Challenge/Response eMail systems:

What is Challenge-Response?

Challenge-response (CR) is the generic name for a spam-blocking technique that holds mail from any sender you have not already approved and requires that sender to reply to a challenge message, or go to a web site, to prove they are 'human' before the held mail is delivered. The intent is to stop spam, on the assumption that spammers won't go to the trouble of answering challenges. It works to some extent: it stops some spam, though spammers are already finding ways around it. But it has many fatal flaws. CR shares two of the anti-social characteristics of spam itself: it overloads mail systems at someone else's expense (every challenge is an unsolicited message sent to an address the filter has never verified), and it makes it harder to sort out which mail is worth opening. Overloaded mail servers raise everyone's ISP costs. Some of the other flaws have the potential to kill mailing lists, or even e-mail itself, completely.

Top 10 reasons why challenge/response (C/R) is bad:

[1] You end up being a spammer: most spam and viruses forge the sender address, so the confirmation requests your C/R system sends back go to innocent third parties who never wrote to you (so-called backscatter).

[2] Spammers now send fake confirmation requests, presumably to make people less likely to respond to genuine C/R requests and to harvest live addresses from anyone who does respond.

[3] Many people respond to C/R requests they never initiated (sometimes intentionally, sometimes not). Some people who are fed up with bogus C/R requests respond to all of them, knowing that the spam will then start getting through to the people hiding behind C/R.

[4] C/R companies have been known to send spam to your approved-sender list, harvest your outbound addresses, and then apparently sell those addresses to third-party spammers.

[5] C/R is patented, so most anti-spam programs that use it carry legal liabilities still waiting to be ironed out. The C/R program you buy today may go under tomorrow.

[6] Confirmations sent to mailing lists won't work: a list server cannot answer a challenge, so list mail is held and never delivered.

[7] Confirmations sent to others who use C/R won't work either, because the challenge itself gets challenged. If everybody used C/R, nobody could send e-mail to anybody!

     C-R - C-R deadlock?

     This is funny. It doesn't affect all C-R systems, but some are vulnerable.

     How do two C-R system users ever start talking to each other?

  • User A sends mail to user B. A's C-R system now knows (and allows) B's address, but not the address that B's C-R server sends challenges from.
  • User B's C-R system holds the mail and sends a challenge to A...
  • ...which A's C-R system intercepts as mail from an unknown sender and answers with a challenge to user B's C-R system...
  • Rinse, wash, repeat....

      Any bypass of this deadlock (for example, never challenging a message that looks like a challenge) then opens an obvious loophole for spammers to exploit: mail dressed up as a challenge walks straight in.

[8] People who offer free advice by e-mail end up losing money on C/R: they spend time investigating and responding to C/R challenges, then deal with the spam they receive as a result. Some get fed up with C/R systems and eventually stop offering free advice altogether, never knowing how many of their replies were never seen, which harms everybody.

[9] Legitimate e-mail from automated services (such as order confirmations when buying products online) will never be seen, because the robot that sent it cannot answer a challenge.

[10] Because of #1-#9, most C/R challenges are treated as spam; if the challenge never gets through, the response will never come back either. treats all C/R challenges as spam and reports sending servers to SPAMCOP.
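The failure modes in #1 and #7 (backscatter to forged senders, and the C-R to C-R deadlock with its bypass loophole) are easiest to see by simulating the message flow. The following is an added example written for this page, not code from any real C/R product or from the page's author. The mailbox model, the addresses (a@example.org, cr-b@example.net, and so on), the hop limit and the "exempt challenges" bypass are all assumptions made for illustration; a real C/R system keys confirmations on a token in the challenge rather than on the sender address alone.

```python
"""Simulation of challenge/response (C/R) mail filtering.

Constructed example for this page, not code from any real C/R product. The
mailbox model, the addresses and the hop limit are assumptions; a real
system keys confirmations on a token rather than on the sender address.
"""
from dataclasses import dataclass, field


@dataclass
class Message:
    sender: str                 # envelope sender; spam forges this freely
    recipient: str
    subject: str
    is_challenge: bool = False  # real systems flag this with a header
    hops: int = 0               # challenge rounds that produced this message


@dataclass
class CRMailbox:
    owner: str                       # the user's own address
    challenger: str                  # address the C/R server challenges from
    exempt_challenges: bool = False  # the "bypass": never challenge a challenge
    allowlist: set = field(default_factory=set)
    inbox: list = field(default_factory=list)
    pending: dict = field(default_factory=dict)  # held sender -> original mail

    def compose(self, to, subject):
        # Writing to an address is what puts it on the allowlist.
        self.allowlist.add(to)
        return Message(self.owner, to, subject)

    def receive(self, msg):
        """Return (outcome, follow-up message or None)."""
        # A non-challenge reply to the challenger address from a held sender
        # confirms that sender: release the held mail and allow them.
        if (msg.recipient == self.challenger and not msg.is_challenge
                and msg.sender in self.pending):
            self.allowlist.add(msg.sender)
            self.inbox.append(self.pending.pop(msg.sender))
            return "release", None
        if msg.sender in self.allowlist or (msg.is_challenge and self.exempt_challenges):
            self.inbox.append(msg)
            return "deliver", None
        # Unknown sender: hold the mail and challenge whatever address it claims.
        self.pending.setdefault(msg.sender, msg)
        challenge = Message(self.challenger, msg.sender, "Please confirm: " + msg.subject,
                            is_challenge=True, hops=msg.hops + 1)
        return "hold", challenge


def route(boxes, msg, max_hops=6):
    """Deliver msg and every follow-up it provokes; return one (sender,
    recipient, outcome) tuple per hop. boxes maps each owner and challenger
    address to its mailbox; mail to any other address leaves the simulation
    and is recorded as "external"."""
    trace = []
    while msg is not None and msg.hops <= max_hops:
        box = boxes.get(msg.recipient)
        if box is None:
            trace.append((msg.sender, msg.recipient, "external"))
            break
        outcome, follow_up = box.receive(msg)
        trace.append((msg.sender, msg.recipient, outcome))
        msg = follow_up
    return trace


def boxes_for(*mailboxes):
    return {addr: m for m in mailboxes for addr in (m.owner, m.challenger)}


def deadlock_demo():
    """#7: two C/R users write to each other and nothing is ever delivered."""
    a = CRMailbox("a@example.org", "cr-a@example.org")
    b = CRMailbox("b@example.net", "cr-b@example.net")
    trace = route(boxes_for(a, b), a.compose(b.owner, "hello"))
    return trace, a.inbox, b.inbox


def human_demo():
    """A sender without C/R answers the challenge; the held mail is released."""
    b = CRMailbox("b@example.net", "cr-b@example.net")
    boxes = boxes_for(b)
    first = route(boxes, Message("carol@example.com", b.owner, "hello"))
    reply = Message("carol@example.com", b.challenger, "Re: Please confirm: hello")
    second = route(boxes, reply)
    return first, second, b.inbox


def spam_demo():
    """#1: forged spam makes the C/R server challenge an innocent third party;
    with the challenge exemption on, spam dressed as a challenge walks in."""
    strict = CRMailbox("b@example.net", "cr-b@example.net")
    lax = CRMailbox("c@example.net", "cr-c@example.net", exempt_challenges=True)
    boxes = boxes_for(strict, lax)
    backscatter = route(boxes, Message("victim@example.com", strict.owner, "cheap pills"))
    loophole = route(boxes, Message("anyone@example.com", lax.owner,
                                    "Please confirm: your order", is_challenge=True))
    return backscatter, loophole, lax.inbox


if __name__ == "__main__":
    for name, demo in (("deadlock", deadlock_demo), ("human", human_demo), ("spam", spam_demo)):
        print(name, demo()[0])
```

Running it shows the three cases side by side: in the deadlock every hop is a "hold" until the hop limit stops the loop and both inboxes stay empty; the human sender's plain reply to the challenger address releases the held mail; and the forged spam produces a challenge addressed to the victim who never wrote, while the mailbox that exempts challenges delivers a fake challenge from a complete stranger straight to the inbox.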