Welcome to spam wars. Today’s episode: “Revenge of the spammed”.
What you’re probably seeing is something called challenge/response. It’s a popular way for folks to control the amount of spam they get.
A lot of people love it. But a lot of people — people like you and me, who aren’t spammers — absolutely hate it.
Become a Patron of Ask Leo! and go ad-free!
Challenge/Response
When you sign up for a challenge/response (C/R) service, all your incoming email is filtered by that service. If the email is from someone the service recognizes as a legitimate, real person, or an otherwise valid sender, you get the email. But if the email is from someone the service has never heard of before, things get interesting.
The process works by asking unrecognized senders to confirm they’re legitimate.
When email is received from a sender the C/R service doesn’t recognize, the following happens:
- The C/R service quarantines the email. You do not get it right away. (This is unrelated to your anti-malware tool’s quarantine.)
- The service sends that confirmation mail you mentioned back to the sender. That’s called the “challenge”.
- When the sender follows the instructions, which usually involves clicking a link and possibly filling in a CAPTCHA, they are validated as a “legitimate” sender. That’s the “response”.
- Once validated, the original email they sent to you is delivered.
- Once validated, they are validated for good. They are assumed to be legitimate, and their email to you is delivered without additional delay.
If the sender never fills out that form — never responds to the validation request — their mail is never delivered, and you never see it.
The theory is that spammers will not respond to the challenge, and their mail will never be delivered. People who are legitimate will complete the challenge, get validated, and have their email delivered as expected.
There are so many problems with this technique, it’s hard to know where to begin.
Problems with Challenge/Response
Who pays?
Many people are vehemently opposed to challenge/response, because it shifts the burden of spam prevention to the legitimate correspondents. The innocent pay the price, as it were. In fact, I know several folks who simply will not respond to a challenge/response system, ever.
If they try to send a legitimate email to someone using challenge/response, the mail will never arrive, since they won’t play the challenge/response game.
Online stores and automation
Say you purchase something at an online store. That store sends you an email confirmation. The C/R system quarantines the confirmation, sending a challenge back to the sender. Most online merchants (and most all other online services) are simply not able to respond to the challenge. There is no person to do so.
So the legitimate email will never be delivered.
Fakers
By now you’ve heard of email “spoofing“: sending email as if it came from one person, although that person had nothing to do with it. If that spoofed sender has been validated by the C/R system, spam that appears to be coming from their address will get through.
On the other hand, if they’re not validated, the use of a C/R system can cause the spoofed sender to get challenge emails that they had nothing to do with.
Is this phishing?
How many times have we heard, “Don’t click on links in email you aren’t sure of”?
The fact is, most challenges look a lot like many of the phishing attempts we see these days. If someone doesn’t quickly and easily understand what they’re looking at, they should (rightly, in my opinion) delete it and move on. That could mean their legitimate email to you may not get through.
Whitelisting is far from perfect
One of the positions that most challenge/response service providers take is that you, the customer and email recipient, can proactively “whitelist” email addresses.
That is, you can tell the service that email coming from addresses you provide beforehand does not need to be verified. Some will even automatically whitelist addresses that you send email to, so people replying, or emailing you in the future, need not face the C/R barrier. Both very nice features.
The reality is that C/R service users don’t take the time to whitelist all the email addresses that they should, and there’s no way to predict ahead of time all possible legitimate senders.
A good idea, with fatal flaws
Challenge/response is a nice idea in concept.
However, in my opinion (and that of many others), it fails the test of practicality. In the real world, it has too many flaws, and has the potential to prevent too much legitimate email from being delivered.
Spam is definitely a huge problem. Challenge/response is a seriously flawed solution.
Do this
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I'll see you there!
A comment on the “Not all senders are who they say they are” bit.
If a spammer spoofs YOUR e-mail, to send out hundreds of thousands of e-mails, YOU get all of their challenge/response e-mails. Not them. And usually, most e-mail services let you receive e-mails from yourself…
You now know another person who will never complete the challenge/response. In fact I avoid captchas wherever possible. If a merchant asks me to complete one, unless they’re the ONLY place that sells the item, they lose the sale.
There’s something about me that makes me unlikely to get the things right, not sure what it is, but I know many similar people who basically see a captcha as ‘you’re not getting any further’ :(