Some time ago, due to an error on my end, The Ask Leo! Newsletter came “From:” the wrong email address.
As a result, in addition to the usual flood of “I’m not in the office right now, but I’ll get back to you…” messages, I also received a number of what are called “challenge/response” messages. These are messages that often begin with: “I’m protecting myself from receiving junk mail. Please click the link below to complete the verification process.”
Uh … no. I can’t. I’m afraid I just don’t have the resources to click through or jump through additional hoops for hundreds of messages like this.
But, honestly, this isn’t about me; I’m concerned about you and what you may be missing.
Challenge/response is a spam fighting technique. You sign up for it through any of several services (or your ISP provides it, or your workplace implements it). It works like this:
- The first time someone sends you an email, the email is not delivered to you immediately.
- The service sends an email back to the sender — called the challenge — with a message similar to “I’m protecting myself from receiving junk mail. Please click the link below to complete the verification process.”
- If they click the link — the response — the service then:
  - adds them to a whitelist so they don’t have to see the challenge again in email they send to you
  - delivers that original email to you.
- If they don’t click the link, their email to you is never delivered. It may be held in a quarantine you can check manually if you remember to.
You never get spam, because spammers don’t see the challenge and so never click the link. But you run the risk of friends or other legitimate correspondents also never clicking the link, and never being able to email you. (Though you can typically add email addresses to the whitelist yourself, manually, if you think of it.)
First, let’s clear up what happened to my newsletter.
Normally, the newsletter comes “From: firstname.lastname@example.org”, but this one accidentally came “From: email@example.com”, my company email address. Nothing had changed other than it appeared to come from someone else because of the different email address.
Like I said, my mistake. It happens.
Since it looked like someone else, everyone using challenge/response needed to respond with that challenge in order to validate this “new” (or at least different) source of email. (And as I said, I just don’t have the resources to respond.)
How challenge/response hurts you
Not getting an issue of my newsletter is not a huge deal. I fixed the “From:” address for the next newsletter and all was back to normal, at least with respect to Ask Leo! distribution. (And you can always access the archive of every issue at newsletter.askleo.com.)
The problem is this: I’m not alone in ignoring challenge/response. As a result, those who use it miss emails — quite possibly important ones.
Your bank probably doesn’t respond to challenge/response. Your credit card company probably won’t. Neither will the online store you just purchased something from. Many of these emails, if not most, are sent from “no reply” email addresses that explicitly ignore anything sent to them, including any challenge your filter issues.
What messages are you missing from them?
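A minimal model of the challenge/response flow described earlier, added here as an illustration and not part of the original article or any real service's code. It shows which messages reach the inbox when only some senders ever answer the challenge; the class, function names and addresses are all constructed for the example.

```python
import secrets

class ChallengeResponseFilter:
    """Toy model of a challenge/response service guarding one mailbox."""
    def __init__(self, whitelist=()):
        self.whitelist = {a.lower() for a in whitelist}
        self.quarantine = {}   # token -> (sender, message) held awaiting a response
        self.inbox = []        # (sender, message) actually delivered
        self.challenges = []   # (sender, token) challenges e-mailed back

    def receive(self, sender, message):
        """Deliver mail from known senders; hold and challenge everyone else."""
        sender = sender.lower()
        if sender in self.whitelist:
            self.inbox.append((sender, message))
            return "delivered"
        token = secrets.token_urlsafe(16)   # unguessable value in the challenge link
        self.quarantine[token] = (sender, message)
        self.challenges.append((sender, token))
        return "challenged"

    def respond(self, token):
        """Sender clicked the link: whitelist them and release the held mail."""
        held = self.quarantine.pop(token, None)
        if held is None:
            return False                    # unknown or already-used token
        self.whitelist.add(held[0])
        self.inbox.append(held)
        return True

def simulate():
    # Constructed addresses; the recipient whitelisted only the usual newsletter sender.
    f = ChallengeResponseFilter(whitelist=["newsletter@example.org"])
    results = {
        "usual": f.receive("newsletter@example.org", "Issue 1"),
        "changed_from": f.receive("company@example.org", "Issue 2"),
        "bank": f.receive("no-reply@bank.example", "Fraud alert"),
        "friend": f.receive("friend@example.net", "Lunch?"),
    }
    # Only the friend clicks the link; the bulk sender and no-reply address never do.
    for sender, token in list(f.challenges):
        if sender == "friend@example.net":
            f.respond(token)
    results["inbox"] = [m for _, m in f.inbox]
    results["still_held"] = sorted(m for _, m in f.quarantine.values())
    return results

if __name__ == "__main__":
    print(simulate())
```

The two messages left in `still_held` are the ones whose senders will never answer a challenge, so they stay in quarantine until the recipient reviews it.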
Whitelisting helps, but not enough
You can proactively whitelist the email address you expect email to come from; heck, it’s what I ask you to do when you sign up for my newsletter. (Whitelist firstname.lastname@example.org, email@example.com, and you might as well whitelist firstname.lastname@example.org while you’re at it. :-) ).
But do you?
Do you even know what email address you should expect email to arrive from? There are mailers that (for a variety of reasons) use any of several “From:” addresses. That means whitelisting one won’t guarantee that you’ll get the next.
I know messages not responded to are often quarantined for your review. Do you review messages quickly enough, or do you find yourself missing time-sensitive emails because challenge/response delayed them? And how is reviewing those held messages any different than, say, reviewing a spam folder periodically when using a more traditional spam filter?
It can work
As you can see, I’m not a fan of challenge/response at all. It puts the burden of spam on anyone who sends you legitimate email. It punishes the good guys.
That being said, it can work, but only:
- if you always proactively add email addresses to a whitelist
- if those addresses never change without warning
- if your challenge/response service quarantines unverified emails and you check that quarantine frequently enough
- and if you don’t mind pushing the cost of protecting your inbox onto the people who want to send you legitimate email.
If all those “if’s” are OK with you, then absolutely, challenge/response systems can stem the tide of email.
Both good and bad.
Honestly, just use a good spam filter instead. For example, I’m quite happy with Google’s, and route all my email through it.
Learn to use the spam filter in your own email program or online email service.
Finally — and I know this annoys many people when I say it — for the spam that still makes it through to your inbox, stop stressing, mark it as spam, and move on.
The amount of time people put into stressing about spam and dealing with email lost due to challenge/response is much more, I’m sure, than if they’d simply hit the spam button and gone on with their life.
Do what you feel you need to, but do so with full awareness of the annoyances you’re spreading to others, and the risks and hidden costs to yourself.