Q: What's worse than an anti-spam company that uses abusive tactics to try to put spammers out of business?
A: A spammer that uses abusive tactics to successfully put anti-spammers out of business.
As my previous post about Blue Security made clear, my feelings about the Blue Frog model were more than a little mixed. Like everyone else, I would dearly love to 'stick it to the spammers'. The constant tide of crap, the forgery of my domains in their 'From:' lines (and resulting backscatter), the attempts to turn my computers into a spam delivery service, the general sleaze and criminality of spam are all infuriating. But I felt - and I still feel - that Blue Security's tactics took them into what was at best a gray area.
The court is still out on whether the tactics were effective or not. What is clear is that they were effective enough to get the attention of a spammer called Pharmamaster, who unleashed a multi-pronged attack on Blue Security. The attacks included spam sent to Blue Frog users, a DDoS attack that took down blogging company SixApart and a second attack that impacted registrar TuCows, and a joe-job that sent out spam appearing to come from Blue Security's Eran Reshef.
Today, Blue Security surrendered. Blue Security's Reshef recognized the impact of the attacks on third parties and said that he was not willing to "rip up the internet to make Blue Security work". Whatever you may think about Blue Security's activities, Reshef deserves credit for this decision. It must have been galling to have to give in to a spam-thug, but putting other users first was the right thing to do.
It's also possible that Blue Security received more blame than they deserved for the SixApart outages. Reshef has claimed that the decision to redirect bluesecurity.com to the company's SixApart-hosted blog site occurred before any DDoS attack had been launched. According to Reshef, the DDoS attack began only after the move and that prior to this point the spammers had limited their activities to null-routing Blue Security's website (with the alleged cooperation of a technician at a backbone provider). If this is true, BlueSecurity's actions are less flagrantly irresponsible than they first appeared.
Todd Underwood of Renesys probably has the most convincing analysis. He confirms that the DDoS did indeed start before Blue repointed their DNS and dismisses Reshef's claims that Blue's domain was blackhole-filtered on the backbone. He speculates that the domain was actually null-routed by Blue's own hosting provider, NetVision, shortly after the attack started. It's thus possible that Blue Security were genuinely unaware that a DDoS was in progress and didn't anticipate that repointing their DNS would take down SixApart. In this interpretation, Blue Security come across as more clueless than evil (if you're prepared to overlook the ethical questions around their Blue Frog client), although the melodramatic tone of their announcements and their apparent technical ignorance suggests a company founded more on spin than substance.
The company that comes out of the whole fiasco best seems to be SixApart. I have a soft spot for SixApart anyway — the blog section of this site is based on a tweaked MovableType — but their graciousness in not pointing the finger at Blue Security when their network went down is admirable. Tucows also seem to have done well: a claim by Blue Security that Tucows had terminated their account has been denied by Tucows, who say that they stood by their customer.
At the end of the day, the worrying thing is that the spammers appear to have won. Pharmamaster's attacks took out two service providers and forced Blue Security to surrender. Even those who disapproved of Blue Security's activities can't see that as a good thing. Pharmamaster and his friends have shown their strength and demonstrated how far they are prepared to go to protect their spam business. Any other anti-spam initiative that seems to be effective could just as easily be next.
Let's be clear on one thing. Pharmamaster and those like him are the real enemy of anyone who uses the Internet. Whatever reservations I have about Blue Security, Pharmamaster's apparent victory is no cause for any kind of satisfaction.