Image of the glider from the Game of Life by John Conway
Skip to content

Misconceptions About Blue Security

There seems to be a lot of miscredited information spreading around the Internet like wildfire concerning Blue Security. Although I don't work for them, or know their inside operations personally, I would like to take the time to put many of them to rest. I will admit, that because I am not up close and personal with the developers or the Do Not Intrude Registry, some of this false information could be possible. Let's put on our thinking cap, and begin, well, thinking.

The first article I would like to draw from is hosted at Wired News, titled I'm the Blue Security Spammer. The first innacuracy in that article- pragraph 10 and 11.

"John Levine, a board member of the Coalition Against Unsolicited Commercial Email, said that while it's not clear the letter's author is who they claim to be, a spammer could realistically gather Blue Security's users' e-mail addresses. 'The problem with any antispam list is you can reverse engineer it,' Levine said. 'People can find out who's on the list.'"

Hmmm. Not quite, John Levine. You see, this specific list is hashed and stored in encrypted form, which means, if you know anything about computer security, you know hashes cannot be reversed at all, let alone "reverse engineered", albeit the key is stronger than 24-bits. While other anti-spam authorities may be careless with their lists, Blue Security is not. From the Blue Security FAQ:

How are members' emails addresses kept safe?

Blue Security takes precautions to protect the contents of the Do Not Intrude Registry by exposing it only in an encrypted form. In addition to members' addresses, the Registry also contains a high percentage of fake e-mail addresses and addresses of honeypot e-mail accounts used for analysis.
For more information click here.

So how does the spammer remove your email based on what is in the Do Not Intrude Registry? Simple, they run their email addresses through the hash as well. If there is a match in the database, then they are encouraged to remove the address. Remember, more than just valid email addresses are in the registry.

Next, I take you to InformationWeek, where an anti Blue Security post titled Blue Security Shoots Itself, And Thousands Of Other People, In The Foot. There is enough foul smelling turd in this post to keep me going for hours. However, I will do my best to control myself. First, we don't have to go far to find inaccuracies here. The first sentence will suit us fine.

When an outfit called Blue Security launched a service to go after spammers with vigilante justice, any idiot could've foreseen big problems.

Let's define the word "vigilante". Looking up the definition in Google, we find, "One who takes or advocates the taking of law enforcement into one's own hands." Now, either the editor for InformationWeekly just chose the wrong word, or he is as ignorant and idiodic as the people he thinks he has identified. Sending opt-out requests is not vigilante. In fact, quite the oposite. From the CAN-SPAM Act:

It requires that your email give recipients an opt-out method. You must provide a return email address or another Internet-based response mechanism that allows a recipient to ask you not to send future email messages to that email address, and you must honor the requests. You may create a "menu" of choices to allow a recipient to opt out of certain types of messages, but you must include the option to end any commercial messages from the sender.

So, as stated, the email users are given the option to "opt-out", and the spammers are required by law to agree within 10 days. So, sending opt-out requests back to the spammers is fully within the law. I guess I am failing to see where this is vigilante. Investigating further, from the Blue Security ethics page:

One message - One Complaint - The total number of complaints posted by the community is always less than or equal to the number of spam messages received.

In other words, Blue Security is sending a single opt-out for every spam message received to the inbox. Again, operating fully within the law. No single Blue Security user can be labled a "vigilante", because they are maximizing their ability to send an opt-out message for every one sent. Nice try. So your claim "Not just one unsubscribe request--they pepper the sender with multiple requests for every single spam message received." is about as far off base as you can get. Trully, you have reared your ignorant head. But hey, I'm having fun, let's continue.

We don't go far, and we reach paragraph 5, where the claim that Blue Security is effectively dishing out distributed denial of servie attacks. From the page:

The plan is that eventually the spammers will have to stop sending their spam because every single spam message will result in stepping up the DoS attack on the originating site. (Blue Security denies it's a DoS attack, but of course it is.)

Blue Security denies it is a DDoS attack, because it isn't a DDoS attack. Let's define some more definitions here. Again, from Google: "A type of denial of service attack in which an attacker uses malicious code installed on various computers to attack a single target. An attacker may use this method to have a greater effect on the target than is possible with a single attacking machine." You see, this is the big difference between a DDoS and Blue Security, is the word "malicious". I think we can all agree that malicious is the desire to harm, corrupt or destroy. Hopefully, I don't need to pull up a Google definition for that one. The design of Blue Security is to persuade. There's a big difference. With a DDoS attack, such as the one against Blue Security recently, zombie machines from all over the world where flooding the Blue Secuirty servers with packets, thus rendering them inable to process valid web requests. With Blue Security, I personally am sending opt-out requests to the spammers. Just because 500,00 others voluntarily worldwide are doing the same thing does not constitute a DDoS attack. It's not my fault the spammer servers cannot keep up with the opt-out requests. Maybe they should upgrade their hardware. I guess with this logic, we could conclude that the famous "Slashdot Effect" is a DDoS attack, isn't it? Please.

