An anti-challenge-response Xmas linkfest

As all right-thinking people know by now, Challenge-response spam filtering is broken and abusive, since it simply shifts the work of filtering spam out of your email, onto innocent third-parties — either your legitimate correspondents, people on mailing lists you read, or even random people you have never heard of (due to spam blowback).

I’ve ranted about this in the past, but I’m not alone in this opinion — and frequently find myself explaining it. To avoid repeating myself, here’s a canonical collection of postings from around the web on this topic.

Description: This “selfish” method of spam filtering replies to all email with a “challenge” – a message only a living person can (theoretically) respond to. There are several problems with this method which have been well known for many years.

  1. Does not scale: If everyone used this method, nobody would ever get any mail.
  2. Annoying: Many users refuse to reply to the challenge emails, don’t know what they are or don’t trust them.
  3. Ineffective: Because of confusion about these emails, many of them are confirmed by people who did not trigger them. This results in the original malicious email being delivered.
  4. Selfish: This is the problem we are mainly concerned with. By using challenge/response filtering, you are asking innumerable third parties to receive your challenge emails just so that a relatively few legitimate ones get through to the intended recipient.

C-R systems in practice achieve an unacceptably high false-positive rate (non-spam treated as spam), and may in fact be highly susceptible to false-negatives (spam treated as non-spam) via spoofing.

Effective spam management tools should place the burden either on the spammer, or, at the very least, on the person receiving the benefits of the filtering (the mail recipient). Instead, challenge-response puts the burden on, at best, a person not directly benefitting, and quite likely (read on) a completely innocent party. The one party who should be inconvenienced by spam consequences ¿ the spammer ¿ isn’t affected at all.

Worse: C-R may place the burden on third parties either inadvertantly (via spoofed sender spam or virus mail), or deliberately (see Joe Job, below). Such intrusions may even result in subversion of the C-R system out of annoyance. Many recent e-mail viruses spoof the e-mail sender, including Klez, Sobig variants, and others.

The collateral damage from widely used C/R systems, even with implementations that avoid the stupid bugs, will destroy usable e-mail. [jm: in fairness, this was written in 2003.]

Challenge systems have effects a lot like spam. In both cases, if only a few people use them they’re annoying because they unfairly offload the perpetrator’s costs on other people, but in small quantities it’s not a big hassle to deal with. As the amount of each goes up, the hassle factor rapidly escalates and it becomes harder and harder for everyone else to use e-mail at all.

I’m skeptical of CR as a response to email. If you’re the first on your block to adopt CR, and if nobody else uses anti-spam technology, then CR might provide you some modest benefit. But it¿s hard to see how CR can be widely successful in a world where most people use some kind of spam defense.

If these systems are so brain-dead as to not bother adding my address to the whitelist when the user sends me e-mail, I have serious trouble understanding why anyone is using them.

Is it just me? Is this too hard to figure out?

Anyway, there’s another 5 minutes I’ll never get back. It’s too bad there’s no mail header to warn me that “this message is from a TDMA user”, because then I’d be able to procmail ‘em right to /dev/null where they belong.

Ugh.

This bullshit is not going to “solve” the spam problem, people. If that’s your solution, please let me opt out. Forever.

C/R slows down and impedes communication by placing unwanted barriers between you and your clients/suppliers.

If you must insist on using some form of C/R please make sure that you whitelist my address before you contact me as I will not reply to challenges.

We will not answer any challenges generated in response to our mailing list postings. Thus, if you’re using a challenge-response system and not receiving TidBITS, you’ll need to figure that out on your own. Also, if you send us a personal note and we receive a challenge to our reply, we may or may not respond to it, depending on our workload at the time.

uol.com.br uses a very broken method of anti-spam. Everytime someone sends an email message to one of their members, they send back a verification message, asking the original sender to click a link before they will allow the message through. These messages are themselves a form of spam, and the resulting back-scatter of these messages is altogether bad for the Internet, the UOL member, and all of the UOL member’s contacts. UOL is aware of the complaints against them, and they refuse to correct the issue, claiming that their members love the service.

I hate C/R systems. With a passion. I absolutely will not respond to them. They go in the trash. I don’t get them very often but I get them more and more. I think they have the potential to seriously damage email communication as we know it. And I’m not alone in this opinion.

Phew.

