As I believe I’ve made abundantly clear before, I’m not a big fan of Blue Security’s Blue Frog. Just like the Lycos ‘Make Love not Spam’ DDOSing screensaver, and the bandwidth-stealing Mugu Marauder, Blue Frog is founded on the concept that DDOSing is ok if you’re doing it to someone you don’t like.
However, Blue Security offers an added twist, making it even worse, because it actually DDOSes the web forms on the websites at the URLs found in the spam. Even if they don’t belong to the spammer. Even if they belong to an innocent third party.
Now, sounding also very much like another program, the new Michigan and Utah child email address registries, Blue Security has set up a “Do Not Intrude” registry containing the email addresses of those consumers who have registered with them for the Blue Frog program. Spammers (yes, real spammers) are supposed to match (listwash) their mailing lists against it, to have the email addresses of those who are in the registry removed, so that they don’t spam them.
First... oh c’mon, do you really think that spammers are going to do this?
But second, Brian McWilliams, author of Spam Kings, has found that Blue Security not only seeds their registry with fake entries, but they pull addresses which aren’t even really matched off the spammer’s list. In other words, they make fake matches. Showing, of course, that every time you run a list against their registry, you get hits, so you’d better keep doing it.
They call this “blurry hashing”, and Blue Security’s white paper on this, explains McWilliams, has this to say about that:
“When a spammer notices that an e-mail address has been deleted from his list, he has no way of knowing if it was filtered because it was a legitimate user’s e-mail address or if it matched one of the random entries in the blurry hashed Registry.”
Can you believe that they got VC funding for this croaking frog?
You can read Brian McWilliams’ excellent exposé here.
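The fake-match effect described above, as an added example that is not from the original article, the white paper or Blue Security's tools. The page does not say how the registry is actually hashed, so the short hash prefix (`PREFIX_BITS`), the decoy count and every address below are assumptions constructed for illustration.

```python
import hashlib
import random

PREFIX_BITS = 12  # assumption: the registry keeps only a short hash prefix


def bucket(address: str) -> int:
    """Map an address to a short hash prefix; many addresses share one."""
    digest = hashlib.sha256(address.strip().lower().encode()).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - PREFIX_BITS)


def build_registry(registered, decoys, seed=1):
    """Prefixes of real registrants plus randomly chosen decoy prefixes."""
    rng = random.Random(seed)
    real = {bucket(a) for a in registered}
    fake = {rng.randrange(2 ** PREFIX_BITS) for _ in range(decoys)}
    return real | fake


def listwash(mailing_list, registry):
    """Split a list into (kept, removed) by registry membership."""
    kept, removed = [], []
    for addr in mailing_list:
        (removed if bucket(addr) in registry else kept).append(addr)
    return kept, removed


def demo():
    # Constructed sample data, not real addresses.
    registered = [f"member{i}@example.org" for i in range(50)]
    strangers = [f"user{i}@example.net" for i in range(1000)]
    registry = build_registry(registered, decoys=2000)
    kept, removed = listwash(registered + strangers, registry)
    members = set(registered)
    true_hits = sum(1 for a in removed if a in members)
    false_hits = len(removed) - true_hits
    return true_hits, false_hits, len(kept)


if __name__ == "__main__":
    t, f, k = demo()
    print(f"removed: {t} registered, {f} never registered; kept: {k}")
```

Every registered address is removed, but so are many addresses that never signed up, and nothing in the removed set distinguishes the two groups.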
[Ed. note: based on several responses in the comments below, it’s pretty clear that people who sign up for Blue Frog really don’t get what they are signing on to. Did you not read the following before you gave them your email address, and let them start using your computer as part of a distributed attack against machines which may not even know they are harbouring spammers (much like you may not know you are using your computer to attack what may be innocent machines?)
This is from Blue Frog’s own website (read it all):
“Opt-out requests are posted by the Blue Frog client application used by consumers that added their personal e-mail addresses to the Registry through Blue Security’s free consumer offering.
Requests are not posted by Businesses and organizations that added their e-mail domains to the Do Not Intrude Registry through Blue Security’s paid business offering.
For each site advertised by spam, Blue Security develops a script for the Blue Frog client, instructing it how to submit an opt-out request on that site.
Each user’s Blue Frog client retrieves the scripts from Blue Security servers and posts the opt-out requests. A single opt-out request is posted per each spam message received by that user.
Complaints are posted in a manner similar to the way a user would manually try to opt-out of spam – Blue Frog opens an HTTP session with the spamvertised site, visits the site according to the flow of instructions included in the script and posts the opt-out text in forms found on the Web site, such as registration or purchase forms.
Opt-out requests do not contain any information that may jeopardize the users’ privacy. The Request encourages the merchant, email marketers and spammers to download the Registry Compliance Tools, remove all e-mail addresses listed in the Registry from their mailing lists and stop sending spam to Blue Security customers.”
Now, before you rush to your own and their defense, really read what this says. It says that it takes information and populates webforms. It doesn’t submit a real opt-out request, and if it did, it wouldn’t do any good, because spammers don’t honour opt-out requests.
Instead it goes to whatever website is there, and finds whatever webforms it can, and puts “unsubscribe me” language in that webform, no matter what that webform is, no matter to whom it actually belongs.
Your own computer may only send a few to each site, but to how many sites is it sending? And combined with however many others are being sent at the same time to the same site from the thousands that Blue Frog claims, that is the very definition of a DDOS.]