A great summary of the issues surrounding challenge-response anti-spam systems, from Kee Hinckley on the ASRG list. Summary: they’ll work fine for one-person-to-one-person email, but anything beyond that — and there is lots beyond that, in current email use — gets hairier and hairier. Read on for the message.
Date: Tue, 25 Mar 2003 09:13:46 -0500
From: Kee Hinckley (spam-protected)
To: Brad Templeton (spam-protected)
cc: Steve Schear (spam-protected) (spam-protected)
Subject: Re: FC: Will new “spam reduction” service result in… more spam?
At 5:32 PM -0800 3/24/03, Brad Templeton wrote:
> I wrote a challenge/response system six years ago that simply asks for any
> reply at all — it doesn’t put any burden on the other party, and would be
> easy to defeat with something as simple as an autoresponder. Yet it works,
> the spammers have not attempted to use this simple defeat. Once they start,
If a challenge response system puts messages in the “look at me later” queue if you don’t respond, then I don’t think spammers will care. (And it’s not clear that you’ll be that much happier as a user of the system. You will have to scan the queue.)
What is not clear to me is a) how anyone expects your typical user to whitelist commercial addresses and mailing lists in advance and b) how a challenge response system (which had *better* respond to envelope from) avoids getting them removed from said list, or not receiving notification about their purchase or what not.
Just consider the following.
(jm note: I’ve replaced at signs with (AT) in the text below, as otherwise this blog software’s anti-spam features will hide the addresses.)
1 User sends email to asrg-request (AT) ietf.org?subject=subscribe
2 Think quick. What address should you whitelist? asrg (AT) ietf.org? asrg-request (AT) ietf.org? Nope. asrg-admin (AT) ietf.org. And you knew that because…?
3 asrg sends back a confirmation request. Now as it happens, it does this from asrg-admin (AT) ietf.org (envelope) and asrg-request (from). But some mailers use a custom address for this. But let’s assume we’re dealing with the average user here. They either didn’t do anything at all (forgot they had to) or their software whitelisted based on the To: address (asrg-request).
4.1 A challenge gets sent back to the asrg list. The result depends on a combination of how the list software works and how the challenge software constructed its reply.
4.1.1 It’s treated as a bounce and the user is not added
4.1.2 It’s treated as a confirmation and the user is added
4.1.3 It goes to the admin, who says something I can’t repeat and throws it in the trash.
4.2 It makes it through because we whitelisted the right thing.
5 The first list message comes through. If you had whitelisted asrg-admin, you’re fine. If you whitelisted asrg-request, we challenge it. If the list software uses a different envelope from each time, you got problems.
Now, let’s take amazon.com.
I’ve received automated email from payments-messages (AT) amazon.com, orders (AT) amazon.com, auto-confirm (AT) amazon.com, eyes (AT) amazon.com, amazon-news-sender (AT) amazon.com, editer-sender (AT) amazon.com, science-fiction-editor (AT) amazon.com… and they actually send mail from their domain–never mind what happens if they hire m0.net or someone to deliver it.
And if you start sending challenges to those–Amazon’s going to see them as bounces and dump me.
Of course we could just whitelist all of amazon.com. But I rather suspect the spammers might figure that one out.
If you want challenge/response to work, the first thing you should do has nothing to do with challenge/response. The first thing is to come up with an RFC for a standard format for challenges so that automated mail systems can recognize that they aren’t the same as bounces. And come up with a protocol whereby they can reply and say “Yo! I’m an automated system you idiot.” Where you go from there I don’t know.
However, see my next message on “Protocols”.
I’m not sure which upsets me more: that people are so unwilling to accept responsibility for their own actions, or that they are so eager to regulate everyone else’s.
Asrg mailing list (spam-protected) https://www1.ietf.org/mailman/listinfo/asrg
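To make the whitelist mismatch in steps 1 to 5 concrete, here is an added Python simulation (not code from the message, the blog, or any mailing-list software). It applies a whitelist to two constructed messages, once keyed on the envelope sender (Return-Path) and once on the From: header; the addresses are the ones Kee names with (AT) restored, and the message bodies are constructed for the example.

```python
"""Simulate a naive challenge/response filter meeting a mailing list."""
from email import message_from_string
from email.utils import parseaddr

# Addresses from the message, with "(AT)" restored to "@".
LIST = "asrg@ietf.org"
REQUEST = "asrg-request@ietf.org"
ADMIN = "asrg-admin@ietf.org"

# Constructed sample traffic (not real mail). Return-Path carries the
# envelope sender; From: is what the user sees. Step 3: the list sends
# its confirmation with envelope asrg-admin and header From asrg-request.
CONFIRMATION = f"""Return-Path: <{ADMIN}>
From: {REQUEST}
To: user@example.com
Subject: confirm subscription

Reply to this message to confirm.
"""

# Step 5: a regular list post. Envelope is still asrg-admin, but the
# From: header now belongs to whoever posted.
LIST_POST = f"""Return-Path: <{ADMIN}>
From: someone@example.org
To: {LIST}
Subject: [Asrg] first list message

Hello list.
"""

def envelope_sender(raw):
    """Envelope sender as recorded in Return-Path, lower-cased."""
    return parseaddr(message_from_string(raw).get("Return-Path", ""))[1].lower()

def header_from(raw):
    """Address in the From: header, lower-cased."""
    return parseaddr(message_from_string(raw).get("From", ""))[1].lower()

def decide(raw, whitelist, key="envelope"):
    """'deliver' if the chosen sender field is whitelisted, else 'challenge'."""
    sender = envelope_sender(raw) if key == "envelope" else header_from(raw)
    return "deliver" if sender in whitelist else "challenge"

def whitelist_from_subscribe(to_address):
    """Step 3's naive client: whitelist whatever the user just wrote to."""
    return {to_address.lower()}

def scenario(whitelist, key="envelope"):
    """Outcome for the confirmation and for the first list post."""
    return {"confirmation": decide(CONFIRMATION, whitelist, key),
            "first_post": decide(LIST_POST, whitelist, key)}
```

Whitelisting asrg-request challenges both messages when keyed on the envelope; keyed on From: it passes the confirmation and then challenges every ordinary list post, which is step 5's failure.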