Spam Slayer: Bringing Spammers to Their Knees

By ABC News
July 18, 2005, 3:00 AM

Tip of the Month: Is your PC running malicious code that may have turned it into a spam-spewing zombie? Microsoft's Malicious Software Removal Tool scans, identifies, and extracts threats. Symantec also offers a free online virus detection service and a software program that identifies existing problems on your PC and determines how safe it is from potential online threats. Symantec also offers dozens of virus-removal tools.

In a novel if potentially controversial effort to fight spam, a firm called Blue Security this week begins distributing the beta of a free program that, once installed on your PC, makes it part of a community that works to cripple Web sites run by spammers.

"Most spam fighting tools that filter or block spam are never going to stop spammers from sending more spam," says Eran Reshef, founder and chief executive officer of Blue Security. He believes that fighting back by "inducing loss" against spammers is the only way to eventually stop spam.

Here is how Blue Security's Blue Frog software and antispam initiative works: When you sign up for a Blue Frog account, you install a piece of software on your PC and get to submit up to three e-mail addresses to Blue Security's Do-Not-Intrude Registry. The company then opens up multiple e-mail accounts on your behalf--accounts you technically own, but never use. Those e-mail accounts are managed by Blue Security and are designed to attract spam.

Blue Frog analyzes the spam that goes into your Blue Frog e-mail accounts (and those of other community members) and identifies messages that are not compliant with the federal Controlling the Assault of Non-Solicited Pornography and Marketing Act (known as CAN-SPAM). These include unsolicited marketing messages that don't provide an opt-out option or that have an invalid return address.

Blue Security says it will attempt to warn noncompliant spammers to stop sending e-mail to the accounts it has set up for you, as well as to the real e-mail addresses you provided during registration. If Blue Security can't contact the spammer, or the spam doesn't stop, things start getting nasty.

Blue Security follows the links inside the body of the spam message, which typically lead to a site that wants to sell you prescription medications, porn, a get-rich-quick scheme, or the like. It then identifies the form fields at the spammer's site (where you're asked to input credit card data, for example) and then uses the software you installed to direct your PC to insert in those fields a request to unsubscribe you from the site's mailing list. Also included in the form fields is an invitation to spammers to download a Do-Not-Intrude Registry compliance tool from Blue Security's Web site.

Now, the spammer wouldn't care if only one person did this. Even if a thousand Blue Frog users followed suit, the spammer still might not care. But Blue Frog's software causes all of its connected users to submit the request/complaint simultaneously--and repeatedly--for a period of time.

You would likely not notice these unsubscribe requests going out because it all happens behind the scenes on your PC. Blue Security says that each of its members' computers would likely be sending out requests a few thousand times a day. In my test of the beta program there was no perceptible impact on my computer usage or any slowing down of my Internet browsing.

The influx of tens of thousands of requests exactly at the same time floods the spammers' Web site, causing it to become inoperable. And because spammers typically must pay for the bandwidth of traffic to and from their sites, the massive flood of complaints means higher bills to keep the sites running, Blue Security argues.

Blue Security says that before it takes these drastic measures it will do everything it can to contact the people who send out the spam and those who run the Web sites those messages link to, asking them to stop spamming its Do-Not-Intrude Registry members. If that doesn't work, Blue Security will attempt to contact the Internet service provider hosting the site and warn it of the impending flood of requests.

To satisfy Blue Security's demands and stop (or avoid) the massive influx of requests, spammers must use the company's compliance tool to remove your real e-mail address and your dummy Blue e-mail accounts from their mailing lists. The Blue Security registry list is encrypted, so spammers never see your addresses: The compliance tool merely lets spammers check to make sure your real and decoy e-mail addresses aren't on their mailing list. And because Blue Security's registry list contains so many decoy e-mail addresses as well as real ones, any spammer who used Blue Security's registry to identify real e-mail addresses to spam would only be hit harder by bounced e-mail.
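The compliance check described above (a list holder can test whether addresses are on the registry without being handed the registry's addresses) is the kind of thing a one-way hash provides. The following is an added illustration, not Blue Security's code or a description of its actual tool; the use of SHA-256 over normalized addresses, the function names, and the real and decoy addresses are assumptions and constructed sample data.

```python
import hashlib

def normalize(addr: str) -> str:
    """Canonicalize so 'Alice@Example.com' and 'alice@example.com' match."""
    return addr.strip().lower()

def fingerprint(addr: str) -> str:
    """One-way digest of a normalized address. The registry ships only these
    digests, so a list holder learns nothing about addresses it does not
    already have. Caveat: a hash does not stop guessing; anyone holding a
    candidate address can hash it and test membership."""
    return hashlib.sha256(normalize(addr).encode("utf-8")).hexdigest()

def build_registry(addresses) -> frozenset:
    """Registry as the set of digests of real and decoy addresses alike.
    Decoys are indistinguishable from real entries in this form."""
    return frozenset(fingerprint(a) for a in addresses)

def scrub_mailing_list(mailing_list, registry):
    """Split a mailing list into (kept, removed): entries whose digest is in
    the registry are removed, everything else is kept."""
    kept, removed = [], []
    for addr in mailing_list:
        (removed if fingerprint(addr) in registry else kept).append(addr)
    return kept, removed

def is_compliant(mailing_list, registry) -> bool:
    """True when no registered address remains on the list."""
    return not scrub_mailing_list(mailing_list, registry)[1]

# Constructed sample data (assumption): one real registrant plus two decoy
# accounts; the registry holder never publishes this plaintext list.
REGISTERED = ["alice@example.com", "decoy-7f3a@example.net", "decoy-91bc@example.org"]
REGISTRY = build_registry(REGISTERED)

# Constructed mailing list as a list holder might run it through the tool.
SAMPLE_MAILING_LIST = ["Alice@Example.com", "bob@example.com",
                       "decoy-91bc@example.org", "carol@example.com"]

if __name__ == "__main__":
    kept, removed = scrub_mailing_list(SAMPLE_MAILING_LIST, REGISTRY)
    print("compliant before scrub:", is_compliant(SAMPLE_MAILING_LIST, REGISTRY))
    print("removed:", removed)
    print("compliant after scrub: ", is_compliant(kept, REGISTRY))
```

Because a registry of bare digests can be probed with guessed addresses, a real deployment would also rely on the decoy-address penalty the article describes rather than on the hash alone for secrecy.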

This technique of flooding a Web site with information in order to cripple it may be effective, but it's arguably very similar to a distributed denial of service attack in which a hacker uses hundreds of zombie computers to shut down Web sites. Launching a distributed denial of service attack is illegal in the U.S. and in most European countries.

Blue Security's Reshef bristles at the notion that his firm is involved with any type of DDoS attack. "We aren't trying to shut down any Web sites. We are just trying to slow these sites down so much the spammers can't earn money," Reshef says. He adds that members of the Blue Frog community have a right to complain about the spam they get.

Reshef says he is going after the worst offenders, spammers who are responsible for 90 percent of unwanted e-mail that isn't CAN-SPAM compliant.

Blue Security warns that this method of fighting spam won't lessen the flow of spam into your inbox in the short run. Over time, however, spammers will be forced to stop e-mailing Do-Not-Intrude registrants in order to remain in business. Once the registry hits a critical mass in size, the company believes the threat of a shutdown will intimidate spammers.

Blue Security's approach is not without precedent--but judging from the precedent, the company might run into problems. In December 2004, Lycos Europe pulled a controversial antispam screen saver from its site after coming under fire from both security experts and the spammers themselves.

Much like Blue Security, Lycos Europe offered to turn the tables on spammers by overwhelming their Web sites with Web page requests submitted by its "Make Love Not Spam" screen saver. The security community argued that Lycos Europe was engaging in vigilantism and had crossed a line by launching what were essentially DDoS attacks on spammers' sites.

Some ISPs even blocked access to the Make Love Not Spam site, supposedly because the screen saver generated a lot of unnecessary traffic on their networks or violated their rules on DDoS attacks. Note that a DDoS attack can bring down an entire ISP--including legitimate sites that happen to use the same hosting service as a spammer's business.

Blue Security will definitely raise eyebrows in the security community. But even if it survives legal scrutiny (or retaliation from angry targets), the big question is whether Blue Security can recruit enough consumers to join its army of serial complainers.