
Challenge/Response is a controversial spam fighting technique that forces senders to validate themselves before their email will be accepted.

A few years ago I came in contact - but unfortunately lost the contact - with a mail application that blocked arriving mails and returned them to the sender with a request to include a certain "password" as the first word of the subject and resend the message. The second time, when the mail was sent with that word in the subject line, it would be delivered, as would all mails with that "password" as the first subject word. (Naturally, any password could be chosen.)

I think this was the most genius spam eliminator I have met - if I do not remember wrongly there was an option to keep a list of ALL arriving mails, 'legitimate' as well as 'unwanted' ones.

Do you know the name of this product?

I do not know the name of the product that provided that functionality.

However, I do know the terminology for that general class of spam fighting technique.

You may find it "genius", but I gotta say ... I find it one of the most annoying techniques on the market, and would never use it myself. Among other things, you'll end up missing a lot of email you really, honestly, wanted - and probably pissing off a few of your friends.

This general class is referred to as "challenge/response". In short, when someone sends you an email for the first time, they are sent back a "challenge", which validates their return address and instructs them to somehow prove that they are human and legitimate. They then return a "response" that proves that, and their original email is delivered. Thereafter, their email address is whitelisted, and they shouldn't see the challenge again.


What you describe is very similar: the challenge is to do something specific to the email message (in this case, put the chosen password at the start of the subject line), and once that is done, that message and all later emails that follow the same rule will be delivered without delay.

One commercial provider of this service is SpamArrest. Occasionally ISPs will provide this functionality, so you might want to check with yours.

OK, so why do I react so negatively to this technique?

To begin with, there's a philosophical argument. You're moving the "work" associated with your spam problem to anyone who emails you. You just made your problem their problem. As tempting as it is, that just feels very, very wrong.

The more practical matter is all the people, the legitimate senders, who won't respond to the challenge. And there are many reasons they might not:

  • They might not receive it. Delivery could fail, or the challenge itself could be filtered as spam.

  • They might not understand it, and simply delete it. Given the vast quantities of spam we all do get, most of the challenges I've seen could easily be seen as spam or a phishing attempt on a quick glance, even though they're not.

  • The sender might feel as I do, and simply be unwilling to respond.

  • The sender might be a machine. This is the one that's a real deal breaker for me: say you sign up for a new account on some web site, which then sends you a confirmation email you must respond to in order to activate your account. You never get it. Why? Because your C/R system blocks it and sends a challenge back to the originating system - which doesn't know how to respond, or sends from a no-response email address.

Now, to be fair, there are counter arguments for every point I've raised. The challenges are of course architected to be deliverable and understandable. Senders such as myself are presumably in the minority. And if you remember to do so, you can typically proactively whitelist addresses that you know are going to be sending you email.

And yet, it all seems error prone to me. To me, getting a little more spam is less painful than missing an email for whatever reason.

But, obviously, you'll have to make your own decision.

Search for "challenge response" and you'll turn up a number of providers, as well as a number of opinions, both agreeing and disagreeing with me.

Article C3405 - June 4, 2008

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


Ken B
June 4, 2008 12:11 PM

You forgot one of the biggest (IMHO) problems with C/R -- "backscatter".

Remember, every spam that you get from an "unknown" sender gets a challenge sent to the forged "from" address. And a good portion of those forged "from" addresses are valid, resulting in you generating unwanted, unsolicited e-mails (read: spam) to those innocent bystanders.

Chris Buechler
June 4, 2008 4:19 PM

Backscatter indeed is the biggest problem with C/R, IMO. As someone whose email address is all over the Internet, I get dozens of bunk C/R messages every day. Once every couple months someone sends out a huge spam run with the "from" as my address and I'll get thousands of bounces and C/R garbage a day for a couple days.

Anything that creates backscatter is considered a poor practice by most people these days, and some spam blacklists will list you for doing it, which will cause problems with your ability to send email to some people.
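As an added illustration (not code from the article or from any product it names), here is a small Python simulation of a challenge/response filter. It shows the whitelist forming once a sender answers, and two of the failure modes raised on this page: the machine sender writing from a no-reply address (from Leo's list), and backscatter, where the challenge goes to whoever the spam forged as its From address (from the comments above). All addresses and messages are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class Message:
    sender: str   # the From address as the filter sees it (forgeable)
    subject: str

@dataclass
class CRFilter:
    whitelist: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)         # sender -> held mail
    inbox: list = field(default_factory=list)
    challenges_sent: list = field(default_factory=list)  # addresses we mailed

    def receive(self, msg: Message) -> str:
        """Deliver whitelisted mail; hold everything else and mail a challenge
        back to whatever address the message claimed to come from."""
        if msg.sender in self.whitelist:
            self.inbox.append(msg)
            return "delivered"
        self.pending.setdefault(msg.sender, []).append(msg)
        self.challenges_sent.append(msg.sender)
        return "challenged"

    def respond(self, sender: str) -> int:
        """The sender answered the challenge: whitelist it, release its mail."""
        self.whitelist.add(sender)
        released = self.pending.pop(sender, [])
        self.inbox.extend(released)
        return len(released)

def simulate() -> dict:
    f = CRFilter()
    # A friend writes for the first time, answers, and is never challenged again.
    f.receive(Message("alice@friend.example", "hello"))
    f.respond("alice@friend.example")
    second = f.receive(Message("alice@friend.example", "hello again"))
    # A web site sends an activation mail from a no-reply address (constructed):
    # nobody will ever answer the challenge, so the mail is held forever.
    f.receive(Message("no-reply@shop.example", "Activate your account"))
    # Spam arrives with a forged From address: the challenge goes to an
    # innocent third party (backscatter) and the spam sits in the queue.
    f.receive(Message("bystander@victim.example", "Cheap pills"))
    return {
        "inbox": [m.subject for m in f.inbox],
        "second_mail_from_friend": second,
        "held_forever": sorted(f.pending),
        "challenges_sent_to": f.challenges_sent,
    }
```

The filter cannot tell the no-reply sender from the forged one: both simply never answer, so the activation mail is lost and the bystander receives unsolicited mail from you.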

Eli Coten
June 7, 2008 3:37 PM

Additionally, the specific example of C/R asked about in the question sounds very easy to program a bot to bypass. How difficult is it to create an email bot that puts a word from an email into the subject - especially as these emails are probably quite standardised and it wouldn't be that difficult to program a bot to "find" the password and stick it in the subject?

Mark S
June 8, 2008 7:52 AM

I use Digiportal's Choice Mail--a challenge/response whitelist program. The simple truth is that NOTHING works except challenge/response in conjunction with whitelisting. Without c/r, all that happens is you are forced to constantly check the junk box. You're back to sorting email. Without whitelisting, you're at the mercy of rules-based spam programs that are either too inclusive (false positives) or too lax (too much spam gets through). Digiportal has had its issues over the years--including the addition of some rules to go with the whitelisting. (I just delete the rules since it is contrary to the fundamental concept of the program.) But unlike most other challenge/response programs, you can actually BUY the program without having to pay monthly fees.

Glenn P.
June 10, 2008 11:43 AM

My technique is to use my ISP's mail filters to label (prefix) all suspected Spam with "***SPAM*** ", and to whitelist those people and services I use or communicate with regularly. I still have to scan my Inbox, but the labelling segregates the Spam (my Inbox is sorted) and makes verification (i.e., correction of any false positives) and deletion MUCH faster and easier. I'll add that my ISP's spam filters seem quite good -- I get perhaps 80 Spam per day, and I'd say I get a false positive no more often than once in 2,500 messages. I could probably get away with having my ISP auto-delete my Spam, but I check them instead, on general principles, as I'd FAR rather put up with the minor annoyance of giving the Spam a quick once-over before consigning them to oblivion than miss even one single E-Mail that I genuinely want to receive.

The rare false-positive is usually some service I've just signed up for. I simply copy the sender's address, paste it into the mail filters and set it to whitelist, and Bing! no more false positive (for that sender)! Now, it is true that my whitelist has grown to about 150 entries -- and I must STILL scan my Inbox! -- so I can see why some people will think me an idiot. :) But maintaining that whitelist still makes dealing with Spam much easier, and I am quite satisfied.

March 3, 2010 12:58 AM

I have to say that implementing a C/R setup would not do me much good. I receive about 5 'spam' e-mails a day - from MYSELF. Now, I know these are spoofed to look that way, but a C/R program won't know that. It will either let them through (as they are from a 'trusted' address) or they will generate challenges (replacing one spam with another).
