By Kevin Murphy
Blue Security Inc has come up with a novel twist on the do-not-call registry to fight spam that seems to address many of the problems inherent to previous attempts.
The company will today launch its Do Not Intrude registry, which marries the ideas of spam honeypot accounts and automated complaint software that could create denial-of-service effects on spamvertised web sites.
Blue chief executive Eran Reshef told ComputerWire that the system is ethical, hard for spammers to evade, and does not allow spammers to farm the list for email addresses, which has been the major drawback of previous notional do-not-spam registries.
When users sign up for the new service, their genuine email address is added to a list. Blue also creates a phony honeypot address for them, which is published somewhere on the web where spammers can find it. This address is added to the same list.
Users install some software called Blue Frog on their computers. Whenever their honeypot account receives a spam email, Blue Frog sends a single complaint to the web site being advertised in the spam.
The idea is that spamvertised sites will be hit by so many complaints that they will be unable to transact their regular business, compelling them to download the Do Not Intrude registry and remove the listed addresses from their mailing list.
The idea of a do-not-spam registry has been touted in the past. The US CAN-SPAM Act instructed the Federal Trade Commission to explore the idea, and the FTC concluded that it "would be a waste of time, and worse, would probably be a 'do spam' registry".
Blue plans to avoid this problem by publishing only one-way hashes of the addresses, never the addresses themselves, so a spammer can learn nothing about an address from the list unless they already hold it, according to Reshef.
When a spammer decides to honor the registry, they download some software and the list of hashed addresses. The software runs the same hash operation over the spammer's own mailing list and deletes every address whose hash appears in the Do Not Intrude registry. The protection has a known limit: hashes of guessable addresses (common names at large domains) can still be tested offline against the list one candidate at a time, so a hashed registry prevents bulk recovery of the list rather than confirmation of individual guesses.
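The scrub procedure described above, written out as an added example (this is not Blue Security's software or its registry format, neither of which the article details). The hash algorithm, the normalization step and every address are assumptions constructed for the example. It also shows the limitation: the registry mixes genuine and honeypot hashes so they cannot be told apart, but a guessed address can still be checked against it offline.

```python
import hashlib

# Constructed sample data (not real addresses or a real registry).
SAMPLE_GENUINE = ["alice@example.com", "bob@example.org"]
SAMPLE_HONEYPOTS = ["qz7trap@example.net"]          # published where spammers harvest
SAMPLE_MAILING_LIST = [                             # a spammer's own list
    "Alice@Example.com", "carol@example.com",
    "qz7trap@example.net", "dave@example.org",
]


def normalize(address: str) -> str:
    """Canonicalize so that case or whitespace differences do not defeat the match."""
    return address.strip().lower()


def hash_address(address: str) -> str:
    """One-way hash of an address. SHA-256 is an assumption; the article names no algorithm."""
    return hashlib.sha256(normalize(address).encode("utf-8")).hexdigest()


def build_registry(genuine, honeypots):
    """Registry as published: a single set of hashes, genuine and honeypot indistinguishable."""
    return {hash_address(a) for a in list(genuine) + list(honeypots)}


def scrub_mailing_list(mailing_list, registry):
    """Spammer side: hash each owned address and drop the ones present in the registry.
    Returns (kept, removed), preserving the original order and spelling."""
    kept, removed = [], []
    for addr in mailing_list:
        (removed if hash_address(addr) in registry else kept).append(addr)
    return kept, removed


def guess_attack(registry, candidates):
    """Limitation: with an unsalted hash, anyone holding the registry can test guessed
    addresses offline. Returns the candidates that turn out to be on the list."""
    return [c for c in candidates if hash_address(c) in registry]


if __name__ == "__main__":
    registry = build_registry(SAMPLE_GENUINE, SAMPLE_HONEYPOTS)
    kept, removed = scrub_mailing_list(SAMPLE_MAILING_LIST, registry)
    print("registry size:", len(registry))
    print("kept:", kept)
    print("removed:", removed)
    print("guessed hits:", guess_attack(registry, ["bob@example.org", "eve@example.org"]))
```

The spammer learns only which of the addresses they already hold are on the list, which is the intended effect; they cannot read back addresses they never had. Because the honeypot hash sits in the same set, an honest scrub also removes the honeypot, which is what stops the complaints.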
Reshef, without going into details about how the honeypot accounts are created and publicized, said that it would be "very hard" for the spammers to distinguish between the genuine addresses on the list and the honeypots.
But why would spammers sign up for the registry in the first place? Because Blue Frog users, if there are enough of them, could cripple the spamvertised sites with their automated complaints.
The software does not send an email complaint. Rather, it automatically visits the spam web site and fills out any HTML form it finds with a complaint along the lines of "Your site was advertised in spam" with a link to the Blue Security site.
"The only thing that works in most spamvertised web sites is the bit where you enter your contact or credit card details," Reshef said.
Each user complains once for each spam they get. Collectively, that could amount to a distributed denial-of-service effect on the offending web site, but Reshef said he believes the system to be ethical.
"It's not a DDoS, people are exercising their right to complain about spam they get," he said. "We're not trying to do anything illegal or unethical. We're only doing ethical things, but we are being active."
In theory, this kind of system, if it were fully automated, could be used to execute a "joe job" attack on an innocent party: a spammer who advertised a legitimate site in their spam would cause the software to complain to that site and bring the DDoS effect down on it.
But Reshef said this is avoided by the fact that Blue Security's researchers are manually blacklisting and whitelisting sites, based on their knowledge of what sites are currently in use by certain groups of known spammers.
Currently, Blue is tracking 65 spam groups that Reshef estimates are responsible for 90% of the spam received. The manual review element means it would not be possible to joe-job, say, google.com, he claimed.
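An added example of the two mechanisms above: discovering the forms on a spamvertised page and filling every free-text field with the complaint, gated by analyst-maintained allow and deny lists so that a site nobody has tied to a spam group (the joe-job case) is never touched. This is not Blue Frog's code; the article does not describe how it parses pages or how the lists are kept. The list contents, the sample page, the URLs and the exact complaint text are constructed assumptions, and the code only builds the submissions, it sends nothing.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed lists standing in for the analysts' manual review; not real data.
ANALYST_DENYLIST = {"cheap-pills.example"}   # hosts tied to a tracked spam group
ANALYST_ALLOWLIST = {"google.com"}           # never a target, whatever the spam says

# The article says the message read along the lines of this, plus a link to the
# Blue Security site; the link is omitted here because the page gives no URL.
COMPLAINT_TEXT = "Your site was advertised in spam."

SAMPLE_SPAM_URL = "http://www.cheap-pills.example/landing.html"
SAMPLE_PAGE = """
<html><body>
<form action="/order.php" method="POST">
  <input type="hidden" name="token" value="abc123">
  <input type="text" name="name">
  <input type="email" name="email">
  <input type="text" name="card">
  <input type="submit" name="go" value="Buy">
</form>
</body></html>
"""


def _host_in(host: str, hosts: set) -> bool:
    """True if host equals or is a subdomain of any entry in hosts."""
    return host in hosts or any(host.endswith("." + h) for h in hosts)


def target_allowed(url: str) -> bool:
    """Policy gate: complain only to hosts analysts placed on the deny list, and never
    to an allow-listed host. Anything unknown is left alone, which is what prevents a
    spammer from joe-jobbing an innocent site through the system."""
    host = (urlparse(url).hostname or "").lower()
    if _host_in(host, ANALYST_ALLOWLIST):
        return False
    return _host_in(host, ANALYST_DENYLIST)


class FormCollector(HTMLParser):
    """Collect every <form> on a page with its action, method and named fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": (a.get("method") or "get").lower(),
                             "fields": []}
        elif tag in ("input", "textarea") and self._current is not None and a.get("name"):
            ftype = "textarea" if tag == "textarea" else (a.get("type") or "text").lower()
            self._current["fields"].append(
                {"name": a["name"], "type": ftype, "value": a.get("value") or ""})

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def build_complaints(spam_url: str, page_html: str, complaint: str = COMPLAINT_TEXT):
    """Return one submission per form on the page, or [] when policy forbids the target."""
    if not target_allowed(spam_url):
        return []
    parser = FormCollector()
    parser.feed(page_html)
    submissions = []
    for form in parser.forms:
        data = {}
        for f in form["fields"]:
            if f["type"] in ("text", "email", "tel", "search", "textarea"):
                data[f["name"]] = complaint          # free-text fields carry the complaint
            else:
                data[f["name"]] = f["value"]         # hidden/submit values kept so the post is accepted
        submissions.append({"url": urljoin(spam_url, form["action"]),
                            "method": form["method"], "data": data})
    return submissions


if __name__ == "__main__":
    for s in build_complaints(SAMPLE_SPAM_URL, SAMPLE_PAGE):
        print(s["method"].upper(), s["url"], s["data"])
    print("joe-job attempt:", build_complaints("http://www.google.com/", SAMPLE_PAGE))
```

The deny-list check is deliberately the only way a host becomes a target: the default for an unknown host is silence, not a complaint, so the decision to hit a site always traces back to a human entry rather than to whatever URL a spammer chose to put in a message.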
Blue Security, which is backed by $3m of venture capital financing from Benchmark Capital, has its corporate headquarters in Menlo Park, California and its R&D lab in Herzliya Pituach on Israel's Silicon Coast.
The company plans to give the software and service away for free to consumers. After the public beta, launched today, the company will start to offer it to enterprise users for a fee.