Challenging Challenge Response Anti-Spam Systems

from the false-positives-galore dept

I've been pretty vocal in explaining why I don't like challenge-response email systems for spam prevention. It seems that the problems with such plans are starting to get a lot more attention. Some are even saying that if challenge-response systems are put in place widely, it could render email useless. I wouldn't go that far, but there clearly are problems with challenge-response systems. This article mostly focuses on problems involving mailing lists, but I don't think that's the worst issue for challenge-response systems. The biggest problem, in my mind, is the "false positive" issue. Anyone who legitimately emails you but doesn't follow through on the challenge-response can be classified as a false positive: a legitimate email that was "blocked" by your spam filter. A good anti-spam system should look at ways to minimize both false positives and false negatives (though there are always tradeoffs). Meanwhile, challenge-response systems can also be seen as increasing spam, for anyone who sends a legitimate email and has to deal with all the incoming challenges.


Reader Comments



  • James H Thompson, 5 Jun 2003 @ 3:18pm

    Combining spam detection and challenge/response

    I set up challenge response in combination with spamassassin. The only emails that get challenged are ones that spamassassin thinks look like spam. This has resulted in almost none of the 'good' emails getting challenged.

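The hybrid setup described in the comment above, sketched as an added example (not code from the post or from any commenter): a message is challenged only when SpamAssassin's `X-Spam-Status` header marks it as spam, and mailing-list or auto-generated mail is held in the pending queue without a challenge, which addresses the mailing-list and challenge-as-spam problems raised in the post. The whitelist, the `route` and `sample` helpers, and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

WHITELIST = {"alice@example.org"}  # constructed: senders already approved

def spam_verdict(msg):
    """Return (is_spam, score) from SpamAssassin's X-Spam-Status header."""
    status = msg.get("X-Spam-Status", "")
    m = re.search(r"score=(-?\d+(?:\.\d+)?)", status)
    score = float(m.group(1)) if m else 0.0
    return status.strip().lower().startswith("yes"), score

def is_automated(msg):
    """List, bulk and auto-generated mail must never receive a challenge."""
    if msg.get("List-Id") or msg.get("List-Unsubscribe"):
        return True
    if msg.get("Precedence", "").strip().lower() in {"list", "bulk", "junk"}:
        return True
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return True
    # A null return path marks a bounce; challenging it creates a mail loop.
    return msg.get("Return-Path", "").strip() == "<>"

def route(raw):
    """Decide what to do with one message: deliver, challenge or hold."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender in WHITELIST:
        return "deliver"          # known correspondent, never challenged
    is_spam, _score = spam_verdict(msg)
    if not is_spam:
        return "deliver"          # looks clean, so no challenge is sent
    if is_automated(msg) or not sender:
        return "hold"             # pending queue only, reviewed by the user
    return "challenge"            # held in pending until answered or approved

def sample(frm, status, extra=""):
    """Build a constructed test message with the given headers."""
    return f"From: {frm}\nX-Spam-Status: {status}\n{extra}Subject: hi\n\nbody\n"

if __name__ == "__main__":
    print(route(sample("carol@example.com", "Yes, score=7.3 required=5.0")))
```
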

  • Anonymous Coward, 6 Jun 2003 @ 6:53am

    No Subject Given

    Despite Earthlink being sued, they still launched their spam challenge setup over the weekend. I implemented it on my accounts and have not received a spam through them yet. One nice thing is that I can go in and view all the pending messages, so that if I see a message or 2 in the pending area from legit sources, I can immediately approve them without having them follow through.


  • todd, 6 Jun 2003 @ 7:03am

    No Subject Given

    I opened a Mailblocks account to try it out and I haven't used it much, but:
    - when you set it up in Outlook, you see both your inbox (good, verified email), and your pending email, so you can pull someone out of "jail" even if they haven't responded to the challenge.

    On the other hand, I sent a friend an email the other day and he was using "ChoiceMail" -- a client-based challenge/response tool (being sued by Mailblocks), and I found it pretty annoying to have to fill out the form to send him an email.

    Mailblocks hasn't yet gotten their whitelisting procedures down -- you can't import your address books from Outlook, though it is their number 1 request in the FAQ. Once they do that, AND allow domain wildcard whitelisting, they'll be a pretty good option, I think.

    Until then, I'm sticking to spamassassin and the delete key.


  • Junk 'n Stuff, 15 Sep 2003 @ 3:45pm

    My option

    Challenge & Response is the best method, period. NO program can make decisions as accurately as I can, though they can make more decisions more quickly. That's where SpamAssassin let me down -- its assumptions as to what is spam were just too narrow.

    Some say C&R is a pain for those wishing to send me email. Well, understand, sending me an email is a privilege. You should have to earn my attention, not simply get it by screaming or slamming my email box. To send me a letter, you earn this privilege by putting a stamp on it. To earn my attention on the telephone, you must pass call screening and caller ID.

    Anyone who has anything important to tell me in an email will go through the trouble of responding to my challenge. If not, I'm simply not interested. No stranger has EVER sent me an email that was important. On the other hand, myself and my time are the most important things in my life, and if you want a piece of it, you've got to earn it.

    That's how I see it!


    • James moomey, 7 Apr 2005 @ 10:46pm

      I agree

      Not that I get that much junk because I try to be careful online but it does add up and once you make a mistake....they must pass it around: Hey, we got a good address here! Most 'good' email is to and from people we know.

      We have caller ID also. If the President calls and has no ID, by golly, he will just have to leave a message.