This entry was posted in Uncategorized and tagged , , , , , , , , , , . Bookmark the permalink. Both comments and trackbacks are currently closed.

32 Comments

  1. Chase Venters
    Posted December 14, 2006 at 18:20 | Permalink

    I wrote a C/R system specifically for my address at work. Why? I really didn’t have a choice. We have a hosted mail solution (which is really stupid but not for me to decide). We also used to have a prankster co-worker who took it upon himself to sign my work address up for all kinds of spam. Suddenly there was a great flood… and the spam filtering was doing nothing to stop it.

    I hardly ever receive legitimate mail from people outside the company, and the company itself is whitelisted (of course), so I consider it a perfectly valid use of the technology, especially considering that it took me from 50 spam messages every morning to maybe 1 a month (when the unwanted mail is sent from a semi-legitimate advertiser that doesn’t forge its headers and also employs an auto-responder).

    The last thing I’d say is that the war on /autoresponders/ is worse than than C/R systems. Some parties like SpamCop are insane enough to imply that anyone who implements any kind of autoresponder is subject to being branded a spammer… and then they propose breaking Internet mail queues just so they can avoid bounce messages… and they never seem to say what to do about majordomo…

  2. Posted December 14, 2006 at 18:33 | Permalink

    Chase — if you wanted to be on the bleeding edge, you could modify the autoresponder to only respond to mails that had passed SPF/DK/DKIM sender verification. That takes care of the “auto-response to spammer forgery” issue, and would avoid you being listed by Spamcop…

  3. Posted December 14, 2006 at 22:06 | Permalink

    Chase “hardly ever receives legitimate mail from people outside the company”, but I’m betting he receives a load of non-legitimate mail “from” people who are now innocent victims of his home-grown C/R system.

    Nothing “perfectly valid” about that. Of course, now we see the usual clarion call of the C/R user: “It took me from 50 spam messages every morning to maybe 1 a month” (i.e. “It works great for me, so stop moaning about having to filter my vomitus.”)

    As for “the war on autoresponders” — PUT A SPAM FILTER IN FRONT OF THEM! (Sorry for shouting, but I’m fed up of saying it to admins who object to polite backscatter reports.)

    As for “breaking mail queues” — that’s just specious. It’s quite simple: 1. 5xx reject at your boundary MTA, don’t accept-then-bounce. 2. If you can’t handle the message temporarily, 451 it.

    And if you can’t understand all this, you don’t deserve to be an email admin. Give the job to someone competent.

  4. Posted December 14, 2006 at 22:09 | Permalink

    Oh, and may I abuse my position while I’m here with a sad report about another C/R startup?

    In case you’ve not heard, it’s called Boxbe. It’s a service that promises to forward unsolicited email only from those willing to pay a fee for your attention. In other words, an economic “solution” to spam. More details at m’blog.

  5. Chase Venters
    Posted December 15, 2006 at 00:40 | Permalink

    Richi:

    For the record, my C/R system e-mails me a log file every night that lists the sender and subject of every message as well as its disposition. So if legitimate senders are getting caught up in my C/R system, I notice it.

    The vast majority of challenges I send end up bouncing. After a host bounces a few challenges, they are automatically blacklisted for 6 months.

    I also love the fact that opponents of C/R systems are quick to call us (the users) out for how much we are supposedly victimizing other people due to misdirected backscatter. What makes your opinion less relevant than mine (other than the fact that this is my e-mail account we are talking about) is that I monitor real, live data from my system. As I said before, most of my challenges bounce. This means that the envelope on the original mail was not only forged, but forged to come from a host that either does not exist or does not itself take mail. In fact, I don’t think I’ve ever seen a valid individual’s e-mail address in my reporting.

    Backscatter could happen, in theory, but opponents of C/R would rather blame those that use C/R than the spammer that sent the forged spam in the first place. Why must you further make assumptions about the volume of backscatter my system generates? I am telling you that it is close to nil.

    I wouldn’t use C/R on most of my addresses. I use it at work because of the special circumstances I described in my original post.

  6. miles
    Posted December 15, 2006 at 01:56 | Permalink

    Wonder if the captcha test frequently used by C/R have ever been used a la porn monkeys (show free porn in exchange for answering a captcha that signs up a yahoo/hotmail/whatever account).

