TELECOM Digest OnLine - Sorted: A Do-Not-Spam Registry That Might Work


A Do-Not-Spam Registry That Might Work


Kevin Murphy (murphy@telecom-digest.org)
Thu, 21 Jul 2005 14:43:41 -0500

By Kevin Murphy

Blue Security Inc has come up with a novel twist on the do-not-call
registry to fight spam that seems to address many of the problems
inherent to previous attempts.

The company will today launch its Do Not Intrude registry, which
marries the ideas of spam honeypot accounts and automated complaint
software that could create denial-of-service effects on spamvertised
web sites.

Blue chief executive Eran Reshef told ComputerWire that the system is
ethical, hard for spammers to evade, and does not allow spammers to
farm the list for email addresses, which has been the major drawback
of previous notional do-not-spam registries.

When users sign up for the new service, their genuine email address is
added to a list. Blue also creates a phony honeypot address for them,
which is published somewhere on the web where spammers can find
it. This address is added to the same list.

Users install some software called Blue Frog on their computers.
Whenever their honeypot account receives a spam email, Blue Frog sends
a single complaint to the web site being advertised in the spam.

The idea is that spamvertised sites will be hit by so many complaints
that they will be unable to transact their regular business,
compelling them to download the Do Not Intrude registry and remove the
listed addresses from their mailing list.

The idea of a do-not-spam registry has been touted in the past. The US
CAN-SPAM Act instructed the Federal Trade Commission to explore the
idea, and the FTC concluded that it "would be a waste of time, and
worse, would probably be a 'do spam' registry".

Blue plans to avoid this problem by only making encrypted addresses
available to the spammers, so they can never farm addresses that they
are not already aware of from the list, according to Reshef.

When a spammer decides to honor the registry, they download some
software and a list of hashed addresses. This software runs the same
hash operation on the spammer's own mailing list, and cleans it of
addresses that are on the Do Not Intrude registry.

Reshef, without going into details about how the honeypot accounts are
created and publicized, said that it would be "very hard" for the
spammers to distinguish between the genuine addresses on the list and
the honeypots.

But why would spammers sign up for the registry in the first place?
Because Blue Frog users, if there are enough of them, could cripple
the spamvertised sites with their automated complaints.

The software does not send an email complaint. Rather, it
automatically visits the spam web site and fills out any HTML form it
finds with a complaint along the lines of "Your site was advertised in
spam" with a link to the Blue Security site.

"The only thing that works in most spamvertised web sites in the bit
where you enter your contact or credit card details," Reshef said.

Each user complains once for each spam they get. Collectively, that
could amount to a distributed denial-of-service effect on the
offending web site, but Reshef said he believes the system to be
ethical.

"It's not a DDoS, people are exercising their right to complain about
spam they get," he said. "We're not trying to do anything illegal or
unethical. We're only doing ethical things, but we are being active."

In theory, this kind of system, if it were fully automated, could be
used to execute a "joe job" attack on an innocent party. By
spamvertising a legitimate site, the software would complain and cause
the DDoS effect.

But Reshef said this is avoided by the fact that Blue Security's
researchers are manually blacklisting and whitelisting sites, based on
their knowledge of what sites are currently in use by certain groups
of known spammers.

Currently, Blue is tracking 65 spam groups that Reshef estimates are
responsible for 90% of the spam received. The manual review element
means it would not be possible to joe-job, say, google.com, he
claimed.

Blue Security, which is backed by $3m of venture capital financing
from Benchmark Capital, has its corporate headquarters in Menlo Park,
California and its R&D lab in Herzliya Pituach on Israel's Silicon
Coast.

The company plans to give the software and service away for free to
consumers. After the public beta, launched today at
http://www.bluesecurity.com, the company will start to offer it to
enterprise users for a fee.

NOTE: For more telecom/internet/networking/computer news from the
daily media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra/more-news.html . Hundreds of new
articles daily.

*** FAIR USE NOTICE. This message contains copyrighted material the
use of which has not been specifically authorized by the copyright
owner. This Internet discussion group is making it available without
profit to group members who have expressed a prior interest in
receiving the included information in their efforts to advance the
understanding of literary, educational, political, and economic
issues, for non-profit research and educational purposes only. I
believe that this constitutes a 'fair use' of the copyrighted material
as provided for in section 107 of the U.S. Copyright Law. If you wish
to use this copyrighted material for purposes of your own that go
beyond 'fair use,' you must obtain permission from the copyright
owner, in this instance, Blue Security.

For more information go to:
http://www.law.cornell.edu/uscode/17/107.shtml

Post Followup Article Use your browser's quoting feature to quote article into reply
Go to Next message: Greff Keizer: "Blue Security Plans to Overload Spammer Web Sites"
Go to Previous message: Jim Haynes: "Bell Telephone Music"
TELECOM Digest: Home Page