Paragraph 10 is my favorite, and outlines your reason for your hatred and ignorance:

"The redirected DoS attack against Blue Security brought down Six Apart's popular TypePad and LiveJournal blogging services. That brought down thousands and thousands of blogs around the world (including, by the way, my personal blog)."

Oh, poor baby. Your blog was down for almost 8 hours? Ohhh. Want a baba for your booboo?

While I agree that the decision for Blue Security to point their domain to the SixApart servers wasn't exactly the best choice, or ethical for that matter, don't blame them completely. Instead of shooting at the vicitim, why don't you take out the posse? Blue Security did what they thought best, and it isn't a half-bad one at that either. Think about it. SixApart is located in the United States (San Francisco, California) where there is a federal law against DDoS attacks. Because Blue Security is located in Israel, they may not have the same laws as we do here. Thus, pointing the domain to a server that hosts thousands and thousands of blogs in the U.S., and the world for that matter, will surely get the attention of the FBI and a much broader audience. I guarantee you it did- just read the online news. Heck, I would've done the same thing.

I am refraining from continuing to point out this journalists obvious lack of thorough reporting. It'll just make me upset with his continuing "vigilante" run throught the post.

Lastly, the claim that the use of Blue Security does not decrease your spam count, but increase it. This is just ridiculous. I have been a faithful user of Blue Security for several months now, and I have seen my spam go down 67%. Thousands and thousands of other Blue Security users are seeing the same. According to Blue Security, 6 of the top 10 spammers worldwide have agreed to opt-out the users in their mailing lists. The remaining 4 are the ones sending the DDoS attacks and threatening emails. So, apparently, it is working, and working well.

In summary, users of Blue Security are not vigilantes. They are users simply sending opt-out requests as fully outlined and stated in the CAN-SPAM Act. Further, Blue Security is only issuing one opr-out per spam message, again, as spelled out clearly in the CAN-SPAM Act. Blue Security is not issuing DDoS attacks. Blue Security is merely sending out the messages that people are reporting. When you have half-a-million users doing the same, the traffic is heavy, no doubt. Just remember the difference between the words malicious and persuasion. Finally, Blue Security just works, and it works well. It is ethical, legal, and effective. Like I said, my email has dropped 67% since first using it several months ago, from 300+ messages a day to 70-100.

If you really want to engage in this conversation with me, post your comment or send me an email, and we can go head to head. I would love to clear up any misconceptions about Blue Security and its methods.

{ 7 } Comments

  1. Hans | May 6, 2006 at 7:42 am | Permalink

    Vigilante: “One who takes or advocates the taking of law enforcement into one’s own hands.”

    Let's see, from your own blog: "Bluesecurity is fighting the good fight." and "I will let my spam collect until the service is restored, then they will get hit hard. If this is the end of Bluesecurity, which I hope not, we’ll find other resorts to put spammers where they belong. In hell." Sure sounds like vigilante to me. Ok, so it's within the bounds of the law - so it's legal vigilantism.

    Now let's look at your pet word "persuade". "You see, this is the big difference between a DDoS and Blue Security, is the word “malicious”. I think we can all agree that malicious is the desire to harm, corrupt or destroy. Hopefully, I don’t need to pull up a Google definition for that one. The design of Blue Security is to persuade."

    You and Blue Security both say you are fighting spammers. I think we can all agree that fighting involves intent to harm, corrupt, or destroy. Many a war has been fought to persuade the other side into acting, thinking, or talking a certain way. So I'm sorry but I'm not buying your argument against DDoS. And yes, I'd say the slashdot effect is an unintentional DDoS - just ask anyone who's been slashdotted.

    So in short, you're just playing with words. The fact is, you picked a fight with spammers, and fight is what you got. As with any fight/war, expect criticism from all kinds including lazy or sensationalist reporters.

    I'm no spam apologist, and the BlueSecurity idea is intriguing, but let's not pretend it's something it's not. Me, I'm happy to let bogofilter do its job with 6-month tuneups and so I have no reason to get involved in a war. I have more interesting things to do with my time. Remember opportunity cost. If the spammers get you to waste time fighting them, then they're to benefit.

  2. Aaron | May 6, 2006 at 9:31 am | Permalink

    Thanks for your comment.

    Vigiliantism is taking the law into your own hands. This means, that whether or not the action is illegal, you will still pursue what you are sought out to do. In the Old West, these were commonly referred to as "outlaws". Here, users are not taking the law into their own hands, but rather operating fully withing the confines of the law. If the action was illegal, I would believe that most Blue Security users would not be participating.

    If you would like to play with words, fine. I am not. Although on the surface, the fight against spam may seem malicious, it is not. We are not out to hurt, corrupt, or destroy the spammers or their servers themselves. Heck, I don't care if they continue their spam ring operations. If they would just comply to my first request to opt-out, then I wouldn't have to keep reminding them, now would I? Persuasion can seem malicious, if all you look at is flood-requesting over and over that spammers take you off their list. But persuasion isn't always malicious, and it certainly isn't so in this case.

