?

1. Using your computer to send spam ?
2. Using your computer to attack competitor websites?
3. Phishing through your files for your identity and banking information?

If you think you can merely change your email address and be safe while still running BlueFrog, you are in for a big surprise. This is just the beginning...

----41914387934148954--

[end of text]

Judy G. Russell
May 1st, 2006, 10:27 AM
Ewww. Nasty. I don't see anything on slash.dot or other news sites, but...

ndebord
May 1st, 2006, 10:47 AM
Ewww. Nasty. I don't see anything on slash.dot or other news sites, but...

Judy,

I remember vaguely that some time ago Lycos (where I keep a spare email address) was pushing an IM client that supposedly had spyware bundled in some fashion. I'm very careful these days about what I let run on my computer, even when it is supposedly from a reputable vendor.

PeteHall
May 1st, 2006, 12:47 PM
BlueSecurity lists a USA address as their place of business, whereas their main office is in Tel Aviv. BlueSecurity is run by a few Russian-born Jews, who have previously been spamming themselves...
So it's all an evil Zionist plot against those plucky spammers

The Direct Marketing Assoc's Email Preference Service (http://www.e-mps.org/) offers a 'washing' facility for mailing lists but they charge $600/pa... which is obviously too much for spammers to afford

Jeff
May 1st, 2006, 01:08 PM
I copied the header and a bit of the text to SpamCop. What you received came from an open proxy in China.

SpamCop's report in short, but do not click on any of these:

Cached whois for 218.13.100.21 : ipadm@gddc.com.cn abuse@gddc.com.cn anti-spam@ns.chinanet.cn.net
Using abuse net on abuse@gddc.com.cn
abuse net gddc.com.cn = ctsummary@special.abuse.net, abuse@gddc.com.cn, anti-spam@ns.chinanet.cn.net
abuse net chinanet.cn.net = anti-spam@chinanet.cn.net, ctsummary@special.abuse.net, postmaster@chinanet.cn.net
Using best contacts ctsummary@special.abuse.net abuse@gddc.com.cn anti-spam@ns.chinanet.cn.net
ctsummary@special.abuse.net redirects to ct-abuse@sprint.net
ct-abuse@sprint.net redirects to ct-abuse@abuse.sprint.net
anti-spam@ns.chinanet.cn.net bounces (102 sent : 23203 bounces)

Using anti-spam#ns.chinanet.cn.net@devnull.spamcop.net for statistical tracking.
Message is 6 hours old
218.13.100.21 not listed in dnsbl.njabl.org
218.13.100.21 not listed in dnsbl.njabl.org
218.13.100.21 listed in cbl.abuseat.org ( 127.0.0.2 )
218.13.100.21 is an open proxy

An "open proxy" is an unintended spam relay; a hijacked computer. IOW the warning itself was apparently spam.

- Jeff
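As an added example (my code, not SpamCop's and not from the thread), here is the same trace done by hand in Python: it walks the Received: chain of the message posted above, treats only the hop recorded by Gmail's own MX (`mx.gmail.com`, taken from the headers) as trustworthy, builds the reversed-octet query names that DNS blocklists such as cbl.abuseat.org expect, and reads a 127.0.0.x answer as a listing. The DNSBL answers come from a constructed table that reproduces the SpamCop report rather than a live query, so the block runs offline; the header block is the one posted above with its folded lines re-indented.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# The header block posted above, embedded as sample input. The folded
# Received: lines are re-indented so the email parser treats them as
# continuation lines; the body is omitted.
SAMPLE_HEADERS = """\
Delivered-To: rlohmann@gmail.com
Received: by 10.64.150.6 with SMTP id x6cs77720qbd;
        Mon, 1 May 2006 04:52:35 -0700 (PDT)
Received: by 10.36.96.10 with SMTP id t10mr83668nzb;
        Mon, 01 May 2006 04:49:13 -0700 (PDT)
Return-Path: <woens@geo.uu.nl>
Received: from 633F768 ([218.13.100.21])
        by mx.gmail.com with SMTP id 17si2554509nzo.2006.05.01.04.50.33;
        Mon, 01 May 2006 04:50:42 -0700 (PDT)
Received: from 218.49.240.52 by 218.13.100.21; Mon, 01 May 2006 16:43:30 +0400
From: "LEESA REYNA" <woens@geo.uu.nl>
Subject: Wow! I can't beleive it!

"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
BRACKETED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP_RE = re.compile(r"(?:from\s+(?P<frm>.+?)\s+)?by\s+(?P<by>\S+)")


def _is_global(ip_text):
    try:
        return ip_address(ip_text).is_global
    except ValueError:          # e.g. "999.1.2.3" matched by the loose regex
        return False


def parse_hop(received):
    """Split one Received: value into HELO name, sender IP and the relay that wrote it."""
    clause = " ".join(received.split()).split(";", 1)[0]   # unfold, drop the timestamp
    m = HOP_RE.match(clause)
    if m is None:
        raise ValueError("unparseable Received header: %r" % received)
    frm = m.group("frm") or ""
    # Trust the address the receiving MTA recorded in brackets over anything
    # the sender put in its HELO string; fall back to the first IP literal.
    bracketed = BRACKETED_IP_RE.search(frm)
    candidates = [bracketed.group(1)] if bracketed else IP_RE.findall(frm)
    from_ip = next((c for c in candidates if _is_global(c)), None)
    return {"helo": frm.split()[0] if frm else "", "from_ip": from_ip, "by": m.group("by")}


def trace_origin(raw_headers, own_mx="mx.gmail.com"):
    """Walk Received: headers newest-first and return the one hop we can vouch for.

    Only the hop stamped by our own MX records a TCP peer address we saw
    ourselves. Every Received: line below it was written by that peer and can
    be forged, so any upstream IP it names is a claim, not an observation.
    """
    headers = message_from_string(raw_headers).get_all("Received", [])
    hops = [parse_hop(h) for h in headers]
    for i, hop in enumerate(hops):
        if hop["by"] == own_mx and hop["from_ip"]:
            return {
                "handoff_ip": hop["from_ip"],
                "helo": hop["helo"],
                # RFC 2821 wants a fully qualified name in HELO; a bare token
                # like 633F768 is a common spam-filter signal.
                "helo_is_fqdn": "." in hop["helo"],
                "claimed_upstream": [h["from_ip"] for h in hops[i + 1:] if h["from_ip"]],
            }
    return None


def dnsbl_query_name(ip_text, zone):
    """Reverse the octets and append the list's zone, the query form every DNSBL uses."""
    return ".".join(reversed(ip_text.split("."))) + "." + zone


# Constructed answer table standing in for a live resolver. The CBL reply for
# this IP is the one quoted in the SpamCop report; NJABL had no listing.
# Pass resolve=socket.gethostbyname (wrapped to return None on error) to query for real.
SIMULATED_DNS = {"21.100.13.218.cbl.abuseat.org": "127.0.0.2"}


def dnsbl_listed(ip_text, zone, resolve=SIMULATED_DNS.get):
    """A 127.0.0.x answer means listed; no answer (NXDOMAIN) means not listed."""
    answer = resolve(dnsbl_query_name(ip_text, zone))
    return answer is not None and answer.startswith("127.")


if __name__ == "__main__":
    origin = trace_origin(SAMPLE_HEADERS)
    print("handoff IP (observed by our MX):", origin["handoff_ip"], "HELO:", origin["helo"])
    print("upstream IPs the relay claims (unverified):", origin["claimed_upstream"])
    for zone in ("cbl.abuseat.org", "dnsbl.njabl.org"):
        print(zone, "listed" if dnsbl_listed(origin["handoff_ip"], zone) else "not listed")
```

The point the trace makes is that 218.13.100.21 is the only address Gmail actually observed; the "from 218.49.240.52" line beneath it was written by that open proxy and cannot be verified from the headers alone, which is why the blocklist lookup is done on the handoff address and not on anything claimed below it.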

Judy G. Russell
May 1st, 2006, 01:19 PM
I remember vaguely that some time ago Lycos (where I keep a spare email address) was pushing an IM client that supposedly had spyware bundled in some fashion. I'm very careful these days about what I let run on my computer, even when it is supposedly from a reputable vendor.

I'm more than just careful; I'm almost paranoid about it. There's very little out there that's worth the risk these days.

Judy G. Russell
May 1st, 2006, 01:19 PM
So it's all an evil Zionist plot against those plucky spammers

I noticed that part as well. Sigh...

Gary Maltzen
May 1st, 2006, 02:38 PM
218.13.100.21 is a Chinese IP
218.49.240.52 is a Korean IP

Blue Security comment on the spam - http://community.bluesecurity.com/blog/

Marcus Ranum (SANS) 2005 editorial on Blue Frog - http://www.ranum.com/security/computer_security/editorials/bluesecurity/

rlohmann
May 1st, 2006, 03:58 PM
So it's all an evil Zionist plot against those plucky spammers

I noticed that, too.

Since I posted my screed here this morning, I forwarded the message to Google and, a few minutes later, got a second message, this from a purportedly different originator, likewise with all the characteristics of spam: unknown originator, strange subject line, and an identical message.

I haven't got an answer, or even an acknowledgment, from Google yet.

rlohmann
May 1st, 2006, 03:59 PM
Thanks.

Imagine my surprise.

rlohmann
May 1st, 2006, 04:14 PM
Being a cynical paranoiac myself, I can't help wondering if perhaps "Blue Software" generated this material itself. (See the discussion between Sidney and me in the first "Blue Software" thread.)

A careful reading of both of the links you provided doesn't convince me that BF is legitimate. A website that uses constructions such as "pen!s" and "refi!!" intends to evade the spam filters of people who don't want spam. Consequently, the idea that these people really want to purge their database, and are eagerly trying to find ways to do so, flies in the face of common sense. According to Blue Software, the bad guys are desperately seeking virtue.

I have a bridge to sell Blue Software. :rolleyes:

Mike
May 1st, 2006, 11:50 PM
From the Internet Patrol mailing list:

Blue Frog ``Do Not Spam'' Emai List Stolen and Spammed - 2006-05-01 15:06:30-04

It was inevitable. Blue Frog, the "anti-spam" company which tries to get spammers to stop spamming by spamming the webforms of spammers who spam Blue Frog's customers, had their "do not spam" email list stolen by spammers, and now that list of Blue Frog customers is getting spammed.

Read more: http://www.theinternetpatrol.com/blue-frog-do-not-spam-emai-list-stolen-and-spammed

rlohmann
May 2nd, 2006, 04:15 AM
It was inevitable. Blue Frog, the "anti-spam" company which tries to get spammers to stop spamming by spamming the webforms of spammers who spam Blue Frog's customers, had their "do not spam" email list stolen by spammers, and now that list of Blue Frog customers is getting spammed.
You heard it here first. This morning I had 48 spam messages, all but three apparently from that group. :(

I uninstalled the Blue Frog Software about a month ago, but I didn't tell them to remove my Email address.

I think Hillary and Nancy Pelosi are behind this

sidney
May 2nd, 2006, 04:32 AM
From the Internet Patrol mailing list:

Blue Frog ``Do Not Spam'' Emai List Stolen and Spammed - 2006-05-01 15:06:30-04

It was inevitable.

No, it is not so inevitable that a company which maintains a database is going to have the database stolen, even if it is not unheard of. In this case there is no evidence that the list was stolen, only a reporter saying that he was shown a list of email addresses.

I think that the second comment on the article you linked to has the most likely scenario, that the spammer ran the do-not-mail registry cleaner on their mailing list and compiled a list of addresses that were removed. My back of the envelope calculation says that a 10 million address mailing list would get about 10,000 matches that are not really Blue Frog customer addresses, plus a match for every address on the mailing list that is either a spamtrap or a real Blue Frog customer address. One problem with the tricks Blue Frog is playing is that the spammer doesn't really have to care if there are some tens of thousands of red herrings in their reverse-filtered list. They can use the addresses to target all Blue Frog customers on their list and not care about the red herrings.

-- sidney
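To make the scenario in the post above concrete, here is an added simulation in Python (my code, not Blue Security's; the page does not say how the registry was actually encoded). It assumes the registry is handed to senders as truncated hashes rather than cleartext, which is exactly what lets a non-member address "match" by chance and produce the red herrings sidney describes. All addresses are constructed; the sender list holds 50,000 unrelated addresses plus two of the three registered ones.

```python
import hashlib

# Assumed design (not stated on the page): the registry goes out as truncated
# hashes so a cleaner can remove matches without disclosing the addresses.
# Hash width chosen small so chance collisions show up on a 50,000-entry list.
FP_BITS = 16


def fingerprint(address, bits=FP_BITS):
    """Truncated SHA-256 of the normalised address."""
    digest = hashlib.sha256(address.strip().lower().encode()).digest()
    return int.from_bytes(digest[:8], "big") >> (64 - bits)


def build_registry(addresses, bits=FP_BITS):
    """The do-not-mail registry as distributed: a set of fingerprints only."""
    return {fingerprint(a, bits) for a in addresses}


def clean_list(mailing_list, registry, bits=FP_BITS):
    """The advertised use: the sender's list with registry matches removed."""
    return [a for a in mailing_list if fingerprint(a, bits) not in registry]


def reverse_filter(mailing_list, registry, bits=FP_BITS):
    """The hostile use: diff input against output and keep what the cleaner removed."""
    kept = set(clean_list(mailing_list, registry, bits))
    return [a for a in mailing_list if a not in kept]


def expected_red_herrings(n_non_members, registry_size, bits=FP_BITS):
    """Chance collisions: each non-member matches some registry fingerprint with
    probability about registry_size / 2**bits, assuming a uniform hash."""
    return n_non_members * registry_size / 2 ** bits


# Constructed data. Two subscribers plus a seeded spamtrap are registered;
# the sender's list contains two of the three among 50,000 other addresses.
REGISTERED = ["subscriber1@example.com", "subscriber2@example.org", "spamtrap@example.net"]
SENDER_LIST = ["user%05d@mail.example" % i for i in range(50_000)] + REGISTERED[:2]


def run_attack(bits=FP_BITS):
    """Run the cleaner the way a hostile sender would and classify what comes back."""
    registry = build_registry(REGISTERED, bits)
    recovered = reverse_filter(SENDER_LIST, registry, bits)
    true_hits = [a for a in recovered if a in REGISTERED]
    return {
        "recovered": recovered,
        "true_hits": true_hits,
        "red_herrings": len(recovered) - len(true_hits),
        "expected_red_herrings": expected_red_herrings(len(SENDER_LIST) - 2, len(REGISTERED), bits),
    }


if __name__ == "__main__":
    result = run_attack()
    print("registry members recovered:", result["true_hits"])
    print("chance collisions (red herrings):", result["red_herrings"],
          "(expected about %.1f)" % result["expected_red_herrings"])
```

Every registered address on the sender's list comes back regardless of hash width; widening the hash only lowers the number of red herrings, and as the post says the attacker has no reason to care about those. The same arithmetic with a ten-million-address list and a collision rate near one in a thousand gives the roughly ten thousand chance matches estimated above.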

rlohmann
May 2nd, 2006, 04:28 PM
FWIW, the Blue Security link is down.

Somehow, the idea of sending spammers a list of "do not spam" addresses struck me as absurd from the beginning. I pointed that out in an E-mail to Blue Security about six weeks ago. One of their grundoons blew me off, telling me to read their press release. That release, of course, merely gloated about how smart they were.

Google doesn't get off scot-free, either. They obviously never looked into the workings of Blue Software before they recommended it. I wonder if Google's airy "don't do evil" excludes arrogance from its prohibitions.

rlohmann
May 3rd, 2006, 04:52 PM
I think that the second comment on the article you linked to has the most likely scenario, that the spammer ran the do-not-mail registry cleaner on their mailing list and compiled a list of addresses that were removed.

That's exactly what I suggested to Blue Software when their approach initially struck me as odd, which was not very long after I loaded their software.

That's when they told me to read their press release.

It now seems unlikely that they themselves are in cahoots with the spammers. All this brouhaha suggests to me that they're probably a bunch of young kids with some good ideas, not much experience, and a great deal of arrogance.

We'll see.

Mike
May 3rd, 2006, 11:03 PM
Google doesn't get off scot-free, either. They obviously never looked into the workings of Blue Software before they recommended it. I wonder if Google's airy "don't do evil" excludes arrogance from its prohibitions.
Ralph, remember that the links you saw were selected by GMail based on the content of the message you were reading at the time.

GMail is supported by advertising, just like Yahoo mail and other "free" mail accounts. GMail's difference is that the adverts are targeted according to the content of the message being displayed on the screen at the time. The GMail software inspects the text of the message and based on certain keywords, determines the most likely context of the message to display related advertising.

rlohmann
May 4th, 2006, 06:32 AM
Ralph, remember that the links you saw were selected by GMail based on the content of the message you were reading at the time.
I know, and that's been bothering me.

I have no idea how much time and effort Google puts into reviewing the credentials of their advertisers, but regardless of what the contracts say, the effect is that Google uses its name as a vehicle to advance the interests of those to whom it sells advertising.

Assuming, as I do, that they don't do much background checking, and that they take money from pretty much anybody who walks in the door, something really bad is going to happen sooner or later.

Mike
May 5th, 2006, 12:50 AM
I suspect that Google doesn't do any more investigation of advertisers than does a newspaper or any other medium. All of us need to remember that just because we've seen it on the Internet, it's not necessarily true.