Blue Frog Not Only Spams Webforms, It’s “Blurry Hashed” for Extra Inaccuracy

As I believe I’ve made abundantly clear before, I’m not a big fan of Blue Security’s Blue Frog. Just like the Lycos ‘Make Love not Spam’ DDOSing screensaver, and the bandwidth-stealing Mugu Marauder, Blue Frog is founded on the concept that DDOSing is ok if you’re doing it to someone you don’t like.

However, Blue Security offers an added twist, making it even worse: it actually DDOSes the web forms found on the websites at the URLs found in the spam. Even if they don’t belong to the spammer. Even if they belong to an innocent third party.

Now, sounding also very much like another program, the new Michigan and Utah child email address registries, Blue Security has set up a “Do Not Intrude” registry containing the email addresses of those consumers who have registered with them for the Blue Frog program. Spammers (yes, real spammers) are supposed to match (listwash) their mailing lists against it and remove the email addresses of those who are in the registry, so that they don’t spam them.

First... oh c’mon, do you really think that spammers are going to do this?

But second, Brian McWilliams, author of Spam Kings, has found that Blue Security not only seeds their registry with fake entries, but they pull addresses which aren’t even really matched off the spammer’s list. In other words, they make fake matches. Showing, of course, that every time you run a list against their registry, you get hits, so you’d better keep doing it.
They call this “blurry hashing”, and Blue Security’s white paper on this, explains McWilliams, has this to say about that:

“When a spammer notices that an e-mail address has been deleted from his list, he has no way of knowing if it was filtered because it was a legitimate user’s e-mail address or if it matched one of the random entries in the blurry hashed Registry.”

Can you believe that they got VC funding for this croaking frog?

You can read Brian McWilliams’s excellent exposé here.
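The listwashing behaviour described above, as an added example (not code from Blue Security, McWilliams, or this article): a toy registry in which "blurry" is assumed to mean a short truncated hash plus random decoy entries, so that washing a list removes some addresses that never registered. The 20-bit SHA-256 truncation, the decoy rate, and every address are constructed assumptions.

```python
import hashlib
import random

BITS = 20              # assumed digest length: short, so random decoys can collide
DECOY_RATE = 1 / 1000  # assumed share of hash buckets filled with random decoys

def bucket(email):
    """Truncated SHA-256 of the normalised address (assumed construction)."""
    digest = hashlib.sha256(email.strip().lower().encode()).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - BITS)

def build_registry(members, rng):
    """Registry = real members' buckets plus random decoy buckets."""
    registry = {bucket(m) for m in members}
    registry.update(rng.randrange(2**BITS) for _ in range(int(DECOY_RATE * 2**BITS)))
    return registry

def wash(mailing_list, registry):
    """Split a list the way a compliance tool would: (kept, removed)."""
    kept, removed = [], []
    for addr in mailing_list:
        (removed if bucket(addr) in registry else kept).append(addr)
    return kept, removed

def audit(members, mailing_list, removed):
    """Ground truth that only the registry operator can compute."""
    member_set = set(members)
    true_hits = sum(1 for a in removed if a in member_set)
    false_hits = len(removed) - true_hits
    non_members = sum(1 for a in mailing_list if a not in member_set)
    return {
        "true_hits": true_hits,
        "false_hits": false_hits,
        "false_match_rate": false_hits / non_members if non_members else 0.0,
        "member_share_of_removed": true_hits / len(removed) if removed else 0.0,
    }

def run_demo(seed=2006):
    rng = random.Random(seed)
    members = [f"member{i}@example.com" for i in range(50)]         # constructed
    strangers = [f"stranger{i}@example.net" for i in range(20000)]  # constructed
    registry = build_registry(members, rng)
    mailing_list = members[:25] + strangers   # list holds half the members
    kept, removed = wash(mailing_list, registry)
    return audit(members, mailing_list, removed), kept, removed

if __name__ == "__main__":
    print(run_demo()[0])
```

Every registered address on the list is removed, along with a handful of unregistered ones; how much cover those false matches give depends on how many real members a list holds relative to the decoy rate.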

[Ed. note: based on several responses in the comments below, it’s pretty clear that people who sign up for Blue Frog really don’t get what they are signing on to. Did you not read the following before you gave them your email address, and let them start using your computer as part of a distributed attack against machines which may not even know they are harbouring spammers (much like you may not know you are using your computer to attack what may be innocent machines?)

This is from Blue Frog’s own website (read it all):

“Opt-out requests are posted by the Blue Frog client application used by consumers that added their personal e-mail addresses to the Registry through Blue Security’s free consumer offering.

Requests are not posted by Businesses and organizations that added their e-mail domains to the Do Not Intrude Registry through Blue Security’s paid business offering.

For each site advertised by spam, Blue Security develops a script for the Blue Frog client, instructing it how to submit an opt-out request on that site.

Each user’s Blue Frog client retrieves the scripts from Blue Security servers and posts the opt-out requests. A single opt-out request is posted per each spam message received by that user.

Complaints are posted in a manner similar to the way a user would manually try to opt-out of spam – Blue Frog opens an HTTP session with the spamvertised site, visits the site according to the flow of instructions included in the script and posts the opt-out text in forms found on the Web site, such as registration or purchase forms.

Opt-out requests do not contain any information that may jeopardize the users’ privacy. The Request encourages the merchant, email marketers and spammers to download the Registry Compliance Tools, remove all e-mail addresses listed in the Registry from their mailing lists and stop sending spam to Blue Security customers.”

Now, before you rush to your own and their defense, really read what this says. It says that it takes information and populates webforms. It doesn’t submit a real opt-out request, and if it did, it wouldn’t do any good, because spammers don’t honour opt-out requests.

Instead it goes to whatever website is there, and finds whatever webforms it can, and puts “unsubscribe me” language in that webform, no matter what that webform is, no matter to whom it actually belongs.

Your own computer may only send a few to each site, but to how many sites is it sending? And combined with however many others are being sent at the same time to the same site from the thousands that Blue Frog claims, that is the very definition of a DDOS.]


21 thoughts on “Blue Frog Not Only Spams Webforms, It’s “Blurry Hashed” for Extra Inaccuracy”

  1. Blue frog reaches spammers by ignoring spoofed reply addresses and instead sending the message to the product sites either promoted by the spammer or owned by the spammer. This innocent site isn’t all that innocent. They either are the spammer or have hired the spammer. Either way, the owner of the site now has the message to only use clean mail lists and spammers that have a clean mail list. To do otherwise results in a bunch of opt out requests on the webforms.

    In a nutshell, it is working.

  2. “If a telemarketer calls you, over and over…And if you…throw through their window…You have broken the law.”

    But I’m not throwing things through their window. They’re making one phone call to me. I’m making one phone call to them. They’re leaving one electronic message on my system, I’m leaving one electronic message on their system. Perfectly equitable.


    Blue works.
    Blue is legal.


    Before signing up I was getting 20-30 spams each day. Worse yet, I was getting the same BigPenis spam multiple times each day. After signing up with Blue, I get around 5 spams a day.
    Sending 1 opt out request for each BigPenis email I receive is both legal and moral. The various anti-spam laws passed say that I have the right to opt out.
    The spammer getting mad at Blue and attacking Blue is proof positive that Blue works. I hope that this recent spammer attack against Blue will backfire against the spammer. More publicity for Blue = more opt out requests. God bless Blue. Rot in Hell BigPenis spammers.

  4. I don’t care, if there may be a few so called innocent third parties. BlueFrog is doing something, and it’s far better, than doing nothing.

    And what about spamming the sites.. not the opt-out ones, I mean.

    Govs do NO THING.. so we’re not dumb sheep after all, spam the hell out of spammers.. or if you have better idea, don’t hold back.

  5. lol,

    anyone who spams me because I’m on any list will find themselves on the *wrong* side.

  6. I’ve been with BlueSecurity for about 2 weeks. It’s been fascinating. My SPAM went up from about 10/day to 40/day. Then I started getting the threats from SPAMmers. Then it all stopped. Down to about 2 SPAMs/day now. Fortunately, Yahoo catches all of the SPAM e-mails so it doesn’t affect me at all. Let the SPAMmers spend all of their time sending angry SPAMs to my SPAM folder. One click deletes them all!…

  7. What the hell is wrong with all of you Blue Frog lemmings? Don’t you CARE that you are doing something ILLEGAL?

    If a telemarketer calls you, over and over, even if it’s collect and they somehow force you to accept the charges, you are not allowed to go to their home or office and trash the place. You are not allowed to go to their home or office and throw a “take me off your list” note through their window. It doesn’t matter if you throw only one note per call you’ve received. And if you do it as part of a mob, each throwing one note per call through their window, and you damage their house, or make it impossible for others to get in or out of the building, guess what? You have broken the law.

    Now in the case of Blue Fog, you bet that what you are taking part in is a DDOS, and you bet that IT IS ILLEGAL!

    Here is the Federal law making it illegal:

    “Title 18 U.S.C. 1030(5)(A) states:

    “through means of a computer used in interstate commerce or communications, knowingly causes the transmission of a program, information, code, or command to a computer or computer system if:
    (I) the person causing the transmission intends that such transmission will –
    (I) damage, or cause damage to, a computer, computer system, network, information, data, or program; or
    (II) withhold or deny, or cause the withholding or denial, of the use of a computer, computer services, systems or network, information, data or program.”

    It can’t be any clearer than that. Blue Fog is using YOUR computer as part of their DDOS. It’s illegal.

    And guess what. Blue Fog doesn’t give a fuck that they are having you break the law because THEY are sitting in Israel where they can’t be touched, with a great wodge of VC cash, laughing all the way to the bank.

  8. Oh, and there isn’t any DDoS’n going on.

    That’s a completely false view of what occurs.

    1 spam = 1 complaint.

  9. Don’t let the naysayers change your opinion of BlueFrog. Only people with limited intelligence will take this load of garbage for anything more than it’s worth.

    Keep fighting the good fight, BlueSecurity.

  10. You sir are a moron of the highest proportion.

    Maybe you should check some facts before you try to be a “reporter”

    I have neither the time nor the inclination to show you the error of your ways, but I’m sure many will.

  11. Someone is utilizing the BF list to transmit spam or has determined a methodology to correlate that list against real systems. I get emails like this every few hours, and I have over 14000 emails in my SPAM Catcher.


    You are recieving this email because you are a member of BlueSecurity ).

    You signed up because you were expecting to recieve a lesser amount of spam, unfortunately, due to the tactics used by BlueSecurity, you will end up recieving this message, or other nonsensical spams 20-40 times more than you would normally.

    How do you make it stop?

    Simple, in 48 hours, and every 48 hours thereafter, we will run our current list of BlueSecurity subscribers through BlueSecurity’s database, if you arent there.. you wont get this again.

    We have devised a method to retrieve your address from their database, so by signing up and remaining a BlueSecurity user not only are you opening yourself up for this, you are also potentially verifying your email address through them to even more spammers, and will end up getting up even more spam as an end-result.

    By signing up for bluesecurity, you are doing the exact opposite of what you want, so delete your account, and you will stop recieving this.

    Why are we doing this?

    Its simple, we dont want to, but BlueSecurity is forcing us. We would much rather not waste our resources and send you these useless mails, but do not believe for one second that we will stop this tirade of emails if you choose to stay with BlueSecurity.
    Just remember one thing when you read this, we didnt do this to you, BlueSecurity did.

    If BlueSecurity decides to play fair, we will do the same.

    We are quite sure you will think this will not continue, that we will not continue wasting our resources doing this, feel free to wait out the first 48, or the second, and see whether these stop, you will be quite suprised.

    If you have another email under the protection of bluesecurity, and have not recieved this there, do not worry, you will soon enough.

    We mightve had your email addresses before in our lists, but now, we are targetting YOU, because YOU are a bluesecurity user.

    You might also notice, that the BlueSecurity site( is down..

    Just remove yourself from BlueSecurity, and make it easier on you.

  12. Your information is inaccurate; BlueSecurity does not make DOS attacks. It lodges a single complaint for each spam message it processes, on the site that originated the spam message; therefore, if 50000 BlueSecurity members get a spam mail from, then will get 50000 requests to remove an email address. They are given ten days to comply, at which point their hosting ISP is notified of their spamming ways, and the federal level may be involved as well should the advertisement be for possibly illegal things (drugs)

    There is no DOS attack; there is simply an unsubscribe request, for each spam sent. If they don’t comply with the unsubscribe request (as dictated by law with the CAN-SPAM act) then they are breaking the law and should be shut down.

  13. I would assume most people already know this, but within days of posting a parsable email address on any web page or usenet group – you’ll be on their list, which will be bought and sold at will. Here some research from 2003:

  14. Well, I only trust the facts that I see, and the facts are: I was receiving 300/400 spam messages each day BEFORE I started to use Blue Frog. Now I receive 30/40 junk mails each day. For me, Blue Frog WORKS WONDERFULLY, and I’m happy to see the wimpy spammers whining about and trying to confuse spreading lies in blogs and forums.

  15. Right, Nick. There’s no other explanation for your *alleged* increase in spam.

    What about the computers of all the people who have your e-mail address? They’re all secure, aren’t they. None of them could be cracked by any e-mail address-stealing malware, could they.

    No, of course not. It’s the Blue Frog, and only the Blue Frog that’s responsible. All the spammers who are running scared want everybody to believe the same thing!

  16. MY SPAM has INCREASED to 30 damn emails every hour after using blue frog for a week… it’s no coincidence… I had been getting a couple a day for a few months then all of a sudden this HUGE increase after installation. this is ridiculous. I hate BlueFrog. NEVER EVER AGAIN.

  17. Your article misrepresents what Blue Security is about. Since it started, the service has adjusted its approach. It is incorrect to say that Blue Security spams, or that it is involved in DDoS attacks. You have an obligation to your readers to revisit Blue Security and inform yourself and your readers of how the Blue frog actually works.

  18. Since Spammed2Death2 thinks his comment is important enough to post twice, I’ll ditto:

    Joe Jobs and misdirected “punishments” are impossible because there are people, not bots, behind the Blue Frog who verify all potential targets. Furthermore, spammers are offered the option of voluntarily removing the names on the Do Not Intrude Registry from their mailing lists, and given ten days to comply.

  19. “I doubt very much any innocent third party could easily get caught up in this.”

    Never thought about how much damage a Joe Job could do? Spammers regularly use links to sites other than their own, and quite often bogus e-mails get started about a specific website selling something it shouldn’t. If Blue Frog decided to “punish” the spammer for bringing an innocent website into the fray, then all Blue Frog has succeeded in doing is blaming the victim for the perpetrator’s actions, as well as punishing the victim for letting the Joe Job happen.

    Should be interesting the first time Blue Frog DDOS’s the wrong website. Someone’s going to get a little angry.

  20. I see no problem with a system that allows those affected by spam to lodge a single complaint thru the only mechanism to actually reach the spammer – their order form. The Blue Frog does this with a 1 spam = 1 complaint ratio, which is more than fair. You haven’t explained how an ‘innocent third party’ could get caught in this system. Blue Security claim they only lodge form complaints after attempting to contact the domain owner and the ISP for ten days. Given the look of the spammy domains they have been lodging complaints about, I doubt very much any innocent third party could easily get caught up in this.

    As for the Blue Security registry producing a false positive every few thousand entries (Brian claims 1 in 1000 but didn’t publish his numbers or details of his test, Blue claims 1 in 5000 max), I really don’t care. I doubt spammers really care about their data quality to 99.99% either. In fact, that is the weakest anti-Blue Security argument I’ve heard so far.

  21. Since using Blue Frog, my spam has actually INCREASED and I’ve read similar accounts from other Blue Frog users. Blue Frog claims that most spammers don’t have the computing power necessary to break through the encryption they use to conceal member email addresses, but I suspect they do and they have. Needless to say, I have stopped using Blue Frog.
