Challenge-Response Spam Blocking Challenges Patience

By Larry Seltzer  |  Posted 2003-05-08

Challenge-Response Spam Blocking Challenges Patience

Spam filtering is an exercise in trade-offs. There are many different technological approaches to the problem, and some are implemented better than others. But the different approaches also have their own inherent problems, and your tolerance of those problems is part of the equation in deciding whether the approach is a good one.

One of the more interesting approaches to spam filtering is challenge-response. The idea is that other people need permission to send you email and the product maintains a whitelist of such people. When someone not on the list sends you mail, the mail is held (at least for a while) and the sender is sent a message asking them to fill out a form, answer a question, and so on. In some cases, the user need only fill out the form, thereby proving they are not a bot sending out a zillion solicitations for increasing the size of certain body parts. In other cases, the email recipient may actually approve or decline specific lists of users.

When I reviewed a bunch of personal antispam tools for PC Magazine many months ago we only ended up reviewing one challenge-response product, Matador from MailFrontier Inc. Its a cute implementation and theres a lot to like technically about it, but too many challenges were sent out blindly to mailing lists and other bots and to people with whom we wished not to communicate.

And once again, just the other day, challenge-response got a shot in the arm when the Washington Post reported that Earthlink will offer it to their subscribers. Earthlink is already a leader in blocking spam. We had a high opinion of their filters, based on BrightMail. But as the Earthlink VP quoted in the story says, its really hard to write a good filter and hard to keep it working well.

The Post story also quotes other vendors in the challenge-response field, including an executive of MailBlocks, Inc., about the concept. That same day, MailBlocks put up a press release annoucing that they were suing Earthlink for patent infringement. No news is good news I guess.

Continued on Next Page

More on challenge


Challenge-response also got a lot of publicity last year when Walt Mossberg of the Wall Street Journal gushed all over ChoiceMail from DigiPortal Software. I do have to sympathize with Mossberg; I get a lot of email and a lot of spam, but he must really get pounded and he needs to do something about it.

But, typical of challenge-response (also known as "permission-based") mail advocates, he overstates the benefits and ignores the major problem. The biggest problem is that automated emails will not get through unless you manually add them to the whitelist. This alone will be confusing for a lot of users, if not for Mossberg or myself. But if you miss one and it sends you mail you wont know that it didnt get through. The permission form sent to the sender will be ignored so the user, as per design, wont know that an email was ever sent. Im also reasonably sure that some users will look at the permission form and either not know what to make of it (no matter how well its written) or suspect that its some sort of scam.

I dont want to excuse people behaving irrationally, but people do get irrational about their email. The end result of these problems is that you wont get some of the email for you that you wanted to receive, but you wont know it got stopped dead by your filtering software. True, with most products you can check the "pending" folder, or whatever the vendor calls it, but right there you lose the value of the product. If you have to check your spam for real mail, you may as well check it in the inbox.

When we tested Matador we ended up wishing it let us sign off on all the challenges, because a couple users sent confused and/or annoyed responses to them. Ironically, of course, having to check every message is the problems you want to solve with spam-blocking software, so thats no solution at all.

And theres one problem that challenge response, and whitelisting in general, has: Ive received a lot of spam where the from: address was the same as the to: address, in other words my own address. Surely one has to whitelist oneself so that one can cc: oneself, and for other special cases (like emailing this story to yourself from the web page). In this case, ChoiceMail special-cases your own address, allowing mail from your own address if it was sent through the same server. This works great if youre ccing yourself, but not necessarily if youre sending an article to yourself or logging in through your ISPs web-based mail system.

Ive had users of almost every spam-blocking product email me to say how it works great for them, asking how could I have had all these problems. Im definitely not a typical user, but I am adamant that I get all the legitimate mail intended for me.

Rocket Fuel