Will Challenge/Response Save Us from Spam?

Mailblocks reloads, taking better aim at spam. Can version 2.0 vanquish the reviled intruder?

Spam is everywhere—I mean everywhere.

[Image: Hormel Spam]

The other day, UPS delivered a small package to my office. The box, which was festooned with labels indicating it had traveled through a number of countries, was filled with shredded crepe paper that covered—lucky me—a can of Hormel Spam. The box had actually come from a PR firm hawking yet another expert solution for canning spam. Like I said, spam is everywhere. But so are possible solutions—from the legislative ones we've been watching percolate through the federal government to the technological ones we've seen from Microsoft and other companies.

One of the more intriguing approaches I've seen lately is not necessarily new, but it holds incredible promise, especially if it can be perfected. It's called challenge/response (C/R). I like this strategy because it takes the difficulty computers have in interpreting images and answering unstructured questions and turns it against them.

[Image: Pending Box]

Spammers use computers to generate random e-mail addresses and then to mass-mail spam out to the list. A C/R system scans incoming mail for items from unfamiliar addresses—those you haven't received mail from before or that are not in your address book. The system temporarily blocks such mail and e-mails the sender a simple question or a link to a Web page where the sender must go and type in the numbers shown in an image. A computer cannot do either of these things (at least not without some heavy computational power), so it will fail the challenge. Thus the original message, if computer-generated, is deleted or placed in some sort of electronic holding pen by the C/R system.

A couple of months ago we reviewed a Challenge/Response mail system called Mailblocks. We were impressed with the low yearly fee of $10, generous mail storage space (12 MB), lean interface, and large 6MB attachment limit. We also liked the service's ability to manage external IMAP and POP3 mail accounts and the intelligent way it handled the spam coming into these accounts. You could even create disposable e-mail addresses. Our main concern in the review was the C/R method. At the time, Mailblocks made you type in the numbers you would see in a graphic (they called it a puzzle). That was just a bit more labor-intensive than the solution we saw in Hushmail, in which you just clicked a certain spot in a picture.

C/R, in general, faces other issues. For example, most such systems see every address as that of an individual, which can be incredibly annoying if you work with a few big corporations (or are in one yourself). All the people in such a company will have to complete a C/R check to communicate with you. Once they do, they'll never get challenged again, but who has time for all that nonsense? On the other hand, there are some products—ChoiceMail for one—that will let you accept a domain, en masse. Thinking about what would happen if you were to accept all of the e-mail addresses associated with, say, hotmail.com, though, I wonder how wise this is.

I recently had the opportunity to test drive a beta of the newest version of Mailblocks (the final version launches today). With a nod—but no apologies—to The Matrix, this version is called Mailblocks Reloaded. It fixes what I saw as the biggest problem with the C/R system—being forced to fill out the C/R form for every single Mailblocks user with whom you correspond. Reloaded's Challenge/Response 2.0 lets you complete the form for one Mailblocks user and then be accepted automatically by all others.

[Image: Mailblocks C/R Form]

Reloaded puts all spam in a Pending box. This mail then gets the challenge message (which you can customize). If there's no response, the mail is eventually deleted. I set Mailblocks to manage all of my external, free mail accounts. I could have used Reloaded to manage POP3 and MAPI accounts, as well, but my home broadband account (managed in Outlook Express) doesn't get nearly as much spam as my free mail accounts—yet.

Mailblocks will even delete mail from the external accounts it manages. I let it do so for my Hotmail account, since I need only forget to look at that account for a few days before I max out the paltry 2MB of storage space. I found that as soon as I began sucking mail out of my external mailboxes, Mailblocks' Pending box began to fill up rather quickly. Fortunately, the Pending mailbox will empty itself at periodic intervals. In version 1.1 this occurred every 14 days, but Reloaded lets you specify intervals of 4, 8 or 14 days (I chose every 4 days). If you manage custom e-mail (for example, lance@lance.com) or forwarded ISP e-mail accounts through Mailblocks, you can use those addresses within the service to send outgoing mail.

[Image: ChoiceMail C/R Form]

Reloaded's C/R form is virtually unchanged from version 1.1. The number graphic still resembles a color-blindness test (see the numbers among these colored spots) and can be a bit hard on the eyes. Still, it's far less onerous than ChoiceMail's.

But even Mailblocks, and I would have to assume other C/R systems, can be fooled. I was stunned to see that Mailblocks had missed a message about bizarre sex acts (the subject line was fairly innocuous—"Animal Lovers are Waiting for You"—but the content was not) that came through one of my external accounts. The name on the e-mail was definitely not familiar to me: "Daibhid Chiennedelh". The e-mail address, though, was one of my own. Someone managed to spoof it, and because I had tested my own address with my Mailblocks account and completed the challenge puzzle, Mailblocks identified the address as an accepted one. The software whitelisted the address instead of blacklisting it. I spoke with the people at Mailblocks about the message. Mailblocks, explained a tech rep, actually doesn't recommend that users put their Yahoo and Hotmail e-mail addresses in the whitelist, because those are regular spoof targets. That seems a little counterintuitive, since I know I sometimes mail little test reminders between various accounts, but I got the point.
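The hold-challenge-release flow described earlier and the spoofed-sender bypass above can be modeled in a few lines. This is an added illustration, not Mailblocks code: the class, the addresses, the age-based purge and the `require_auth`/`authenticated` inputs (standing for any check that the sender really controls the From address) are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class CRFilter:
    """Toy challenge/response gate keyed on the From address (constructed model)."""
    accepted: set = field(default_factory=set)    # senders who answered a challenge
    pending: dict = field(default_factory=dict)   # sender -> [(day_received, body)]
    purge_days: int = 4                           # the article cites 4, 8 or 14 days
    require_auth: bool = False                    # hypothetical hardening switch

    def receive(self, sender, body, day, authenticated=False):
        """Return 'inbox' or 'pending'. `authenticated` is an assumed input that
        stands for any check that the sender really controls the From address."""
        sender = sender.lower()
        if sender in self.accepted and (authenticated or not self.require_auth):
            return "inbox"
        self.pending.setdefault(sender, []).append((day, body))
        return "pending"  # a real system would e-mail the challenge here

    def challenge_passed(self, sender):
        """Sender solved the puzzle: accept the address, release held mail."""
        sender = sender.lower()
        self.accepted.add(sender)
        return [body for _, body in self.pending.pop(sender, [])]

    def purge(self, today):
        """Delete held mail older than purge_days; return how many were dropped."""
        dropped = 0
        for sender, held in list(self.pending.items()):
            keep = [(d, b) for d, b in held if today - d < self.purge_days]
            dropped += len(held) - len(keep)
            self.pending[sender] = keep
            if not keep:
                del self.pending[sender]
        return dropped

def demo():
    me = "me@freemail.example"                     # constructed addresses throughout
    f = CRFilter()
    out = [f.receive("stranger@bulk.example", "buy now", day=0),  # unknown: held
           f.receive(me, "test reminder", day=0)]                 # own address: held
    f.challenge_passed(me)                         # owner answers for own address
    out.append(f.receive(me, "spoofed spam", day=1))  # forged From is now trusted
    hard = CRFilter(accepted={me}, require_auth=True)
    out.append(hard.receive(me, "spoofed spam", day=1))                    # held
    out.append(hard.receive(me, "real note", day=1, authenticated=True))   # delivered
    out.append(f.purge(today=4))                   # stranger's day-0 mail expires
    return out
```

The third result is the failure the column describes: once an address is accepted, the filter trusts the From header alone, so a forged copy of that address skips the challenge.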

I've also seen other C/R systems in action, though mostly from the perspective of mail sender. For instance, I recently replied to an e-mail from one of our readers, James C. Mitchell, an associate professor of journalism at Arizona University. When I attempted to respond, I discovered that he was using ChoiceMail, which made me fill out a form with my name and reason for contacting him. And, as with Mailblocks' C/R system, the form asked me to enter the code sequence depicted in a small graphic on the page. I then received an automated response: "Thanks for jumping through this hoop. My e-mail program should let you in from now on."

All in all, ChoiceMail's C/R process was a little more annoying and time-consuming than I'd prefer. Still, I did it and my message made it to Mitchell's mailbox. Later, I asked him how other people were responding to the C/R system. "I don't get many complaints, perhaps because everybody is so frustrated by spam." Mitchell, who recently authored a crime novel set in Tucson called Lovers Crossing, says that the private Web site he created to promote his book has an e-mail account that does not use any kind of C/R system: "I don't use the challenge, since I want—indeed, hope for—mail from strangers. So I just have to deal with spam there."

Mitchell raises a valid point. While C/R may represent a near foolproof method for blocking spam, the very thing that makes it so successful—human intervention—could hinder its success in the marketplace. When Mitchell wanted to open his doors to feedback for his novel, he chose to forgo the filter. He can't risk not getting comments from fans, critics, and maybe even other media outlets interested in his work.

In the end, Mailblocks is better than before and challenge/response is as good a method for blocking spam as I've seen—but not perfect. Of course, in the world of spam prevention, what is?

