The company has ceased all anti-spam operations, a Blue spokesperson said. As an entity, the company will remain open and explore new business opportunities for the technologies they have developed.
That means the Do Not Intrude Registry and the BlueFrog service, which together gave users a way to fight back against spammers using methods some said were de facto denial-of-service attacks, have been terminated.
The shutdown comes after a series of devastating DDoS attacks that not only took out Blue’s site and service, but also caused outages for millions of bloggers who host their blogs with Six Apart Ltd’s Typepad and LiveJournal services.
The bad guys won, in other words.
We once described BlueFrog as a do-not-spam registry than might work. It didn’t. Or, if it did, it worked too well.
After recovering from the attack, we determined that once we reactivated the Blue Community, spammers would resume their attacks, Blue said in a letter to its members. We cannot take the responsibility for an ever-escalating cyber war through our continued operations.
Blue launched last year with a novel method to combat spam. Users installed software on their PCs and placed their email addresses in a database. They were also assigned a dummy honeypot email account.
Any spam sent to that honeypot would trigger the software to automatically send an unsubscribe request to the web site advertised in the spam.
With hundreds of thousands of unsubscribes, the idea was to clutter the spammer’s e-commerce systems with junk. The only way for spammers to stop it would be to remove Blue’s subscriber list from their own mailing lists.
Critics said the service was little better than a DDoS attack, but Blue maintained until the end that its service was both legal and ethical. Under the US CAN-SPAM Act, it said, all spammees have the right request an unsubscribe when they receive a spam.
While a couple of big spammers cleaned their lists of Blue’s subscriber database, one, a Russian-speaker Blue identified as PharmaMaster, decided to launch a counterattack.
At first, PharmaMaster spammed Blue’s users, telling them they would get more spam unless they uninstalled BlueFrog and quit the service. Then he launched a massive DDoS attack against Blue’s web site.
Blue couldn’t take the traffic, so the company set up a new blog to keep its users up to date with what was happening. Unfortunately for Six Apart, that meant all the DDoS traffic hit LiveJournal and Typepad instead. Millions of blogs went down.
This is not the first time a spammer has been successful in killing off his enemies.
In 2003, at least four smaller anti-spam players, including Compu.net Enterprises, Bluebottle Systems and Osirusoft, which ran spammer blackhole lists, threw in their towels after suffering under weeks of DDoS and Joe-job attacks.
The lesson is clear: if you plan to do something that will tick off determined criminal spammers, you’d better have enough bandwidth to handle the response. Also worthing noting: there’s no such thing as enough bandwidth.
