Will Challenge/Response Save Us from Spam?

By Lance Ulanoff  |  Posted 2003-07-28

Mailblocks reloads, taking better aim at spam. Can version 2.0 vanquish the reviled intruder?

Spam is everywhere—I mean everywhere.

The other day, UPS delivered a small package to my office. The box, which was festooned with labels indicating it had traveled through a number of countries, was filled with shredded crepe paper that covered—lucky me—a can of Hormel Spam. The box had actually come from a PR firm hawking yet another expert solution for canning spam. Like I said, spam is everywhere. But so are possible solutions—from the legislative ones we've been watching percolate through the federal government to the technological ones we've seen from Microsoft and other companies.

One of the more intriguing approaches I've seen lately is not necessarily new, but it holds incredible promise, especially if it can be perfected. It's called challenge/response (C/R). I like this strategy because it takes the difficulty computers have in interpreting images and answering unstructured questions and turns it against them.

Spammers use computers to generate random e-mail addresses and then to mass-mail spam out to the list. A C/R system scans incoming mail for items from unfamiliar addresses—those you haven't received mail from before or that are not in your address book. The system temporarily blocks such mail and e-mails the sender a simple question or a link to a Web page where the sender must go and type in the numbers shown in an image. A computer cannot do either of these things (at least not without some heavy computational power), so it will fail the challenge. Thus the original message, if computer-generated, is deleted or placed in some sort of electronic holding pen by the C/R system.

A couple of months ago we reviewed a Challenge/Response mail system called Mailblocks. We were impressed with the low yearly fee of $10, generous mail storage space (12 MB), lean interface, and large 6MB attachment limit. We also liked the service's ability to manage external IMAP and POP3 mail accounts and the intelligent way it handled the spam coming into these accounts. You could even create disposable e-mail addresses. Our main concern in the review was the C/R method. At the time, Mailblocks made you type in the numbers you would see in a graphic (they called it a puzzle). That was just a bit more labor intensive than the solution we saw in Hushmail in which you just clicked a certain spot in a picture.

C/R, in general, faces other issues. For example, most such systems see every address as that of an individual, which can be incredibly annoying if you work with a few big corporations (or are in one yourself). All the people in such a company will have to complete a C/R check to communicate with you. Once they do, they'll never get challenged again, but who has time for all that nonsense? On the other hand, there are some products—ChoiceMail for one—that will let you accept a domain, en masse. Thinking about what would happen if you were to accept all of the e-mail addresses associated with, say, hotmail.com, though, I wonder how wise this is.

I recently had the opportunity to test drive a beta of the newest version of Mailblocks (the final version launches today). With a nod—but no apologies—to The Matrix, this version is called Mailblocks Reloaded. It fixes what I saw as the biggest problem with the C/R system—being forced to fill out the C/R form for every single Mailblocks user with whom you correspond. Reloaded's Challenge/Response 2.0 lets you complete the form for one Mailblocks user and then be accepted automatically by all others.

Reloaded puts all spam in a Pending box. This mail then gets the challenge message (which you can customize). If there's no response, the mail is eventually deleted. I set Mailblocks to manage all of my external, free mail accounts. I could have used Reloaded to manage POP3 and MAPI accounts, as well, but my home broadband account (managed in Outlook Express) doesn't get nearly as much spam as my free mail accounts—yet.

Mailblocks will even delete mail from the external accounts it manages. I let it do so for my Hotmail account, since I need only forget to look at that account for a few days before I max out the paltry 2MB of storage space. I found that as soon as I began sucking mail out of my external mailboxes, Mailblocks' Pending box began to fill up rather quickly. Fortunately, the Pending mailbox will empty itself at periodic intervals. In version 1.1 this occurred every 14 days, but Reloaded lets you specify intervals of 4, 8 or 14 days (I chose every 4 days). If you manage custom e-mail (for example, lance@lance.com) or forwarded ISP e-mail accounts through Mailblocks, you can use those addresses within the service to send outgoing mail.

Reloaded's C/R form is virtually unchanged from version 1.1. The number graphic still resembles a color-blindness test (see the numbers among these colored spots) and can be a bit hard on the eyes. Still, it's far less onerous than ChoiceMail's.

But even Mailblocks, and I would have to assume other C/R systems, can be fooled. I was stunned to see that Mailblocks had missed a message about bizarre sex acts (the subject line was fairly innocuous—"Animal Lovers are Waiting for You"—but the content was not) that came through one of my external accounts. The name on the e-mail was definitely not familiar to me: "Daibhid Chiennedelh". The e-mail address, though, was one of my own. Someone managed to spoof it, and because I had tested my own address with my Mailblocks account and completed the challenge puzzle, Mailblocks identified the address as an accepted one. The software whitelisted the address instead of blacklisting it. I spoke with the people at Mailblocks about the message. Mailblocks, explained a tech rep, actually doesn't recommend that users put their Yahoo and Hotmail e-mail addresses in the whitelist, because those are regular spoof targets. That seems a little counterintuitive, since I know I sometimes mail little test reminders between various accounts, but I got the point.
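The triage described earlier (hold mail from unfamiliar senders, challenge them, release on a human response, purge what goes unanswered) and the spoofed-sender miss above, modeled as an added example that is not Mailblocks code. The class and field names are hypothetical, the addresses are constructed, and the `strict` mode with its `authenticated` flag (assumed to be set by an upstream sender-verification step) is an assumed mitigation, not a Mailblocks feature.

```python
from dataclasses import dataclass, field

PURGE_DAYS = (4, 8, 14)  # Pending-box intervals the article lists for Reloaded
@dataclass
class Message:
    sender: str                  # From address as claimed; trivially forged
    subject: str
    age_days: int = 0
    authenticated: bool = False  # assumption: set by an upstream sender check

@dataclass
class CRGate:
    own_addresses: set
    purge_after: int = 4
    strict: bool = False         # hardened mode (assumed, not a Mailblocks feature)
    whitelist: set = field(default_factory=set)
    pending: list = field(default_factory=list)

    def receive(self, msg):
        addr = msg.sender.lower()
        known = addr in self.whitelist
        if self.strict and addr in self.own_addresses and not msg.authenticated:
            known = False  # mail claiming to be from the owner must prove it
        if known:
            return "inbox"
        self.pending.append(msg)  # held; a challenge goes to the claimed sender
        return "challenged"

    def challenge_passed(self, addr):  # a human answered the puzzle
        addr = addr.lower()
        self.whitelist.add(addr)
        released = [m for m in self.pending if m.sender.lower() == addr]
        self.pending = [m for m in self.pending if m.sender.lower() != addr]
        return released

    def purge(self):  # drop unanswered mail older than the chosen interval
        assert self.purge_after in PURGE_DAYS
        expired = [m for m in self.pending if m.age_days >= self.purge_after]
        self.pending = [m for m in self.pending if m.age_days < self.purge_after]
        return expired

def demo(strict):
    gate = CRGate(own_addresses={"me@example.com"}, strict=strict)
    out = [gate.receive(Message("friend@example.org", "hi"))]
    gate.challenge_passed("friend@example.org")
    out.append(gate.receive(Message("friend@example.org", "lunch?")))
    gate.challenge_passed("me@example.com")  # owner tested his own address
    out.append(gate.receive(Message("me@example.com", "forged spam")))
    return out
```

With `strict=False` the forged message lands in the inbox because the whitelist is keyed on an unauthenticated header; with `strict=True` it is held and the challenge goes to the real owner, who has no reason to answer it.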

I've also seen other C/R systems in action, though mostly from the perspective of mail sender. For instance, I recently replied to an e-mail from one of our readers, James C. Mitchell, an associate professor of journalism at Arizona University. When I attempted to respond, I discovered that he was using ChoiceMail, which made me fill out a form with my name and reason for contacting him. And, as with Mailblocks' C/R system, the form asked me to enter the code sequence depicted in a small graphic on the page. I then received an automated response: "Thanks for jumping through this hoop. My e-mail program should let you in from now on."

All in all, ChoiceMail's C/R process was a little more annoying and time-consuming than I'd prefer. Still, I did it and my message made it to Mitchell's mailbox. Later, I asked him how other people were responding to the C/R system. "I don't get many complaints, perhaps because everybody is so frustrated by spam." Mitchell, who recently authored a crime novel set in Tucson called Lovers Crossing, says that the private Web site he created to promote his book has an e-mail account that does not use any kind of C/R system, "I don't use the challenge, since I want—indeed, hope for—mail from strangers. So I just have to deal with spam there."

Mitchell raises a valid point. While C/R may represent a near foolproof method for blocking spam, the very thing that makes it so successful—human intervention—could hinder its success in the marketplace. When Mitchell wanted to open his doors to feedback for his novel, he chose to forgo the filter. He can't risk not getting comments from fans, critics, and maybe even other media outlets interested in his work.

In the end, Mailblocks is better than before and challenge/response is as good a method for blocking spam as I've seen—but not perfect. Of course, in the world of spam prevention, what is?

Lance Ulanoff is Editor in Chief and VP of Content for PC Magazine Network, and brings with him over 20 years' journalism experience, the last 16 of which he has spent in the computer technology publishing industry.

He began his career as a weekly newspaper reporter before joining a national trade publication, traveling the country covering product distribution and data processing issues. In 1991 he joined PC Magazine where he spent five years writing and managing feature stories and reviews, covering a wide range of topics, including books and diverse technologies such as graphics hardware and software, office applications, operating systems, and tech news. He left as a senior associate editor in 1996 to enter the online arena as online editor at HomePC magazine, a popular consumer computing publication. While there, Ulanoff launched AskDrPC.com and KidRaves.com and wrote about Web sites and Web-site building.

In 1998 he joined Windows Magazine as the senior editor for online, spearheading the popular magazine's Web site, which drew some 6 million page views per month. He also wrote numerous product reviews and features covering all aspects of the computing world. During his tenure, Winmag.com won the Computer Press Association's prestigious runner-up prize for Best Overall Website.

In August 1999, Ulanoff briefly left publishing to join Deja.com as producer for the Computing and Consumer Electronics channels and then was promoted to the site's senior director for content. He returned to PC Magazine in November 2000 and relaunched PCMag.com in July 2001. The new PCMag.com was named runner-up for Best Web Sites at the American Business Media's Annual Neal Awards in March 2002 and won a Best Web Site Award from the ASBPE in 2004. Under his direction, PCMag.com regularly generated more than 25 million page views a month and reached nearly 5 million monthly unique visitors in 2005.

For the last year and a half, Ulanoff has served as Editor, Reviews, PC Magazine. In that role he has overseen all product and review coverage for PC Magazine and PCMag.com, as well as managed PC Labs. He also writes a popular weekly technology column for PCMag.com and his column also appears in PC Magazine.

Recognized as an expert in the technology arena, Lance makes frequent appearances on local, national and international news programs including New York's Eyewitness News, NewsChannel 4, CNN, CNN HN, CNBC, MSNBC, Good Morning America Weekend Edition, and BBC, as well as being a regular guest on FoxNews' Studio B with Shepard Smith. He has also offered commentary on National Public Radio and been interviewed by radio stations around the country. Lance has been an invited guest speaker at numerous technology conferences including Digital Life, RoboBusiness, RoboNexus, Business Foresight and Digital Media Wire's Games and Mobile Forum.

Lance also serves as co-host of PC Magazine's weekly podcast, PCMag Radio.

