Challenge-Response More Effective

rbpickup · 20 Jul 2007, 07:57 AM

http://www.linux-mag.com/id/3760/

Personally, I believe C/R is best combined with other anti-spam methods (including email authentication) to provide a tiered approach and to limit the amount of challenges being sent. It should NOT be the only system used. An intelligent C/R system should require challenging a very small percentage of inbound email.

Robert

David · 20 Jul 2007, 08:30 AM

Challenge response works at the expense of other email users who receive backscatter spam because of it. Even if challenges are reduced, they will likely still continue to be sent to what looks like genuine spam (which is the cause of backscatter) so please explain how reducing challenges will help?

note: if I receive a challenge from anyone I know, I will usually delete it and not respond. If I have another address for that contact, I will email the person who sent the challenge, and let them know to not email me from that address again.

rbpickup · 20 Jul 2007, 09:53 AM

Quote:

Originally Posted by David

Challenge response works at the expense of other email users who receive backscatter spam because of it.

Hi David,

I can always count on you to respond.

How many false challenges have you received (meaning that someone has spoofed your email address and you received backscatter in the form of a challenge) in the past 12 months? Is this still a real issue or do you think MOST C/R providers have systems in place to reduce this occurring?

Robert

rbpickup · 20 Jul 2007, 10:10 AM

Quote:

Originally Posted by David

note: if I receive a challenge from anyone I know, I will usually delete it and not respond. If I have another address for that contact, I will email the person who sent the challenge, and let them know to not email me from that address again.

Wouldn't it be much easier just to click on the link and have your address added to their allowed list and have your email delivered to their inbox? You only need to do this once and would take less than a couple of seconds.

Robert

David · 20 Jul 2007, 10:18 AM

Quote:

Originally Posted by rbpickup

Hi David,
How many false challenges have you received (meaning that someone has spoofed your email address and you received backscatter in the form of a challenge) in the past 12 months? Is this still a real issue or do you think MOST C/R providers have systems in place to reduce this occurring?

I have not received much backscatter myself Robert, but a few who have posted here have had to disable their domain catchall because of backscatter problems.

I also think that C/R companies are trying to become legitimate, by posting to forums (like you are doing here)

I know that you are into 'reputation systems' Robert, from reading posts you have made in the past. Likely these will prevent genuine challenges being sent out..... although I do consider these to be spam as well (they are certainly unsolicited) and are mostly an inconvenience, to the recipients who dutifully receive and respond to them, not realising that by doing so they are becoming part of the problem.

rbpickup · 20 Jul 2007, 10:35 AM

Quote:

Originally Posted by David

I have not received much backscatter myself Robert, but a few who have posted here have had to disable their domain catchall because of backscatter problems.

I also think that C/R companies are trying to become legitimate, by posting to forums (like you are doing here)

I know that you are into 'reputation systems' Robert, from reading posts you have made in the past. Likely these will prevent genuine challenges being sent out..... although I do consider these to be spam as well (they are certainly unsolicited) and are mostly an inconvenience, to the recipients who dutifully receive and respond to them, not realising that by doing so they are becoming part of the problem.

You're right, I did post because I have an interest in antispam, although I did not mention any business or service in my post.

David · 20 Jul 2007, 11:10 AM

Quote:

Originally Posted by rbpickup

You're right, I did post because I have an interested in antispam, although I did not mention any business or service in my post.

You have some new ideas Robert

rbpickup · 20 Jul 2007, 11:16 AM

Quote:

Originally Posted by David

You have some new ideas Robert

Was that a question? Is so, no, I am not working on any new antispam ideas or concepts.

Robert

David · 20 Jul 2007, 11:42 AM

Quote:

Originally Posted by rbpickup

Was that a question? Is so, no, I am not working on any new antispam ideas or concepts.

It was more of a query, that did not require an answer. I was wondering if you were thinking of introducing some kind of a new email system that would extend iNumbers. I hope iNumbers is doing well; it seemed like a good idea when you introduced it. I notice a few similar type systems around these days.

rbpickup · 20 Jul 2007, 11:53 AM

Yes, still working on Inumbers. The service is due to be further developed to add new features now that we have taken onboard feedback from our beta testers. I am also working on a small project called On Sale Today (www.onsaletoday.com.au), which is in the planning stage.

Thanks for your interest David.

Robert

David · 20 Jul 2007, 12:52 PM

Quote:

Originally Posted by rbpickup

I am also working on a small project called On Sale Today (www.onsaletoday.com.au), which is in the planning stage.

I use a similar local directory, when I am looking for a good deal. The local directory I use is literally throbbing, and survives solely by selling advertising. Buyers and sellers pay nothing and they visit in droves. The best of luck Robert.

DrStrabismus · 20 Jul 2007, 11:44 PM

Personally I find backscatter CR responses an order of magnitude more irritating than spam. As a matter of principle I alway complete the response to let the spam through.

