
What's this spam-fighting technique called?

Question:

A few years ago I came in contact – but unfortunately lost the
contact – with a mail application that blocked arriving mails and
returned them to the sender with a request to include a certain
“password” as the first word of the subject and resend the message. The
second time, when the mail was sent with that word in the subject line, it would
be delivered, as would all mails with that “password” as the first
subject word. (Naturally, any password could be chosen.)

I think this was the most genius spam eliminator I have met – if I
do not remember wrongly there was an option to keep a list of ALL
arriving mails, ‘legitimate’ as well as ‘unwanted’ ones.

Do you know the name of this product?

I do not know the name of the product that provided that
functionality.

However, I do know the terminology for that general class of spam
fighting technique.

You may find it “genius”, but I gotta say … I find it one of the
most annoying techniques on the market, and would never use it myself.
Among other things, you’ll end up missing a lot of email you really,
honestly, wanted – and probably pissing off a few of your friends.


This general class is referred to as “challenge/response”. In short,
when someone sends you an email for the first time, they are sent back
a “challenge”, which validates their return address and instructs them
to somehow prove that they are human and legitimate. They then return a
“response” that proves that, and their original email is delivered.
Thereafter, their email address is whitelisted, and they shouldn’t see
the challenge again.


What you describe is very similar: your challenge is to do something
specific to the email message, and once that is done, that message and all
other emails that follow the same rule will be delivered without delay.

One commercial provider of this service is SpamArrest. Occasionally ISPs will provide this
functionality, so you might want to check with yours.

OK, so why do I react so negatively to this technique?

To begin with, there’s a philosophical argument. You’re moving the
“work” associated with your spam problem to anyone who emails
you. You just made your problem their problem. As tempting as it is,
that just feels very, very wrong.

The more practical matter is all the people, the legitimate
senders, who won’t respond to the challenge. And there are many reasons
that they might not:

  • They might not receive it. Delivery could fail, or the challenge
    itself could be filtered as spam.

  • They might not understand it, and simply delete it. Given the vast
    quantities of spam we all do get, most of the challenges I’ve seen
    could easily be seen as spam or a phishing attempt on a quick glance,
    even though they’re not.

  • The sender might feel as I do, and simply be unwilling to
    respond.

  • The sender might be a machine. This is the one that’s a real deal
    breaker for me: say you sign up for a new account on some web site,
    which then sends you a confirmation email you must respond to in order
    to activate your account. You never get it. Why? Because your C/R
    system blocks it and sends a challenge back to the originating system –
    which doesn’t know how to respond, or sends from a no-response email
    address.
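To make the mechanism and its failure modes concrete, here is a small simulation of a challenge/response filter of the kind described above. It is an added example, not code from Ask Leo! or from any C/R product: the addresses, subjects and the passphrase are all constructed. It walks through the four cases the article and its comments raise: a cooperative human sender, a machine sender that never reads the challenge, a challenge sent to a forged From address (the backscatter the comments below describe), and spam forging an address that is already whitelisted.

```python
"""Simulation of a challenge/response (C/R) mail filter and its failure modes.

Added example: not code from Ask Leo! or from any C/R product. All addresses,
subjects and the passphrase below are constructed for illustration.
"""
from dataclasses import dataclass, field

PASSPHRASE = "opensesame"   # constructed; the "password" the question describes
MY_ADDRESS = "me@example.net"   # constructed; the filter owner's own address


@dataclass
class Mail:
    sender: str            # From address; spammers routinely forge this
    subject: str
    body: str = ""


@dataclass
class CRFilter:
    whitelist: set = field(default_factory=set)
    held: dict = field(default_factory=dict)        # sender -> messages awaiting a response
    inbox: list = field(default_factory=list)
    challenges: list = field(default_factory=list)  # (to, subject) of every challenge emitted

    def receive(self, mail: Mail) -> str:
        words = mail.subject.split()
        passes = mail.sender in self.whitelist or (words and words[0].lower() == PASSPHRASE)
        if passes:
            # A valid response whitelists the sender and releases anything held for them.
            self.whitelist.add(mail.sender)
            self.inbox.extend(self.held.pop(mail.sender, []))
            self.inbox.append(mail)
            return "delivered"
        # Unknown sender: hold the message and send a challenge back to the From address.
        self.held.setdefault(mail.sender, []).append(mail)
        self.challenges.append(
            (mail.sender, f"Resend with '{PASSPHRASE}' as the first word of your subject")
        )
        return "challenged"


def human_resends(original: Mail) -> Mail:
    """A cooperative human reads the challenge and resends with the passphrase."""
    return Mail(original.sender, f"{PASSPHRASE} {original.subject}", original.body)


def run_scenarios() -> dict:
    f = CRFilter()
    out = {}

    # 1. First-time human sender: held and challenged, then delivered on compliance.
    friend = Mail("alice@example.org", "Lunch?", "Free on Friday?")
    first = f.receive(friend)
    second = f.receive(human_resends(friend))
    out["friend"] = (first, second, "alice@example.org" in f.whitelist, len(f.inbox))

    # 2. Machine sender (account confirmation): nobody reads the challenge, so the
    #    confirmation sits in 'held' forever. This is the deal-breaker in the article.
    confirm = Mail("no-reply@shop.example", "Confirm your account", "Click to activate")
    out["machine"] = (f.receive(confirm), len(f.held["no-reply@shop.example"]))

    # 3. Spam with a forged From: the challenge is addressed to an innocent third
    #    party who never wrote to us (the "backscatter" raised in the comments).
    spam = Mail("victim@example.com", "Cheap pills")
    f.receive(spam)
    out["backscatter_to"] = f.challenges[-1][0]

    # 4. Spam forging an address that is already whitelisted (your own, say) is
    #    delivered: C/R keys on the From address, and that address is unauthenticated.
    f.whitelist.add(MY_ADDRESS)
    out["spoofed_self"] = f.receive(Mail(MY_ADDRESS, "Cheap pills"))

    out["challenges_sent"] = len(f.challenges)
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

Running the scenarios shows why the filter keys entirely on the sender address: the one thing a C/R system never verifies is that the From address belongs to whoever actually sent the message, which is the common root of both the backscatter and the spoofed-self cases.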

Now, to be fair, there are counterarguments for every point I’ve
raised. The challenges are of course architected to be deliverable and
understandable. Senders such as myself are presumably in the minority.
And if you remember to do so, you can typically proactively whitelist
addresses that you know are going to be sending you email.

And yet, it all seems error prone to me. To me, getting a little
more spam is less painful than missing an email for whatever
reason.

But, obviously, you’ll have to make your own decision.

Search for “challenge response” and you’ll turn up a number of
providers, as well as a number of opinions, both agreeing and
disagreeing with me.


6 comments on “What's this spam-fighting technique called?”

  1. You forgot one of the biggest (IMHO) problems with C/R — “backscatter”.

    Remember, every spam that you get from an “unknown” sender gets a challenge sent to the forged “from” address. And a good portion of those forged “from” addresses are valid, resulting in you generating unwanted, unsolicited e-mails (read: spam) to those innocent bystanders.

  2. Backscatter indeed is the biggest problem with C/R, IMO. As someone whose email address is all over the Internet, I get dozens of bunk C/R messages every day. Once every couple months someone sends out a huge spam run with the “from” as my address and I’ll get thousands of bounces and C/R garbage a day for a couple days.

    Anything that creates backscatter is considered a poor practice by most people these days, and some spam blacklists will list you for doing it, which will cause problems with your ability to send email to some people.

  3. Additionally, the specific example of C/R asked about in the question sounds very easy to program a bot to bypass. How difficult it is to create an email bot to put a word from an email into the subject – especially as these emails are probably quite standardised and it wouldn’t be that difficult to program a bot to “find” the password and stick it in the subject.

  4. I use Digiportal’s Choice Mail–a challenge/response whitelist program. The simple truth is that NOTHING works except challenge/response in conjunction with whitelisting. Without c/r, all that happens is you are forced to constantly check the junk box. You’re back to sorting email. Without whitelisting, you’re at the mercy of rules-based spam programs that are either too inclusive (false positives) or too lax (too much spam gets through). Digiportal has had its issues over the years–including the addition of some rules to go with the whitelisting. (I just delete the rules since it is contrary to the fundamental concept of the program.) But unlike most other challenge/response programs, you can actually BUY the program without having to pay monthly fees.

  5. My technique is to use my ISP’s mail filters to label (prefix) all suspected Spam with “***SPAM*** “, and to whitelist those people and services I use or communicate with regularly. I still have to scan my Inbox, but the labelling segregates the Spam (my Inbox is sorted) and makes verification (i.e., correction of any false positives) and deletion MUCH faster and easier. I’ll add that my ISP’s spam filters seem quite good — I get perhaps 80 Spam per day, and I’d say I get a false-positive no more often than once in 2,500 messages. I could probably get away with having my ISP auto-delete my Spam, but I check them instead, on general principles, as I’d FAR rather put up with the minor annoyance of giving the Spam a quick once-over before consigning them to oblivion than missing even one single E-Mail that I genuinely want to receive.

    The rare false-positive is usually some service I’ve just signed up for. I simply copy the sender’s address, paste it into the mail filters and set it to whitelist, and Bing! no more false positive (for that sender)! Now, it is true that my whitelist has grown to about 150 entries — and I must STILL scan my Inbox! — so I can see why some people will think me an idiot. :) But maintaining that whitelist still makes dealing with Spam much easier, and I am quite satisfied.

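The label-and-whitelist approach in the comment above, as an added example that is not the commenter's ISP filter or any product's code. The whitelist, the crude keyword rules standing in for the ISP's real filter, and the three raw messages are all constructed. The point it demonstrates is ordering: the whitelist is consulted before the spam rules, so a trusted sender is never tagged, and a false positive becomes a one-time whitelist entry rather than a recurring problem.

```python
"""Label-and-whitelist mail sorting.

Added example, not the commenter's ISP filter or any product's code. The
whitelist, the keyword rules and the raw messages below are constructed.
"""
from email import message_from_string
from email.message import Message

SPAM_TAG = "***SPAM*** "
WHITELIST = {"alice@example.org", "newsletter@example.org"}     # constructed
SPAM_PHRASES = ("cheap pills", "act now", "you have won")       # constructed, deliberately crude


def is_suspected_spam(msg: Message) -> bool:
    """Stand-in for the ISP's scoring: any listed phrase in subject or body."""
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    return any(phrase in text for phrase in SPAM_PHRASES)


def label(msg: Message) -> Message:
    """Whitelist first, then rules: a whitelisted sender is never tagged."""
    if msg.get("From", "").lower() in WHITELIST:
        return msg
    subject = msg.get("Subject", "")
    if is_suspected_spam(msg) and not subject.startswith(SPAM_TAG):
        if "Subject" in msg:
            msg.replace_header("Subject", SPAM_TAG + subject)
        else:
            msg["Subject"] = SPAM_TAG + subject
    return msg


def sort_inbox(raw_messages):
    """Label every message, then sort so tagged mail groups together for a quick once-over."""
    labelled = [label(message_from_string(raw)) for raw in raw_messages]
    labelled.sort(key=lambda m: (not m.get("Subject", "").startswith(SPAM_TAG), m.get("From", "")))
    return [(m.get("From", ""), m.get("Subject", "")) for m in labelled]


# Constructed sample mailbox. Alice's subject would trip the rules, but she is whitelisted.
RAW = [
    "From: alice@example.org\nSubject: Act now or lose lunch\n\nJust kidding. Friday?\n",
    "From: spammer@example.net\nSubject: You have won\n\nClaim your prize\n",
    "From: bob@example.com\nSubject: Project notes\n\nSee attached\n",
]

if __name__ == "__main__":
    for sender, subject in sort_inbox(RAW):
        print(f"{sender:25} {subject}")
```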
  6. I have to say that implementing a C/R setup would not do me much good. I receive about 5 ‘spam’ e-mails a day – from MYSELF. Now, I know these are spoofed to look that way, but a C/R program won’t know that. It will either let them through (as they are from a ‘trusted’ address) or they will generate challenges (replacing one spam with another).

