Challenges

From ASRG
Revision as of 09:11, 15 June 2009 by Johnl (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.
Anti-spam technique: Challenges
Date of first use: 1990s
Effectiveness: Medium
Popularity: Low
Difficulty of implementation: Medium
Where implemented: MTA or MUA
Harm: High

Challenges or Challenge/Response (C/R) attempts to validate unknown senders by replying to their mail with a challenge message. If the sender responds to the challenge in a way the C/R system approves of, the mail is delivered and the sender is whitelisted. The expected responses may be any return e-mail (typically to a coded address in the Reply-To: header), a return message with a particular key phrase, a clickthrough to a web page, or a clickthrough followed by solving a Captcha problem.

C/R systems are widely considered to be abusive and ineffective. Problems include:

  • They generate backscatter harming innocents - most spam has forged sender addresses, so most challenges are sent to people who had nothing to do with the message being challenged.
  • They don't work with messages sent by anything other than an individual human sender: newsletters, receipts and other transactional messages, and so forth.
  • Recipients of challenges to forged mail often confirm them, since that's the easiest way to make the challenge spam go away.
  • It can generate loops - if two poorly configured systems challenge each other's mail, an indefinite mail loop can result.
  • Delays are introduced, which may be larger if the sender doesn't immediately receive the confirmation request or simply doesn't have access to network for some reason.
  • Access control is often managed by senders, not by the mailbox owner. One of consequences is that if a spammer wants to send messages to someone it's enough to send a first message from some email address under his control, in order to confirm the captcha.
  • Message loss - many senders do not respond to challenges.

C/R systems invariably include the ability to whitelist correspondents manually, as a partial solution to message loss problems.