According to the Washington Post, it sounds like Blue Security is giving up. Blue Security maintained a hashed do-not-email list of addresses that spammers were supposed to honor. If a spammer violated it, Blue Security could send thousands of opt-out requests from its users' machines to that spammer. It was almost like an opt-in botnet that protected its users against unsolicited email.
So how did the do-not-email list work? If you just hand out a list of email addresses and say "Don't mail these people," that's giving a thief a tour of a beautiful house and saying "But don't rob this house." So Blue Security published one-way hashes of the addresses instead. Anyone could hash an individual address and check whether it was on the list, but nobody could read the full list back out of the hashes. Smart, huh?
Well, there's a problem with that. Imagine you're a scuzzy email spammer without any, you know, ethics. You could mount a dictionary attack against the Blue Frog do-not-email list. In the world of passwords, a dictionary attack means hashing the most common passwords and comparing the results against a stolen hash file; here the "dictionary" is every email address you already hold plus every one you can generate. Hash each candidate and check it against the published list. Email addresses are guessable and spammers already hold enormous lists of them, so after a few hundred million attempts you could recover a large fraction of the addresses on Blue Security's list. A one-way hash only protects inputs the attacker can't guess; it hides nothing when the input space is small and public. Then you just do evil things: spam those addresses, send them viruses, etc.
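Here is a small simulation of the scheme and the attack, added as an illustration (it is not code from Blue Security or from the original post). The addresses, the spammer's "dictionary", and the use of SHA-256 are all constructed for the example; Blue Security's actual hash function is not stated on this page. The keyed-hash variant at the end is a hypothetical contrast, not something Blue Security did.

```python
import hashlib
import hmac
import itertools
import secrets

# Constructed sample data: made-up addresses standing in for the registry.
# None of these belong to real people.
REGISTERED = [
    "alice@example.com",
    "bob@example.org",
    "carol.smith@example.net",
    "dave1984@example.com",
    "zq8x!k@example.com",   # deliberately outside the attacker's dictionary
]


def normalize(addr: str) -> str:
    """Both sides must hash the same bytes, so case and whitespace are canonicalized."""
    return addr.strip().lower()


def hash_address(addr: str) -> str:
    """Unkeyed one-way hash (assumed SHA-256): the design that leaks the list."""
    return hashlib.sha256(normalize(addr).encode()).hexdigest()


def build_registry(addresses):
    """What gets published: only hashes, so the plaintext list is 'never revealed'."""
    return {hash_address(a) for a in addresses}


def is_registered(registry, addr):
    """The legitimate use: check one address without seeing the whole list."""
    return hash_address(addr) in registry


# --- The dictionary attack ---------------------------------------------------

def candidate_addresses():
    """The spammer's dictionary: addresses already held plus generated guesses.
    A real spammer has hundreds of millions; this constructed set is tiny."""
    already_held = ["alice@example.com", "carol.smith@example.net", "nobody@example.org"]
    names = ["alice", "bob", "carol", "dave", "eve"]
    suffixes = ["", "1984", ".smith"]
    domains = ["example.com", "example.org", "example.net"]
    for name, suffix, domain in itertools.product(names, suffixes, domains):
        yield f"{name}{suffix}@{domain}"
    yield from already_held


def dictionary_attack(registry, candidates):
    """Hash every guess; any hash that appears in the registry reveals an address."""
    return {normalize(g) for g in candidates if hash_address(g) in registry}


def recovery_fraction(registered, recovered):
    """Share of the registry the attacker got back."""
    return len(recovered & {normalize(a) for a in registered}) / len(registered)


# --- Hypothetical contrast: a keyed hash --------------------------------------

def keyed_hash_address(addr: str, key: bytes) -> str:
    """HMAC instead of a bare hash: guesses cannot be checked without the key."""
    return hmac.new(key, normalize(addr).encode(), hashlib.sha256).hexdigest()


def build_keyed_registry(addresses, key):
    return {keyed_hash_address(a, key) for a in addresses}


def dictionary_attack_without_key(registry, candidates):
    """Attacker knows the construction but not the key, so tries an unkeyed hash
    and a guessed key. Against a keyed registry this recovers nothing."""
    guessed_key = b"password"
    return {
        normalize(g) for g in candidates
        if hash_address(g) in registry or keyed_hash_address(g, guessed_key) in registry
    }


if __name__ == "__main__":
    registry = build_registry(REGISTERED)
    found = dictionary_attack(registry, candidate_addresses())
    print(f"recovered {len(found)}/{len(REGISTERED)} addresses: {sorted(found)}")

    key = secrets.token_bytes(32)
    keyed = build_keyed_registry(REGISTERED, key)
    print("keyed registry leaks:", dictionary_attack_without_key(keyed, candidate_addresses()))
```

The unkeyed run recovers every address the dictionary can reach; only the one junk address survives. The keyed variant leaks nothing, but it also stops spammers from checking addresses on their own machines, which was the whole point of handing them the list. Checks would then have to go through an online service that holds the key, which can be rate-limited but is still an oracle the attacker can query.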
That's why Blue Security is giving up: the spammers have probably recovered a large fraction of the addresses people registered with them, and they are threatening to do really malicious things to the users who asked not to be emailed. Kind of a shame. What's interesting to me is that the spammers were seeing enough of an impact that they decided to attack Blue Security.