Blue Security Gives Up, Spammer Wins

Blue Security, which debuted its spam-fighting service last summerand built up a user base of more than 500,000, decided to wave the white flag after its servers were knocked offline by an aggressive denial-of-service (DoS) attack it claimed was launched by a deep-pocket Russian spammer tagged as "PharmaMaster."

May 3, in an attempt to get out the word about the DoS, Blue Security repointed its domain to an unused blog on Six Apart's TypePad blogging service. Within minutes, PharmaMaster attacked the blog with another DoS, which brought down Six Apart and left millions without access to their blogs. Blue Security's domain name service provider, Tucows, was also hit with a DoS and knocked offline for several hours; Tucows going down took thousands of Web sites it hosts with it.

Wednesday, Blue Security said it had to give up because it couldn't sustain the fight against spammers. "Several leading spammers viewed [us] as a strategic threat to their spam business," Eran Reshef, Blue Security chief executive wrote in the message posted to the company's site.

"After recovering from the attack, we determined that once we reactivated the Blue Community, spammers would resume their attacks. We cannot take the responsibility for an ever-escalating cyber war through our continued operations.

"As much as it saddens us, we believe this is the responsible thing to do," said Reshef, who did not respond to an e-mail requesting additional comment. Later Wednesday, a spokesman said that the company would not be making any additional statements beyond the message on its site.

"I'm not surprised that they shut down," said Todd Underwood, chief of operations and security at Manchester, N.H.-based Renesys, an Internet monitoring and routing analysis firm. "People who go after spammers get attacked by spammers."

Underwood added that although Blue Security was doomed to fail, it should have been able to weather these first rounds of attacks. "It was apparent how ill-prepared they were to deal with a DoS attack. They could have lasted a lot longer if they had been prepared."

Reshef admitted as much after the URL redirection brought down TypePad. "It wasn't the best decision to reroute traffic to TypePad," Reshelf said then.

Blue Security's model -- an automated agent sent an opt-out request in a tit-for-tat whenever a user received a spam message -- could only have worked if it accumulated a base large enough that spammers would find it impossible to strike back, Underwood argued.

Its surrender, though regrettable, was the right decision. "It was always clear that they would subject innocent users to attacks. There's simply no way to directly attack spammers that doesn't risk significant collateral damage," Underwood concluded.

Currently, Blue Security's Web site is offline. It's not clear, however, whether the situation is temporary, or if the company has closed the site for good.