challenge-response as a solution to spam

this article by anick jesdanun of the associated press (on msnbc) about criticisms of earthlink's challenge-response anti-spam system from list owners is pretty on-the-nose. challenge-response for individuals is pretty onerous. for mailing lists, though, my experience with the php and mysql lists is that it does a really fantastic job of thwarting spam, at the cost of some people with poorly configured mail systems having trouble posting to the list because they never see the challenge.

the form of personal challenge-response that i think is most useful is simply bouncing apparent spam. as i've said before, i am not a fan of filtering. if i send someone an email that happens to get classified as a false positive, i'd rather it be bounced back to me so i can try again instead of it being buried in some filtered folder that they check rarely and/or incautiously.

ed felten also covered another critical weakness in challenge-response systems—spammers could make their spams look like challenges to slip through the let-challenges-through loophole you'd need to add to the challenge-response system if this technique were widespread.

this is another big spam loophole in smtp generally: a good system will let rejection notices through, but there's no way to validate that a rejection notice is legitimate. this would be pretty easy to fix if you could get the cooperation of mta software authors.
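one way an mta could validate rejection notices, as an added example that is not from the original post: the sending side tags its envelope sender with a dated keyed mac, and the receiving side accepts a bounce only if the address it is delivered to carries a tag it issued. the scheme is loosely modelled on bounce address tag validation (batv) but simplified; the key, the addresses, the function names and the seven-day lifetime are all assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed key; a real mta would load its own secret
MAX_AGE_DAYS = 7                  # assumption: tags expire a week after they are issued


def _mac(day: int, address: str) -> str:
    """first 6 hex chars of an hmac over the expiry day and the original address."""
    msg = f"{day:03d}{address.lower()}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:6]


def sign_sender(address: str, today: int) -> str:
    """outbound: rewrite the envelope sender (MAIL FROM) to carry a dated tag.
    `today` is a running day number, e.g. days since the unix epoch."""
    if "@" not in address:
        raise ValueError("not an address")
    day = (today + MAX_AGE_DAYS) % 1000
    return f"prvs={day:03d}{_mac(day, address)}={address}"


def validate_bounce(rcpt: str, today: int) -> bool:
    """inbound: a message with a null sender (MAIL FROM:<>) is accepted only if
    its recipient carries a tag we issued that has not expired."""
    if not rcpt.startswith("prvs="):
        return False                      # untagged: we never sent mail as this address
    tag, sep, address = rcpt[5:].partition("=")
    if not sep or len(tag) != 9 or not tag[:3].isdigit() or "@" not in address:
        return False                      # malformed tag
    day = int(tag[:3])
    # day numbers wrap at 1000, so compare the remaining lifetime modulo 1000
    if (day - today) % 1000 > MAX_AGE_DAYS:
        return False                      # expired, or dated further ahead than we issue
    # constant-time comparison of the presented mac against the recomputed one
    return hmac.compare_digest(tag[3:].encode(), _mac(day, address).encode())
```

a spam dressed up as a bounce or a challenge would have to arrive at a correctly tagged address, which the spammer cannot produce without the key.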

hopefully these issues are being discussed in depth as part of the ietf asrg.
