Why Challenge/Response is Bad

By David Via | Published: April 15, 2005 | 2 Comments

Challenge/response (C/R) is disliked by users and legitimate bulk mailers alike. Unfortunately, anti-spam technologists who should know better keep re-inventing it.

Although useful in some environments, it’s generally worse than today’s state-of-the-art spam filters, which use techniques such as Bayesian filtering, heuristics, and "out of band" connection data analysis. Here’s why…

Users hate receiving challenges, especially if their email address has been forged by a spammer and they’ve never even heard of the person it came from, let alone emailed them. A significant number of people just don’t respond to challenges, which means that the false positive problem is worse than with conventional filtering.

Legitimate mailers hate it because they can’t deal with the flood of challenges when they send out newsletters. Again, the false positive (or "deliverability") problem is worse. Much worse, in this case.

C/R shifts the cost of spam from recipients to the senders of legitimate mail. How dare you make me prove that I am who I say I am? I’ve already published an unambiguous SPF record that says that my IP address is permitted to send email from my domain; what more do you want? We won’t win the war against spam until the costs are shifted to the spammers.

Users who employ C/R are seen by some as spammers in their own right. It’s part of the phenomenon known as "backscatter." Imagine if your email address was used by spammers to forge the "sender" of their pill-pushing messages. You would expect to receive many non-delivery reports from mailboxes that no longer exist, "we don’t want your spam" bounces from badly-configured spam filters, and challenges from people running C/R systems. How is this better than the spam we’re trying to kill?
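As an added illustration of the two points above (the published SPF record, and challenges to forged senders being backscatter), the following Python evaluates a constructed SPF record against a connecting IP address and reports what a challenge to the envelope sender would amount to in each outcome. This is example code written for this page, not the author's or any product's; it handles only the `ip4`, `ip6` and `all` mechanisms so that it runs offline, and the record, addresses and the decision rule in `challenge_outcome` are assumptions made for illustration.

```python
"""Offline SPF evaluation for the challenge/response backscatter argument.

Added example; not code from the original post. Handles only the ip4, ip6
and all mechanisms, so it needs no DNS. The record and the addresses are
constructed (documentation ranges from RFC 5737 and RFC 3849).
"""
import ipaddress

# Constructed SPF record of the kind the author says he publishes for his domain.
EXAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 ip6:2001:db8::/32 -all"

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a v=spf1 record into (qualifier, mechanism, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term and term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")   # e.g. ip4:192.0.2.0/24
        terms.append((qualifier, mech.lower(), arg or None))
    return terms


def check_spf(record, client_ip):
    """Evaluate the record against the connecting IP; returns the SPF result.

    Mechanisms that need DNS (a, mx, include, exists, ptr) are skipped here,
    which is an assumption of this offline example, not SPF semantics.
    """
    ip = ipaddress.ip_address(client_ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech in ("ip4", "ip6") and arg:
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                continue                     # malformed term: ignore it
            if ip in net:                    # False when address families differ
                return QUALIFIER_RESULT[qualifier]
        elif mech == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                         # no mechanism matched


def challenge_outcome(record, client_ip, envelope_from):
    """What a C/R challenge to envelope_from would amount to, given SPF.

    Returns (send_challenge, reason). This decision rule is the example's
    own, written to illustrate the post's argument, not any product's logic.
    """
    if envelope_from in ("", "<>"):
        return False, "null sender: nothing to challenge, a reply is backscatter"
    result = check_spf(record, client_ip)
    if result == "pass":
        return False, "SPF pass: sender already proved authorised, challenge is redundant"
    if result == "fail":
        return False, "SPF fail: sender address is forged, challenge is backscatter"
    return True, f"SPF {result}: sender unverifiable, challenge goes to an unknown party"


if __name__ == "__main__":
    # Constructed scenarios: the author's own server, a forged sender, a bounce.
    for ip, sender in [("192.0.2.10", "author@example.com"),
                       ("203.0.113.5", "author@example.com"),
                       ("203.0.113.5", "<>")]:
        print(ip, sender, challenge_outcome(EXAMPLE_SPF, ip, sender))
```

The point the code makes is the author's: when SPF passes, the sender has already proved what the challenge would ask for, and when it fails, the address is forged and the challenge only lands on an innocent third party. The challenge only ever "helps" in the unverifiable middle case, which is exactly where the recipient of the challenge is least likely to answer it.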

If you run a C/R system, you are likely to be blacklisted for spamming, and your ISP will receive abuse complaints about you. You may even lose your connectivity as a penalty for violating your ISP’s Terms Of Service or Acceptable Use Policy.

  • Vendors: enough with the C/R reinvention already!
  • Users and IT managers: don’t buy it. There are much better ways to filter spam without the problems that C/R will cause you.

[Edit: fix typos]

One Comment

  1. bertoch
    Posted December 27, 2006 at 11:39 AM | Permalink

    poor baby.
    I don’t care if it shifts the cost to you. Price of doing business.

    Reply

One Trackback

  1. By Richi'blog on May 2, 2005 at 3:25 PM

    Why C/R is bad

