"This is a message that spells out, 'I am a spammer,'" says Eran Reshef, his voice echoing in the receiver from half a world away. Reshef is the CEO of Blue Security, a startup he founded in Herzliya Pituach, Israel, and we're examining an email typical of a dozen I receive daily. The subject line contains an offer for bargain-basement "generic Viagra." I've long since burned through my animosity for spammers. I use the best filter I can find and delete the garbage that makes it through. I've learned the hard way that trying to opt out from junk email only attracts more of it.
Reshef wants me to tap into my dormant rage and fight back. Don't worry, he tells me, you'll have a posse. He's organizing thousands of weary victims like me and leading us in a kind of distributed denial- of-service attack. It's a weapon normally employed by malicious hackers who use hijacked PCs to flood unsuspecting companies, but Reshef is out to cripple offensive bulk emailers. "That," he says, "is the only way to get their attention."
Reshef doesn't use the incendiary DDoS moniker for his brand of spammer attack. He tells me he prefers "active deterrence" and walks me through a typical counterattack. I download his Blue Frog software - named after a cute-but-deadly poisonous frog found in South American rain forests - which creates an email account in my name and seeds it around the Web to attract unsolicited offers. The company's analysts sift through the messages and find, say, a Viagra spammer who's violating key provisions of the Can-Spam Act of 2003. They'll email the Viagra spammer in an attempt to opt out on behalf of Blue users and check the domain against block lists from antispam outfits like Spamhaus.org. "It's important that we play the game," Reshef says, "and give them a chance to say, 'No, this is a mistake, let's fix it.'"
If rebuffed, Blue Security will send an automated script to my PC, or what it calls my frog, and hundreds of others. The script orders the frogs to visit the Viagra site, root around for the purchasing form, and use it to file a complaint. Users can submit offending emails to Blue Security, but otherwise the process is automatic. The net effect is an onslaught of data traffic that gums up the servers at this "pharmacy," bringing them to a standstill and forcing the operator to remove our email addresses from their list.
Since the firm's launch in late July, Reshef has endured a firestorm of criticism for his brand of vigilantism. Some antispam groups condemn his tactic as unethical and possibly illegal. "It looks simultaneously naive and counterproductive," says John Levine, a board member at the Coalition Against Unsolicited Commercial E-mail. "Sooner or later, they are going to DDoS something that doesn't deserve it."
Blue Security isn't the first to generate controversy by attacking spammers head-on. Last year, Lycos Europe launched a Make Love Not Spam campaign, which bombarded offending sites with screensavers. But in the face of criticism, and after some targets directed traffic back to Lycos, the company ended its campaign. The group Artists Against 419 uses online flash mobs to drain the bandwidth of Nigerian email scam sites.
Reshef calls the criticism unfounded. He says Blue Security complains once for each spam received, something every US citizen has a right to do so under Can-Spam. And the company often stops short of that; it doesn't take several thousand complaints for a spammer to take notice.
The 25,000-plus Blue users who've donated their processing power to harass generic-Viagra salespeople seem unconcerned with the ethics of it all. The system's biggest hurdle is less moral than practical anyway. Resourceful spammers may simply find ways to circumvent the frogs: They've already tried altering the purchase forms.
Ultimately, Reshef must prove he can protect people like me before he can offer his wares to corporations. Two weeks after signing up for the service, my inbox continues to fill up with "Walium CiAllis V'iagra" and "Zap the fat with a bodywrap" emails. Which has me wondering, will my posse ever be big enough?
- Evan Ratliff
POSTS
>
The Spam Vigilantes
