| Author |
Message |
tembow
Blue Angel Premium Member
 Joined: Oct 10, 2005 Posts: 2881
|
Posted: Tue May 02, 2006 9:39 pm Post subject: MAY 1-5 ATTACK ON BLUE SECURITY |
|
|
MAY 15 Updates May 16 22:00 GMT
Blue Security Ceases Anti-Spam Operations by Eran Reshef, CEO
When we founded Blue Security in 2004, we believed that if we automated a way for users to rise up and exercise their rights under the CAN-SPAM Act, we could reduce the amount of spam on the Internet.
Over the past few months we were able to leverage the power of the Blue Community and convince top spammers responsible for sending over 25% of the world's spam to comply with our users' opt-out list. We were making real progress in eliminating spam from the lives of our users.
However, several leading spammers viewed this change as a strategic threat to their spam business. The week before last, these spammers launched a series of attacks against us, taking down hundreds of thousands of other websites via a massive Denial-of-Service attack and causing damage to ISPs, website owners and Internet users worldwide. They also began a relentless campaign of email intimidation against many members of the Blue Community.
After recovering from the attack, we determined that once we reactivated the Blue Community, spammers would resume their attacks. We cannot take the responsibility for an ever-escalating cyber war through our continued operations.
As we cannot build the Blue Security business on the foundation we originally envisioned, we are discontinuing all of our anti-spam activities on your behalf and are exploring other, non spam-related avenues for our technological developments. As much as it saddens us, we believe this is the responsible thing to do.
You need not do anything as a result of this change. We will continue to protect your names and addresses and honor all privacy commitments we made to you.
We have concluded we should not take Blue Security to the full deployment stage we originally planned to achieve, but we are proud of what we have accomplished thus far as a young startup company.
We are extremely proud to have had the chance to work with such a devoted and dedicated community: thank you for the vote of confidence you gave us over the past few months as well as the particularly vocal support you have shown over the last two weeks.
We will be innovating and building our technology in new, other directions and will continue to give back to you, our Community.
Thank you for your support,
The Blue Security Team.
Dateline May 3 - updated May 17 09:00 NZT, May 16 21:00 GMT
Status: http://community.bluesecurity.com/.3c54406d OFFLINE
Prolexic News item: http://www.prolexic.com/spam/spam-051006.php
LATEST NEWS:
Within hours of posting the above message on the bluesecurity website, a concerted DNS attack on the DNS name provider took the site down. Also taken down were Prolexic and thousands of its customers, who include banks and financial services. Given the amount of damage wreaked on the Internet by these attacks, closing down the target is the most responsible action.
To avoid further problems, Blue Frog users must uninstall the browser reporting plug-ins, email reporting tools, and the Blue Frog application immediately.
RECENT EVENTS SUMMARY FROM MAY 1:
A small group of spammers mounted a concerted attack on Blue Security. Over the first 5 days from May 1, they
Stage 1 sent a wave of spam messages containing misleading information about Blue Security, and scurrilous attacks on its executives, urging members to cancel
Stage 2 sent another wave of spam with threats against Blue Security members
Stage 3 sent a third wave of spam purporting to be from members of Blue Frog Members, with forged sender name, Blue Security, but describing its operation in misleading terms. This spam is targeted to annoy those people on the spammer lists who usually complain the most
Stage 4 mounted a denial of service attack on all Blue Security web sites
Stage 5 May 5 0400 GMT sent a fourth wave of email containing the "whois" lookup on bluesecurity.com presumably to remind Blue Security members of the original threat to target them. Subject line: "http://www.bluesecurity.com"
Stage 6 May 6 sent a fifth wave of email again with Subject line: "http://www.bluesecurity.com". Content was an extortion threat, and reference to an attached zip file which did not make it. Forged signature: Blue Security Inc. The forged From: and Reply-to: addresses were taken from the blue security list, as were the To: addresses, so that members would receive both the spam, and some delivery failure messages as well.
Stage 7 May 7 sent a sixth wave of email containing an attack on Blue Security's CEO Eran Reshef. Subject: "Simulated DDoS Network Attacks and Network Intrusions". Mail refers to Skybox Security Solutions which developed an offering for that purpose. It quotes "Eran co-founded Skybox Security and served as its Chairman. Prior to Skybox Eran founded and managed Sanctum (acquired by WatchFire), the leader in web application security. Eran holds a variety of security-related patents that are based on his inventions." The obvious implication is that the beta tested Blue Security should not have been vulnerable to a DDOS attack itself. This spam is a smear campaign directed at Eran Reshef himself.
Projection
Another attack expected from this group, is another Joe Job (see http://en.wikipedia.org/wiki/Joe_job ) campaign similar to stage 3. It will consist of a spamming run to a large number of people, where the "From" address will be forged using addresses of the Blue Security membership. The effect will be a series of bounce-backs coming to Blue Security members, and complaints from recipients of the spam.
DDOS attacks on bluesecurity web sites are likely to continue but with diminishing impact. The focus of the attacks will shift to the DNS provider.
The perpetrators are boasting of more "heat" to unleash over the next few days. Stage 7 is part of that "heat". DNS attacks are the culmination of it. The attackers have spoken of a plan to take over the Blue Frog application to launch spam and DDOS attacks
As a result of these concerted attacks, Blue Security's profile in the electronic media has been considerably raised. High profile Slashdot had a vibrant thread of postings, and other media have been quick to follow suit. The majority of media coverage has been strongly supportive of Blue Security.
The attackers initially failed in their aims. Members of Blue Security had been expecting such a retaliation from the renegade element of the spammer community for some time. If anything, this attack simply drew the community closer, and hardened their resolve to combat the scourge of illegal spam. Furthermore, the initial attack failed to reach the core of the Blue Security service. Spam reporting to Blue Security continued at record levels.
From May 4, the concerted DDOS attack had prevented access to the bluesecurity.com sites, impacting reporting and opt-outs.
The bluesecurity.com system was relocated behind a firewall system specifically designed to withstand Distributed Denial of Service (DDOS) attacks. The DDOS provider and many of its customers were prevented from doing business for eight hours as the DDOS attack on their DNS servers continued, leading to the closure of Blue Security in a move designed to protect the integrity of the Internet itself.
These illegal actions by this small spammer group are a serious mistake. They lay themselves open to detection, arrest and prosecution.
We live in very interesting times. They are getting more interesting day by day. History is in the making, and you have been in the middle of the action. The Internet is at a watershed.
Terry Bowden
Last edited by tembow on Wed May 17, 2006 10:31 pm, edited 47 times in total |
|
| Back to top |
|
 |
stan_qaz
Premium Member
 Joined: Mar 31, 2003 Posts: 10578
|
|
| Back to top |
|
 |
tembow
Blue Angel Premium Member
 Joined: Oct 10, 2005 Posts: 2881
|
Posted: Tue May 02, 2006 10:10 pm Post subject: |
|
|
Some statistical analysis after the first 36 hours of this attack:
Some members have taken their addresses out of the Do Not Intrude Registry. This number represents a mere 0.6% of protected addresses.
Spamcop reporting reached a record high for the past 30 days, an increase to 874,000 per day over an average 717,000 - that's an increase of 21%
Blue Community reported spam hit a record high, breaking through the 5 million per week barrier for the first time.
Frog campaign rates hit a record 4,800 per week, surpassing the previous peak of 4080 back on April 27.
Blue Security's phenomenal growth continues inexorably, undaunted by these attacks.
Terry Bowden
|
|
| Back to top |
|
 |
Mystified
Blue Angel
 Joined: May 02, 2006 Posts: 149
|
Posted: Tue May 02, 2006 11:34 pm Post subject: |
|
|
Hi Terrence!
Thank you for posting this information.
http://community.bluesecurity.com/ seems to be working periodically. The page has a message for all BF members regarding the attack on Blue Security and how we can fight back.
BF members, your spirit has me proud. You guys rock!
Myst
BF Moderator
|
|
| Back to top |
|
 |
gigasquid
Trooper

 Joined: Mar 06, 2006 Posts: 33
|
Posted: Tue May 02, 2006 11:49 pm Post subject: Thanks for the update tembow |
|
|
Those are great stats tembow!
There were bound to be some that would pull out of BSec/BlueFrog. Can't be helped. For every one that leaves there'll be 10 to 20 more will sign up.
It's interesting how this thing is unfolding. Probably not since the dawn of spam has there been such an impact on it.
Cheers m8
|
|
| Back to top |
|
 |
mopepom
Private

 Joined: Sep 08, 2004 Posts: 48
|
Posted: Wed May 03, 2006 4:39 am Post subject: Spam count up tenfold during May 2 |
|
|
I have read the optimistic assessments of this thread. I have to disagree. My MailWasher Pro history shows a jump in spam for me from 20 - 24 per day to more than 220, on Tuesday, May 2.
I am quite suspicious of the recent high praise being heaped on the Blue Frog team. It seems to me that their activities have actually resulted in a major Spam storm, that shows little sign of abatement.
Is it possible that the recent introduction of a BF option in the MW program may well have contributed to this storm?
I have sought advice from Firetrust on what to do. They have exhorted me to keep up the good fight. I would be happy to, if I knew for sure which side to join. _________________ mopepom
ø,¸_¸,ø¤°`°¤ø,¸_¸,ø¤°`°¤ø
|
|
| Back to top |
|
 |
AlphaCentauri
SIRT Handler Premium Member
 Joined: Nov 20, 2003 Posts: 2625
|
Posted: Wed May 03, 2006 4:46 am Post subject: |
|
|
It isn't a spam storm if it is only a couple spammers involved. Several other large spammers are now cooperating so they won't be wasting their time and ours sending email to people who will never buy and will often report.
The crew that is attacking BF wouldn't devote so much of their resources to this if they weren't very worried -- they can't keep this up indefinitely. They are sending from a phenomenal number of different IP addresses -- they had to have spent a lot of time and money planning this, and it only works if they can kill off BF quickly. Their efforts aren't sustainable, and they have to return to doing something they will be paid for.
BTW, I expect another barrage of email trojans hitting the internet, as they will have to replace all the infected computers they are currently using to launch this attack.
|
|
| Back to top |
|
 |
tembow
Blue Angel Premium Member
 Joined: Oct 10, 2005 Posts: 2881
|
Posted: Wed May 03, 2006 5:25 am Post subject: Re: Spam count up tenfold during May 2 |
|
|
| mopepom wrote: |
I am quite suspicious of the recent high praise being heaped on the Blue Frog team. It seems to me that their activities have actually resulted in a major Spam storm, that shows little sign of abatement. |
This may be stating the obvious, but . . . the spam storm is coming from a small group of criminals, not from the Blue Frog team. Please distinguish the good guys from the bad guys.
| Quote: | | Is it possible that the recent introduction of a BF option in the MW program may well have contributed to this storm? |
No, the spam storm is coming from the bad guys. They have left a clear trail of evidence behind, and their attack plan is well documented. Blue Security is one of the few groups of people who have had the guts to stand up and do something innovative, ethical and totally legal to tackle illicit spam. For that they deserve our respect and support.
| Quote: |
I have sought advice from Firetrust on what to do. They have exhorted me to keep up the good fight. I would be happy to, if I knew for sure which side to join. |
Firetrust is also on the side of the good guys.
The choice of whether to side with the groups who are always acting ethically, or the team who are engaging in illegal activity is entirely over to you. Please make up your own mind on that. I am confident that you will make the right decision.
Terry
|
|
| Back to top |
|
 |
mopepom
Private

 Joined: Sep 08, 2004 Posts: 48
|
Posted: Wed May 03, 2006 6:36 am Post subject: |
|
|
| wrote: | | mopepom wrote: |
I am quite suspicious of the recent high praise being heaped on the Blue Frog team. It seems to me that their activities have actually resulted in a major Spam storm, that shows little sign of abatement. |
This may be stating the obvious, but . . . the spam storm is coming from a small group of criminals, not from the Blue Frog team. Please distinguish the good guys from the bad guys.
| Quote: | | Is it possible that the recent introduction of a BF option in the MW program may well have contributed to this storm? |
No, the spam storm is coming from the bad guys. They have left a clear trail of evidence behind, and their attack plan is well documented. Blue Security is one of the few groups of people who have had the guts to stand up and do something innovative, ethical and totally legal to tackle illicit spam. For that they deserve our respect and support.
| Quote: |
I have sought advice from Firetrust on what to do. They have exhorted me to keep up the good fight. I would be happy to, if I knew for sure which side to join. |
Firetrust is also on the side of the good guys.
The choice of whether to side with the groups who are always acting ethically, or the team who are engaging in illegal activity is entirely over to you. Please make up your own mind on that. I am confident that you will make the right decision.
Terry |
This argument seems a bit circular, or at least it reminds me of the declaration:
"If you're not for us, you're against us!"
I don't necessarily disagree with you, or with this declaration, but the technicalities are beyond my scope.
I do agree that Firetrust is a trusted source, and I hope they will be putting emphasis on how to reassure their customers.
Until then, I don't think I'll join the crusade.
I guess I could seek the advice of the law enforcement agencies in the jurisdiction where I live;
or simply start over with a new cyber identity? _________________ mopepom
ø,¸_¸,ø¤°`°¤ø,¸_¸,ø¤°`°¤ø
|
|
| Back to top |
|
 |
AlphaCentauri
SIRT Handler Premium Member
 Joined: Nov 20, 2003 Posts: 2625
|
Posted: Wed May 03, 2006 11:08 am Post subject: |
|
|
| mopepom wrote: |
I don't necessarily disagree with you, or with this declaration, but the technicalities are beyond my scope.
|
You can always choose not to report to BF. Instead, you could research each and every spam you receive to see where it originated and where the spamvertised website is hosted. Then you can contact each one and ask that they honor the CAN-SPAM law (even though they already are violating it by failing to include the opt-out information in the email itself) and ask them to remove you from their mailing list. Of course then you would have to tell them your email address, which people generally find is a great way to get on a hundred other email lists. Once you've gone to all the trouble of doing this research, you might want to post the information somewhere so other people could also use it without duplicating your effort. You might even get together to have one list of everyone's addresses so each person who contacts a spammer could ask that all of them be opted out.
Of course, that's exactly what BF is doing, except that a spammer can't get your email address if he doesn't already have it.
|
|
| Back to top |
|
 |
mopepom
Private

 Joined: Sep 08, 2004 Posts: 48
|
Posted: Wed May 03, 2006 12:50 pm Post subject: |
|
|
New_Zealand:
We have a problem.
Overnight my Spam load has increased to 360 in a 24 hour period. This compared with a steadily diminishing Spam load over the previous month of about 20 a day.
This x18 is not sustainable.
I see, at the time of writing that BlueSecurity has gone down on one of their sites, while another one of their sites links this anti-spam effort to Israel's independence.
Stop the bus - I want to get off! _________________ mopepom
ø,¸_¸,ø¤°`°¤ø,¸_¸,ø¤°`°¤ø
|
|
| Back to top |
|
 |
Toblerone
Lieutenant
 Premium Member
 Joined: Mar 31, 2006 Posts: 290 Location: Spain
|
|
| Back to top |
|
 |
AlphaCentauri
SIRT Handler Premium Member
 Joined: Nov 20, 2003 Posts: 2625
|
Posted: Wed May 03, 2006 3:58 pm Post subject: |
|
|
| Toblerone wrote: |
If I ever feel that BF don't fill my needs then I would uninstall it (but I never will uninstall a tool that *I* choose to use, only because a punk is saying me to do so).  |
It's like when your kid pitches a fit in the grocery store to get you to buy candy. You don't reward that behavior by giving in. The fact that this guy is engaging in antisocial behavior on a global scale is the best reason of all to refuse to capitulate.
|
|
| Back to top |
|
 |
bigjuju
Guest IP: 68.7.*.*
|
Posted: Wed May 03, 2006 5:27 pm Post subject: additional resources... |
|
|
<url removed at the request of Blue Security>
thks for original poster.
|
|
| Back to top |
|
 |
Jingwee
Corporal

 Joined: Apr 10, 2006 Posts: 65 Location: California, USA
|
Posted: Wed May 03, 2006 6:08 pm Post subject: |
|
|
From what I observed in the increased spams I received, the spams are really from a small group of spammers. They can be easily identified by the HELO hostname in 8 figure hexadecimal like "4D731E58" (different in each spam).
|
|
| Back to top |
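The HELO pattern reported in the post above can be checked mechanically on the receiving side. The following is an added example, not part of the original thread: it assumes the topmost Received header was written by your own mail exchanger, and the function names, hostnames, addresses and sample messages are all constructed for illustration.

```python
import re
from email import message_from_string
from typing import Optional

# Pattern from the post: the HELO name is exactly eight hex digits, no dots.
HEX_HELO = re.compile(r"^[0-9A-Fa-f]{8}$")
# Exim/qmail record the greeting as "helo=NAME" or "(HELO NAME)";
# Postfix/Sendmail put it directly after "from".
HELO_TAG = re.compile(r"\b(?:helo|ehlo)[=\s]\s*([^\s)]+)", re.I)
FROM_TOKEN = re.compile(r"^from\s+(\S+)", re.I)

def helo_of(received: str) -> Optional[str]:
    """Return the HELO/EHLO name recorded in one Received header value."""
    text = " ".join(received.split())  # unfold continuation lines
    m = HELO_TAG.search(text) or FROM_TOKEN.match(text)
    return m.group(1) if m else None

def has_hex_helo(raw_message: str) -> bool:
    """Check only the topmost Received header (assumed written by our own MX);
    lower ones are supplied by the sender and can be forged."""
    hops = message_from_string(raw_message).get_all("Received") or []
    helo = helo_of(str(hops[0])) if hops else None
    return bool(helo and HEX_HELO.match(helo))

def scan(messages: dict) -> list:
    """Return the sorted names of messages whose connecting host used a hex HELO."""
    return sorted(name for name, raw in messages.items() if has_hex_helo(raw))

# Constructed sample messages (documentation hostnames and addresses).
SAMPLES = {
    "postfix_hex": ("Received: from 4D731E58 (unknown [203.0.113.7])\n"
                    "\tby mx.example.net (Postfix) with SMTP id ABC123\n"
                    "\tfor <user@example.net>; Wed, 3 May 2006 18:00:00 -0700\n"
                    "Subject: test\n\nbody\n"),
    "qmail_hex": ("Received: from unknown (HELO 9A0F33C1) (198.51.100.9)\n"
                  "  by mx.example.net with SMTP; 3 May 2006 18:01:00 -0000\n"
                  "Subject: test\n\nbody\n"),
    "normal": ("Received: from mail.example.org (mail.example.org [192.0.2.25])\n"
               "\tby mx.example.net (Postfix) with ESMTP id DEF456\n"
               "Subject: hello\n\nbody\n"),
    # The hex name appears only in a lower, sender-controlled header: not flagged.
    "forged_lower": ("Received: from mail.example.org (mail.example.org [192.0.2.25])\n"
                     "\tby mx.example.net (Postfix) with ESMTP id GHI789\n"
                     "Received: from 4D731E58 (unknown [203.0.113.7]) by relay.invalid\n"
                     "Subject: hello\n\nbody\n"),
}

if __name__ == "__main__":
    print(scan(SAMPLES))
```

Treat a match as a scoring signal rather than a verdict, since any host can choose an eight-character hex name.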
|
 |