Blue Frog List Leaked?

Blue Frog is a company that operates a “Do Not Email” list, on the (optimistic) basis that spammers will vet their lists against it.

Reportedly, it’s been compromised. If this is true, I’m not surprised — as Dr. Aviel Rubin’s report to the FTC of May 2004 regarding a Do-Not-Email list notes:

The scrubbing approach [to running a D-N-E list] requires that a list of live email addresses exist. While the party owning that list may be well intentioned, it is unlikely that such a valuable list would not leak out. History is replete with insider attacks, as well as external break-ins to highly sensitive sites, such as the Pentagon computers. The Do Not Email Registry represents the kind of prize that attracts hackers. In this case, the prize has monetary value as well. Once the list is exposed, there is no way to undo it.

Also, it’s almost inevitable:

If this service were running for some time, it is more likely than not that the plaintext addresses would leak at some point, given the history of computer security incidents.

Update: it appears, according to this white paper, that the Blue Frog “Do Not Intrude” list is hashed, rather than plain-text. Rubin’s advice still applies:

Without hashing, a compromise of the registry database results in exposure of all of the registered email addresses. This is a total disaster. However, even exposure of a hashed list is a catastrophe. A spammer with a copy of a hashed list of email addresses is able to find out, for any email address, if the address is in the registry. The attacker simply hashes a candidate email address and sees if the hashed value is in the list. This is very powerful. [….]

Hashing provides absolutely no security against a marketer who obtains a scrubbed list and uses that to sell the addresses that were scrubbed by the registry. Whether or not the list is hashed has no impact on a malicious marketer in the scrubbing approach.


One Comment

  1. Blue Frog user
    Posted May 5, 2006 at 01:43

    Still, if they really somehow got hold of the full list (doubtful), then all the 450 thousand email addresses in the Blue Security registry would have received the blackmail. Yet, I have not received any of those blackmail messages, and many other Blue Frog users who have multiple email addresses in the registry have reported receiving the blackmail only on some of them, usually the oldest ones, which are most likely present in many spammers’ lists.

    What does this mean? Well, it means simply that some spammer ran the cleaning tool against his list of addresses, and then compared the before and after results. The removed addresses belong to Blue Frog users. So, basically, the spammer didn’t gain access to any new email addresses; he already had those in his list, and they would have been spammed regularly anyway.

    The possibility of a spammer identifying which addresses FROM HIS OWN LIST belong to Blue Frog users was known from day one. In fact, that is the whole point of Blue Security: allow the spammers to identify which addresses from their own lists belong to the Blue Frog registry, so they can avoid them, because sending to them will prove unprofitable (each single email they send to those addresses will cause a single complaint to be registered at whatever website they are advertising in the email).

    To further complicate matters for the spammer, the hashed registry also contains some honey-pot and randomly generated addresses intermixed with the genuine users’ addresses, so the cleaning tools remove a few more addresses from the spammer’s lists, which means the spammer cannot be completely certain whether an address was removed because it belongs to a Blue Frog user, is a monitored honey-pot address, or its hash matched some randomly generated garbage.
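The following is an added model of the scrubbing design discussed above, in both Rubin’s quoted analysis and the comment; it is not Blue Security’s code, and the SHA-1 hash, the address normalisation, and the sample addresses are all assumptions made for the example. It shows the three properties the page describes: a leaked hashed list still answers membership questions for any address, a before/after diff of a scrubbed list reveals exactly which of the list owner’s own addresses are registered (and nothing about addresses he never held), and honey-pot entries make the removed set larger than the set of real users.

```python
import hashlib
import secrets


def h(addr: str) -> str:
    # Assumed scheme: lower-cased address hashed with SHA-1 (the page does not say which hash is used).
    return hashlib.sha1(addr.strip().lower().encode()).hexdigest()


def build_registry(users, honeypots, random_entries=0):
    """Registry = hashes of user and honey-pot addresses, plus random hashes as noise."""
    reg = {h(a) for a in users} | {h(a) for a in honeypots}
    reg |= {secrets.token_hex(20) for _ in range(random_entries)}  # same length as a SHA-1 digest
    return reg


def in_registry(registry, addr):
    """Membership query: anyone holding the hashed list can answer this for any candidate address."""
    return h(addr) in registry


def scrub(registry, mailing_list):
    """The scrubbing step a list owner runs: drop every address whose hash is in the registry."""
    return [a for a in mailing_list if h(a) not in registry]


def removed_by_scrub(mailing_list, scrubbed):
    """What a dishonest list owner learns by diffing before/after: only addresses he already held."""
    return set(mailing_list) - set(scrubbed)


# Constructed sample data (not from the page).
USERS = ["alice@example.org", "bob@example.net"]
HONEYPOTS = ["trap-01@example.org"]
SPAM_LIST = ["alice@example.org", "carol@example.com", "trap-01@example.org", "dave@example.com"]


def demo():
    reg = build_registry(USERS, HONEYPOTS, random_entries=1000)
    scrubbed = scrub(reg, SPAM_LIST)
    learned = removed_by_scrub(SPAM_LIST, scrubbed)
    return {
        "hashed_list_answers_membership": in_registry(reg, "bob@example.net"),
        "scrubbed": scrubbed,
        "learned": learned,                      # includes the honey-pot, so not all are real users
        "bob_learned": "bob@example.net" in learned,  # a registered user absent from SPAM_LIST stays unknown
    }
```

The random entries add noise that only matters on a hash collision, so they do not change the deterministic results here; the honey-pot, however, is always swept into the removed set.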