Interesting press release this morning from Blue Security, touting their new “Do Not Intrude Registry”. The basic concept is simple: you sign up for their service and install an agent on your local computer. Blue creates honeypot mailboxes, which it then monitors. If spammers spam those mailboxes with messages that don’t comply with the CAN-SPAM law, Blue asks the spammers to stop. If they don’t, the Blue agent (which they call a Blue Frog, after the blue poison arrow frog) starts spamming the spammers by posting junk data to their order form. This is no big deal if only one agent does it, but the agents are cooperative, so if the spammer sends out 10,000 messages, they get 10,000 junk order submissions.
The PR calls this “ethical and effective”. I disagree on both counts; it’s nothing more than a botnet in disguise. If it’s wrong for J. Random Attacker to mount a DDoS against a website they don’t like, it’s wrong for Blue to mount DDoSes against spammers. Despite the fancy language deployed by Blue’s CEO in this InformationWeek article, it’s pretty clear that this is a clear-cut DDoS approach: Blue is trying to hit the spammers where it hurts by degrading their operational capacity to take orders.
I don’t condone spammers, but descending to their level isn’t an ethical approach. In a remarkable coincidence, most of the sentiment on /. seems to agree that this is a bad idea.
Update: but don’t take my word for it; legendary guru John Levine has weighed in with his thoughts (including the interesting fact that Blue tried to get sponsorship from a number of anti-spam orgs, all of whom rejected the idea).
