*** UPDATE: Please see our May 2nd blog entry ***
A considered and thought-provoking paper from Marcus Ranum reviews the spam response system from Blue Security. The system combines the advantages of a widespread user base monitoring their inboxes for spam (which guards against malicious or inept spam reporting) with automated responses that aim to flood spammers with complaints (in effect, a denial of service attack, but with self-imposed ethical limits, i.e., one response per complainant). A further key feature is the manual intervention before the multi-barrel bit-guns are unleashed: the Blue Security team contacts the relevant domain admins/users to ask for an explanation and gives them an opportunity to respond. If the spamming machine is in fact a zombie that has been compromised by a hacker and used by a spammer without the legitimate owner even being aware of the issue, the contact gives the owner the chance to take the machine off the web and clean it up.
Spammers are cordially invited to cleanse their mailing lists of Blue Security registrants, which unfortunately implies that other email addresses are fair game. The system designers have paid attention to the potential security implications of allowing spammers access to opt-out mailing lists, and use cryptographic techniques to obfuscate the list. However, personally, I would question the need for this function, and hence the associated residual risk, at all. Those spam recipients who do not actively opt out are clearly disadvantaged. The merest hint of a business model starts to rear its ugly head at this point.
Active response is generally frowned upon in principle by the professional information security community, but it sounds to me as if Blue Security may have invented a workable and ethical scheme.