Monday, 2 May 2005

Why Challenge/Response is bad

Challenge/response (C/R) is disliked by users and legitimate bulk mailers alike. Unfortunately, anti-spam technologists who should know better keep re-inventing it.

The most recent example that I've come across is SquareAnswer. Whenever I hear about a new anti-spam vendor with "secret," "revolutionary," "patent-pending" technology, that suffer "zero false positives," I roll my eyes and prepare for yet another C/R product.

What is it? Briefly, if a C/R recipient is sent email "from" a sender that it's never heard of before, it auto-replies with a challenge. Until the sender has satisfactorily responded to the challenge, their mail doesn't get through to the recipient's inbox.

Although possibly useful in some environments, it's basically a terrible idea. It's generally worse than today's state of the art spam filters, which use techniques such as Bayesian filtering, heuristics, and "out of band" connection data analysis. Here's why...

  1. Users hate receiving challenges; especially if their email address has been forged by a spammer and they've never even heard of the person it came from, let alone emailed them. A significant number of people just don't respond to challenges, which means that the false positive problem is worse than with conventional filtering.
  2. Legitimate mailers hate it because they can't deal with the flood of challenges when they send out newsletters. Again, the false positive (or "deliverability") problem is worse. Much worse, in this case.
  3. C/R shifts the cost of spam from recipients to the senders of legitimate mail. How dare you make me prove that I am who I say I am? I've already published an unambiguous SPF record that says that my IP address is permitted to send email from my domain; what more do you want? We won't win the war against spam until the costs are shifted to the spammers.
  4. Users who employ C/R are seen by some as spammers in their own right. It's part of the phenomenon known as "backscatter." Imagine if your email address was used by spammers to forge the "sender" of their pill-pushing messages. You would expect to receive many non-delivery reports from mailboxes that no longer exist, "we don't want your spam" bounces from badly-configures spam filters, and challenges from people running C/R systems. How is this better than the spam we're trying to kill?
  5. If you run a C/R system, you are likely to be blacklisted for spamming, and your ISP will receive abuse complaints about you. You may even lose your connectivity as a penalty for violating your ISP's Terms Of Service or Acceptable Use Policy.
Vendors: enough with the C/R reinvention already!

Users and IT managers: don't buy it. There are much better ways to filter spam without the problems that C/R will cause you.

Categories: , , .