It seems that Challenge-Response solutions to the spam problem are getting more popular, with lots of people using systems like ASK, TMDA and several commercial systems (including Earthlink now offering C/R to their home users).
Now I hate C/R systems. With a passion. I absolutely will not respond to them. They go in the trash. I don't get them very often but I get them more and more. I think they have the potential to seriously damage email communication as we know it. And I'm not alone in this opinion.
But, it occurred to me that maybe I'm being too strict. I'm thinking back to the early days of the web, when we also predicted that cookies had dire consequences, and were a really fundamentally bad idea, and would damage the web as we knew it. But they didn't really. I use cookies every day, and use them in the web sites I develop.
I think the above is wrong though. We're all familiar with C/R systems in mailing lists - you get a challenge when you subscribe to confirm that your email address is valid and you really wanted to subscribe. That confirms that you want to receive mails from the list. But with a C/R anti-spam system you're confirming that you want to send mails to somewhere, and that seems backwards to me. If I didn't want to send something there I wouldn't have, umm, sent something there, and I'd really rather not be questioned about it, thanks.
As a company we need to be able to deal appropriately with the rise in C/R systems, and be able to talk about them sensibly if we're going to dismiss them as a solution, so feel free to post any pros/cons to this entry. I have a list of my own somewhere but I'm interested in other people's opinions.
Like you, I encounter these periodically and I don't like them either. The particularly annoying scenario I encountered recently was that someone sent me email. I replied to their question and was then expected to leap through hoops to shepherd my reply through their challenge response system.
Re:Not a fan of C/R Email
inkdroid on 2003-05-14T11:59:59
That's a poorly designed C/R system. The C/R systems that I've seen (and liked somewhat) will automatically whitelist an email address when an email is *sent* to that address. This means that people within an organization can send an email to whoever they want, and when that person responds it will go straight through.
If email lists sent from the same address that you sign up at, then C/R systems that use the whitelisting technique above would have no problems receiving emails sent from legit email lists. The problem is that the list software I'm familiar with (listserv, ezmlm) have you sign up at different addresses than the list which email is sent from. I imagine this could be adjusted somehow though. If C/R systems were to catch on.
I must be different because the first time I got a challenge from a C/R system I was intruiged and thought it was rather interesting. Presumably the challenge could also contain some question that it would be hard for spammers to automate an answer to. Perhaps if I understood more why people disliked the systems then I would understand more. As with implementations of SMTP, there are applications that do a sloppy job, and some that do a better job. The same will certainly be true for C/R systems as well.
Matt, just to play devil's advocate here: are you against C/R systems because (if widely adopted) they would make spam filtering no longer a viable business niche? Heresy!
Re:Not a fan of C/R Email
Matts on 2003-05-14T14:22:05
Haha!
No, I'm against them because spammers lie. They forge the reply address to someone innocent. That means that the amount of spam I receive is going to double (as I count C/R requests as spam).
I have a good mind to respond to C/R's that are the result of a joe-job against my domains just to prove this point.
Mostly though I'm against them because I consider it impolite. A C/R anti-spam system is a cost shifting exercise. It shifts the recipients cost of spam to everyone who sends him email. That cost *should* be pushed to the spammers, not to legitimate users.
I have a list of other problems, but it's a few pages;-) Re:Not a fan of C/R Email
inkdroid on 2003-05-14T14:57:52
Just to take my devil's advocacy a bit further &evilgrin; When a spammer lies, using another persons email address as the From, then the content of their original email would not be delivered, thus reducing the incentive to send it in the first place. The few C/R systems I've interacted with did not include the content of the email I sent as part of the challenge.
Sure, someone else would get the "challenge"...But if that person was also using a C/R system then they would never need to know...would they? All this amounts to alot more email traffic, but the existing Spam situation is already leading to a spike in traffic. I'd be interested to see your list, as I'm sure there are good points on there.
Re:Not a fan of C/R Email
vsergu on 2003-05-14T15:05:49
The idea is for the spammer to use 'From' addresses taken from the same group the 'To' addresses came from (for example, they appeared on a web page together). Then there's a chance the addresses have been whitelisted previously and the spam will get through.
