As all right-thinking people know by now, challenge-response spam filtering is
broken and abusive, since it simply shifts the work of filtering spam out of
your mailbox onto innocent third parties — either your legitimate
correspondents, people on mailing lists you read, or even random people you
have never heard of (due to spam blowback).
I’ve ranted about this in the past, but I’m not alone in this opinion — and I
frequently find myself explaining it. To avoid repeating myself, here’s a
canonical collection of postings from around the web on this topic.
Description: This “selfish” method of spam filtering replies to all email with a “challenge” – a message only a living person can (theoretically) respond to. There are several problems with this method which have been well known for many years.
- Does not scale: If everyone used this method, nobody would ever get any mail.
- Annoying: Many users refuse to reply to the challenge emails, don’t know what they are or don’t trust them.
- Ineffective: Because of confusion about these emails, many of them are confirmed by people who did not trigger them. This results in the original malicious email being delivered.
- Selfish: This is the problem we are mainly concerned with. By using challenge/response filtering, you are asking innumerable third parties to receive your challenge emails just so that a relatively few legitimate ones get through to the intended recipient.
C-R systems in practice achieve an unacceptably high false-positive rate
(non-spam treated as spam), and may in fact be highly susceptible to
false-negatives (spam treated as non-spam) via spoofing.
Effective spam management tools should place the burden either on the
spammer, or, at the very least, on the person receiving the benefits of the
filtering (the mail recipient). Instead, challenge-response puts the burden
on, at best, a person not directly benefitting, and quite likely (read on) a
completely innocent party. The one party who should be inconvenienced by spam
consequences – the spammer – isn’t affected at all.
Worse: C-R may place the burden on third parties either inadvertently (via
spoofed sender spam or virus mail), or deliberately (see Joe Job, below).
Such intrusions may even result in subversion of the C-R system out of
annoyance. Many recent e-mail viruses spoof the e-mail sender, including
Klez, Sobig variants, and others.
The collateral damage from widely used C/R systems, even with implementations
that avoid the stupid bugs, will destroy usable e-mail. [jm: in fairness,
this was written in 2003.]
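The postings above make three distinct claims: challenges to spoofed senders land on innocent third parties (blowback), a confused third party who answers the challenge lets the original spam through, and spam that spoofs an already-whitelisted correspondent is never challenged at all (a false negative). The following toy model, added here as an illustration and not taken from any of the quoted authors or from a real C-R product, plays those three cases through a minimal challenge-response filter. All addresses, subjects and the `real_sender` field (which the filter itself never sees) are constructed for the example.

```python
"""Toy challenge-response (C-R) filter, constructed to show blowback,
confused-confirmation and spoofed-whitelist false negatives."""

from dataclasses import dataclass, field


@dataclass
class Message:
    envelope_from: str   # address the C-R challenge is sent back to
    real_sender: str     # who actually injected the mail; unknown to the filter
    subject: str
    is_spam: bool        # ground truth, used only for scoring


@dataclass
class CRFilter:
    owner: str
    whitelist: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)      # token -> held message
    challenged: list = field(default_factory=list)   # every message we challenged
    delivered: list = field(default_factory=list)

    def send(self, rcpt):
        """Owner sends mail: a sane C-R system auto-whitelists the recipient."""
        self.whitelist.add(rcpt)

    def receive(self, msg):
        """Deliver if the sender is whitelisted, otherwise hold and challenge."""
        if msg.envelope_from in self.whitelist:
            self.delivered.append(msg)
            return None
        token = f"tok{len(self.challenged) + 1}"
        self.pending[token] = msg
        self.challenged.append(msg)
        return token   # the challenge goes to msg.envelope_from

    def confirm(self, token):
        """Whoever received the challenge clicked it: release and whitelist."""
        msg = self.pending.pop(token)
        self.whitelist.add(msg.envelope_from)
        self.delivered.append(msg)
        return msg


def run_scenario():
    """Replay the failure modes described in the quoted postings."""
    f = CRFilter(owner="alice@example.org")
    f.send("bob@example.net")   # Alice mailed Bob earlier, so Bob is whitelisted

    inbox = [
        Message("bob@example.net", "bob@example.net", "lunch?", False),
        Message("carol@example.com", "carol@example.com", "hello", False),
        # spam with a forged sender: the challenge goes to an innocent victim
        Message("victim@example.edu", "spammer@example.invalid", "buy pills", True),
        # spam forging an already-whitelisted sender: never challenged
        Message("bob@example.net", "spammer@example.invalid", "buy pills", True),
    ]
    tokens = {m.envelope_from: f.receive(m) for m in inbox}

    # Carol never answers the challenge (many people refuse to); the victim,
    # confused by a challenge for mail they never sent, clicks it anyway.
    f.confirm(tokens["victim@example.edu"])

    return {
        "blowback": sum(1 for m in f.challenged
                        if m.envelope_from != m.real_sender),
        "false_negatives": sum(1 for m in f.delivered if m.is_spam),
        "false_positives": sum(1 for m in f.pending.values() if not m.is_spam),
        "whitelist": set(f.whitelist),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Note that after the victim's confused click the victim's own address is now on Alice's whitelist, so a spammer forging it gets straight through from then on; the whitelist only ever grows, and nothing in the scheme ever costs the spammer anything.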
Challenge systems have effects a lot like spam. In both cases, if only a few
people use them they’re annoying because they unfairly offload the
perpetrator’s costs on other people, but in small quantities it’s not a big
hassle to deal with. As the amount of each goes up, the hassle factor
rapidly escalates and it becomes harder and harder for everyone else to use
e-mail at all.
I’m skeptical of CR as a response to email. If you’re the first on your block
to adopt CR, and if nobody else uses anti-spam technology, then CR might
provide you some modest benefit. But it’s hard to see how CR can be widely
successful in a world where most people use some kind of spam defense.
If these systems are so brain-dead as to not bother adding my address to the
whitelist when the user sends me e-mail, I have serious trouble understanding
why anyone is using them.
Is it just me? Is this too hard to figure out?
Anyway, there’s another 5 minutes I’ll never get back. It’s too bad there’s
no mail header to warn me that “this message is from a TDMA user”, because
then I’d be able to procmail ’em right to /dev/null where they belong.
Ugh.
This bullshit is not going to “solve” the spam problem, people. If that’s
your solution, please let me opt out. Forever.
C/R slows down and impedes communication by placing unwanted barriers between
you and your clients/suppliers.
If you must insist on using some form of C/R please make sure that you
whitelist my address before you contact me as I will not reply to challenges.
We will not answer any challenges generated in response to our mailing list
postings. Thus, if you’re using a challenge-response system and not receiving
TidBITS, you’ll need to figure that out on your own. Also, if you send us a
personal note and we receive a challenge to our reply, we may or may not
respond to it, depending on our workload at the time.
uol.com.br uses a very broken method of anti-spam. Every time someone sends an
email message to one of their members, they send back a verification message,
asking the original sender to click a link before they will allow the message
through. These messages are themselves a form of spam, and the resulting
back-scatter of these messages is altogether bad for the Internet, the UOL
member, and all of the UOL member’s contacts. UOL is aware of the complaints
against them, and they refuse to correct the issue, claiming that their
members love the service.
I hate C/R systems. With a passion. I absolutely will not respond to them.
They go in the trash. I don’t get them very often but I get them more and
more. I think they have the potential to seriously damage email communication
as we know it. And I’m not alone in this opinion.
Phew.