Bogus Challenge-Response Bounces: I’ve Had Enough

I get quite a lot of spam. For one random day last month (Aug 21st), I got 48 low-scoring spam mails (between 5 and 10 points according to SpamAssassin), and 955 high-scorers (anything over 10). I don’t know how much malware I get, since my virus filter blocks them outright, instead of delivering to a folder.

That’s all well and good, because spam and viruses are now relatively easy to filter — and if I recall correctly, they were all correctly filed, no FPs or FNs (well, I’m not sure about the malware, but fingers crossed ;).

The hard part is now ‘bogus bounces’ — the bounces from ‘good’ mail systems, responding to the forged use of my addresses as the sender of malware/spam mails. There were 306 of those, that day.

Bogus bounces are hard to filter as spam, because they’re not spam — they’re ‘bad’ traffic originating from ‘good’, but misguided, email systems. They’re not malware, either. They’re a whole new category of abusive mail traffic.

I say ‘misguided’, because a well-designed mail system shouldn’t produce these. By only performing bounce rejection with a 4xx or 5xx response as part of the SMTP transaction, when the TCP/IP connection is open between the originator and the receiving MX MTA, you avoid most of the danger of ‘spamming’ a forged sender address. However, many mail systems were designed before spammers and malware writers started forging on a massive scale, and therefore haven’t fixed this yet.

I’ve been filtering these for a while using this SpamAssassin ruleset; it works reasonably well at filtering bounces in general, catching almost all of the bounces. (There is a downside, though, which is that it catches more than just bogus bounces — it also catches real bounces, those in response to mails I sent. At this stage, though, I consider that to be functionality I’m willing to lose.)

The big remaining problem is challenge-response messages.

C-R is initially attractive. If you install it, your spam load will dwindle to zero (or virtually zero) immediately — it’ll appear to be working great. What you won’t see, however, is what’s happening behind the scenes:

  • your legitimate correspondents are getting challenges, will become annoyed (or confused), and may be unwilling or unable to get themselves whitelisted;

  • spam that fakes other, innocent third party addresses as the sender, will be causing C-R challenges to be sent to innocent, uninvolved parties.

The latter is the killer. In effect, you’re creating spam, as part of your attempts to reduce your own spam load. C-R shifts the cost of spam-filtering from the recipient and their systems, to pretty much everyone else, and generates spam in the process. I’m not alone in this opinion.

That’s all just background — just establishing that we already know that C-R is abusive. But now, it’s time for the next step for me — I’ve had enough.

I initially didn’t mind the bogus-bounce C-R challenges too much, but the levels have increased. Each day, I’m now getting a good 10 or so C-R challenges in response to mails I didn’t send. Worse, these are the ones that get past the SpamAssassin ruleset I’ve written to block them, since they don’t include an easy-to-filter signature signifying that they’re C-R messages, such as Earthlink’s ‘spamblocker-challenge’ SMTP sender address or UOL‘s ‘AntiSpam UOL’ From address. There seems to be hundreds of half-assed homegrown C-R filters out there!

So now, when I get challenge-response messages in response to spam which forges one of my addresses as the ‘From’ address, and it doesn’t get blocked by the ruleset, I’m going to jump through their hoops so the spam is delivered to the C-R-protected recipient. Consider it a form of protest; creating spam, in order to keep youself spam-free, is simply not acceptable, and I’ve had enough.

And if you’re using one of these C-R filters — get a real spam filter. Sure they cost a bit of CPU time — but they work, without pestering innocent third parties in the process.

This entry was posted in Uncategorized and tagged , , , . Bookmark the permalink. Both comments and trackbacks are currently closed.


  1. Posted September 15, 2005 at 20:50 | Permalink

    Update: jgc’s spam and anti-spam newsletter, issue 19 contains an interesting note from Richard Jowsey, who runs Death2Spam, a large-scale hosted Bayesian filtering service:

    “The signal-to-noise ratio of typical challenge messages is steadily diminishing. I’m seeing marker features such as fromchallenge up at pSpam=0.9952, from*[email protected] pSpam = 0.9848, subjectconfirm pSpam = 0.9697 … people are definitely biffing these in the spam bucket!” [….]

    “Over the past few months, we’ve observed that a significantly higher fraction of our low-confidence classifications (aka “unsures”) are those stupid “challenge-response” demands, i.e. you must prove yourself human by clicking on some link and filling in a form. Some kind of Turing Test? Many users are simply hitting the “classify as spam” button when they get one of those CR-bot handouts, apparently disgusted. Moral of the story: if your business uses CR anti-spam technology, you could be losing a lot of new business!”

  2. Posted October 12, 2005 at 20:26 | Permalink

    I think you’re slow to the game….

    Jeremy’s been ranting about this for a while:

    And I decided that I would only click on TMDA messages that I did NOT originate:

    … you’re such a follower, dude…. :-P

  3. Posted October 12, 2005 at 21:48 | Permalink

    doh! totally beat me to it.

    Can we form a union?

  4. Freemo
    Posted March 9, 2007 at 02:44 | Permalink

    Your missing one important point. If all systems had a C/R filter up. And appropriate measures were taken to eliminate unwanted challenges (only receiving challenges from users youve sent an e-mail too, and marking chalenges with some sort of ID) then all spam would be eliminated, including any noise. No one would receive unsolicited challenges, and no one would ever receive spam again. While it is true a C/R system does cause more problems with unprotected servers (or servers that use inferior anti-spam apps to filter it) I view that more like an exploit. If you run a system that can get spam, even a little, it has an exploit. C/R properly designed can fix this exploit. If everyone uses C/R there is no more spam, and no abuse caused from the C/R. Simple fix, make C/R part of the smtp standard.

  5. Posted March 9, 2007 at 11:39 | Permalink

    Freemo: sure, if we could ensure that only mail that was unforged received a challenge, that’d be great and C/R would be a lot less trouble. Unfortunately, that’s not the case with any of the C/R products, so right now they’re still broken…

  6. Freemo
    Posted March 9, 2007 at 20:12 | Permalink

    Actually I wrote a C/R tht does just that. The challenges have a special ID in them to mark them as a challenge e-mail. All SMTP server have to do now is reject challenges if they didnt send an e-mail to the receipient first. If the SMTP server uses my C/R it does this as well. So essntially, if everyone started using my C/R, or a system that does somesthing similar. It would eliminate abuse, and spam 100%.

  7. C-R Sucks
    Posted June 6, 2009 at 08:56 | Permalink

    Freemo: and while you’re asking (from a couple of years ago), would you also like a pony?

    Congratulations, you’ve invented another Final Ultimate Solution to the Spam Problem! Now Google for ‘FUSSP’ to find out why it won’t work.

    (Protip from the FUSSP responses: no system that requires everyone to change to follow it will work, because “everyone” is so fragmented.)

One Trackback

  • […] JMason says “Automated CR systems considered suckful“. My spam situation is about the same as his: all my actual spam is controlled; the crap I have to deal with now is wading through CR responses and “you seem to have sent us a virus” crap. Grr. […]