    One of the issues subtlely or not mentioned is the dictionary attack. The blowback problem can look like a server dictionary attacking a domain. I’ve seen issues where large ISPs have been auto blocked (and rightly so) by other large ISPs because the blowbacks were going to so many invalid recipients.

    From the user perspective, I’m definitely in the ‘why do you think my time is less valuable than your time’ camp — if you don’t want to read my email, don’t, abut you better not complain about it!

  7. Posted December 15, 2006 at 14:49 | Permalink

    Chase –

    ‘The vast majority of challenges I send end up bouncing. After a host bounces a few challenges, they are automatically blacklisted for 6 months.’

    How does that help avoid creating C/R blowback for real recipients?

    ‘As I said before, most of my challenges bounce. This means that the envelope on the original mail was not only forged, but forged to come from a host that either does not exist or does not itself take mail.’

    Here’s a maths lesson.

    • Let’s say you get 1000 spams per day; of that, most — let’s say 99% — of the spam uses forged env-sender addresses instead of some (real) third party’s address.

    • Now let’s say there are 100 other people using C/R filters, with a similar mail load.

    • If that third party’s address is used for a spam run that hits all those 100 people, he’ll now get (1000 * (1/100)) * 100 = 1000 C/R bounces.

    in other words, even though real-address forgeries are insignificant from your point of view, from the addressee’s POV, it’s a major problem — due to the scale of spam!

    ‘Backscatter could happen, in theory, but opponents of C/R would rather blame those that use C/R than the spammer that sent the forged spam in the first place. Why must you further make assumptions about the volume of backscatter my system generates? I am telling you that it is close to nil.’

    Adding to the problem does not help.

  8. Posted December 15, 2006 at 15:08 | Permalink

    Chase says:

    my C/R system e-mails me a log file every night that lists the sender and subject of every message as well as its disposition. So if legitimate senders are getting caught up in my C/R system, I notice it … I don’t think I’ve ever seen a valid individual’s e-mail address in my reporting

    Huh? How on Earth is that going to tell you whether an innocent 3rd party has received a challenge from you? I’m not really sure you quite understand the issue.

    I don’t see any “special circumstances” in your post that would forgive this kind of email abuse. If you’re receiving spam, use a spam filter like the rest of us do.

    And it’s not a question of “victimization”. You’re just unfortunately misguided. These are my email accounts we’re talking about (not just my spamtraps). Accounts that are receiving abusive challenges from people like you.

  9. Chase Venters
    Posted December 15, 2006 at 16:56 | Permalink

    Justin -

    ‘How does that help avoid creating C/R blowback for real recipients?How does that help avoid creating C/R blowback for real recipients?’

    It is a measurement, not a mechanism — it doesn’t do anything except illustrate that the alleged blowback problem is very small, if it is a problem at all.

    Addressing both Justin and Richi -

    I agree that backscatter is a problem. But I’m telling you that you are misdirecting your rage. There are simply too many legitimate cases for auto-responders to enact blanket prohibitions on them:

    1. Majordomo, or mailing list managers. How do you propose we replace them? What if someone sends an incorrectly formatted message, or sends a message to post to the list and an authentication problem occurs? What if someone sends mail to a subscribe address — is it okay to challenge them then, or would you prefer the mailing list simply accept the subscription as real and begin transmitting messages immediately?

    2. Sites where mail does not arrive at the final destination in one hop cannot refuse mail to the original sender’s server at the door in all failure cases. If mail finds its way to a queue on your local site and then later can’t be delivered, users expect a bounce message. It’s not just an expectation – it’s a well-practiced standard.

    3. Ticket systems for customer service groups often respond to a message and assign a case number. Are you also a victim of these services?

    I will agree that if you are going to enable some kind of a service that automatically generates a response to any incoming e-mail, you should take the necessary steps to prevent mail loops and also to put some kind of filtering in front of the service.

    But it boils down to this – if you are not willing to step up and say that Majordomo (and its kind) must die, then you are being a total hypocrite because its response messages could be just as misdirected as any other form of automailer, and because it is actually a mailing list (often made up of multiple e-mail addresses), then chances are it is also more widely published (and hence surely the target of far more spam).

    And if you want to kill Majordomo in your quest to end Internet spam, then I’d say you’re fighting in a holy war that has simply gone too far…

  10. Posted December 15, 2006 at 17:29 | Permalink

    Much of what Chase says I actually agree with. The point is, our ire isn’t directed at auto-responders, it’s directed at those auto-responders that blindly reply to forged email. That’s why I “suggested” that putting a spam filter in front of them should be job#1.

