Why Challenge/Response is Bad

Challenge/response (C/R) is disliked by users and legitimate bulk mailers alike. Unfortunately, anti-spam technologists who should know better keep re-inventing it.

Although useful in some environments, it is generally worse than today's state-of-the-art spam filters, which combine techniques such as Bayesian filtering, heuristics, and "out of band" analysis of connection data (who is connecting, from where, and how they behave at the SMTP level). Here's why...

Users hate receiving challenges, especially when a spammer has forged their email address and they have never heard of the person the challenge comes from, let alone emailed them. A significant number of people simply don't respond to challenges, which means that the false positive problem is worse than with conventional filtering.

Legitimate mailers hate it because they can't deal with the flood of challenges when they send out newsletters. Again, the false positive (or "deliverability") problem is worse. Much worse, in this case.

C/R shifts the cost of spam from recipients to the senders of legitimate mail. How dare you make me prove that I am who I say I am? I've already published an unambiguous SPF record listing the IP addresses that are permitted to send email for my domain; what more do you want? We won't win the war against spam until the costs are shifted to the spammers.

Users who employ C/R are seen by some as spammers in their own right. It's part of the phenomenon known as "backscatter." Imagine that your email address was used by spammers to forge the "sender" of their pill-pushing messages. You would expect to receive many non-delivery reports from mailboxes that no longer exist, "we don't want your spam" bounces from badly-configured spam filters, and challenges from people running C/R systems. How is this better than the spam we're trying to kill?

If you run a C/R system, you are likely to be blacklisted for spamming, and your ISP will receive abuse complaints about you. You may even lose your connectivity as a penalty for violating your ISP's Terms Of Service or Acceptable Use Policy.
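The two paragraphs above make a concrete point: the forged "sender" of a spam run usually fails the domain's published SPF policy, so a C/R gateway that challenged only senders who pass (or at least do not fail) SPF would not generate backscatter to the forged addresses. The following is an added example of that check, written for this page; it is not code from the post, nor from any C/R product. The SPF records, the domains and the inbound messages are constructed test data (the 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 and 2001:db8::/32 ranges are reserved for documentation), and the evaluator deliberately handles only the `ip4`, `ip6` and `all` mechanisms so that it runs offline; mechanisms that need DNS (`a`, `mx`, `include`, `exists`) are reported as `permerror` rather than guessed.

```python
import ipaddress

# Constructed sample data (not from the original post): published SPF
# records for two domains, keyed by domain name. In real life these come
# from a DNS TXT lookup.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.net": "v=spf1 ip4:198.51.100.10 ~all",
}

# Result a matching mechanism yields, by its qualifier prefix (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip):
    """Evaluate an SPF record against the connecting client IP.

    Only the ip4, ip6 and all mechanisms are handled; anything that would
    need a DNS lookup (a, mx, include, exists) returns 'permerror' so the
    caller never mistakes an unevaluated record for a pass. Modifiers
    (redirect=, exp=) are skipped. Returns one of pass / fail / softfail /
    neutral / none / permerror.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"          # malformed address or prefix
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        if "=" in name:
            continue                        # modifier such as redirect=/exp=
        return "permerror"                  # a, mx, include, exists: need DNS
    return "neutral"                        # nothing matched and no 'all' term


def should_challenge(envelope_from, client_ip, known_senders, records=SPF_RECORDS):
    """Decide what a C/R gateway should do with one inbound message.

    Returns 'deliver' (sender already known), 'challenge', or 'filter'
    (do not challenge; hand the message to ordinary spam filtering).
    The naive behaviour the post objects to is 'challenge every unknown
    sender'; this version refuses to challenge when the envelope sender
    is the null address (a bounce) or when the sender domain's own SPF
    record says the connecting host may not use that domain, because a
    challenge to a forged address is backscatter.
    """
    if envelope_from in known_senders:
        return "deliver"
    if not envelope_from:                   # MAIL FROM:<>  -- never challenge bounces
        return "filter"
    domain = envelope_from.rpartition("@")[2].lower()
    record = records.get(domain)
    if record is None:
        return "challenge"                  # no SPF published: nothing to go on
    if check_spf(record, client_ip) in ("fail", "softfail"):
        return "filter"
    return "challenge"


def route(messages, known_senders, naive=False):
    """Return the decision for each (envelope sender, client IP) pair.

    naive=True models the classic C/R gateway that challenges everything
    it has not seen before, regardless of SPF or the null sender.
    """
    if naive:
        return ["deliver" if s in known_senders else "challenge" for s, _ in messages]
    return [should_challenge(s, ip, known_senders) for s, ip in messages]


# Constructed inbound messages: (envelope sender, connecting IP).
MESSAGES = [
    ("alice@example.com", "192.0.2.25"),    # genuine: sent from example.com's range
    ("alice@example.com", "203.0.113.7"),   # forged sender, spam host: SPF fail
    ("bob@example.net", "203.0.113.7"),     # forged sender: SPF softfail
    ("", "203.0.113.7"),                    # bounce with null sender
    ("carol@example.org", "203.0.113.7"),   # domain publishes no SPF record
]


def challenges_sent(messages, known_senders, naive=False):
    """Number of challenge messages the gateway would emit (i.e. potential backscatter)."""
    return route(messages, known_senders, naive).count("challenge")


if __name__ == "__main__":
    print("naive C/R challenges:", challenges_sent(MESSAGES, set(), naive=True))
    print("SPF-aware challenges:", challenges_sent(MESSAGES, set()))
```

On the constructed sample the naive gateway emits five challenges, four of them to addresses that never sent anything; the SPF-aware gateway emits two, one to the genuine example.com sender and one to a domain that publishes no SPF record at all. Note that this only reduces the backscatter problem; it does nothing for the other objections above, since legitimate senders who pass SPF are still challenged.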

  • Vendors: enough with the C/R reinvention already!
  • Users and IT managers: don't buy it. There are much better ways to filter spam without the problems that C/R will cause you.

[Edit: fix typos]

One Comment

  1. bertoch
    Posted December 27, 2006 at 11:39 AM | Permalink

    poor baby.
    I don’t care if it shifts the cost to you. Price of doing business.

One Trackback

  1. By Richi'blog on May 2, 2005 at 3:25 PM

    Why C/R is bad
