An anti-challenge-response Xmas linkfest

December 14, 2006 at 1:01 pm, Uncategorized

As all right-thinking people know by now, Challenge-response spam filtering is broken and abusive, since it simply shifts the work of filtering spam out of your email, onto innocent third-parties — either your legitimate correspondents, people on mailing lists you read, or even random people you have never heard of (due to spam blowback).

I’ve ranted about this in the past, but I’m not alone in this opinion — and frequently find myself explaining it. To avoid repeating myself, here’s a canonical collection of postings from around the web on this topic.

  • Spamcop FAQ: Why are auto responders bad?:

Description: This “selfish” method of spam filtering replies to all email with a “challenge” – a message only a living person can (theoretically) respond to. There are several problems with this method which have been well known for many years.

  1. Does not scale: If everyone used this method, nobody would ever get any mail.
  2. Annoying: Many users refuse to reply to the challenge emails, don’t know what they are or don’t trust them.
  3. Ineffective: Because of confusion about these emails, many of them are confirmed by people who did not trigger them. This results in the original malicious email being delivered.
  4. Selfish: This is the problem we are mainly concerned with. By using challenge/response filtering, you are asking innumerable third parties to receive your challenge emails just so that a relatively few legitimate ones get through to the intended recipient.

  • Karsten M. Self: Challenge-Response Anti-Spam Systems Considered Harmful:

C-R systems in practice achieve an unacceptably high false-positive rate (non-spam treated as spam), and may in fact be highly susceptible to false-negatives (spam treated as non-spam) via spoofing.

Effective spam management tools should place the burden either on the spammer, or, at the very least, on the person receiving the benefits of the filtering (the mail recipient). Instead, challenge-response puts the burden on, at best, a person not directly benefitting, and quite likely (read on) a completely innocent party. The one party who should be inconvenienced by spam consequences, the spammer, isn’t affected at all.

Worse: C-R may place the burden on third parties either inadvertently (via spoofed sender spam or virus mail), or deliberately (see Joe Job, below). Such intrusions may even result in subversion of the C-R system out of annoyance. Many recent e-mail viruses spoof the e-mail sender, including Klez, Sobig variants, and others.

  • John Levine: Challenge-response systems are as harmful as spam:

The collateral damage from widely used C/R systems, even with implementations that avoid the stupid bugs, will destroy usable e-mail. [jm: in fairness, this was written in 2003.]

Challenge systems have effects a lot like spam. In both cases, if only a few people use them they’re annoying because they unfairly offload the perpetrator’s costs on other people, but in small quantities it’s not a big hassle to deal with. As the amount of each goes up, the hassle factor rapidly escalates and it becomes harder and harder for everyone else to use e-mail at all.

  • Ed Felten: A Challenging Response to Challenge-Response:

I’m skeptical of CR as a response to email. If you’re the first on your block to adopt CR, and if nobody else uses anti-spam technology, then CR might provide you some modest benefit. But it’s hard to see how CR can be widely successful in a world where most people use some kind of spam defense.

  • Jeremy Zawodny: TMDA Users Can Blow Me (heh):

If these systems are so brain-dead as to not bother adding my address to the whitelist when the user sends me e-mail, I have serious trouble understanding why anyone is using them.

Is it just me? Is this too hard to figure out?

Anyway, there’s another 5 minutes I’ll never get back. It’s too bad there’s no mail header to warn me that “this message is from a TDMA user”, because then I’d be able to procmail ‘em right to /dev/null where they belong.

Ugh.

This bullshit is not going to “solve” the spam problem, people. If that’s your solution, please let me opt out. Forever.

  • Michele Neylon: Why C/R is not a good idea:

C/R slows down and impedes communication by placing unwanted barriers between you and your clients/suppliers.

If you must insist on using some form of C/R please make sure that you whitelist my address before you contact me as I will not reply to challenges.

  • TidBITS policy on Challenge-Response:

We will not answer any challenges generated in response to our mailing list postings. Thus, if you’re using a challenge-response system and not receiving TidBITS, you’ll need to figure that out on your own. Also, if you send us a personal note and we receive a challenge to our reply, we may or may not respond to it, depending on our workload at the time.

  • Fedora Project policy on UOL — a Brazilian ISP that uses C-R extensively:

uol.com.br uses a very broken method of anti-spam. Every time someone sends an email message to one of their members, they send back a verification message, asking the original sender to click a link before they will allow the message through. These messages are themselves a form of spam, and the resulting back-scatter of these messages is altogether bad for the Internet, the UOL member, and all of the UOL member’s contacts. UOL is aware of the complaints against them, and they refuse to correct the issue, claiming that their members love the service.

  • Matt Sergeant: C-R spam solutions:

I hate C/R systems. With a passion. I absolutely will not respond to them. They go in the trash. I don’t get them very often but I get them more and more. I think they have the potential to seriously damage email communication as we know it. And I’m not alone in this opinion.

  • Richi Jennings: ‘Challenge/Response makes you a spammer.’

  • BusinessWeek: Stephen Wildstrom: A Spam-Fighter More Noxious Than Spam: ‘Challenge-response filtering systems are likely to wipe out e-mails you want, too.’

  • and lots more at Spamlinks.net

Phew.

Tags: abuse, anti-spam, backscatter, blowback, bounces, c-r, challenge-response, email, filtering, rants, smtp

32 Comments

  1. Chase Venters said,

    December 14, 2006 @ 6:20 pm

    I wrote a C/R system specifically for my address at work. Why? I really didn’t have a choice. We have a hosted mail solution (which is really stupid but not for me to decide). We also used to have a prankster co-worker who took it upon himself to sign my work address up for all kinds of spam. Suddenly there was a great flood… and the spam filtering was doing nothing to stop it.

    I hardly ever receive legitimate mail from people outside the company, and the company itself is whitelisted (of course), so I consider it a perfectly valid use of the technology, especially considering that it took me from 50 spam messages every morning to maybe 1 a month (when the unwanted mail is sent from a semi-legitimate advertiser that doesn’t forge its headers and also employs an auto-responder).

    The last thing I’d say is that the war on /autoresponders/ is worse than C/R systems. Some parties like SpamCop are insane enough to imply that anyone who implements any kind of autoresponder is subject to being branded a spammer… and then they propose breaking Internet mail queues just so they can avoid bounce messages… and they never seem to say what to do about majordomo…

  2. Justin said,

    December 14, 2006 @ 6:33 pm

    Chase — if you wanted to be on the bleeding edge, you could modify the autoresponder to only respond to mails that had passed SPF/DK/DKIM sender verification. That takes care of the “auto-response to spammer forgery” issue, and would avoid you being listed by Spamcop…

  3. Richi Jennings said,

    December 14, 2006 @ 10:06 pm

    Chase “hardly ever receives legitimate mail from people outside the company”, but I’m betting he receives a load of non-legitimate mail “from” people who are now innocent victims of his home-grown C/R system.

    Nothing “perfectly valid” about that. Of course, now we see the usual clarion call of the C/R user: “It took me from 50 spam messages every morning to maybe 1 a month” (i.e. “It works great for me, so stop moaning about having to filter my vomitus.”)

    As for “the war on autoresponders” — PUT A SPAM FILTER IN FRONT OF THEM! (Sorry for shouting, but I’m fed up of saying it to admins who object to polite backscatter reports.)

    As for “breaking mail queues” — that’s just specious. It’s quite simple: 1. 5xx reject at your boundary MTA, don’t accept-then-bounce. 2. If you can’t handle the message temporarily, 451 it.

    And if you can’t understand all this, you don’t deserve to be an email admin. Give the job to someone competent.

  4. Richi Jennings said,

    December 14, 2006 @ 10:09 pm

    Oh, and may I abuse my position while I’m here with a sad report about another C/R startup?

    In case you’ve not heard, it’s called Boxbe. It’s a service that promises to forward unsolicited email only from those willing to pay a fee for your attention. In other words, an economic “solution” to spam. More details at m’blog.

  5. Chase Venters said,

    December 15, 2006 @ 12:40 am

    Richi:

    For the record, my C/R system e-mails me a log file every night that lists the sender and subject of every message as well as its disposition. So if legitimate senders are getting caught up in my C/R system, I notice it.

    The vast majority of challenges I send end up bouncing. After a host bounces a few challenges, they are automatically blacklisted for 6 months.

    I also love the fact that opponents of C/R systems are quick to call us (the users) out for how much we are supposedly victimizing other people due to misdirected backscatter. What makes your opinion less relevant than mine (other than the fact that this is my e-mail account we are talking about) is that I monitor real, live data from my system. As I said before, most of my challenges bounce. This means that the envelope on the original mail was not only forged, but forged to come from a host that either does not exist or does not itself take mail. In fact, I don’t think I’ve ever seen a valid individual’s e-mail address in my reporting.

    Backscatter could happen, in theory, but opponents of C/R would rather blame those that use C/R than the spammer that sent the forged spam in the first place. Why must you further make assumptions about the volume of backscatter my system generates? I am telling you that it is close to nil.

    I wouldn’t use C/R on most of my addresses. I use it at work because of the special circumstances I described in my original post.

  6. miles said,

    December 15, 2006 @ 1:56 am

    Wonder if the captcha test frequently used by C/R have ever been used a la porn monkeys (show free porn in exchange for answering a captcha that signs up a yahoo/hotmail/whatever account).

    One of the issues subtly or not mentioned is the dictionary attack. The blowback problem can look like a server dictionary attacking a domain. I’ve seen issues where large ISPs have been auto blocked (and rightly so) by other large ISPs because the blowbacks were going to so many invalid recipients.

    From the user perspective, I’m definitely in the ‘why do you think my time is less valuable than your time’ camp — if you don’t want to read my email, don’t, but you better not complain about it!

  7. Justin said,

    December 15, 2006 @ 2:49 pm

    Chase –

    ‘The vast majority of challenges I send end up bouncing. After a host bounces a few challenges, they are automatically blacklisted for 6 months.’

    How does that help avoid creating C/R blowback for real recipients?

    ‘As I said before, most of my challenges bounce. This means that the envelope on the original mail was not only forged, but forged to come from a host that either does not exist or does not itself take mail.’

    Here’s a maths lesson.

    • Let’s say you get 1000 spams per day; of that, most — let’s say 99% — of the spam uses forged env-sender addresses instead of some (real) third party’s address.

    • Now let’s say there are 100 other people using C/R filters, with a similar mail load.

    • If that third party’s address is used for a spam run that hits all those 100 people, he’ll now get (1000 * (1/100)) * 100 = 1000 C/R bounces.

    in other words, even though real-address forgeries are insignificant from your point of view, from the addressee’s POV, it’s a major problem — due to the scale of spam!

    ‘Backscatter could happen, in theory, but opponents of C/R would rather blame those that use C/R than the spammer that sent the forged spam in the first place. Why must you further make assumptions about the volume of backscatter my system generates? I am telling you that it is close to nil.’

    Adding to the problem does not help.

  8. Richi Jennings said,

    December 15, 2006 @ 3:08 pm

    Chase says:

    my C/R system e-mails me a log file every night that lists the sender and subject of every message as well as its disposition. So if legitimate senders are getting caught up in my C/R system, I notice it … I don’t think I’ve ever seen a valid individual’s e-mail address in my reporting

    Huh? How on Earth is that going to tell you whether an innocent 3rd party has received a challenge from you? I’m not really sure you quite understand the issue.

    I don’t see any “special circumstances” in your post that would forgive this kind of email abuse. If you’re receiving spam, use a spam filter like the rest of us do.

    And it’s not a question of “victimization”. You’re just unfortunately misguided. These are my email accounts we’re talking about (not just my spamtraps). Accounts that are receiving abusive challenges from people like you.

  9. Chase Venters said,

    December 15, 2006 @ 4:56 pm

    Justin -

    ‘How does that help avoid creating C/R blowback for real recipients?’

    It is a measurement, not a mechanism — it doesn’t do anything except illustrate that the alleged blowback problem is very small, if it is a problem at all.

    Addressing both Justin and Richi -

    I agree that backscatter is a problem. But I’m telling you that you are misdirecting your rage. There are simply too many legitimate cases for auto-responders to enact blanket prohibitions on them:

    1. Majordomo, or mailing list managers. How do you propose we replace them? What if someone sends an incorrectly formatted message, or sends a message to post to the list and an authentication problem occurs? What if someone sends mail to a subscribe address — is it okay to challenge them then, or would you prefer the mailing list simply accept the subscription as real and begin transmitting messages immediately?

    2. Sites where mail does not arrive at the final destination in one hop cannot refuse mail to the original sender’s server at the door in all failure cases. If mail finds its way to a queue on your local site and then later can’t be delivered, users expect a bounce message. It’s not just an expectation – it’s a well-practiced standard.

    3. Ticket systems for customer service groups often respond to a message and assign a case number. Are you also a victim of these services?

    I will agree that if you are going to enable some kind of a service that automatically generates a response to any incoming e-mail, you should take the necessary steps to prevent mail loops and also to put some kind of filtering in front of the service.

    But it boils down to this – if you are not willing to step up and say that Majordomo (and its kind) must die, then you are being a total hypocrite because its response messages could be just as misdirected as any other form of automailer, and because it is actually a mailing list (often made up of multiple e-mail addresses), then chances are it is also more widely published (and hence surely the target of far more spam).

    And if you want to kill Majordomo in your quest to end Internet spam, then I’d say you’re fighting in a holy war that has simply gone too far…

  10. Richi Jennings said,

    December 15, 2006 @ 5:29 pm

    Much of what Chase says I actually agree with. The point is, our ire isn’t directed at auto-responders, it’s directed at those auto-responders that blindly reply to forged email. That’s why I “suggested” that putting a spam filter in front of them should be job#1.

    Amongst the 25,000 backscatter messages I received over Thanksgiving were many misdirected list manager replies, acknowledgments from helpdesk ticketing systems, and the like.

  11. Chase Venters said,

    December 15, 2006 @ 6:02 pm

    Richi:

    For the record, the C/R system I employ does not even look at mail that has not passed through the site’s fairly thorough spam filtering. The only reason I went to the trouble to write one is because of the prankster co-worker that had fed my e-mail address intentionally into as many surveys and as much junk as he could find, causing pages full of spam to make it through the spam filter each day. The C/R system was written to stop the crap the regular spam filter didn’t.

  12. miles said,

    December 15, 2006 @ 7:17 pm

    @Chase:

    ‘After a host bounces a few challenges, they are automatically blacklisted for 6 months.’

    What’s a ‘host’ in this case (domain or connecting IP)? If it’s the domain, hopefully you have some exceptions — like if the domain has ever sent you real mail or someone in your address book has the domain, to prevent the $random@yahoo/hotmail/gmail that doesn’t exist forgery from getting the real domain blacklisted. IP would be another story…

  13. Chase Venters said,

    December 15, 2006 @ 7:20 pm

    Miles:

    I made an error… I meant to say “After a user bounces a few challenges…”

  14. daryn said,

    December 15, 2006 @ 7:23 pm

    I used to be involved with a popular c/r service, and while it was far from perfect, I think the majority of complaints people have about c/r are related to bad implementations rather than the principal concept of the system.

    Brad Templeton posted an essay once about best practices of c/r. He addresses most of the issues shown above, and how to deal with them appropriately. For example, we didn’t challenge email that failed any of the following tests: SPF, A/V, basic filtering, obvious mailing list mail, system/role messages, other c/r systems, and a bunch of other heuristics. We automatically added to your whitelist anyone to whom you sent email. We allowed many different ways for users to control their white/black lists, from email addresses (both to and from), to domains and tlds, to subject keywords, and other headers. Basically, we looked at every complaint that came in, and every step in our process, and tried to determine the best way to handle each situation.

    Our goal was to build the system in such a way that even if the users didn’t do any setup or management of their whitelist, it would still be both effective and non-intrusive to their contacts.

    Did we succeed? Well, not entirely, but the system has been running for 4 1/2 years, with a good number of happy users, and is constantly being refined.

    Is C/R the best solution? For most people, I think not. Filters are good enough for the majority of users out there, but some people need a little more (or can’t risk the false positives of filtering). For them, I think a good c/r system, on top of an effective but not overly strict filter system, is a very viable solution.
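A gate of the kind Justin (comment 2) and Daryn (comment 14) describe, with Richi’s spam-filter-first rule, as an added example that is not the post’s code and not any C/R product’s. The headers it checks are standard ones (Return-Path, Auto-Submitted, List-Id, Precedence, Authentication-Results); the X-Spam-Score header, its threshold, the role-address list and all sample messages are assumptions constructed for the example.

```python
"""Gate that decides whether an incoming message may be challenged or auto-replied to.

Added example for this thread (not the post's code, not any C/R product's). It
encodes the commenters' requirements: a spam filter in front of the responder
(Richi), no challenge unless SPF or DKIM vouched for the sender (Justin), and
Daryn's exclusions for bounces, mailing lists, role accounts and other automatic
mail. The spam-score header, its threshold and every sample below are assumptions.
"""
from email import message_from_string, policy

SPAM_SCORE_LIMIT = 5.0   # assumed: at or above this the filter has already dealt with it
ROLE_LOCALPARTS = {"postmaster", "mailer-daemon", "abuse", "noreply", "no-reply",
                   "bounce", "majordomo", "listserv"}


def may_challenge(raw: str) -> tuple[bool, str]:
    """Return (allowed, reason). Any False means: filter or drop, never respond."""
    msg = message_from_string(raw, policy=policy.default)

    def hdr(name: str) -> str:
        return str(msg.get(name, "")).strip()

    # 1. Null reverse path is a bounce/DSN; replying to it starts a mail loop.
    rp = hdr("Return-Path")
    if rp in ("", "<>"):
        return False, "null return-path (bounce)"
    # 2. Already automatic (RFC 3834): another responder or another C/R challenge.
    auto = hdr("Auto-Submitted").split(";")[0].strip().lower() or "no"
    if auto != "no":
        return False, f"auto-submitted: {auto}"
    # 3. Mailing-list and bulk traffic: nobody at the list address will answer.
    if hdr("List-Id") or hdr("List-Unsubscribe"):
        return False, "mailing-list headers present"
    if hdr("Precedence").lower() in ("list", "bulk", "junk"):
        return False, "precedence: bulk/list"
    # 4. Role and system addresses are not people.
    local = rp.strip("<>").rsplit("@", 1)[0].lower()
    if local in ROLE_LOCALPARTS or local.startswith("owner-") or local.endswith("-request"):
        return False, f"role address: {local}"
    # 5. Sender authentication: a forged envelope earns no challenge, so the forged
    #    third party receives nothing from us (substring test suits the method=result syntax).
    ar = hdr("Authentication-Results").lower()
    if "spf=pass" not in ar and "dkim=pass" not in ar:
        return False, "no spf/dkim pass"
    # 6. Spam filter first: mail the filter flagged is discarded, not challenged.
    score = float(hdr("X-Spam-Score") or 0)
    if score >= SPAM_SCORE_LIMIT:
        return False, f"spam score {score:.1f}"
    return True, "ok"


def raw_message(**headers: str) -> str:
    """Build a constructed RFC 5322 message; underscores in names become hyphens."""
    return "\n".join(f"{k.replace('_', '-')}: {v}" for k, v in headers.items()) + "\n\nbody\n"


# Constructed samples, one per rule of interest. "forged" is the blowback case:
# spam carrying a real third party's address in the envelope and a failed SPF check.
SAMPLES = {
    "legit": raw_message(Return_Path="<alice@example.org>", X_Spam_Score="0.3",
        Authentication_Results="mx.example.net; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org"),
    "forged": raw_message(Return_Path="<victim@example.com>", X_Spam_Score="2.1",
        Authentication_Results="mx.example.net; spf=fail smtp.mailfrom=example.com; dkim=none"),
    "bounce": raw_message(Return_Path="<>", From="MAILER-DAEMON@example.net"),
    "list": raw_message(Return_Path="<owner-dev@lists.example.org>", List_Id="<dev.lists.example.org>",
        Authentication_Results="mx.example.net; spf=pass smtp.mailfrom=lists.example.org"),
    "challenge": raw_message(Return_Path="<cr-bot@example.com>", Auto_Submitted="auto-replied",
        Authentication_Results="mx.example.net; spf=pass smtp.mailfrom=example.com"),
}


def classify_all() -> dict[str, tuple[bool, str]]:
    """Run the gate over every sample; only 'legit' should come back allowed."""
    return {name: may_challenge(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (allowed, why) in classify_all().items():
        print(f"{name:9s} challenge={'yes' if allowed else 'no':3s} ({why})")
```

The order of the checks matters: authentication and the spam score come last so that bounces, list mail and other automatic traffic are excluded even when they carry a passing SPF result.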

  15. Richi Jennings said,

    December 15, 2006 @ 7:36 pm

    Chase’s C/R comes after a good spam filter? Well that puts a very different complexion on things. The likelihood of abusing an innocent 3rd party should be far less. (I strongly suspect that this was the point I was trying to make yesterday, but perhaps my stream of capital letters was too subtle. ;-)

  16. Richi Jennings said,

    December 15, 2006 @ 7:51 pm

    I’ll shut up in a minute, I really will. I just wanted to comment on Daryn’s point about how “Some people … can’t risk the false positives of filtering.”

    The thing is, C/R is causing more and more FPs (yes, even SpamArrest and TMDA). Not only because people can’t be bothered with responding to challenges, or are confused by them (see Steve Bass’s case for a classic example), but also because more and more server-based spam filters are filtering them as spam.

    Practical upshot: fewer legitimate messages get delivered to these users, as a direct result of their use of C/R. Those are false positives by any measure I can think of.

  17. daryn said,

    December 15, 2006 @ 8:11 pm

    Richi – good point!

    That is, for sure, a problem, and unfortunately, for users of those systems, there really isn’t any solution around that except to stop using the system.

    I do, however prefer this happening, to the old way, where people would blacklist our entire netblock; blocking not just the c/r messages, but also messages sent from our users to their users!

  18. John Payne said,

    December 18, 2006 @ 10:26 pm

    Just another data point. I will delete any C/R to an email I know I sent. I’m not filtering someone elses mail for them, thanks. However, if I receive a C/R from something I didn’t send… I don’t believe I have the right to decide for them that they shouldn’t see it. So as quickly as I can, I will respond to those challenges.

    I would encourage others to do the same. If you don’t, how long will it be before someone sues you for not allowing through their daily news/porn/medication alerts?

  19. Richi Jennings said,

    December 18, 2006 @ 10:55 pm

    My spam filters usually do the first action automagically. As to the second, it’s tempting.

  20. George said,

    December 20, 2006 @ 12:21 pm

    Hi, I read your post comment on “joedrumgoole.com/blog/2006/05/16/bebo-vs-myspace-the-world-and-ireland/” about Bebo and MySpace – what you have described is heavily accurate! (and has happened at my school) – most people in my year have Bebo (I’m 16) – I have Bebo (coz some of my friends are on it) – but I do prefer MySpace because of the music and the more cool people on it! Plus you can do more with your MySpace than on Bebo!!

    Please reply!

    Thanks,

    George – London, UK

  21. Morrisy said,

    April 3, 2007 @ 10:38 pm

    As a developer, let me comment on the below:

       1. Does not scale: If everyone used this method, nobody would ever get any mail. NOT TRUE - WE ALL WOULD GET THE MAIL WE WANT.  REMEMBER, A CHALLENGE SENT OUT TO THE INTERNET DIES ON THE VINE IF IT IS BACK AT THE SPAMMER. SPAMMERS HAVE NO WAY TO REPLY AS THEIR DOMAIN LIVES FOR 45 MINUTES.
       2. Annoying: Many users refuse to reply to the challenge emails, don’t know what they are or don’t trust them.  SOLVED IN TODAYS TECHNOLOGY BY A SNIPPET THAT IDENTIFIES WHO YOU JUST SENT AN EMAIL TO
       3. Ineffective: Because of confusion about these emails, many of them are confirmed by people who did not trigger them. This results in the original malicious email being delivered. NOT SURE WHAT YOU SEE HERE - THE INTENDED RECIPIENT SEES THE EMAIL - NOBODY ELSE.  JUST LIKE NORMAL EMAIL.
       4. Selfish: This is the problem we are mainly concerned with. By using challenge/response filtering, you are asking innumerable third parties to receive your challenge emails just so that a relatively few legitimate ones get through to the intended recipient. NO AGAIN - ARE YOU KIDDING?  UNSELFISH BECAUSE YOU ARE LETTING PROSPECTS, FRIENDS AND CLIENTS KNOW "YOUR EMAIL WILL ALWAYS BE IN MY IN BOX"  - IMAGINE IF THE POST OFFICE COULD SAY THAT!
    

    Reading this blog, I see a lot of far fetched protection type statements steering toward filters. I like filters, but they just do not work. The comment that CR produces SPAM is insane. The same internet is crowded with 300X the traffic for every VoIP call asking “did you get the email I sent?”

    Sending a verification back to a spammer hurts nothing. The message dies on the vine. A good CR is what we all need and that is what I see coming down the pipe.

    Who would say no to a SPAM free in-box and who would not hit “reply” once to get their resume, proposal, etc in somebody’s in-box guaranteed?

    I find your site dated and see a lot of filter guys protecting the revenue stream. SMB will be mostly CR in 2 years. Learn to live with it. It is easy and appreciated. You don’t answer the phone if the caller is blank, why would you accept an email?

  22. Justin said,

    May 30, 2007 @ 4:22 pm

    ‘Sending a verification back to a spammer hurts nothing. The message dies on the vine.’

    Morrisy — that’s exactly where you’re wrong. That’s the problem. See this comment again — those “messages dying on the vine” are in fact bombarding innocent third parties.

  23. Daryn said,

    May 30, 2007 @ 8:11 pm

    I think ultimately it’s up to the person to decide if the benefit of a spam free inbox is worth the annoyance to their correspondents, and possible negative effect on their reputation, loss of deals/relationships, etc..

    Properly managed and configured, a good C/R system shouldn’t generate much back-scatter, certainly no more than an auto-responder or vacation system.

  24. Richi Jennings said,

    May 30, 2007 @ 8:32 pm

    Where can I get one of these “Properly managed and configured” C/R systems of which you speak? I’ve certainly never come across one.

    I’ve come across plenty of vendors who claim that their C/R system doesn’t generate backscatter, but guess what? I’ve received backscatter from every one of them in my spamtraps.

  25. D. Stussy said,

    October 1, 2007 @ 7:35 pm

    There is one point that I mentioned on Usenet (comp.mail.misc?) a couple of years ago that has been misse