    Amongst the 25,000 backscatter messages I received over Thanksgiving were many misdirected list manager replies, acknowledgments from helpdesk ticketing systems, and the like.

  11. Chase Venters
    Posted December 15, 2006 at 18:02 | Permalink

    Richi:

    For the record, the C/R system I employ does not even look at mail that has not passed through the site’s fairly thorough spam filtering. The only reason I went to the trouble to write one is because of the prankster co-worker that had fed my e-mail address intentionally into as many surveys and as much junk as he could find, causing pages full of spam to make it through the spam filter each day. The C/R system was written to stop the crap the regular spam filter didn’t.

  12. miles
    Posted December 15, 2006 at 19:17 | Permalink

    @Chase:

    ‘After a host bounces a few challenges, they are automatically blacklisted for 6 months.’

    What’s a ‘host’ in this case (domain or connecting IP)? If its the domain, hopefully you have some exceptions — like if the domain has ever sent you real mail or someone in your address book has the domain, to prevent the $random@yahoo/hotmail/gmail that doesn’t exist forgery from getting the real domain blacklisted. IP would be another story…

  13. Chase Venters
    Posted December 15, 2006 at 19:20 | Permalink

    Miles:

    I made an error… I meant to say “After a user bounces a few challenges…”

  14. Posted December 15, 2006 at 19:23 | Permalink

    I used to be involved with a popular c/r service, and while it was far from perfect, I think the majority of complaints people have about c/r are related to bad implementations rather than the principal concept of the system.

    Brad Templeton posted an essay once about best practices of c/r. He addresses most of the issues shown above, and how to deal with them appropriately. For example, we didn’t challenge email that failed any of the following tests: SPF, A/V, basic filtering, obvious mailing list mail, system/role messages, other c/r systems, and a bunch of other heuristics. We automatically added to your whitelist anyone to whom you sent email. We allowed many different ways for users to control their white/black lists, from email addresses (both to and from), to domains and tlds, to subject keywords, and other headers. Basically, we looked at every complaint that came in, and every step in our process, and tried to determine the best way to handle each situation.

    Our goal was to build the system in such a way that even if the users didn’t do any setup or management of their whitelist, it would still be both effective and non-intrusive to their contacts.

    Did we succeed? Well, not entirely, but the system has been running for 4 1/2 years, with a good number of happy users, and is constantly being refined.

    Is C/R the best solution? For most people, I think not. Filters are good enough for the majority of users out there, but some people need a little more (or can’t risk the false positives of filtering). For them, I think a good c/r system, on top of an effective but not overly strict filter system, is a very viable solution.

  15. Posted December 15, 2006 at 19:36 | Permalink

    Chase’s C/R comes after a good spam filter? Well that puts a very different complexion on things. The likelihood of abusing an innocent 3rd party should be far less. (I strongly suspect that this was the point I was trying to make yesterday, but perhaps my stream of capital letters was too subtle. ;-)

  16. Posted December 15, 2006 at 19:51 | Permalink

    I’ll shut up in a minute, I really will. I just wanted to comment on Daryn’s point about how “Some people … can’t risk the false positives of filtering.”

    The thing is, C/R is causing more and more FPs (yes, even SpamArrest and TMDA). Not only because people can’t be bothered with responding to challenges, or are confused by them (see Steve Bass’s case for a classic example), but also because more and more server-based spam filters are filtering them as spam.

    Practical upshot: fewer legitimate messages get delivered to these users, as a direct result of their use of C/R. Those are false positives by any measure I can think of.

  17. Posted December 15, 2006 at 20:11 | Permalink

    Richi – good point!

    That is, for sure, a problem, and unfortunately, for users of those systems, there really isn’t any solution around that except to stop using the system.

    I do, however prefer this happening, to the old way, where people would blacklist our entire netblock; blocking not just the c/r messages, but also messages sent from our users to their users!

  18. Posted December 18, 2006 at 22:26 | Permalink

    Just another data point. I will delete any C/R to an email I know I sent. I’m not filtering someone elses mail for them, thanks. However, if I receive a C/R from something I didn’t send… I don’t believe I have the right to decide for them that they shouldn’t see it. So as quickly as I can, I will respond to those challenges.

