by Mike Masnick

Challenging Challenge Response Anti-Spam Systems

from the false-positives-galore dept

I've been pretty vocal in explaining why I don't like challenge-response email systems for spam prevention. It seems that the problems with such plans are starting to get a lot more attention. Some are even saying that if challenge-response systems are put in place widely, it could render email useless. I wouldn't go that far, but there clearly are problems with challenge-response systems. This article mostly focuses on problems involving mailing lists, but I don't think that's the worst issue for challenge-response systems. The biggest problem, in my mind, is the "false positive" issue. Anyone who legitimately emails you but doesn't follow through on the challenge-response can be classified as a false positive - a legitimate email that was "blocked" by your spam filter. A good anti-spam system should look at ways to minimize both false positives and false negatives (though there are always tradeoffs). Meanwhile, challenge-response systems can also be seen as increasing spam, for anyone who sends a legitimate email and has to deal with all the incoming challenges.

Reader Comments

  1. James H Thompson, Jun 5th, 2003 @ 3:18pm

    Combining spam detection and challenge/response

    I set up challenge response in combination with spamassassin. The only emails that get challenged are ones that spamassassin thinks look like spam. This has resulted in almost none of the 'good' emails getting challenged.


  2. Anonymous Coward, Jun 6th, 2003 @ 6:53am

    No Subject Given

    Despite Earthlink being sued, they still launched their spam challenge setup over the weekend. I implemented it on my accounts and have not received a spam through them yet. One nice thing is that I can go in and view all the pending messages, so that if I see a message or 2 in the pending area from legit sources, I can immediately approve them without having them follow through.


  3. todd, Jun 6th, 2003 @ 7:03am

    No Subject Given

    I opened a Mailblocks account to try it out and I haven't used it much, but:
    - when you set it up in Outlook, you see both your inbox (good, verified email), and your pending email, so you can pull someone out of "jail" even if they haven't responded to the challenge.

    On the other hand, I sent a friend an email the other day and he was using "ChoiceMail" -- a client-based challenge/response tool (being sued by Mailblocks), and I found it pretty annoying to have to fill out the form to send him an email.

    Mailblocks hasn't yet gotten their whitelisting procedures down -- you can't import your address books from Outlook, though it is their number 1 request in the FAQ. Once they do that, AND allow domain wildcard whitelisting, they'll be a pretty good option, I think.

    Until then, I'm sticking to spamassassin and the delete key.


  4. Junk 'n Stuff, Sep 15th, 2003 @ 3:45pm

    My option

    Challenge & Response is the best method, period. NO program can make decisions as accurately as I can, though they can make more decisions more quickly. That's where SpamAssassin let me down -- its assumptions as to what is spam were just too narrow.

    Some say C&R is a pain for those wishing to send me email. Well, understand, sending me an email is a privilege. You should have to earn my attention, not simply get it by screaming or slamming my email box. To send me a letter, you earn this privilege by putting a stamp on it. To earn my attention on the telephone, you must pass call screening and caller ID.

    Anyone who has anything important to tell me in an email will go through the trouble of responding to my challenge. If not, I'm simply not interested. No stranger has EVER sent me an email that was important. On the other hand, myself and my time are the most important things in my life, and if you want a piece of it, you've got to earn it.

    That's how I see it!


  5. James moomey, Apr 7th, 2005 @ 10:46pm

    I agree

    Not that I get that much junk, because I try to be careful online, but it does add up, and once you make a mistake... they must pass it around: Hey, we got a good address here! Most 'good' email is to and from people we know.

    We have caller ID also. If the President calls and has no ID, by golly, he will just have to leave a message.

