
Misconceptions About Blue Security

There seems to be a lot of miscredited information spreading around the Internet like wildfire concerning Blue Security. Although I don't work for them, or know their inside operations personally, I would like to take the time to put much of it to rest. I will admit that, because I am not up close and personal with the developers or the Do Not Intrude Registry, some of this false information could be possible. Let's put on our thinking caps, and begin, well, thinking.

The first article I would like to draw from is hosted at Wired News, titled I'm the Blue Security Spammer. The first inaccuracy in that article is in paragraphs 10 and 11.

"John Levine, a board member of the Coalition Against Unsolicited Commercial Email, said that while it's not clear the letter's author is who they claim to be, a spammer could realistically gather Blue Security's users' e-mail addresses. 'The problem with any antispam list is you can reverse engineer it,' Levine said. 'People can find out who's on the list.'"

Hmmm. Not quite, John Levine. You see, this specific list is hashed and stored in encrypted form, which means, if you know anything about computer security, you know hashes cannot be reversed at all, let alone "reverse engineered", albeit the key is stronger than 24-bits. While other anti-spam authorities may be careless with their lists, Blue Security is not. From the Blue Security FAQ:

How are members' emails addresses kept safe?

Blue Security takes precautions to protect the contents of the Do Not Intrude Registry by exposing it only in an encrypted form. In addition to members' addresses, the Registry also contains a high percentage of fake e-mail addresses and addresses of honeypot e-mail accounts used for analysis.

So how does the spammer remove your email based on what is in the Do Not Intrude Registry? Simple: they run their email addresses through the hash as well. If there is a match in the database, then they are encouraged to remove the address. Remember, more than just valid email addresses are in the registry.
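The matching step described above, as an added example that is not Blue Security's code. The page does not name the hash or the registry format, so SHA-256 over a trimmed, lowercased address, the function names and every address below are assumptions constructed for illustration.

```python
import hashlib

def normalize(address: str) -> str:
    # Assumed canonical form: both sides must hash the same string
    # for the same mailbox, so trim whitespace and lowercase.
    return address.strip().lower()

def digest(address: str) -> str:
    # Assumption: SHA-256; the page only says the list is hashed.
    return hashlib.sha256(normalize(address).encode("utf-8")).hexdigest()

def build_registry(members, decoys):
    """Publish digests only. Member and decoy entries look identical."""
    return frozenset(digest(a) for a in list(members) + list(decoys))

def scrub(mailing_list, registry):
    """Split a sender's own list into (kept, removed) by digest match."""
    kept, removed = [], []
    for addr in mailing_list:
        (removed if digest(addr) in registry else kept).append(addr)
    return kept, removed

# Constructed sample data (reserved example domains, not real accounts).
MEMBERS = ["alice@example.com", "bob@example.org"]
DECOYS = ["trap-7f3a@example.net", "trap-91c2@example.net"]
REGISTRY = build_registry(MEMBERS, DECOYS)

# The sender's list: one member (different case and padding),
# one non-member, and one decoy address.
SENDER_LIST = [" Alice@Example.com ", "carol@example.com",
               "trap-7f3a@example.net"]

if __name__ == "__main__":
    kept, removed = scrub(SENDER_LIST, REGISTRY)
    print("kept:   ", kept)
    print("removed:", removed)
```

A match only tells the list holder that an address already on its list is in the registry, and it gives no way to tell a member from a decoy.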

Next, I take you to InformationWeek, where there is an anti-Blue Security post titled Blue Security Shoots Itself, And Thousands Of Other People, In The Foot. There is enough foul-smelling turd in this post to keep me going for hours. However, I will do my best to control myself. First, we don't have to go far to find inaccuracies here. The first sentence will suit us fine.

When an outfit called Blue Security launched a service to go after spammers with vigilante justice, any idiot could've foreseen big problems.

Let's define the word "vigilante". Looking up the definition in Google, we find, "One who takes or advocates the taking of law enforcement into one's own hands." Now, either the editor for InformationWeek just chose the wrong word, or he is as ignorant and idiotic as the people he thinks he has identified. Sending opt-out requests is not vigilantism. In fact, quite the opposite. From the CAN-SPAM Act:

It requires that your email give recipients an opt-out method. You must provide a return email address or another Internet-based response mechanism that allows a recipient to ask you not to send future email messages to that email address, and you must honor the requests. You may create a "menu" of choices to allow a recipient to opt out of certain types of messages, but you must include the option to end any commercial messages from the sender.

So, as stated, the email users are given the option to "opt-out", and the spammers are required by law to agree within 10 days. So, sending opt-out requests back to the spammers is fully within the law. I guess I am failing to see where this is vigilante. Investigating further, from the Blue Security ethics page:

One message - One Complaint - The total number of complaints posted by the community is always less than or equal to the number of spam messages received.

In other words, Blue Security is sending a single opt-out for every spam message received to the inbox. Again, operating fully within the law. No single Blue Security user can be labeled a "vigilante", because they are maximizing their ability to send an opt-out message for every one sent. Nice try. So your claim "Not just one unsubscribe request--they pepper the sender with multiple requests for every single spam message received." is about as far off base as you can get. Truly, you have reared your ignorant head. But hey, I'm having fun, let's continue.

We don't go far, and we reach paragraph 5, where we find the claim that Blue Security is effectively dishing out distributed denial of service attacks. From the page:

The plan is that eventually the spammers will have to stop sending their spam because every single spam message will result in stepping up the DoS attack on the originating site. (Blue Security denies it's a DoS attack, but of course it is.)

Blue Security denies it is a DDoS attack, because it isn't a DDoS attack. Let's look at some more definitions here. Again, from Google: "A type of denial of service attack in which an attacker uses malicious code installed on various computers to attack a single target. An attacker may use this method to have a greater effect on the target than is possible with a single attacking machine." You see, the big difference between a DDoS and Blue Security is the word "malicious". I think we can all agree that malicious is the desire to harm, corrupt or destroy. Hopefully, I don't need to pull up a Google definition for that one. The design of Blue Security is to persuade. There's a big difference. With a DDoS attack, such as the one against Blue Security recently, zombie machines from all over the world were flooding the Blue Security servers with packets, thus rendering them unable to process valid web requests. With Blue Security, I personally am sending opt-out requests to the spammers. Just because 500,000 others worldwide are voluntarily doing the same thing does not constitute a DDoS attack. It's not my fault the spammer servers cannot keep up with the opt-out requests. Maybe they should upgrade their hardware. I guess with this logic, we could conclude that the famous "Slashdot Effect" is a DDoS attack, isn't it? Please.

Paragraph 10 is my favorite, and outlines your reason for your hatred and ignorance:

"The redirected DoS attack against Blue Security brought down Six Apart's popular TypePad and LiveJournal blogging services. That brought down thousands and thousands of blogs around the world (including, by the way, my personal blog)."

Oh, poor baby. Your blog was down for almost 8 hours? Ohhh. Want a baba for your booboo?

While I agree that the decision for Blue Security to point their domain to the SixApart servers wasn't exactly the best choice, or ethical for that matter, don't blame them completely. Instead of shooting at the victim, why don't you take out the posse? Blue Security did what they thought best, and it isn't a half-bad one at that either. Think about it. SixApart is located in the United States (San Francisco, California) where there is a federal law against DDoS attacks. Because Blue Security is located in Israel, they may not have the same laws as we do here. Thus, pointing the domain to a server that hosts thousands and thousands of blogs in the U.S., and the world for that matter, will surely get the attention of the FBI and a much broader audience. I guarantee you it did- just read the online news. Heck, I would've done the same thing.

I am refraining from continuing to point out this journalist's obvious lack of thorough reporting. It'll just make me upset with his continuing "vigilante" run throughout the post.

Lastly, there is the claim that the use of Blue Security does not decrease your spam count, but increases it. This is just ridiculous. I have been a faithful user of Blue Security for several months now, and I have seen my spam go down 67%. Thousands and thousands of other Blue Security users are seeing the same. According to Blue Security, 6 of the top 10 spammers worldwide have agreed to opt-out the users in their mailing lists. The remaining 4 are the ones sending the DDoS attacks and threatening emails. So, apparently, it is working, and working well.

In summary, users of Blue Security are not vigilantes. They are users simply sending opt-out requests as fully outlined and stated in the CAN-SPAM Act. Further, Blue Security is only issuing one opt-out per spam message, again, as spelled out clearly in the CAN-SPAM Act. Blue Security is not issuing DDoS attacks. Blue Security is merely sending out the messages that people are reporting. When you have half-a-million users doing the same, the traffic is heavy, no doubt. Just remember the difference between the words malicious and persuasion. Finally, Blue Security just works, and it works well. It is ethical, legal, and effective. Like I said, my email has dropped 67% since first using it several months ago, from 300+ messages a day to 70-100.

If you really want to engage in this conversation with me, post your comment or send me an email, and we can go head to head. I would love to clear up any misconceptions about Blue Security and its methods.
