Why Challenge-Response is a Bad Idea


tardigrade.net policy: If you send a challenge to any of my personal addresses, it will be treated as spam and discarded unread. If you send challenges to the majordomo address, to a list or listowner address, or to contributors of a mailing list that you subscribed to, there is a strong possibility that you will be banned from subscribing to that mailing list, or even be prevented from sending mail to tardigrade.net at all. You may never know what happened, because I won't be able to send you an explanation (read the first sentence of this policy again.) It's entirely your own responsibility to figure it out and deal with it. I currently entirely block mail from the following domains from tardigrade.net, which do nothing but provide challenge-response services: spamarrest.com, mailblocks.com, ipermitmail.com, mailsoap.com.

What is Challenge-Response?

Challenge-response (CR) is the generic name for a spam blocking technique that requires a potential correspondent to reply to an email message or go to a web site and verify that they're 'human' before you accept mail from them. The intent is to stop spam, because it's assumed that spammers won't go to the trouble of verifying themselves. It works to some extent--it will stop some spam, though the spammers are already finding ways around it. But it has many fatal flaws. CR has two of the same anti-social characteristics that spam itself has: the potential to overload mail systems at someone else's expense, and to increase the difficulty of sorting out which mail is worth opening. Overloaded mail servers raises everyone's isp costs. Some of the other flaws have the potential to kill mailing lists, or even email, completely.

Challenge-Response is a guilty-until-proven-innocent scheme

It requires a potential correspondent to reply to an email message or go to a website and verify that they're human before you accept mail from them. The intent is to stop spam, because spammers won't go to the trouble of verifying themselves. So far the scheme works, in a manner of speaking--it will stop some spam, though the spammers are already finding ways around it. But at what cost to yourself and others?

Challenge-Response will prevent you from getting a wide variety of real mail:

But, you say, you can periodically check the rejected mail to make sure you aren't missing anything good! Then why bother with it at all? Use regular spam filters and you're better off--same number of spam subject lines to scan for false rejections, and you'll never confuse or irritate any real people.

Challenge-Response will keep you off of a lot of mailing lists

You may never know why, because the list server won't be able to send you a confirmation request. If you do manage to subscribe to a list somehow, it's downright rude to send such challenges to the people who post to the list, and nearly as bad to direct them to the listowner address. You've already explicitly agreed to accept list mail by subscribing at all. As a listowner, I won't allow any member to confuse and punish contributors with challenges to their humanity. Challenge-Response has come up on several lists for listowners recently, and the opinion has been unanimous against the technique.

The Challenge is just as annoying as spam--and now, challenges often are spam

Spammers have already started disguising their spam as challenge messages, and worms and viruses won't be far behind. So you'd be expecting your legitimate correspondents not only to prove that they're human, but to spend a lot of time trying to determine if your challenge is genuine. It's much easier and safer for your correspondents to direct all challenges to the trash.

Some Challenge-Response providers are spammers

SpamArrest, Mailblocks, and several other providers of challenge-response 'services' collect the addresses of their clients' correspondents, and use them for sending out their own spam. Just read the fine print of their privacy (sic) policies--if you can find them!

Challenge-Response can overload mail servers

All incoming mail, including spam, generates challenges. This doubles the amount of mail that your server has to deal with, increasing the price you pay for service. Because spammers forge the mail headers, the challenges are sent to either innocent or non-existent users. If it's a non-existent user, the server that receives the challenge replies with an error message. The error message generates a new challenge which goes to the other mail server address, possibly triggering a new error message from a different account, which in turn generates a new challenge. This can set off a runaway loop between error messages and challenges. If challenge-response becomes common, it could potentially cause denial-of-service attacks across the entire network.

Just say NO to Challenge-Response.

Dealing with incoming spam directly is a nuisance, but missing out on real mail can be the pits. Prospective employers aren't going to jump through hoops to send you a job offer. If your great-uncle gets confused about the process, he'll miss the invitation to a family reunion

Use responsible filtering instead. There is a new kind becoming available that is extremely effective. It's called Bayesian filtering, and you train it to recognize the kind of mail that you do and don't want to receive. There are many products in the pipeline, both free and commercial. Some are available now, such as Mozilla 1.3 for all platforms, and a SpamBayes add-in for Outlook. Many others should be ready soon, including filters built into Eudora 6 for both Mac and Windows.

A few articles about Challenge-Response


Send mail to the Webmaster: webmaster@tardigrade.net.

http://tardigrade.net/challengeresponse.html     Monday, 03-Jul-2006 18:57:46 PDT.