The company will today launch its Do Not Intrude registry, which marries the ideas of spam honeypot accounts and automated complaint software that could create denial-of-service effects on spamvertized web sites.
Blue chief executive Eran Reshef told ComputerWire that the system is ethical, hard for spammers to evade, and does not allow spammers to farm the list for email addresses, which has been the major drawback of previous notional do-not-spam registries.
When users sign up for the new service, their genuine email address is added to a list. Blue also creates a phony honeypot address for them, which is published somewhere on the web where spammers can find it. This address is added to the same list.
Users install some software called Blue Frog on their computers. Whenever their honeypot account receives a spam email, Blue Frog sends a single complaint to the web site being advertised in the spam.
The idea is that spamvertized sites will be hit by so many complaints that they will be unable to transact their regular business, compelling them to download the Do Not Intrude registry and remove the listed addresses from their mailing list.
The idea of a do-not-spam registry has been touted in the past. The US Can-Spam Act instructed the Federal Trade Commission to explore the idea, and the FTC concluded that it would be a waste of time, and worse, would probably be a ‘do spam’ registry.
Blue plans to avoid this problem by only making encrypted addresses available to the spammers, so they can never farm addresses that they are not already aware of from the list, according to Reshef.
When a spammer decides to honor the registry, they download some software and a list of hashed addresses. This software runs the same hash operation on the spammer’s own mailing list, and cleans it of addresses that are on the Do Not Intrude registry.
Reshef, without going into details about how the honeypot accounts are created and publicized, said that it would be very hard for the spammers to distinguish between the genuine addresses on the list and the honeypots.
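The hashed-registry mechanism described above, as an added example that is not Blue Security's own code: the registry publishes only one-way digests, the recipient of the list hashes their own addresses the same way and drops the matches, and genuine and honeypot entries look identical once hashed. The hash function, normalisation rule and sample addresses are assumptions, since the article names none of them.

```python
import hashlib


def registry_digest(address: str) -> str:
    """One-way digest of a normalised address.

    Assumed: SHA-256 over the lower-cased, stripped address. Both sides must
    apply the same normalisation, or a case variant slips through the scrub.
    """
    return hashlib.sha256(address.strip().lower().encode("utf-8")).hexdigest()


def build_registry(addresses):
    """Publish digests only: the list discloses no address the holder does not already have."""
    return frozenset(registry_digest(a) for a in addresses)


def is_registered(address: str, registry) -> bool:
    """Membership test. A holder can confirm an address they already possess is listed,
    but digests alone do not yield unknown addresses."""
    return registry_digest(address) in registry


def scrub_mailing_list(mailing_list, registry):
    """List-holder side: keep only addresses whose digest is absent from the registry."""
    return [a for a in mailing_list if not is_registered(a, registry)]


# Constructed sample data (not from the article).
GENUINE = ["alice@example.com"]
HONEYPOT = ["qz19xv@example.net"]  # decoy published for alice; indistinguishable once hashed
REGISTRY = build_registry(GENUINE + HONEYPOT)

# A mailing list holding one registered address in different case, one unregistered
# address, and the honeypot it harvested from the web.
SAMPLE_MAILING_LIST = ["Alice@Example.com", "bob@example.org", "qz19xv@example.net"]


def demo():
    """Returns the scrubbed list: only the unregistered address survives."""
    return scrub_mailing_list(SAMPLE_MAILING_LIST, REGISTRY)


if __name__ == "__main__":
    print(demo())
```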
But why would spammers sign up for the registry in the first place? Because Blue Frog users, if there are enough of them, could cripple the spamvertized sites with their automated complaints.
The software does not send an email complaint. Rather, it automatically visits the spam web site and fills out any HTML form it finds with a complaint along the lines of "Your site was advertised in spam", with a link to the Blue Security site.
"The only thing that works in most spamvertized web sites is the bit where you enter your contact or credit card details," Reshef said.
Each user complains once for each spam they get. Collectively, that could amount to a distributed denial-of-service effect on the offending web site, but Reshef said he believes the system to be ethical.
"It’s not a DDoS, people are exercising their right to complain about spam they get," he said. "We’re not trying to do anything illegal or unethical. We’re only doing ethical things, but we are being active."
In theory, this kind of system, if it were fully automated, could be used to execute a joe job attack on an innocent party. By spamvertizing a legitimate site, the software would complain and cause the DDoS effect.
But Reshef said this is avoided by the fact that Blue Security’s researchers are manually blacklisting and whitelisting sites, based on their knowledge of what sites are currently in use by certain groups of known spammers.
Currently, Blue is tracking 65 spam groups that Reshef estimates are responsible for 90% of the spam received. The manual review element means it would not be possible to joe-job, say, google.com, he claimed.
Blue Security, which is backed by $3m of venture capital financing from Benchmark Capital, has its corporate headquarters in Menlo Park, California and its R&D lab in Herzliya Pituach on Israel’s Silicon Coast.
The company plans to give the software and service away for free to consumers. After the public beta, launched today at www.bluesecurity.com, the company will start to offer it to enterprise users for a fee.