Challenging Challenge Response Anti-Spam Systems
from the false-positives-galore dept
I’ve been pretty vocal in explaining why I don’t like challenge-response email systems for spam prevention. It seems that the problems with such plans are starting to get a lot more attention. Some are even saying that if challenge-response systems are put in place widely, it could render email useless. I wouldn’t go that far, but there clearly are problems with challenge-response systems. This article mostly focuses on problems involving mailing lists, but I don’t think that’s the worst issue for challenge-response systems. The biggest problem, in my mind, is the “false positive” issue. Anyone who legitimately emails you but doesn’t follow through on the challenge-response can be classified as a false positive: a legitimate email that was “blocked” by your spam filter. A good anti-spam system should look at ways to minimize both false positives and false negatives (though there are always tradeoffs). Meanwhile, challenge-response systems can also be seen as increasing spam for anyone who sends a legitimate email and has to deal with all the incoming challenges.
Comments on “Challenging Challenge Response Anti-Spam Systems”
Combining spam detection and challenge/response
I set up challenge response in combination with spamassassin. The only emails that get challenged are ones that spamassassin thinks look like spam. This has resulted in almost none of the ‘good’ emails getting challenged.
No Subject Given
Despite Earthlink being sued, they still launched their spam challenge setup over the weekend. I implemented it on my accounts and have not received a spam through them yet. One nice thing is that I can go in and view all the pending messages, so that if I see a message or 2 in the pending area from legit sources, I can immediately approve them without having them follow through.
No Subject Given
I opened a Mailblocks account to try it out and I haven’t used it much, but:
– when you set it up in Outlook, you see both your inbox (good, verified email), and your pending email, so you can pull someone out of “jail” even if they haven’t responded to the challenge.
On the other hand, I sent a friend an email the other day and he was using “ChoiceMail” — a client-based challenge/response tool (being sued by Mailblocks), and I found it pretty annoying to have to fill out the form to send him an email.
Mailblocks hasn’t yet gotten their whitelisting procedures down — you can’t import your address books from Outlook, though it is their number 1 request in the FAQ. Once they do that, AND allow domain wildcard whitelisting, they’ll be a pretty good option, I think.
Until then, I’m sticking to spamassassin and the delete key.
Challenge & Response is the best method, period. NO program can make decisions as accurately as I can, though they can make more decisions more quickly. That’s where SpamAssassin let me down — its assumptions as to what is spam were just too narrow.
Some say C&R is a pain for those wishing to send me email. Well, understand, sending me an email is a privilege. You should have to earn my attention, not simply get it by screaming or slamming my email box. To send me a letter, you earn this privilege by putting a stamp on it. To earn my attention on the telephone, you must pass call screening and caller ID.
Anyone who has anything important to tell me in an email will go through the trouble of responding to my challenge. If not, I’m simply not interested. No stranger has EVER sent me an email that was important. On the other hand, myself and my time are the most important things in my life, and if you want a piece of it, you’ve got to earn it.
That’s how I see it!
Re: I agree
Not that I get that much junk because I try to be careful online but it does add up and once you make a mistake… they must pass it around: Hey, we got a good address here! Most ‘good’ email is to and from people we know.
We have caller ID also. If the President calls and has no ID, by golly, he will just have to leave a message.