Helping people with computers... one answer at a time.

An error caused my newsletter to come "From" the wrong address. Flooded with challenge/response mails I wonder: what other messages are you missing?

Due to an error on my end, my newsletter came "From:" the wrong email address.

As a result, in addition to the usual annoying flood of "I'm not in the office right now, but I'll get back to you..." messages (nearly 100 by now), I also continue to receive an equal number of challenge/response email messages.

You know the messages I mean - message that often begin with: "I'm protecting myself from receiving junk mail. Please click the link below to complete the verification process."

Uh ... no. I can't. I'm afraid I just don't have the resources to click through or jump through additional hoops for 100+ messages like this.

But, honestly, it's not really about me - I'm very concerned about you...

... and what else you might be missing.

My Mistake

First, let's clear up what happened to my newsletter.

Normally the newsletter comes "From:" leo<at>ask-leo.com (*), but this newsletter accidentally came from leo<at>pugetsoundsoftware.com.

So, check your address books, spam filters, challenge response tools and add leo<at>pugetsoundsoftware.com to white list that email address. (Typically a good thing to whitelist anyway, since if I ever respond to a question you submit, it'll be from that address.)

How Challenge/Response Could Hurt You

Not getting an issue of my newsletter is not a huge deal. I'll fix the "From:" address for the next email newsletter and all should be as it once was.

At least with respect to Ask Leo!.

Here's my concern for you: I'm not alone in ignoring challenge response.

What other emails are you missing?

What other more important emails are you missing?

Your bank probably doesn't respond to challenge/response. Your credit card company probably won't. Neither will the online store you just purchased something from.

What messages are you missing from them?

Yes, I know, you can proactively whitelist the email address you expect email to come from; heck, it's what I ask you to do when you sign up for my newsletter.

But do you? Do you even know what email address you should expect email to arrive from? There are even mailers that (legitimately, though admittedly annoyingly) use any of several "From:" addresses, such that whitelisting one won't guarantee that you'll get the next.

Yes, I also know that messages not responded to are often quarantined for your review.

Do you?

Do you do so quickly enough, or do you find yourself missing time sensitive emails because challenge/response delayed them?

It Can Work

As you can guess by now I'm not a fan of challenge/response at all. It puts the burden of spam on everyone else who tries to send you legitimate email.

That being said, it can work. If,

  • IF you always proactively add email addresses to the tools whitelist.

  • IF those addresses never change without warning.

  • IF your challenge/response service quarantines un-verified emails and you check that quarantine frequently enough.

  • IF you don't mind pushing the cost of protecting your inbox onto all the people who want to send you legitimate email.

If all those "if's" are OK with you, then absolutely - challenge/response systems can stem the tide of email.

Both good and bad.

So What To Do Instead?

Use a good spam filter. (I'm quite happy with Google's, and route all my email through it.)

Learn to use the spam filter in your own email program or service.

Finally, and I know this annoys many people when I say it, for the spam that still makes it through stop stressing and just use the delete key liberally. The amount of time that people put into stressing about spam and dealing with lost email due to challenge/response is way more, I'm sure, than if they'd simply hit the delete key on spam and gone on with their life.

Obviously, do what you feel you need to, but at least do so with full awareness of the annoyances, risks and hidden costs.

Article C4714 - January 18, 2011 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

7 Comments
Mike
January 19, 2011 10:46 AM

Have you considered using a web-based email marketing website? We use mailchimp at our office, and we love it. It ensures CAN-SPAM compliance, handles abuse complaints, unsubscriptions, and has a really nice interface. Plus it has a great XML-RPC API wrapper which (depending on your needs) can come in really handy.

I use and am a big fan of Aweber, which handles all the same issues. However I don't see how this would impact challenge/response - if people's emails throw challenges back to the sender how the email was sent has no impact.
Leo
20-Jan-2011

Ken B
January 21, 2011 7:27 AM

You forgot another "hidden cost" of C/R... What happens to all those challenges that go to the forged "from" addresses of the spam they're trying to block? Yes, you are "pushing the cost of protecting your inbox onto all the people who want to send you legitimate email", but you are also pushing it to all those innocent bystanders.

You'd be amazed (okay, not "you" Leo, but many of your readers) how many times I get a "challenge" to a spam I never sent. And, when my e-mail is used as the "from" for a large spam run, I can get dozens at a time. On more than a few occasions, I've taken the time to respond to some of them, letting the original "victim" receive the e-mail. Who am I to say you didn't want it? :-) (Though, admittedly, they usually just go to the big bit bucket in the sky.)

realist
January 25, 2011 9:13 AM

What really annoys me is email that gets sent from addresses that either don't exist at all or trigger autoresponders saying visit some website and fill in a webform.

What IS the point of sending email that cannot be replied to?

Steven
January 25, 2011 11:31 AM

Two really important points to remember considering challenge/response "spam control".

1. It's used heavily by spammers on Craigslist in personals, as in, "Gee, I can't believe how many people are responding to my ad! Before I can get back to you though you have to sign up for this site I joined"...it's basically the same thing done in the name of E-vil.

2. The company that started all this, ran a big TV ad campaign about it...I rarely if ever see their domain in my emails anymore.

I didn't block it. Their service was lacking to those people I know who did use it and the C/R email didn't help them nor make them a lot of friends.

Okay, some cranky old guy in a usenet group seemed to love it but then again he was a TROLL and combatant in several other groups.

So much for this poorly thought out idea.

Fred Nerd
January 25, 2011 5:26 PM

And what about the rule of NEVER CLICK A LINK IN AN EMAIL THAT YOU'RE NOT 100% SURE OF? Just because it seems to come from someone I know, I still don't want to click on/reply to it. Hijacked accounts etc.

Brian Monte
January 26, 2011 3:53 PM

I agree with Leo and use a similar system to deal with it.

I set up Thunderbird with filters (I only have about 20 for each account). The first few are my whitelists including addresses and some domains to sort into the "whitelist" folder.

Then I have another whitelist filter for keywords that would only apply to me (parts of my name not in my e-mail address, terms related to my life and interests that are unlikely for anyone but a friend or business associate to to use.)

Next a filter to delete any mail with a "To" address that is in a list collected from the many CC addresses in the unwanted mail.

Then a large selection of keywords that sort mail into a JUNK folder for review - i.e. viagra, As Seen on Oprah, modalities, rolex, trunk box, saw your profile on facebook, widow of general, home based business, become a millionaire, Acai, Eliminate Your debt, Someone has sent you, etc.

---

Newsletters and other mailing lists go to a free throwaway account with filters to send the expected mail to a folder - I only look at the inbox when I sign up for something new. (although sometimes the From address on a newsletter changes, so once in a while I look through the inbox.)

I have another throwaway account for one time use when I expect only one round of correspondence with a company or person - I clear the box when I send the e-mail and then watch for the response. The rest of the time I only log in once a week or two to empty the inbox and keep the account active.

Mark J
November 1, 2012 1:19 AM

You mention that you use "<at>" instead of "@" and many also use rather than "." Some people use () in place of angle brackets. But I would imagine that the spammers are wise to that by now and have their software convert "(at)" to "a" and strip out spaces etc. I've seen forums automatically reject emails in that format, so I'm sure sophisticated spammers might also be doing that. Perhaps it would be safer now to use "-the at sign-" and "full stop" or something less common like that.

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.