    I would encourage others to do the same. If you don’t, how long will it be before someone sues you for not allowing through their daily news/porn/medication alerts?

  19. Posted December 18, 2006 at 22:55 | Permalink

    My spam filters usually do the first action automagically. As to the second, it’s tempting.

  20. Posted December 20, 2006 at 12:21 | Permalink

    Hi, I read your post comment on “http://joedrumgoole.com/blog/2006/05/16/bebo-vs-myspace-the-world-and-ireland/” about Bebo and MySpace – what you have described is heavily accurate! (and has happened at my school) – most people in my year have Bebo (I’m 16) – I have Bebo (coz some of my friends are on it) – but I do prefer MySpace because of the music and the more cool people on it! Plus you can do more with your MySpace than on Bebo!!

    Please reply!

    Thanks,

    George – London, UK

  21. Morrisy
    Posted April 3, 2007 at 22:38 | Permalink

    As a developer, let me comment on the below:

       1. Does not scale: If everyone used this method, nobody would ever get any mail. NOT TRUE - WE ALL WOULD GET THE MAIL WE WANT.  REMEMBER, A CHALLENGE SENT OUT TO THE INTERNET DIES ON THE VINE IF IT IS BACK AT THE SPAMMER. SPAMMERS HAVE NO WAY TO REPLY AS THEIR DOMAIN LIVES FOR 45 MINUTES.
       2. Annoying: Many users refuse to reply to the challenge emails, don’t know what they are or don’t trust them.  SOLVED IN TODAYS TECHNOLOGY BY A SNIPPET THAT IDENTIFIES WHO YOU JUST SENT AN EMAIL TO
       3. Ineffective: Because of confusion about these emails, many of them are confirmed by people who did not trigger them. This results in the original malicious email being delivered. NOT SURE WHAT YOU SEE HERE - THE INTENDED RECIPIENT SEES THE EMAIL - NOBODY ELSE.  JUST LIKE NORMAL EMAIL.
       4. Selfish: This is the problem we are mainly concerned with. By using challenge/response filtering, you are asking innumerable third parties to receive your challenge emails just so that a relatively few legitimate ones get through to the intended recipient. NO AGAIN - ARE YOU KIDDING?  UNSELFISH BECAUSE YOU ARE LETTING PROSPECTS, FRIENDS AND CLIENTS KNOW "YOUR EMAIL WILL ALWAYS BE IN MY IN BOX"  - IMAGINE IF THE POST OFFICE COULD SAY THAT!
    

    Reading this blog, I see a lot of far fetched protection type statements steering toward filters. I like filters, but they just do not work. The comment that CR produces SPAM is insane. The same internet is crowded with 300X the traffic for every VoIP call asking “did you get the email I sent?”

    Sending a verification back to a spammer hurts nothing. The message dies on the vine. A good CR is what we all need and that is what I see coming down the pipe.

    Who would say no to a SPAM free in-box and who would not hit “reply” once to get their resume, proposal, etc in somebody’s in-box guaranteed?

    I find your site dated and see a lot of filter guys protecting the revenue stream. SMB will be mostly CR in 2 years. Learn to live with it. It is easy and appreciated. You don’t answer the phone if the caller is blank, why would you accept an email?

  22. Posted May 30, 2007 at 16:22 | Permalink

    ‘Sending a verification back to a spammer hurts nothing. The message dies on the vine.’

    Morrisy — that’s exactly where you’re wrong. That’s the problem. See this comment again — those “messages dying on the vine” are in fact bombarding innocent third parties.

  23. Posted May 30, 2007 at 20:11 | Permalink

    I think ultimately it’s up to the person to decide if the benefit of a spam free inbox is worth the annoyance to their correspondents, and possible negative effect on their reputation, loss of deals/relationships, etc..

    Propertly managed and configured, a good C/R system shouldn’t generate much back-scatter, certainly no more than an auto-responder or vacation system.

  24. Posted May 30, 2007 at 20:32 | Permalink

    Where can I get one of these “Properly managed and configured” C/R systems of which you speak? I’ve certainly never come across one.

    I’ve come across plenty of vendors who claim that their C/R system doesn’t generate backscatter, but guess what? I’ve received backscatter from every one of them in my spamtraps.

  25. D. Stussy
    Posted October 1, 2007 at 19:35 | Permalink

    There is one point that I mentioned on Usenet (comp.mail.misc?) a couple of years ago that has been missed here:

    Challenge/Response systems themselves are SPAM RELAYS.