    "I’m no spam apologist, and the BlueSecurity idea is intriguing, but let’s not pretend it’s something it’s not. Me, I’m happy to let bogofilter do its job with 6-month tuneups and so I have no reason to get involved in a war."

    Why just use filters? You're not doing anything to stop the amount of spam coming in. You've buried your head in a hole, ignoring it, hoping it will go away. Just because it is out of sight doesn't mean it doesn't exist. It a major problem, including identity theft, porn, phishing and other illegal tactics. Would you let this sort of garbage flood your physical mailbox? I can't sit around, and do nothing about it. If there was such an antispam reporting tool for WordPress blogs, you better believe I would have that installed too.

    Let's not pretend it's something it's not? And what are we pretending it to be? It is an antispam tool that is very effective. It's eliminating spam from my mailbox. It's fighting the Good Fight, and you think I'm wasting my time by actively deterring spammers? I'm sorry you feel this way. It takes only a couple minutes to report hundreds of spam messages, so I am wondering where this lengthy time, that you are too busy with, is?

    Anyway, thanks for your comment. You may want to try it out, I think you'll have a greater understanding of how exactly it works.

  3. Corey | May 6, 2006 at 10:20 am | Permalink

    "Oh, poor baby. Your blog was down for almost 8 hours? Ohhh. Want a baba for your booboo?"

    I'm sure you'd feel the same way if your business was shutdown because somebody else was having problems. It wasn't just not "the best choice", it was downright wrong. If Blue Security wants to go around picking fights with spammers I guess that's there choice, but they better be ready for an arms race. I hope you recall that Lycos tried a similar thing a couple years ago, titled Make Love Not Spam, and it didn't work either.

  4. Steve | May 6, 2006 at 10:53 am | Permalink

    Thanks for the good post, man. That clears up a lot of questions and misconceptions I had about the service.

    It seems like some spammers obviously don't like it. Why else would they fight back if it wasn't being effective? Rock on.

  5. Aaron | May 6, 2006 at 12:17 pm | Permalink


    Thanks for the reply.

    While I agree with the ethical issue behind Blue Security pointing their domain to the SixApart servers, I am willing to bet it did more good than harm. It awoke the sleeping giant, and the spammers are in for a world of hurt if they pull that stunt again.

    The Lycos campaign was entirely different from Blue Security. With Lycos. you installed a screensaver that sent floods of packets to the spam sites. These floods of packets had nothing to do with the spam you personally received. They were just random. As such, with enough users on board, a DDoS attack was created. It was shut down, because it was against the law. Plain and simple.

    With the Blue Security campaign, each user is sending requests as outlined in the CAN-SPAM Act. So quite to the contrary, Make Love Not Spam wasn't a similar campaign at all.

    Finally, the journalist of the post, Mitch Wagner, has not blogged on his personal blog, the one that is being hosted on the SixApart servers, since June 2005. Also, there is no sign of him using his blog for a "business" as you pointed out, or any financial gain. So I am failing to see what is so important about his blog that it needs to be up every minute of every day.

    At any rate, thanks for your comments.

  6. Corey | May 6, 2006 at 11:19 pm | Permalink

    My point wasn't that Mitch Wagner had some financial interest in his blog being up, but that SixApart does. When Blue Security redirected this DDoS over there, it didn't just affect that one blog but all of TypePad and LiveJournal.

    Consider this analogy. Let's say Payless Shoes sprung a leak in a water main. They remedy the situation by hooking up a hose and piping the water next door to dump water into Albertson's. "Oh, poor baby. You couldn't buy your Cheerios for 8 hours."

    Hey, if they want to start a fight with spammers more power to them. But if one of my customers redirected a DDoS to my network because they couldn't handle the consequences of their actions, I'd have some not too pleasant words for them.

    Gah! I can't believe I spelled "their" as "there"! I sware I no how to right werds.

  7. Aaron | May 7, 2006 at 8:52 am | Permalink

    Again, I am not justifying their choice to point their domain to SixApart. If I were put in the position, I would not do it. However, the choice may have had some very positive results. If that DDoS is attempted again, there may be some legal repercusions (did I spell that right?) from all over the globe, and I think they are aware of that. Blue Security shouldn't have done it, no doubt, but look at what possibly came about it.

    On the other hand, a spammer known as "Pharma Master", upon discovering that Blue Security had a blog at SixApart, took personal joy in attaking the service and bringing down over 9,000 servers. Although Blue brought the traffic, it was a game with the spammers to see how many servers they could take down.

    Again, though, the choice by Blue to point their domain to SixApart was wrong, and unethical. I just can't help but think though that the spammers have gotten the attention, and wrath, of millions of people worldwide.

Post a Comment

Your email is never published nor shared.