In a novel but potentially controversial effort to fight spam, US firm Blue Security has begun distributing a free program that makes your PC part of a community which works to cripple websites run by spammers.
"Most spam-fighting tools that filter or block spam are never going to stop spammers from sending more spam," said Eran Reshef, CEO of the company. He believes that fighting back by "inducing loss" against spammers is the only way to eventually stop the problem.
When you sign up for a Blue Frog account, you install a software beta on your PC and get to submit up to three email addresses to Blue Security's Do-Not-Intrude Registry. The company then opens up multiple email accounts on your behalf – addresses you technically own, but never use. Those are managed by Blue Security and designed to attract spam.
Blue analyses the spam that reaches the Blue Frog decoy accounts and identifies messages that do not comply with the US CAN-SPAM (Controlling the Assault of Non-Solicited Pornography And Marketing) Act. These include unsolicited marketing messages that provide no opt-out mechanism or that carry an invalid return address.
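The screening described above, as an added example written for this page rather than Blue Security's own code: it parses raw messages delivered to a decoy mailbox and flags the two conditions the article names. The specific heuristics (a `List-Unsubscribe` header or an opt-out phrase in the body; a syntactically plausible `From` and `Return-Path`) are assumptions, and "invalid" is judged by syntax only, because an offline checker cannot test deliverability. The sample messages are constructed.

```python
"""Heuristic CAN-SPAM screening of decoy-account mail.

Added example, not Blue Security's code. It checks the two conditions the
article names (no opt-out mechanism, invalid return address) on raw messages;
the exact heuristics are assumptions, and "invalid" is judged syntactically.
"""
from __future__ import annotations

import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Deliberately loose mailbox pattern: local-part@domain.tld with no whitespace.
ADDRESS_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
OPT_OUT_RE = re.compile(r"\b(unsubscribe|opt[- ]?out)\b", re.IGNORECASE)


def message_body(msg: Message) -> str:
    """Concatenate the text/plain parts of a message (multipart or not)."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return "\n".join(p.decode("utf-8", "replace") for p in parts)
    payload = msg.get_payload(decode=True)
    return (payload or b"").decode("utf-8", "replace")


def has_opt_out(msg: Message) -> bool:
    """RFC 2369 List-Unsubscribe header, or an opt-out phrase in the body."""
    if msg.get("List-Unsubscribe"):
        return True
    return OPT_OUT_RE.search(message_body(msg)) is not None


def has_valid_return_address(msg: Message) -> bool:
    """From (and Return-Path, when present) must parse to a plausible mailbox."""
    for header in ("From", "Return-Path"):
        value = msg.get(header)
        if value is None:
            if header == "From":
                return False          # a marketing message with no sender at all
            continue                  # Return-Path is optional
        _, addr = parseaddr(value)
        if not ADDRESS_RE.match(addr):
            return False
    return True


def screen(raw: str) -> list[str]:
    """Return the non-compliance reasons for one raw message; empty means it passes."""
    msg = message_from_string(raw)
    reasons = []
    if not has_opt_out(msg):
        reasons.append("no opt-out mechanism")
    if not has_valid_return_address(msg):
        reasons.append("invalid return address")
    return reasons


# Constructed sample messages for a decoy mailbox (not real spam).
SAMPLES = {
    "compliant": (
        "From: Acme Deals <deals@acme.example>\n"
        "To: decoy1@registry.example\n"
        "Subject: Weekly offers\n"
        "List-Unsubscribe: <mailto:unsub@acme.example>\n"
        "\n"
        "This week's offers. Reply UNSUBSCRIBE to stop receiving these.\n"
    ),
    "no_opt_out": (
        "From: Cheap Meds <sales@pills.example>\n"
        "To: decoy1@registry.example\n"
        "Subject: Prescriptions without a prescription\n"
        "\n"
        "Order now at http://pills.example/buy\n"
    ),
    "bad_return": (
        "From: Make Money Fast <rich@>\n"
        "Return-Path: <>\n"
        "To: decoy1@registry.example\n"
        "Subject: Get rich quick\n"
        "\n"
        "Click here to opt out: http://fast.example/optout\n"
    ),
}


def screen_samples() -> dict[str, list[str]]:
    """Screen every constructed sample; used by the demo below."""
    return {name: screen(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, reasons in screen_samples().items():
        print(f"{name:12s} -> {'compliant' if not reasons else ', '.join(reasons)}")
```

A practitioner would treat this as a first-pass filter only: a spammer can include the word "unsubscribe" without honouring it, and a syntactically valid return address can still bounce, so the article's "invalid return address" test ultimately needs a live probe that this offline check does not perform.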
Blue Security will warn noncompliant spammers to stop sending email to the accounts it has set up for you, as well as to the real email addresses you provided during registration. If the company can't contact the spammer, or the mail doesn't stop, things get tougher.
Blue Security follows the links in the body of the message, which typically lead to a site selling prescription medications, porn or a get-rich-quick scheme. It then identifies the form fields on the spammer's site – where you are asked to enter credit card data, for example – and uses the software you installed to make your PC submit, through those fields, a request to unsubscribe you from the site's mailing list. The request also invites the spammer to download a Do-Not-Intrude Registry compliance tool from Blue Security's website.
Of course, the spammer wouldn't care if only one person did this. Even if a thousand Blue Frog users followed suit, he still might not care. But the software causes all of its connected users to submit the request/complaint simultaneously – and repeatedly for a period of time.
You wouldn't notice these unsubscribe requests going out, as it all happens behind the scenes on your PC. Blue Security says that each member's computer would probably be sending out a few thousand requests a day. In our test of the beta program there was no perceptible impact on computer usage or any slowing down of internet browsing.
The influx of tens of thousands of requests exactly at the same time floods the spammers' website, making it inoperable. And because spammers typically pay for the bandwidth of traffic to and from their sites, the massive flood of complaints means higher bills to keep the sites running, Blue Security argues.
Blue Security says that before it takes these drastic measures it will do everything it can to contact the people who send out the spam, asking them to stop mailing its Do-Not-Intrude Registry members. If that doesn't work, Blue Security will contact the relevant ISP and warn it of the impending flood of requests.
To comply with Blue Security's demands and stop or prevent this massive influx, spammers must use the company's compliance tool to remove all your email accounts from their lists. The Blue Security registry list is encrypted, so no one sees your addresses. The compliance tool merely lets spammers check that your real and decoy email addresses aren't on their mailing list. And because Blue's registry list contains so many decoy addresses as well as real ones, any spammer who used Blue Security's registry to identify real email accounts to spam would only be hit harder by bounced mail.
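The registry and compliance tool described above, as an added example written for this page rather than Blue Security's own code. The article only says the registry is "encrypted"; this example assumes one way to achieve that, a set of salted SHA-256 tokens (one per real or decoy address), so the file handed to spammers contains no plaintext and can only answer "is this address, which you already hold, registered?". The addresses, salt and decoys are constructed.

```python
"""Scrubbing a mailing list against a registry that exposes no addresses.

Added example, not Blue Security's code. The article says the registry is
"encrypted"; this models it (an assumption) as a set of salted SHA-256 tokens,
one per real or decoy address, so the published file reveals no plaintext and
a spammer can only test addresses it already holds.
"""
import hashlib

# Assumed: the salt is published with the token set. It defeats tables built
# before the registry existed; it does not stop a holder of the set guessing.
SALT = b"do-not-intrude-registry-v1"


def normalise(address: str) -> str:
    """Case-fold and trim so 'Alice@Example.COM ' and 'alice@example.com' match."""
    return address.strip().lower()


def token(address: str) -> str:
    """One-way token for an address; the registry stores only these."""
    return hashlib.sha256(SALT + normalise(address).encode("utf-8")).hexdigest()


# Constructed sample data: two real registrants and three decoy mailboxes.
REAL = ["alice@example.com", "bob@example.org"]
DECOYS = ["x91k2@trap.example", "q7ww4@trap.example", "ops-alerts@trap.example"]


def build_registry(real, decoys):
    """The only artefact handed to spammers: tokens, real and decoy mixed together."""
    return frozenset(token(a) for a in (*real, *decoys))


REGISTRY = build_registry(REAL, DECOYS)


def scrub(mailing_list, registry=REGISTRY):
    """Compliance-tool behaviour: drop every list entry whose token is registered."""
    kept, removed = [], []
    for addr in mailing_list:
        (removed if token(addr) in registry else kept).append(addr)
    return kept, removed


def probe(candidates, registry=REGISTRY):
    """What a spammer learns by abusing the registry as an oracle: only which of
    its own guesses are registered, and those hits include the decoys."""
    return [c for c in candidates if token(c) in registry]


def registry_leaks_plaintext(registry=REGISTRY, addresses=REAL + DECOYS):
    """True if any registered address appears verbatim in the published set."""
    return any(a in registry for a in addresses)


if __name__ == "__main__":
    kept, removed = scrub(["Alice@Example.com", "carol@example.net", "q7ww4@trap.example"])
    print("kept:", kept)
    print("removed:", removed)
    print("oracle hits:", probe(["alice@example.com", "dave@example.com",
                                 "ops-alerts@trap.example"]))
```

The caveat a practitioner would add: a hashed registry is only as private as the addresses are unguessable, since anyone holding the token set can hash a dictionary of likely addresses and see which match. That is exactly why the decoys matter in the article's argument: every hit a spammer harvests that way has a chance of being a decoy mailbox that feeds straight back into Blue Security's analysis.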
This technique of flooding a website with requests in order to cripple it may be effective, but it is similar to a DDoS (distributed denial of service) attack, in which an attacker uses hundreds of zombie computers to take websites offline. Launching a DDoS attack is illegal in the US and in most European countries.
Reshef bristles at the notion that his firm is involved with DDoS attacks. "We aren't trying to shut down any websites. We are just trying to slow these sites down so much the spammers can't earn money," Reshef said. He adds that members of the Blue Frog community have a right to complain about the spam they get.
Reshef said he is going after the worst offenders, spammers who are responsible for 90 percent of unwanted mail that isn't CAN-SPAM compliant.
Blue Security warns that this method of fighting spam won't immediately lessen the flow of spam into your inbox. Over time, however, spammers will be forced to stop emailing Do-Not-Intrude registrants or go out of business. Once the registry hits a critical mass in size, the company believes the threat of a shutdown will intimidate spammers.
Blue Security's approach is not without precedent -- but judging from the precedent, the company might run into problems. In December 2004, Lycos Europe pulled a controversial antispam screen saver from its site after coming under fire from security experts and the spammers themselves.
Much like Blue Security, Lycos Europe offered to turn the tables on spammers by overwhelming their websites with web page requests submitted by its Make Love Not Spam screen saver. The security community argued that Lycos Europe was engaging in vigilantism and had crossed a line by launching what were in essence DDoS attacks on spammers' sites.
Some ISPs even blocked access to the Make Love Not Spam site, supposedly because the screen saver generated a lot of unnecessary traffic on their networks or violated their rules on DDoS attacks. Note that a DDoS attack can take down an entire ISP – including legitimate sites that happen to share the same hosting service as the target.
Blue Security will definitely raise eyebrows in the security community. But even if it survives legal scrutiny (or retaliation from angry targets), the big question is whether Blue Security can recruit enough consumers to join its army of serial complainers.