How Spammers Will Beat Challenge-Response Systems, And Other Conversations About

from the spam-spam-spam-spam dept

Lots and lots of spam stories today. For all my complaints about challenge-response anti-spam systems, I've always assumed that they would at least work to the level they promise. Mitch Wagner over at Internet Week is explaining how spammers will get around challenge response systems. He suggests that, first, spammers will start sending out fake challenges, getting people to respond (indicating their email address is real). Then, he points out that all challenge-response systems have some sort of "override" that will let messages through - and it won't take long for spammers to figure out how to forge that and break through any challenge-response system. So, then you'll still be getting spam and you'll be annoying anyone who wants to email you legitimately. Sounds like a lose-lose situation. Meanwhile, on the corporate side, too many executives don't realize how big a threat spam is and many office places don't have an official policy for how to deal with spam. The fear in both cases is that employees will help bring an avalanche more spam into the corporate network and that the company could face some legal liability for pornographic spam received. Finally, here's a study saying that spam is costing companies billions. Like studies about software and entertainment theft, I question how they come up with these figures, but it looks like the majority portion is in extra IT resources to deal with the spam problem - which is a legitimate cost (unlike "lost productivity" which is very difficult to measure).