Challenges

From ASRG
Jump to: navigation, search
Anti-spam technique: Challenges
Date of first use: 1990s
Effectiveness: Medium
Popularity: Low
Difficulty of implementation: Medium
Where implemented: MTA or MUA
Harm: High

Challenges or Challenge/Response (C/R) attempts to validate unknown senders by replying to their mail with a challenge message. If the sender responds to the challenge in a way the C/R system approves of, the mail is delivered and the sender is whitelisted. The expected responses may be any return e-mail (typically to a coded address in the Reply-To: header), a return message with a particular key phrase, a clickthrough to a web page, or a clickthrough followed by solving a Captcha problem.

C/R systems are widely considered to be abusive and ineffective. Problems include:

  • They generate backscatter harming innocents - most spam has forged sender addresses, so most challenges are sent to people who had nothing to do with the message being challenged.
  • They don't work with messages sent by anything other than an individual human sender: newsletters, receipts and other transactional messages, and so forth.
  • Recipients of challenges to forged mail often confirm them, since that's the easiest way to make the challenge spam go away.
  • It can generate loops - if two poorly configured systems challenge each other's mail, an indefinite mail loop can result.
  • Delays are introduced, which may be larger if the sender doesn't immediately receive the confirmation request or simply doesn't have access to network for some reason.
  • Access control is often managed by senders, not by the mailbox owner. One of consequences is that if a spammer wants to send messages to someone it's enough to send a first message from some email address under his control, in order to confirm the captcha.
  • Message loss - many senders do not respond to challenges.

C/R systems invariably include the ability to whitelist correspondents manually, as a partial solution to message loss problems.