Joe Wein
Fighting spam and scams
on the Internet


Challenge and Response spamfilters

Several companies offer challenge and response (C/R) antispam solutions, such as Bongosoft AntiSpam. They are simple and hence cheap to develop, but not necessarily elegant or popular. Here's the principle:

  1. A sends an email to B, who uses a C/R filter.
  2. Since A's address is not yet on B's whitelist, the C/R filter will try to verify that A is a human and not some piece of bulk mail software. The filter sends a message to A, asking him to click on a URL embedded in the mail or to send a reply to the email, retyping letters seen in a graphical image embedded in the C/R mail.
  3. Once the C/R filter has seen what it considers a valid response, it delivers A's pending email to B. If the mail is not validated within a certain timeframe, such as 48 hours, it will be discarded. Some C/R filters also automatically add A's address to a blacklist in that case.
Sounds simple and effective, doesn't it? The devil is in the details. Consider this case:
  1. C sends spam or a virus to B, abusing A's address as the sender address.
  2. The C/R filter sends a challenge email to A, who has no idea what's going on.
  3. If A does not reply, he won't find out why he received the C/R mail, because to ask B any question he first has to get on B's whitelist. In fact, B won't see the reason for the C/R mail to A either until A has confirmed his address. If A ignores the challenge, his address may even get blacklisted by B, so he can never contact B again.
  4. If A successfully responds to the challenge, he will permit a spam or a virus mail to be delivered to B.
  5. Whether or not A responds, B's filter has sent unsolicited email to a third party. If B receives 100 spams a day and 80 of these use fake senders, B will turn these 100 into 180 spams a day.
There are more problems:
  • If both A and B use C/R filters, and neither is on the other's whitelist, there can be a chicken-and-egg problem: Who solves whose challenge first? A and B may never be able to communicate.
  • C/R filters can be abused for a denial-of-service attack. If A sends emails with B's address as the faked sender to thousands of C/R mailboxes, B's mailbox will consequently be bombarded with thousands of challenges and he will have no idea what or who caused this.
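The two failure modes described above, the forged sender and the mutual C/R deadlock, can be checked in a toy model of a challenge/response filter. The following Python is an added example written for this page; it is not code from Joe Wein's site or from any C/R product. The addresses, the 100/80 counts and the message format are constructed, and the model assumes (as a simplification) that a C/R filter never challenges an incoming challenge, to avoid endless loops.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Message:
    sender: str                    # the From address; plain SMTP lets anyone put any value here
    recipient: str
    kind: str                      # "mail", "spam" or "challenge"
    held_id: Optional[int] = None  # for a challenge: id of the held message it refers to


@dataclass
class Mailbox:
    address: str
    uses_cr: bool = False            # is a C/R filter in front of this inbox?
    answers_challenges: bool = True  # does the human behind it answer challenges it sees?
    whitelist: set = field(default_factory=set)
    inbox: list = field(default_factory=list)   # what the human actually gets to read
    held: dict = field(default_factory=dict)    # id -> message waiting for a response
    discarded: list = field(default_factory=list)


class MailSystem:
    """Constructed mail network: delivers messages and applies each mailbox's C/R policy."""

    def __init__(self, *boxes: Mailbox):
        self.boxes = {b.address: b for b in boxes}
        self.next_id = 0
        self.received = Counter()  # (address, kind) -> messages that arrived at that address

    def box(self, address: str) -> Mailbox:
        # Any address not set up explicitly is an ordinary mailbox without a C/R filter
        return self.boxes.setdefault(address, Mailbox(address))

    def send(self, msg: Message) -> None:
        box = self.box(msg.recipient)
        self.received[(msg.recipient, msg.kind)] += 1
        if not box.uses_cr or msg.sender in box.whitelist:
            self._to_inbox(box, msg)
            return
        if msg.kind == "challenge":
            # Assumption: a C/R filter drops challenges from unknown senders rather
            # than challenging them back, which is how the chicken-and-egg case arises
            box.discarded.append(msg)
            return
        # Mail from an unknown sender: hold it and challenge whoever the From line claims
        self.next_id += 1
        box.held[self.next_id] = msg
        self.send(Message(box.address, msg.sender, "challenge", self.next_id))

    def _to_inbox(self, box: Mailbox, msg: Message) -> None:
        box.inbox.append(msg)
        if msg.kind == "challenge" and box.answers_challenges:
            # The human answers: the challenger releases the held message and whitelists
            # the claimed sender, no matter what the held message really was
            challenger = self.box(msg.sender)
            released = challenger.held.pop(msg.held_id, None)
            if released is not None:
                challenger.whitelist.add(released.sender)
                challenger.inbox.append(released)


def forged_sender_scenario(victim_answers: bool) -> dict:
    """C sends spam to B (C/R user) with A's address forged as sender."""
    a = Mailbox("a@example.com", answers_challenges=victim_answers)
    b = Mailbox("b@example.com", uses_cr=True)
    net = MailSystem(a, b)
    net.send(Message("a@example.com", "b@example.com", "spam"))  # really sent by C
    return {
        "challenges_A_received": net.received[("a@example.com", "challenge")],
        "spam_in_B_inbox": sum(m.kind == "spam" for m in b.inbox),
        "A_now_whitelisted_at_B": "a@example.com" in b.whitelist,
    }


def backscatter(total_spam: int, forged: int) -> int:
    """B gets total_spam spams, `forged` of them with innocent third parties as sender.
    Returns the total unsolicited mail the world sees: the spam plus B's challenges
    that land on innocent people."""
    b = Mailbox("b@example.com", uses_cr=True)
    net = MailSystem(b)
    for i in range(total_spam):
        sender = f"innocent{i}@example.net" if i < forged else "spammer@example.org"
        net.send(Message(sender, "b@example.com", "spam"))
    innocent_challenges = sum(n for (addr, kind), n in net.received.items()
                              if kind == "challenge" and addr.startswith("innocent"))
    return total_spam + innocent_challenges


def mutual_cr_scenario() -> dict:
    """A and B both run C/R filters and neither has whitelisted the other."""
    a = Mailbox("a@example.com", uses_cr=True)
    b = Mailbox("b@example.com", uses_cr=True)
    net = MailSystem(a, b)
    net.send(Message("a@example.com", "b@example.com", "mail"))
    return {"B_inbox": len(b.inbox), "A_inbox": len(a.inbox),
            "held_at_B": len(b.held), "dropped_at_A": len(a.discarded)}


if __name__ == "__main__":
    print(forged_sender_scenario(True))   # A's click delivers the spam and whitelists A
    print(backscatter(100, 80))           # 100 spams become 180 unwanted mails
    print(mutual_cr_scenario())           # nobody ever sees anything
```

The model has no notion of the 48-hour expiry, so a held message simply stays held; the point is what reaches each inbox. In the forged-sender case, whether the third party answers or not, the challenge has already been delivered to someone who never sent anything, which is the redirection the text describes.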
It's a broken idea, but that doesn't stop it from selling. Challenge and Response systems stop the user from wasting time, but at the price of making everyone else waste time. Legitimate correspondents, such as a business replying to a sales inquiry or trying to deliver an order confirmation, even friends and family, all are made to jump through hoops.

Considering the widespread abuse of third-party email addresses as fake sender addresses, C/R filters do not really stop spam; they only redirect it to other innocent victims. A selfish idea for selfish times.

