Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Why I (Still) Don’t Like Challenge/Response Spam Blockers

Some time ago, due to an error on my end, The Ask Leo! Newsletter came “From:” the wrong email address.

As a result, in addition to the usual flood of “I’m not in the office right now, but I’ll get back to you…” messages, I also received a number of what are called “challenge/response” messages. These are messages that often begin with: “I’m protecting myself from receiving junk mail. Please click the link below to complete the verification process.”

Uh … no. I can’t. I’m afraid I just don’t have the resources to click through or jump through additional hoops for hundreds of messages like this.

But, honestly, this isn’t about me; I’m concerned about you and what you may be missing.

Become a Patron of Ask Leo! and go ad-free!

Challenge/Response

Challenge/response is a spam fighting technique. You sign up for it through any of several services (or your ISP provides it, or your workplace implements it). It works like this:

  • The first time someone sends you an email, the email is not delivered to you immediately.
  • The service sends an email back to the sender — called the challenge — with a message similar to “I’m protecting myself from receiving junk mail. Please click the link below to complete the verification process.”.
  • If they click the link — the response — the service then:
    • adds them to a whitelist so they don’t have to see the challenge again in email they send to you
    • delivers that original email to you.
  • If they don’t click the link their email to you is never delivered. It may be held in a quarantine you can check manually if you remember to.

You never get spam, because spammers don’t see the challenge, and click the link. But you run the risk of friends or other legitimate correspondents also never clicking the link, and never being able to email you. (Though you can typically add email addresses to the whitelist yourself, manually, if you think of it.)

My mistake

First, let’s clear up what happened to my newsletter.

Normally, the newsletter comes “From: leo@askleo.com”, but this one accidentally came “From: leo@pugetsoundsoftware.com”, my company email address. Nothing had changed other than it appeared to come from someone else because of the different email address.

Like I said, my mistake. It happens.1

Email / SpamSince it looked like someone else, everyone using challenge/response needed to respond with that challenge in order to validate this “new” (or at least different) source of email. (And as I said, I just don’t have the resources to respond.)

How challenge/response hurts you

Not getting an issue of my newsletter is not a huge deal. I fixed the “From:” address for the next newsletter and all was back to normal, at least with respect to Ask Leo! distribution. (And you can always access the archive of every issue at newsletter.askleo.com.)

The problem is this: I’m not alone in ignoring challenge/response. As a result, those who use it miss emails — quite possibly important ones.

Your bank probably doesn’t respond to challenge/response. Your credit card company probably won’t. Neither will the online store you just purchased something from. Many of these emails, if not most, are sent from “no reply” email addresses that explicitly ignore anything sent to them, including any challenge your filter issues.

What messages are you missing from them?

Whitelisting helps, but not enough

You can proactively whitelist the email address you expect email to come from; heck, it’s what I ask you to do when you sign up for my newsletter. (Whitelist leo@askleo.com, leosanswers@aweber.com, and you might as well whitelist leo@pugetsoundsoftware.com while you’re at it. :-) ).

But do you?

Do you even know what email address you should expect email to arrive from? There are mailers that (for a variety of reasons) use any of several “From:” addresses. That means whitelisting one won’t guarantee that you’ll get the next.

I know messages not responded to are often quarantined for your review. Do you review messages quickly enough, or do you find yourself missing time-sensitive emails because challenge/response delayed them? And how is reviewing those held messages any different than, say, reviewing a spam folder periodically when using a more traditional spam filter?

It can work

As you can see, I’m not a fan of challenge/response at all. It puts the burden of spam on anyone who sends you legitimate email. It punishes the good guys.

That being said, it can work, but only:

  • if you always proactively add email addresses to a whitelist
  • if those addresses never change without warning
  • if your challenge/response service quarantines un-verified emails and you check that quarantine frequently enough
  • and if you don’t mind pushing the cost of protecting your inbox onto the people who want to send you legitimate email.

If all those “if’s” are OK with you, then absolutely, challenge/response systems can stem the tide of email.

Both good and bad.

Instead

Honestly, just use a good spam filter instead. For example, I’m quite happy with Google’s, and route all my email through it.

Learn to use the spam filter in your own email program or online email service.

Finally — and I know this annoys many people when I say it — for the spam that still makes it through to your inbox, stop stressing, mark it as spam, and move on.