    In order for a challenge message to be useful, it needs to contain some sort of information about the message it is challenging. However, this inclusion of information becomes the “spam payload” that a careful spammer can use to direct his garbage to third parties. He sends his spam, forging the sender address, which is really the destination of his spam, and when the C/R system issues the challenge, the spoofed party gets spammed.

    Challenge messages that don’t include any part of the message under challenge don’t become spam delivery systems. However, they also contain insufficient information for the original sender to associate the challenge with the original message and thus will be ignored (or identified as spam,etc…). This means that the original message will be discarded by the C/R system when no response comes in. Eliminating 100% of all inbound e-mail does also eliminate 100% of all spam, but the idea is to minimize collateral damage (i.e. false positives) to permit legitimate mail to pass.

  26. Posted October 31, 2007 at 17:33 | Permalink

    Thanks for the useful links!

  27. GB
    Posted December 20, 2007 at 03:41 | Permalink

    Set up a tmda to challenge without sending back the entire message and you’ve shot D Stussy’s argument to hell. Spam filter with spamassasin first and you’ve shot most of the other arguments down as well. Either way, it’s my mailbox and I’ll do with it as I damn well please. You can filter it if you want, right?

  28. Posted December 20, 2007 at 10:27 | Permalink

    ‘Spam filter with spamassasin first’

    I’ll be the first to admit that SA doesn’t have a 100% accuracy rate, so you’re going to send challenges to innocent third parties even if you do that.

    If you have a spam filter that does have 100% accuracy, you don’t need C/R. ;)

    ‘Either way, it’s my mailbox and I’ll do with it as I damn well please.’

    Fine. You’re welcome to do that, as long as you don’t emit mail to innocent third parties. To reiterate once again, that’s the problem.

  29. A human being
    Posted July 16, 2008 at 15:57 | Permalink

    I get a lot of these challenge spams too, usually complete with pharmacy sales pitches. Not being a bot, I always reply or visit the captcha site and what not. It’s a pleasure to frustrate the spammers.

  30. SplinterFL
    Posted August 14, 2008 at 20:52 | Permalink

    C/R is not the answer and just wastes my time. I work for a small regional ISP and have to field the question of why didn’t an email get from A to B… we check the logs and see that it did get to B, then B sent an email back to the user who’s personal spam filter killed the challenge. C/R’s delay email.

    In a perfect would every email sender would be registered and have a biometric, etc, etc. to ensure they can send an email from a specific address. Till then we have a hodge-podge of Filters, RBL lists, and spam traps. One area that SPF fails is eCard sites that send email using your address to another.. most are finally changing.

    We do have a few legit business users that send about 100k message a month to their clients/suppliers of specials, etc, about 1% of them bounce from C/R.

    Here is a question…. if EVERYONE had C/R… Jane sends an email to Bob… bob’s ISP sends a C/R back to Jane. Janes ISP sends a C/R to Bob (broken whitelist or bob uses email forwarding to a different address). At this point, we have one valid message sitting in a que and to C/Rs that can’t be answered, result is a no delivery.

    I know someone is going to say that Janes ISP should not have sent a C/R since she already sent an email bob… which work on ONE server, but when you have 50 or more systems world-wide, it’s hard to keep them all in sync to the minute… how do all 50 incoming ISP servers know that Jane just sent an email and to whitelist Bob instead of prompting a C/R.

    I believe that email should be like the Postal system, In a way Internet STAMPS might be the solution. At least then there is centralized authentication and tracking, but it will take a new version of SMTP to replace the old unsecure system.

  31. aseq
    Posted February 24, 2011 at 23:24 | Permalink

    By the way, there are still companies out there using or offering it, such as “sendio.com”. I would subsequently advice anyone against using their services.

    http://www.sendio.com/authentication-about

  32. Posted February 24, 2011 at 23:51 | Permalink

    @aseq: Yes, there are, but Sendio’s not a good example any more. The company all-but replaced its C/R-ap with Commtouch’s engine a while back. The company spokespeople say they only challenge about 0.3% of messages, and these are messages they’re damn sure don’t have forged senders.

    A better example of a recent C/R vendor might be Boxbe. Another example of a naive developer trying to re-invent the “Pay me if you want to email me” FUSSP.