A startup security firm is taking the fight to spammers by enlisting end users to create what's called a Do-Not-Intrude registry whose purpose is to make it too painful for junk mailers to operate.
"If a spammer sends you spam, you have a right to complain," said Eran Reshef, the chief executive of Menlo Park, Calif.-based Blue Security. "If they send you one spam, you complain one time. If they send you a thousand spams, you can complain a thousand times."
Volume is what spam operates on, and it is what Blue Security's plan hinges on as well.
Starting Monday, users can download Blue Security's Blue Frog client and sign up with the Do-Not-Intrude registry. Once the software's installed, users can register up to three e-mail addresses to monitor for spam. Blue Security, however, watches not only those addresses but up to a dozen accounts it sets up that act as additional "honeypots," or accounts designed to attract spam.
Blue Security analyzes the messages it receives from the users' accounts (as well as all others who sign up), then follows the links inside the spam to (hopefully) the originating site where, for instance, products or services pitched by the junk mail are sold. There, forms are identified that accept text -- an order form, perhaps, or a customer service form -- and their fields are automatically filled with a message demanding that the e-mail account's address be removed from the spammer's list.
"I kindly ask that you cease sending me or other registered users spam," the message reads.
The idea, said Reshef, is to punish the spammer for his actions. Although the scheme doesn't generate mail to the spammer -- spam for spam, so to speak -- the volume of Web traffic should be enough to cripple the spammer's Web site.
"The sheer amount of complaints going to the spammer's site is going to make it hard [for that site] to do anything else," said Reshef.
Spam is analyzed by Blue Security staff, said Reshef, who investigate the spam, verify that it violates the federal CAN-SPAM Act, trace the message to a Web site, and pinpoint a form on the site that can be used to complain. The Blue Frog handles everything else for the end-user.
The opt-out complaints are synchronized, so that all users whose accounts are monitored file simultaneously.
Although Reshef repeatedly said that the practice was not illegal, the end result is very close to a denial-of-service attack, in which a collection of computers simultaneously try to access a Web server with the intention of bringing it down under the sheer volume of traffic.
Reshef aggressively defended the concept and rejected the idea that it was a DoS in disguise. "We have a right to complain," he said. "The spammers have the right to send us spam, and we can't say anything? No, that's not right.
"We're not creating any harm. We're not trying to shut down any Web sites. But we have the right to complain, one for one," he added.
Other fight-back tactics against spammers have failed in the past. Last year, Lycos Europe rolled out a screensaver that conducted DoS attacks against known spammers. Within days, however, Lycos buckled under pressure from security groups -- which called it vigilantism -- and ISPs, who worried that attacks originating from their members would make them liable to legal action on the part of spammers.
"Our effort is completely different from what Lycos did," said Reshef. "Lycos used a hit list of spammers. We're only responding to actual spam. And each user is responding only to the spam he or she received."
Some may see it as a difference in semantics. But Reshef sees it as effective.
"We've already seen it work," he said. "The spammers don't like what we're doing, and some of them during our tests tried to modify their site on the fly to keep out complaints." Two other sites that he declined to name, he said, have agreed to stop sending spam to the real and honeypot accounts.
"We need a critical mass of users for this to work," Reshef acknowledged. "If enough people abandon the idea of passively filtering spam and realize that unrelenting action is required, we can together stand up for our online rights."
Once it's built up a sufficient community of users to ding spammers' Web sites, Blue Security plans to offer the service to enterprises for a fee.
The Blue Frog client can be downloaded free of charge from the Blue Security Web site.