While some in tech circles lamented anti-spam company Blue Security’s demise last week, e-mail marketers for once found common ground with some anti-spammers who historically have been their philosophical adversaries.
Both could applaud Blue Security’s demise as fitting end to a terrible idea that did nothing to make the Internet safer for legitimate e-mail, marketing or otherwise.
The company closed itself last week after a series of attacks—suspected to have been committed by a Russian spammer known as PharmaMaster—crippled its site and thousands of other sites, mail servers and blogs hosted by the same service.
“After recovering from the attack, we determined that once we reactivated the Blue community, spammers would resume their attacks,” wrote Blue Security’s CEO, Eran Reshef, on the company blog. “We cannot take the responsibility for an ever-escalating cyberwar through our continued operations.”
The decision would be laudable if Blue Security’s business model wasn’t so irresponsible to begin with.
Under Blue Security’s anti-spam scheme, people who wished to no longer receive unsolicited commercial e-mail registered for the company’s “do-not-intrude” list. They would then download a piece of software called the Blue Frog.
Blue Security would then open up multiple e-mail accounts designed to attract spam on the registrant’s behalf. The company would reportedly monitor spam hitting those addresses and first try and contact senders of unsolicited e-mail to try and get them to stop.
However, if Blue Security was unsuccessful at getting the spammer to stop, the company’s technology would follow the links inside the e-mail to the spammer’s site, find the form where the spammer collected information, and start filling it out with one unsubscribe request or complaint for each piece of spam sent to its registrants’ mail boxes—resulting in potentially thousands of system-crippling requests to the spammer’s servers.
Proponents claimed all Blue Security did was give spammers a taste of their own medicine. People with even a lick of common sense saw the scheme for what it was: irresponsible vigilantism that could only end badly.
By burying spammers’ servers in complaints, Blue Security hoped to get the spammers to scrub their lists against Blue Security’s no-e-mail list and take registrants’ names off their e-mail lists.
Blue Security combined two god-awful ideas—employing a do-not e-mail registry, and fighting spam with abusive e-mail tactics of its own—into one spectacular disaster-waiting-to-happen and limped off in a whimper as soon as it came under fire.
Blue Security’s Reshef claimed the company’s tactics were working before the pissed-off Russian spammer decided to fire back.
“When we founded Blue Security in 2004, we believed that if we automated a way for users to rise up and exercise their rights under the Can Spam Act, we could reduce the amount of spam on the Internet,” wrote Reshef on the company blog. “Over the past few months we were able to leverage the power of the Blue community and convince top spammers responsible for sending over 25% of the world’s spam to comply with our users’ opt-out list. We were making real progress in eliminating spam from the lives of our users.”
However, before the attacks that took Blue Security offline, the Russian spammer apparently reverse-engineered Blue Security’s no-e-mail list to find e-mail addresses on his list that had signed up for Blue Security’s service. The Russian then began sending Blue Security’s registrants e-mail threatening them with more spam unless they stopped using Blue Security’s service.
Some tech writers who should know better tried to position the Blue Security debacle as a win for the Internet’s bottom feeders.
“As skeptical as we were over Blue Security’s original model, and the risks it entailed, this still seems like bad news,” wrote “Mike” on Techdirt.com. “It certainly will embolden spam attackers to hit hard at anyone who takes them on. In the end, perhaps that was the worst legacy of Blue Security's system: it simply escalated the war with spammers to new, unfortunate, levels.”
Nonsense. Too many people saw Blue Security’s implosion coming to pretend it will give spammers any more ammunition than they already have.
Before Blue Security launched, its executives shopped the business model around to every anti-spam group they could find, according to the Coalition Against Unsolicited Commercial E-mail’s John Levine.
“We all told them: ‘You’re nuts, go away,’” said Levine.
Moreover, Blue Security failed to gird itself for the kind of attacks that eventually took it out, said Levine.
“It was the same kind of [hosting service] you and I would [buy] if we were going to sell greeting cards with puppies on them,” said Levine. “It was that level of infrastructure.”
Meanwhile, one company is seizing Blue Security’s implosion as a new-business opportunity.
Anti-spam concern Spam Arrest is offering former Blue Security customers a 90-day free trial of its service.
At least maybe someone other than a two-bit Russian hacker can profit from this mess.
