To poison some phishing data you don't need to overload any server. Although the act itself of poisoning data could be seen as a DoS but since the service in question is an illegal one IANAL but I don't think it would stand in court.
It is very important to understand this from the legal stand point. If you overload a legitimate or illegitimate service you might commit a crime (depending on the country). I can give you a simple example of this in a different context. In our country you cannot go after the criminal who committed the crime and cannot cause them harm. Few years back a lady got robbed by two guys on a motorbike and she went after them and hit the motorbike with her car. She was prosecuted for assault. This is a very similar situation here. Again, depending on your country, state etc. this _might_ be a bad idea.
I see your point but anyway I think that phishers hardly will sue you for poisoning their data, because you probably just uncovered one phishing campaign but they run tens of them. Putting Justice in the loop would be much riskier for them, I believe.
