1. Technology
You can opt-out at any time. Please refer to our privacy policy for contact information.

Discuss in my forum

What You Need to Know About Challenge - Response Spam Filters

The Problems of Challenge/Response Filtering


Challenge/response spam filtering systems that let through only mail from known good senders and challenge the unknown to authorize themselves work reasonably well, but they are not without problems.

Newsletters are Shut Out

Like spam, email newsletters are sent to thousands of recipients. The difference, of course, is that newsletters are never sent unsolicited. Recipients have signed up and do want to receive their copy.

Unfortunately, this may be difficult with challenge/response spam filtering. Senders of newsletters are hit almost as hard by them as spammers are: it's not possible or at least a huge waste of time to authorize as a sender for hundreds of recipients every week.

That's why it is important that users of challenge/response spam filters put newsletter senders on their white list as soon as they sign up.

Alternatively, some challenge/response spam filtering services let set up disposable email addresses. Mail sent to such an address always gets trough the challenge/response filter — until you disable it.

Challenging People Using Challenge/Response

What if you mail somebody who, like you, uses a challenge/response spam filter? Without precautions, the recipient's filter will challenge you, and your filter will challenge the sender of the challenge again. It's a beautiful loop, though neither of you ever sees a message.

Fortunately, solving this problem is pretty straight forward. If all recipients of outgoing email are automatically put on the white list, the recipient's challenging message gets through to you just fine and you can authorize yourself with the recipient's challenge/response filter.

As an additional bonus, the recipient of your message can reply unhampered by your filter.

The Majority of Challenges are Useless, Maybe Abuse

Since the vast majority of mail from unknown senders is spam (as challenge/response filters readily assume), most of the challenges will be nothing but unnecessary email traffic. If widely deployed, this (not-quite, but almost) duplication of spam means a further burden on the email infrastructure.

Fortunately, many challenge/response filters are sane and smart enough to filter out many of the addresses whose challenges would be pointless.

Still, the automatic replies of challenge/response spam filters can be easily abused. In a concerted action (it need not even be an attack), spam can be sent "from" a certain address to thousands of challenge/response-enabled email addresses. The victim address will be bombarded by thousands of challenging messages immediately and have at least their mailbox clogged.

Spammers Using Whitelisted Addresses Get Through

If challenge/response spam filters with extensive white lists are in widespread use, spammers will probably start taking advantage of this.

Since mail from senders or domains on the white list is always allowed through, all they have to do is use a commonly whitelisted email address (the address used to send to send newsletters from the New York Times or USA Today, for example).

A potential solution to this problem is to require a secret code or, better even, a digital signature in each message to verify the sender.

The Challenge is Annoying

Not only is the challenge annoying and can be perceived as rude, a lot of people will also not be sure what to do. The impression they get is that the recipient's email system is broken in some way and that they can't send mail.

If you rely on unknown people to contact you, using a challenge/response spam filter is out of the question.

©2014 About.com. All rights reserved.