And everyone not using C/R gets bombarded with ever-increasing numbers of challenges.
C/R is a poorly thought-out attempt at solving the spam problem. It needs to be stopped before it makes the situation worse.Re:Not a fan of C/R Email
inkdroid on 2003-05-14T15:30:04
Oh, I hadn't thought of that. Duh. I guess one solution to that problem would be to only position C/R systems in between the Internet and an organizations Intranet: so internal emails would never go through it, and email posing as internal email with common username would be rejected. But you are right, this gets way to complicated way too fast, and if widely adopted would result in way too much complexity.Re:Not a fan of C/R Email
vsergu on 2003-05-14T15:55:12
When I said the same group, I didn't necessarily mean the same domain. I'm not really talking about people in the same organization, just people who seem to be associated in some way and thus might be on each other's whitelists. Such people may show up on a web page together, for example.MD5 it
Purdy on 2003-05-14T18:03:58
You know what'd be an interesting twist - if you look at all the headers and MD5 checksum a concatonation of the server routes, from origin to destination and when you add the e-mail to a whitelist, you also associate it with the MD5 checksum of the traffic route. Any spammer forging the 'From' address won't be able to reproduce the route.
JasonRe:Not a fan of C/R Email
Matts on 2003-05-14T15:54:05
So in order for C/R to work everyone has to implement it?Re:Not a fan of C/R Email
inkdroid on 2003-05-14T16:12:46
Well, that is the case with SMTP as well no? And communism:-) Re:Not a fan of C/R Email
WebDragon on 2003-05-14T13:14:00
This is exactly why I don't like them either. As the other person said, if there was an automatic whitelisting of the e-mail that the person sent TO expecting a reply FROM that would then bypass the C/R I'd be okay with it.
As it is, it tends to get in the way of communication, which is ostensibly what the internet is all about. The more difficult we make communication, the less of it is likely to happen. Basic principle of quantum laziness.:) Re:Not a fan of C/R Email
vsergu on 2003-05-14T13:31:56
I have yet to reply to one, though so far the only ones I remember encountering have been when some moron has subscribed to a mailing list but neglected to whitelist it and then every time anyone posts they get the challenge (at least it hasn't gone to the list address). I really wish they could be nipped in the bud, but I fear the plague will spread.
As far as I'm concerned, anyone who wants to offload their spam problem onto me isn't worth writing to. Handle your spam yourself, and don't bother your correspondents with your problems.
Sounds to me like we don't quite understand the problem fully. Or, rather, the current C/R anti-spam solutions are simple, obvious and totally wrong.
To get the desired effect, a general purpose anti-spam system needs to work on the receiver's end, so sender-side C/R is broken as designed. I think that the issue C/R systems are trying to automate is whitelist management for the receiver. With that in mind, a good whitelist management tool would:
I think the answer here is to quarantine messages from unknown senders. If I get more than, say, 5 messages from someone without responding to a single one (or automagically adding the sender to my whitelist), then all future messages from that sender should go into a "gray" folder, because chances are pretty good I don't want to read this message. That should accomplish the desired goal: automate maintenance of whitelists, blacklists and greylists.
Re:Sender vs. Receivers
tombu on 2003-09-11T17:45:11
I completely agree that C/R systems should treat mailing lists differently than regular email. Fortunately, almost all mailing lists set the header "to:" field to the name of the mailing list. A C/R system should not challenge a message if the header "to:" is not to the user of the C/R system. It should put these messages into a special bin and give the user an easy way to say that this "to" is a mailing list (and the messages should be allowed to pass through). This is what knowspam.net does (I am the author of knowspam).
Also, a C/R system is less bothersome if it only challenges a senders address once, even if the sender sends email to more than one of the C/R systems users. If the sender responds, then they should be "verified" for all of the C/R systems users. Obviously, this creates a hole for spammers . knowspam closes this hole by requiring that the sender re-verify themselves after they have sent mail to 50 knowspam users that did not have the sender on their whitelist already.
The appeal of C/R systems is that they are very effective at blocking spam ( Man who gets 3,000 spams a day ). I don't think they break the internet -- spam has broken the internet.
