MillerHighLife21 writes: I'm at a business that has to deal with a lot of phishing attacks and we've spent a significant amount of time over the last year building security policies to deal with it (Geographic account locking, etc). It's helped to protect accounts when compromised, but the continued phishing is a huge annoyance and a waste of time. I've been wondering about trying to actively become just as much of a pain to them as they are to me by setting up a bot to spam the login forms of phishing sites that our users report to us until we get them taken down. I figure at the very least polluting the data they are gathering could help make it less effective or even potentially just drop in some fake logins that we can use to flag IP addresses that try to login with them. Anybody know if something like that would be legal?