The Perils of Challenge-Response hits PoliTechBot

As I’ve said before, C-R is not an acceptable way, alone, to deal with spam. You’re just pushing the work away from yourself, and onto your legitimate correspondents — and you won’t make any friends as a result. Things get worse when anything more complex than simple person-to-person mail intrudes, like internet mailing lists. (And come on folks — that particular innovation is only 24 years old ;)

Case in point this week: Declan McCullagh gets bitten:

My reluctant conclusion is that C-R systems with flawed implementations have the potential to end legitimate mailing lists as we know them today.

and Dave Farber says:

If I start getting a flood of challenges from earthlink ipers that require my response I will most likely declare them SPAM and you will stop receiving IP mail.

John Levine’s follow-up is well worth a read, as he predicts massive (and trivial) whitelist exploitation by spammers to avoid C-R — and then we’ll be worse off than we were when we started.

Finally, there’s quite a funny quote in John’s mail:

A relatively easy-to-solve problem with challenge systems is that most of them are written by dimwits who don’t understand the way that e-mail really works. In 1983 the 4.3BSD Berkeley Unix ‘vacation’ program correctly dealt with mail from lists and other mechanical sources, yet 20 years later I still see out-of-office replies from Lotus Notes and MS Exchange to list mail every day. (Is there really nobody at IBM or Microsoft who used 4.3BSD or knows the rules of thumb to recognize non-personal but legit mail?)

I have often wondered that myself ;)
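For anyone writing an autoresponder or a challenge-response filter, the "rules of thumb" John mentions are not folklore: they are a short list of header checks. The block below is an added illustration written for this post, not code from John's mail, from BSD vacation(1), or from any of the products named above. It applies the classic vacation(1) tests (Precedence: bulk/junk/list, list-manager and daemon sender addresses, the recipient not being named in To:/Cc:) plus the list and auto-reply headers that were standardised later (List-*, Auto-Submitted) and refuses to send a challenge when any of them fires. All addresses and messages are constructed samples under the reserved `.invalid` domain.

```python
import email
from email.utils import getaddresses, parseaddr

# Local parts that vacation(1)-style logic treats as mechanical, not a person.
MECHANICAL_LOCALPARTS = {"mailer-daemon", "postmaster", "majordomo", "listserv",
                         "noreply", "no-reply", "bounces"}

# Any of these headers means the mail came through a list expander (RFC 2369/2919).
LIST_HEADERS = ("List-Id", "List-Post", "List-Unsubscribe", "List-Help",
                "Mailing-List", "X-Mailing-List")


def _localpart(header_value):
    """Lower-cased local part of the first address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[0].lower() if "@" in addr else ""


def _looks_mechanical(local):
    return (local in MECHANICAL_LOCALPARTS
            or local.startswith("owner-")
            or local.endswith(("-request", "-bounces", "-owner")))


def should_challenge(raw_message, my_addresses):
    """Decide whether a challenge (or any auto-reply) may be sent for this mail.

    Returns (True, "personal mail") only when every rule of thumb passes,
    otherwise (False, reason). my_addresses: addresses the mailbox owner
    actually receives mail at, compared case-insensitively.
    """
    msg = email.message_from_string(raw_message)

    # 1. The 1983 vacation(1) rule: bulk, junk or list precedence is never answered.
    prec = (msg.get("Precedence") or "").strip().lower()
    if prec in ("bulk", "junk", "list"):
        return False, f"Precedence: {prec}"

    # 2. List-manager headers identify list traffic even without Precedence.
    for h in LIST_HEADERS:
        if msg.get(h) is not None:
            return False, f"{h} header present"

    # 3. Mail that is itself machine-generated (RFC 3834) must not be answered,
    #    or two autoresponders loop at each other forever.
    auto = (msg.get("Auto-Submitted") or "").strip().lower()
    if auto and auto != "no":
        return False, f"Auto-Submitted: {auto}"

    # 4. A null return path is a bounce / delivery status notification.
    if (msg.get("Return-Path") or "").strip() == "<>":
        return False, "null Return-Path (bounce)"

    # 5. Envelope or Sender address belonging to a list manager or daemon.
    for h in ("Sender", "Return-Path", "From"):
        local = _localpart(msg.get(h))
        if local and _looks_mechanical(local):
            return False, f"{h} is a list-manager or daemon address ({local})"

    # 6. vacation(1) only replies when the user is explicitly in To:/Cc:;
    #    list and broadcast mail usually names the list address instead.
    mine = {a.lower() for a in my_addresses}
    rcpts = {addr.lower() for _, addr in
             getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if not (mine & rcpts):
        return False, "recipient not named in To:/Cc:"

    return True, "personal mail"


# Constructed sample messages (not real traffic).
LIST_MAIL = """\
Return-Path: <owner-ip@lists.example.invalid>
From: Alice <alice@example.invalid>
Sender: owner-ip@lists.example.invalid
To: ip@lists.example.invalid
Precedence: list
List-Id: Interesting People <ip.lists.example.invalid>
Subject: [IP] challenge-response and lists

Lists and C-R do not mix.
"""

BOUNCE = """\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mx.example.invalid>
To: bob@example.invalid
Auto-Submitted: auto-replied
Subject: Undelivered Mail Returned to Sender

The message could not be delivered.
"""

NEWSLETTER = """\
Return-Path: <newsletter@example.invalid>
From: Weekly News <newsletter@example.invalid>
To: subscribers@example.invalid
Subject: This week

Nothing personal here.
"""

PERSONAL = """\
Return-Path: <carol@example.invalid>
From: Carol <carol@example.invalid>
To: Bob <bob@example.invalid>
Subject: lunch?

Free on Thursday?
"""

if __name__ == "__main__":
    for name, raw in [("list", LIST_MAIL), ("bounce", BOUNCE),
                      ("newsletter", NEWSLETTER), ("personal", PERSONAL)]:
        print(name, should_challenge(raw, {"bob@example.invalid"}))
```

Only the last sample gets a challenge; the list post, the bounce and the broadcast newsletter are all refused, each for the first rule that matches. None of this makes C-R acceptable on its own, but an implementation that skips these six checks will spray challenges at lists, list owners and mailer daemons exactly as described above.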

