TapSpam challenged

There are a number of systems around which try to verify the sender’s email address before passing the incoming mail onto you. One of the popular ones is Challenge-Response. What it does is work with a whitelist of known email addresses. If the mail comes from one of these it passes it into your inbox. Fine. If it comes from an unknown address then it doesn’t just delete it, which is good, but it sends back an automated reply to the sender asking them to verify that they really did send the email in the first place. This sounds good; what happens is the person who wrote to you has to reply in a particular way or visit a web site to verify their address and then the original email is passed into your inbox. However if the email came from a spammer then they won’t reply and you will never see the original mail.

What is wrong with this; I am getting the mail I want and not getting the spam?

There are a number of answers to this. Firstly, you are making your correspondents jump through hoops just to write to you. Of course you will have put all your known correspondents into your whitelist already but that unexpected enquiry from someone who has read your blog, or auntie Jean who has just got an AOL account or a friend who has had to change providers will have to perform unnatural acts. Auntie Jean may never figure it out. Do you mind if you never receive the receipt from that widget you bought online.

Secondly, if you are a member of any mailing list, what happens if someone new joins. Their first mail goes to the list which is passed on to you. Your system replies asking for validation—but he has never heard of you. Worse still, your challenge may go to the list for everyone to see.

Third, what if the sender is using a similar system, what happens to your response (exercise for the reader).

Finally, and most importantly, it makes YOU a spammer. All those challenge replies you send, an equal number to the spam you receive, contribute to the network load. And where do you think they are going? Not to the spammer because he was careful not to put his own address on it; the return addresses are all forged, and a good percentage of them will belong to real users who not only get their normal ration of spam but are now also getting yours as well. And don’t think your ISP won’t notice either. They are used to large volumes of incoming mail because they know about spam but suddenly you are generating large volumes of outgoing mail as well; and they know about spam so are liable to cut you off.

4 Responses to “Spam challenged”

^ Top