
It’s over.  BlueSecurity has given up and shut their doors.

Before I get waves of loyal BlueSecurity users bemoaning the demise of the company, let me tell you what I think is the key reason that the BlueSecurity idea was doomed from day one: They had a Do Not Email list.

BlueSecurity was effectively a proxy for their subscribers, fighting spammers by using the legal means available in CAN-SPAM (basically, aggressively unsubscribing their users).  And that’s not necessarily a bad idea, as long as the user’s email address is never exposed.

However, BlueSecurity exposed their users to attack by having a Do Not Email list.  While the list was not open, it was easy for spammers to find out who the users were by simply running their lists of email addresses against the Do Not Email list.  The addresses that came back as not mailable were the BlueSecurity users.  Then, the attack could start.

Of course, that’s exactly what happened.

The idea of being a proxy for Do Not Spam is not necessarily a bad idea.  And I know it made people feel good to fight back, and I think legally fighting back is a fine idea.  But getting users involved invites the possibility of collateral damage.  Such a fight should be done by a coordinated network of volunteers, with one face to the spammer.  You expect spammers to respect your list?  Good luck. 

Brian Krebs writes about the demise of BlueSecurity:

I had a chat with Blue Security’s CEO Eran Reshef shortly after the attack, and he shared with me some records of his online conversations with two spam sponsors, individuals in the business who handle everything from keeping the online pharmacy and other spam product Web sites running, to hiring and paying the people who do the actual spamming. Reshef said attacks from the company’s software had convinced six out of the top 10 sponsors to scrub their spam e-mail lists to remove the addresses of people who use Blue Security’s software.

Link here.


Alex Eckelberry
(thanks Michael)