Philip P. Ide

Bluemail is Malware

I've been using Thunderbird for one of my email accounts, and whilst I can say it is functional, the UIX was designed by an amateur with no experience in program design. It sucks big-time, consuming a vast amount of real-estate that it doesn't use, forcing you to make the program occupy even more of your screen's valuable real-estate. So I started looking for something else.

Bluemail has arrived for Linux, so I took a look and liked what I saw: a neat and tidy interface, and the free version has all the options I require.

Then I came across reports that it is malware, that it sends your mailbox's login credentials to Blix's servers - Blix being the manufacturers. If you're running Bluemail on Android, there's pretty much nothing you can do about it. You should uninstall it and change your mailbox password. I can't think of any reason they need to store that info, except to synchronise your details on different devices you own, but there are better ways to do that without storing the data on a middle-man server. In fact, they store it there whether or not you want to sync with another device - which you may not have, so then they have no legal or legitimate reason to hold that info. Period. Besides that, the fact that they store your login credentials represents a serious security flaw. A disgruntled employee (or just a criminal employee) could sell your data, or Blix could get hacked - and let's face it, with such valuable information to be had, black-hat hackers will definitely be trying.

Blix denied it, of course, saying it was 'fake news', lies and defamation. So another chap decided to test whether it was true and published his method for determining what was being sent to their servers and showing the results: one year after the first report had been published and they were still doing it.

I decided to do a little test of my own, one that was much simpler. It doesn't prove what was being sent to their servers, but positively proved whether or not they were still contacting their servers. It was simple enough to do.

After installing Bluemail, I configured it to link to one of my email accounts and then checked my pihole logs to see what it showed. Sure enough, there were entries for * and *blix.* addresses, some of which appeared when I booted up Bluemail, and some when I saved my mailbox login creds.

I blacklisted those addresses using wildcards to also block variants, reloaded Bluemail, edited my mailbox credentials. There were more entries to different addresses. Obviously they have a stack of them the program will try if it can't access the domain. I had to rinse and repeat this process several times before I managed to block the program.

After changing my password and carefully scrutinising the DNS logs to make sure there weren't any other unexpected domain requests going through, I let it run for an hour, then checked the DNS logs again. Bluemail was attempting to connect to every one of the domains I'd blocked it from accessing every sixty seconds!

During that period, I hadn't touched the thing, so it was sitting there idle, and there were no “this is how the program is being used” data sets to upload. I have uninstalled Bluemail and reverted to Thunderbird until I can find something better.
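The check described above (scan the Pi-hole query log for a wildcard domain pattern, then look at how regularly a client re-queries the same name while the app sits idle) can be scripted. This is an added example, not the post's own method or anything from Blix; the log lines are constructed in Pi-hole's dnsmasq format, the `*.blix.example` names are placeholders rather than the real hosts observed, and the glob-style wildcard handling is an assumption about the pattern the post used.

```python
import re
from collections import defaultdict
from datetime import datetime

# CONSTRUCTED sample in Pi-hole's pihole.log (dnsmasq) format.
# Domain names are placeholders, not the hosts seen in the post.
SAMPLE_LOG = """\
Feb 21 14:00:03 dnsmasq[812]: query[A] api.blix.example from 192.168.1.10
Feb 21 14:00:03 dnsmasq[812]: forwarded api.blix.example to 1.1.1.1
Feb 21 14:00:05 dnsmasq[812]: query[A] updates.example.org from 192.168.1.10
Feb 21 14:01:03 dnsmasq[812]: query[A] api.blix.example from 192.168.1.10
Feb 21 14:01:03 dnsmasq[812]: query[A] sync.blix.example from 192.168.1.10
Feb 21 14:02:03 dnsmasq[812]: query[A] api.blix.example from 192.168.1.10
Feb 21 14:02:04 dnsmasq[812]: query[AAAA] sync.blix.example from 192.168.1.10
Feb 21 14:03:03 dnsmasq[812]: query[A] api.blix.example from 192.168.1.10
"""

QUERY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)$"
)

def parse_queries(text):
    """Yield (timestamp, qtype, name, client) for each query line; other lines are skipped."""
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["qtype"], m["name"], m["client"]

def matches_pattern(name, pattern):
    """Glob-style wildcard match ('*blix.*'), case-insensitive, anchored at both ends."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, name, re.IGNORECASE) is not None

def beacon_report(text, pattern, min_hits=3):
    """Group matching queries by (client, name) and report count plus the (upper) median
    gap in seconds. A steady gap, e.g. ~60 s, with the app idle is periodic retry/beaconing."""
    hits = defaultdict(list)
    for ts, _qtype, name, client in parse_queries(text):
        if matches_pattern(name, pattern):
            hits[(client, name)].append(ts)
    report = {}
    for key, times in hits.items():
        if len(times) < min_hits:
            continue  # too few queries to say anything about periodicity
        times.sort()
        gaps = sorted((b - a).total_seconds() for a, b in zip(times, times[1:]))
        report[key] = {"count": len(times), "median_gap_s": gaps[len(gaps) // 2]}
    return report

if __name__ == "__main__":
    for (client, name), s in beacon_report(SAMPLE_LOG, "*blix.*").items():
        print(f"{client} -> {name}: {s['count']} queries, median gap {s['median_gap_s']:.0f}s")
```

On a real Pi-hole, feed it `/var/log/pihole/pihole.log` (or `pihole.log` under the older `/var/log` path) instead of the sample; the same grouping also shows when blocking one name simply shifts the traffic to a fallback name.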

blog/articles/general/bluemail.txt · Last modified: 2024/02/21 14:39 by Phil Ide

Except where otherwise noted, content on this wiki is licensed under the following license: Copyright © Phil Ide