Monday, December 12, 2005

Blue Security Spams Spammers

Blue Security says its program can take on spammers by giving them a taste of their own medicine. Critics say it might be poisonous to more than just rogue web sites.
Like many boys growing up, Eran Reshef was fascinated by an animal that would gross out most adults: the blue frog, a poisonous species with luminous cobalt blue skin and shiny black warts found in the tropical forests of South America.
Twenty-three years later, the Israeli serial entrepreneur’s fascination has come full circle, with a startup called Blue Security. Its flagship product is the downloadable Blue Frog anti-spam application, which is represented on the company’s web site by a wide-jawed blue frog with bulging eyes and a three-fingered hand raised in a sort of a wave.
“When I was a kid I used to read about these frogs so poisonous that after one brush with them, for the rest of their lives predators try to avoid eating them again,” says Mr. Reshef.
He hopes the program will act much like its namesake in the wild, but targeting a different predator—the people who send spam, and the companies whose products are touted in the unwanted emails.
Blue Frog allows users to complain about spam proactively. When an email is classified as spam by a user, the program sends an opt-out request to the web site being advertised in the spam email.
Though Blue Frog sends out only one request per user, the total installed base of frogs can end up flooding a rogue site with a flurry of opt-out requests. To escape the deluge of incoming requests, the web site has to scrub itself clean of email addresses that have registered with Blue Security.
The company’s big idea in the fight against spam is a list of email addresses modeled on the lines of the “Do-Not-Call” registry created for telemarketers. Blue Security also hopes to force merchants to take responsibility for spam that markets their products by sending complaints to them instead of the spammers.
It’s a bold task, and a noble one, considering the huge problem that spam poses for email users. According to security software maker Symantec, spam made up 61 percent of all email traffic for the first six months of 2005; 51 percent of all spam received worldwide originated in the United States.
All of those unwanted emails also represent a huge market opportunity. Despite the abundance of companies trying to solve the problem, few have really managed a solution that works. Filters, the most popular method of reducing spam in inboxes, haven’t proved very effective, nor have federal laws like the U.S.’ CAN-SPAM Act of 2003.
The problem begs for a radical solution, and that is what Blue Security promises to deliver. But the startup’s idea has sparked a debate, with critics calling the method unethical because it launches a disguised denial-of-service attack against a web site by flooding it with requests.
It’s a radical method, admits Mr. Reshef, a veteran of the security startup space, but difficult problems call for creative solutions.

Making the Internet a Better Place
Blue Security, launched along with his partner Amir Hirsh in 2004, is Mr. Reshef’s third venture. In 1997, he founded Sanctum, which made web application-testing products; he sold it to business management software company WatchFire a year ago. His second startup was Skybox Security, a risk management company, whose board he continues to sit on.
After Skybox, says Mr. Reshef, he wanted to do something that would make the world a better place to live in. He picked ridding the world of spam as his cause and decided to start building the “Do-Not-Intrude” list for spammers.
Abiding by the registry is the only way vendors can avoid the deluge of opt-out requests that could potentially jam their network and bring down their servers.
“These small vendors don’t have the kind of technical infrastructure that can handle requests from thousands of users,” says Mr. Reshef. “We will force them to invest in the servers and technical infrastructure they need to handle high traffic and make it unviable for them to continue spamming.”
Blue Security has also created “honeypot” email accounts to attract and capture spam so that it can be analyzed and used for research.
The startup says it has 30,000 registered users who have signed up for Blue Frog. In April, the company bagged $3 million in seed-round financing from Benchmark Capital. Blue Security splits its offices between Menlo Park, California, and Herzliya Pituach, Israel, and now has 20 employees, mostly in Israel.

‘Utterly Implausible’?
The idea of a do-not-spam registry has been around for a while, but it’s the first time a startup has decided to run with it. Some say there’s good reason why no one else has taken the idea and tried to turn it into a business.
Last year, former U.S. Federal Trade Commission Chairman Timothy Muris said that such a registry would be a “waste of time, and worse, would become a do-spam registry.”
A do-not-call registry works because most telemarketers are law-abiding businesses— unlike bulk spammers, said the FTC in a report. It is not hard to trace the number from which an errant telemarketing company places a call to a subscriber on the registry, which makes it easy to enforce the law. No such method exists to trace the source of an errant spammer.
That is precisely why anti-spam activists are skeptical about Blue Security’s plans. John Levine, co-chair of San Francisco-based Anti-Spam Research Group, a part of the Internet Research Task Force, says he can’t remember the last time an “embarrassingly naïve” idea like Blue Security’s got such heavy-duty funding.
“Blue Security’s plan is to be somehow so annoying to spammers that they will just go away,” says Mr. Levine. “It is utterly implausible how they can do that without accidentally messing up the web sites of the innocents.”
Benchmark Capital partner Mark Kremer, who also sits on the board of Blue Security, declined to comment on the investment. Anti-spam activists like Mr. Levine have a few more bones to pick. They say that Blue Security’s systems could be misused to close down a legitimate business.
The company counters that all spam messages are analyzed by its team of experts, who prevent community attacks from being directed at legitimate web sites. The analysis process includes extensive manual verification of web sites using blacklists and Internet searches, and comparing spam reported by users to that arriving into its honeypots to ensure that their user-reported spam is not the only source for analysis, says Mr. Reshef.
Mr. Levine says that, despite these measures, Blue Security is setting itself up for failure.
“The reality is that as soon as Blue Security picks the wrong spammer who has a half-decent lawyer, they will have a lawsuit on their hands,” he says.
Such a scenario could bring down the company, agrees Pete Lindstrom, research director for SpireSecurity, an industry analyst firm. But beyond that, he can’t figure out what the fuss is about. “I don’t see what the huge deal is here,” he says. “These Blue Security guys are fairly restrained, and you cannot really fault a community initiative.”
Blue Security, says Mr. Lindstrom, might not work for another reason: The Blue Frog might be poisonous not just for spammers but also users.
“I wouldn’t advise folks to sign up and install any piece of active code on their machines,” he says. “Having something that goes out and sends out messages on its own requires a huge level of trust.”
Mr. Reshef concedes that earning that trust won’t be easy. His cautiously optimistic plans for the company are tempered with the realization that critical to its success is getting a community—of at least 100,000 users—large enough to make a difference.
Making money off the idea will be another challenge. Blue Security allows individuals to download the Blue Frog client and register their email addresses for free. But once it has a large enough user base, the company hopes to turn to enterprises and charge them for putting corporate email addresses onto its do-not-spam registry.
Getting to that point will be tough. So far, registered users including Mr. Reshef haven’t seen a significant reduction in spam in their inboxes. In the wild, the blue frog’s only predator is a certain species of snake immune to the frog’s poison. Online, it could be the community of spammers that shrugs off the Blue Frog’s venom.

RED HERRING | Blue Security Spams Spammers

No comments: