Challenges: Difference between revisions
From ASRG
Jump to navigationJump to search
(New page: {{ast |date=1990s |difficult=Medium |popular=Medium |effective=Medium |where=MTA or MUA |harm=High }} Challenges or Challenge/Response (C/R) attempts to validate unknown senders by replyin...) |
No edit summary |
||
| Line 2: | Line 2: | ||
|date=1990s | |date=1990s | ||
|difficult=Medium | |difficult=Medium | ||
|popular= | |popular=Low | ||
|effective=Medium | |effective=Medium | ||
|where=MTA or MUA | |where=MTA or MUA | ||
|harm=High | |harm=High | ||
}} | }} | ||
Challenges or Challenge/Response (C/R) attempts to validate unknown senders by replying to their mail with a challenge message. If the sender responds to the challenge in a way the C/R system approves of, the mail is delivered and the sender is whitelisted. | Challenges or Challenge/Response (C/R) attempts to validate unknown senders by replying to their mail with a challenge message. If the sender responds to the challenge in a way the C/R system approves of, the mail is delivered and the sender is whitelisted. The expected responses may be any return e-mail (typically to a coded address in the Reply-To: header), a return message with a particular key phrase, a clickthrough to a web page, or a clickthrough followed by solving a [[Captchas|Captcha]] problem. | ||
C/R systems are widely considered to be abusive and ineffective. Problems include: | C/R systems are widely considered to be abusive and ineffective. Problems include: | ||
* They generate backscatter harming innocents - most spam has forged sender addresses, so most challenges are sent to people who had nothing to do with the message being challenged. | |||
* They don't work with messages sent by anything other than an individual human sender: newsletters, receipts and other transactional messages, and so forth. | |||
* Recipients of challenges to forged mail often confirm them, since that's the easiest way to make the challenge spam go away. | |||
* It can generate loops - if two poorly configured systems challenge each other's mail, an indefinite mail loop can result. | |||
* Delays are introduced, which may be larger if the sender doesn't immediately receive the confirmation request or simply doesn't have access to network for some reason. | |||
* Access control is often managed by senders, not by the mailbox owner. One of consequences is that if a spammer wants to send messages to someone it's enough to send a first message from some email address under his control, in order to confirm the captcha. | |||
* Message loss - many senders do not respond to challenges. | |||
Revision as of 08:09, 15 June 2009
| Anti-spam technique: Challenges | |
|---|---|
| Date of first use: | 1990s |
| Effectiveness: | Medium |
| Popularity: | Low |
| Difficulty of implementation: | Medium |
| Where implemented: | MTA or MUA |
| Harm: | High |
Challenges or Challenge/Response (C/R) attempts to validate unknown senders by replying to their mail with a challenge message. If the sender responds to the challenge in a way the C/R system approves of, the mail is delivered and the sender is whitelisted. The expected responses may be any return e-mail (typically to a coded address in the Reply-To: header), a return message with a particular key phrase, a clickthrough to a web page, or a clickthrough followed by solving a Captcha problem.
C/R systems are widely considered to be abusive and ineffective. Problems include:
- They generate backscatter harming innocents - most spam has forged sender addresses, so most challenges are sent to people who had nothing to do with the message being challenged.
- They don't work with messages sent by anything other than an individual human sender: newsletters, receipts and other transactional messages, and so forth.
- Recipients of challenges to forged mail often confirm them, since that's the easiest way to make the challenge spam go away.
- It can generate loops - if two poorly configured systems challenge each other's mail, an indefinite mail loop can result.
- Delays are introduced, which may be larger if the sender doesn't immediately receive the confirmation request or simply doesn't have access to network for some reason.
- Access control is often managed by senders, not by the mailbox owner. One of consequences is that if a spammer wants to send messages to someone it's enough to send a first message from some email address under his control, in order to confirm the captcha.
- Message loss - many senders do not respond to challenges.