The amount of time people put into stressing about spam and dealing with email lost due to challenge/response is much more, I’m sure, than if they’d simply hit the spam button and gone on with their life.

Do what you feel you need to, but do so with full awareness of the annoyances you’re spreading to others, and the risks and hidden costs to yourself.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

Podcast audio

Play

Video Narration

Footnotes & references

1: I have so many different email addresses for different purposes, I’m surprised it doesn’t happen more often.

7 comments on “Why I (Still) Don’t Like Challenge/Response Spam Blockers”

  1. Have you considered using a web-based email marketing website? We use mailchimp at our office, and we love it. It ensures CAN-SPAM compliance, handles abuse complaints, unsubscriptions, and has a really nice interface. Plus it has a great XML-RPC API wrapper which (depending on your needs) can come in really handy.

    I use and am a big fan of Aweber, which handles all the same issues. However I don’t see how this would impact challenge/response – if people’s emails throw challenges back to the sender how the email was sent has no impact.

    Leo
    20-Jan-2011

  2. You forgot another “hidden cost” of C/R… What happens to all those challenges that go to the forged “from” addresses of the spam they’re trying to block? Yes, you are “pushing the cost of protecting your inbox onto all the people who want to send you legitimate email”, but you are also pushing it to all those innocent bystanders.

    You’d be amazed (okay, not “you” Leo, but many of your readers) how many times I get a “challenge” to a spam I never sent. And, when my e-mail is used as the “from” for a large spam run, I can get dozens at a time. On more than a few occasions, I’ve taken the time to respond to some of them, letting the original “victim” receive the e-mail. Who am I to say you didn’t want it? :-) (Though, admittedly, they usually just go to the big bit bucket in the sky.)

  3. What really annoys me is email that gets sent from addresses that either don’t exist at all or trigger autoresponders saying visit some website and fill in a webform.

    What IS the point of sending email that cannot be replied to?

  4. Two really important points to remember considering challenge/response “spam control”.

    1. It’s used heavily by spammers on Craigslist in personals, as in, “Gee, I can’t believe how many people are responding to my ad! Before I can get back to you though you have to sign up for this site I joined”…it’s basically the same thing done in the name of E-vil.

    2. The company that started all this, ran a big TV ad campaign about it…I rarely if ever see their domain in my emails anymore.

    I didn’t block it. Their service was lacking to those people I know who did use it and the C/R email didn’t help them nor make them a lot of friends.

    Okay, some cranky old guy in a usenet group seemed to love it but then again he was a TROLL and combatant in several other groups.

    So much for this poorly thought out idea.

  5. And what about the rule of NEVER CLICK A LINK IN AN EMAIL THAT YOU’RE NOT 100% SURE OF? Just because it seems to come from someone I know, I still don’t want to click on/reply to it. Hijacked accounts etc.

  6. I agree with Leo and use a similar system to deal with it.

    I set up Thunderbird with filters (I only have about 20 for each account). The first few are my whitelists including addresses and some domains to sort into the “whitelist” folder.

    Then I have another whitelist filter for keywords that would only apply to me (parts of my name not in my e-mail address, terms related to my life and interests that are unlikely for anyone but a friend or business associate to to use.)

    Next a filter to delete any mail with a “To” address that is in a list collected from the many CC addresses in the unwanted mail.

    Then a large selection of keywords that sort mail into a JUNK folder for review – i.e. viagra, As Seen on Oprah, modalities, rolex, trunk box, saw your profile on facebook, widow of general, home based business, become a millionaire, Acai, Eliminate Your debt, Someone has sent you, etc.

    Newsletters and other mailing lists go to a free throwaway account with filters to send the expected mail to a folder – I only look at the inbox when I sign up for something new. (although sometimes the From address on a newsletter changes, so once in a while I look through the inbox.)

    I have another throwaway account for one time use when I expect only one round of correspondence with a company or person – I clear the box when I send the e-mail and then watch for the response. The rest of the time I only log in once a week or two to empty the inbox and keep the account active.

  7. You mention that you use “<at>” instead of “@” and many also use rather than “.” Some people use () in place of angle brackets. But I would imagine that the spammers are wise to that by now and have their software convert “(at)” to “a” and strip out spaces etc. I’ve seen forums automatically reject emails in that format, so I’m sure sophisticated spammers might also be doing that. Perhaps it would be safer now to use “-the at sign-” and “full stop” or something less common like that.

Comments are closed.