Wednesday, 13 December 2006

Boxbe: Another C/R Spamhaus

Some buzz today about Boxbe -- a service that promises to forward unsolicited email only from those willing to pay a fee for your attention. I signed up to take a look, and was frankly horrified by what I found.

Boxbe is a front for another of these awful challenge/response setups. Look at the reply I got to a test message:

Subject: Held: testing

The message you sent to richi@boxbe.com regarding "testing" is being held undelivered because he or she has not pre-approved your email address [redacted] for access.

To deliver your message, you can:

* Take a short test (a simple test by following the link below
[link redacted]

* Pay a small fee (USD $0.15) which
Boxbe will share with the richi@boxbe.com. This is intended
for advertisers. To pay, click on the link below:
[link redacted]

Sigh. In case you've not heard the mantra already:
  1. Challenge/response causes spam (because spammers forge the sender)
  2. So if you use C/R, you're a spammer
  3. Filtering your spam is not my job
  4. If everyone used it, email wouldn't work!

Prediction: if Boxbe gets popular, spammers will start sending to it, which will cause backscatter complaints, which will cause blacklisting of Boxbe's servers.
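To make the mechanics concrete, here is a small constructed simulation (added to this post; it is not Boxbe's code and every address in it is made up). It models a naive C/R mailbox that challenges whatever the envelope sender claims, and shows the two failure modes above: a forged sender turns the challenge into backscatter at an innocent third party, and two C/R users mailing each other challenge each other's challenges forever. A flag switches the challenges to a null envelope sender, the RFC 3834 convention for auto-responses, to show that this stops the loop but not the backscatter.

```python
"""Toy model of challenge/response (C/R) mail handling. Constructed example."""
from collections import defaultdict, deque


class MailNet:
    """Queue-based model: every address is local; C/R-protected mailboxes
    hold mail from unknown senders and fire a challenge at the envelope sender."""

    def __init__(self, cr_users, null_sender_challenges=False):
        self.cr_users = set(cr_users)
        self.null_sender = null_sender_challenges  # send challenges from MAIL FROM:<>
        self.inbox = defaultdict(list)   # (sender, subject) pairs actually delivered
        self.held = defaultdict(list)    # messages waiting for a passed challenge
        self.queue = deque()

    def send(self, sender, rcpt, subject):
        self.queue.append((sender, rcpt, subject))

    def run(self, max_hops=10):
        """Deliver until the queue drains or max_hops is hit; returns hops used."""
        hops = 0
        while self.queue and hops < max_hops:
            sender, rcpt, subject = self.queue.popleft()
            hops += 1
            # Null-sender mail is an auto-response and is never challenged
            if rcpt in self.cr_users and sender != "":
                self.held[rcpt].append((sender, subject))
                self.send("" if self.null_sender else rcpt, sender, f"Held: {subject}")
            else:
                self.inbox[rcpt].append((sender, subject))
        return hops


def forged_sender_backscatter(null_sender=False):
    """Point 1: spam with a forged Return-Path makes the C/R user challenge an
    innocent third party who never wrote to them. Addresses are constructed."""
    net = MailNet({"cr-user@boxbe.example"}, null_sender)
    net.send("richi@example.net", "cr-user@boxbe.example", "testing")  # forged sender
    net.run()
    return net.inbox["richi@example.net"]  # the innocent party gets the challenge


def two_cr_users(null_sender=False):
    """Point 4: two naive C/R users mailing each other loop until the hop cap;
    null-sender challenges end the loop, but the original mail stays held."""
    net = MailNet({"alice@cr.example", "bob@cr.example"}, null_sender)
    net.send("alice@cr.example", "bob@cr.example", "lunch?")
    hops = net.run(max_hops=10)
    return hops, net.inbox["bob@cr.example"], len(net.held["bob@cr.example"])
```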

Here's why backscatter is bad, and here's more about the stupid idea that is challenge/response. But don't just take my word for it.

Other Boxbe coverage at Wired, GigaOM, Download Squad.

9 comments:

James Miller said...

I agree totally with what you say. Challenge/Response is a complete waste of time. A much better approach is to use POPFile or even Outlook 2003+ to filter out the spam.

I get 6,000 plus messages a day and it takes me perhaps a few minutes to cope with them.

Anonymous said...

I agree with you too Richi, when I found Boxbe, I was just kind of surprised that a company was attempting to use challenge/response within a business model.

Anonymous said...

Hey, Richie,

I take your point on bad Challenge/Response, but having looked at Boxbe's system, I don't think it fails your tests.

1. It's scalable. You just have to whitelist people you want to talk to and ignore those you don't.

2. Banning an entire domain is rare for internal spam filters. Yahoo, Hotmail, Gmail and AOL as domains haven't been banned, no matter how much they're used by spammers.

3. Any backscatter which happens to duplicate an existing user will just be sent to another user's quarantine, where it'll be added to their own unwanted spams.

My own issue is that it only works as one of those pay-per-click sites where people want to earn money by teasing advertisers; as a generic spam filter it doesn't take any work away from the user - they still have to look through their quarantined section and decide if there's anything they want to keep.

Richi Jennings said...

Jon, the point about C/R being bad isn't primarily about whether it works for you as a user, it's about whether it causes the rest of us to get misdirected challenges.

Anonymous said...

See, this is the bit I'm finding hard to understand.

I get that C/R basically alerts the spammers that this is a live address. I made the mistake in my early days of responding to one with a terse message, which opened the floodgates for a whole other tidal wave, forcing me to abandon that ship. I get the fact that if a lot of responses come through from a boxbe address, then the spam machines will think; "aha, these are live addresses, I will use the boxbe domain more often," and thus boxbe addresses will be hijacked.

The rest of us in this case would be other people on the same domain, right? Other people who've signed up to the service? AFAIK, your issue is that the spammers generate random name lists; Ulysses.Periwinkle, David.Sniffnugget, and occasionally they hit a real one, Bob.Smith.

As far as I understand it, boxbe is a one way street, though; so you don't have the capacity to send emails through that address. Ergo, there's no possibility of Bob.Smith@boxbe.com receiving a flood of 'undeliverables' because the Boxbe Protocol doesn't allow for delivery in the first place. If anything is being cluttered, it's Boxbe's own server space, before it even gets to your door; be it ads for C1al1s, or 'undeliverable' messages. And, of course, if you're really not interested in being paid for ads and are just using boxbe as a spam filter, then you can stop any automated messages coming through.

If I've missed the point, please let me know, because I'm interested in this space, and you seem quite evangelical about it.

Richi Jennings said...

Jon, here's what you're missing: these days, you can't "reply" to spammers. That's because they forge the return address. Often the forged address belongs to a real person (like me).

So, if a spammer uses my address to forge the return address and sends spam to your Boxbe account, Boxbe will reply to... me!

In a nutshell, that's the definition of backscatter -- it's as bad as spam. In many ways, it is spam. C/R products like Boxbe are abusive -- plain and simple.

That's why I said my objection isn't about whether it works for you as a user of C/R products, it's about whether it causes the rest of us to get misdirected challenges.

jonnyargles said...

Okay, that's cleared up now. Thanks for that. I can see how the Boxbe thing is more problematic, as the legitimacy of the message isn't even taken into account, unlike conventional spam filters.

Kompendium said...

To unsubscribe from getting boxbe mails go to: https://www.boxbe.com/unsubscribe
I found this on a blog with similar issue: http://www.ventrino.com/blog/309/2009/06/boxbecom-spam-scam/
- Enrique Gonzalez

Anonymous said...

Why the hell use Boxbe? It's a big hell...
Please don't use it.
