Shed No Tears for Blue Security

THE ENTIRE DIRECT MARKETING industry should stand up and applaud the mid-May demise of anti-spam concern Blue Security. And not just because the company’s business model was classic Internet vigilantism that hurt innocent people — though it certainly did enough of that.

The reason DMers should be cheering Blue Security’s spectacular implosion is that the events that led up to its death give irrefutable ammunition to those who argue that do-not-e-mail registries are a dangerously bad idea.

Blue Security put itself out of its own misery after an irate Russian spammer reportedly launched a series of so-called distributed denial of service (DDOS) attacks on it. A DDOS attack occurs when millions of fake information requests are sent to a site to cripple its servers. The strike on Blue Security knocked out not only the firm’s Web site but also thousands of other sites, mail servers and blogs.

“We cannot take responsibility for an ever-escalating cyber war through our continued operations,” said a statement on Israel-based Blue Security’s Web site May 16. “We believe [shutting down] is the responsible thing to do.”

The site promptly disappeared.

Good riddance.

Some have gone as far as to question the Internet’s stability as a result of the Russian spammer’s success. They apparently haven’t figured out that the Russian wants the Internet to remain viable as much as anyone. It is, after all, how he makes his living.

No, he simply wanted to crush Blue Security, and was more than willing to inflict temporary collateral damage in the process.

This business model was just begging for trouble.

Under Blue Security’s anti-spam scheme, people who no longer wished to receive unsolicited commercial e-mail registered for its “do-not-intrude” list. They would then download a piece of software called the Blue Frog.

At this point Blue Security would open up multiple e-mail accounts designed to attract spam on the registrant’s behalf. The company reportedly would monitor spam hitting those addresses and try to get the senders to stop.

But if Blue Security was unsuccessful, its technology would follow the links inside the e-mail to the spammer’s site, find the form where the spammer collected information, and start filling it out with unsubscribe requests — potentially thousands of them.

By burying spammers’ servers in complaints, Blue Security hoped to get the spammers to scrub their lists against its own no-e-mail list and take registrants’ names off their mailings.

While Blue Security contends some big-name spammers agreed to use its list, the company apparently irked one ornery Russian who decided to slam Blue Security in retaliation.

“If you stand there and throw darts at big guys, you shouldn’t be surprised when they turn around and fire back,” said John Levine, a spokesman for the Coalition Against Unsolicited Commercial E-mail.

Before he began his DDOS attacks, the Russian took his first run at Blue Security by apparently scrubbing his names against Blue Security’s no-e-mail list. But rather than remove the addresses, he compared a copy of his old list to the cleaned list to identify addresses he already had that also were on Blue Security’s registry.

As a result, some Blue Security registrants began receiving e-mail threatening them with a flood of spam if they didn’t take themselves off Blue Security’s do-not-intrude list.

Blue Security posted a copy of one of the typo-laden e-mails:

“You signed up [with Blue Security] because you were expecting to recieve a lesser amount of spam, unfortunately, due to the tactics used by BlueSecurity, you will end up recieving this message, or other nonsensical spams 20-40 times more than you would normally.

“How do you make it stop?

“Simple, in 48 hours, and every 48 hours thereafter, we will run our current list of BlueSecurity subscribers through BlueSecurity’s database, if you arent there‥ you wont get this again.

“We have devised a method to retrieve your address from their database, so by signing up and remaining a BlueSecurity user not only are you opening yourself up for this, you are also potentially verifying your email address through them to even more spammers, and will end up getting up even more spam as an end-result.

“By signing up for bluesecurity, you are doing the exact opposite of what you want, so delete your account, and you will stop recieving this.”

So not only did Blue Security’s standoff with the Russian spammer get a bunch of innocent sites knocked offline in a series of DDOS assaults, it also put some of its members in the spammer’s cross hairs.

Nice job.

Even anti-spammers were against Blue Security’s scheme.

Before launching, Blue Security executives “talked to every anti-spam group on the face of the planet trying to get somebody to front for them, and we all told them ‘You’re nuts, go away,’” said Levine.

Well, they have gone away — for now, at least. Blue Security executives reportedly are exploring alternative uses for the technology. Let’s hope its scheme has nothing to do with national security or our food supply.

At press time, an all-volunteer group was trying to start its own Blue Security-like project hilariously named Okopipi after a South American poison-dart frog. If it hasn’t failed yet, it will.

Meanwhile, if only legislators in Utah and Michigan would be smart enough to pull the plug on their so-called child-protection do-not-e-mail registries. They present the same risks to their registrants as Blue Security’s scheme posed to its customers.

It’s simply a matter of time before someone uses one of the no-e-mail lists in Michigan and Utah to identify addresses of registrants — except this time the victims will be children, and God knows who will be sending them messages.