Chipper · 21 Jul 2007, 04:37 AM

Just to share something from a few years ago, here is a thread regarding C/R. There were various opinions regarding if people should do it or not.

hadaso · 21 Jul 2007, 07:33 AM

I think the logic of the article quoted by the OP is flawed: they measure the effectiveness of anti-spam techniques by measuring the amount of extra time spent on dealing with spam, but they fail to count the time spent by those who receive the challenges from C/R systems (regardless of whether they are the real senders or not). No wonder the C/R systems win in this comparison.

Another comment: the real problem with C/R is it's creating backscatter. But this results from the way it is implemented: sending an email message to the purported sender, that is often forged. The backscatter problem would be avoided if the challege request would be sent back as a (transient) SMTP error message ("450 please do this or that to let you email get through"). I never use sieve to bounce spam since it would mnostly create backscatter to innocent bystanders. This week I lost several good addresses to spammers (seems like someone that has several of my addresses in her addressbook got some spyware), and theoretically I could just block them and inform anyone who got them that I've changed address. However I don't know everyone who has them, and in addition there are people i know have one of these addresses that I don't want to contact right now but I still want them to be able to contact me (like when they have a job for me). So the best thing would be to block the addresses with a custom SMTP error message that says how to contact me, instead of just saying the address does not exist. It's sort of a C/R system. A friend of mine changes address whenever his address starts getting spam and sends an email to everyone in his addressbook to update his address. It's more work for whoever sends to him than a C/R system would require (but no backscatter to 3rd parties).

theog · 21 Jul 2007, 10:47 AM

Quote:

Originally Posted by rbpickup

http://www.linux-mag.com/id/3760/

Personally, I believe C/R is best combined with other anti-spam methods (including email authentication) to provide a tiered approach and to limit the amount of challenges being sent. It should NOT be the only system used. An intelligent C/R system should require challenging a very small percentage of inbound email.

Robert

I could not agree more. After my recent spat with spam, I'm putting all options on the table with my personal email accounts. For personal email, it could work if you have strong anti-spam methods to start and smart email filters. For example, I don’t need to send a C/R to an email that has “Big **insert something nasty**” in the subject since no one with any sense would send that to me anyway. I can delete those. For business email, C/R is not a smart option though.

I can't remember ever receiving a C/R response I did not initiate. C/R is irritating when I send out my newsletters since people do not authenticate the address when they join.

20 Jul 2007, 07:57 AM	#1
rbpickup Master of the @ Join Date: Feb 2004 Location: Melbourne, Australia Posts: 1,957 Representative of: Truedomain.net	Challenge-Response More Effective http://www.linux-mag.com/id/3760/ Personally, I believe C/R is best combined with other anti-spam methods (including email authentication) to provide a tiered approach and to limit the amount of challenges being sent. It should NOT be the only system used. An intelligent C/R system should require challenging a very small percentage of inbound email. Robert

20 Jul 2007, 08:30 AM	#2
David Ultimate Contributor Join Date: Dec 2001 Location: Canada. Posts: 10,355	Challenge response works at the expense of other email users who receive backscatter spam because of it. Even if challenges are reduced, they will likely still continue to be sent to what looks like genuine spam (which is the cause of backscatter) so please explain how reducing challenges will help? note: if I receive a challenge from anyone I know, I will usually delete it and not respond. If I have another address for that contact, I will email the person who sent the challenge, and let them know to not email me from that address again.

20 Jul 2007, 11:53 AM	#10
rbpickup Master of the @ Join Date: Feb 2004 Location: Melbourne, Australia Posts: 1,957 Representative of: Truedomain.net	Yes, still working on Inumbers. The service is due to be further developed to add new features now that we have taken onboard feedback from our beta testers. I am also working on a small project called On Sale Today (www.onsaletoday.com.au), which is in the planning stage. Thanks for your interest David. Robert

20 Jul 2007, 11:44 PM	#12
DrStrabismus The "e" in e-mail Join Date: May 2002 Posts: 2,804	Personally I find backscatter CR responses an order of magnitude more irritating than spam. As a matter of principle I alway complete the response to let the spam through.

21 Jul 2007, 04:37 AM	#13
Chipper Master of the @ Join Date: Oct 2003 Location: Greenbelt, MD (USA) Posts: 1,278	Just to share something from a few years ago, here is a thread regarding C/R. There were various opinions regarding if people should do it or not.

21 Jul 2007, 07:33 AM	#14
hadaso Intergalactic Postmaster Join Date: Oct 2002 Location: Holon, Israel. Posts: 5,117	I think the logic of the article quoted by the OP is flawed: they measure the effectiveness of anti-spam techniques by measuring the amount of extra time spent on dealing with spam, but they fail to count the time spent by those who receive the challenges from C/R systems (regardless of whether they are the real senders or not). No wonder the C/R systems win in this comparison. Another comment: the real problem with C/R is it's creating backscatter. But this results from the way it is implemented: sending an email message to the purported sender, that is often forged. The backscatter problem would be avoided if the challege request would be sent back as a (transient) SMTP error message ("450 please do this or that to let you email get through"). I never use sieve to bounce spam since it would mnostly create backscatter to innocent bystanders. This week I lost several good addresses to spammers (seems like someone that has several of my addresses in her addressbook got some spyware), and theoretically I could just block them and inform anyone who got them that I've changed address. However I don't know everyone who has them, and in addition there are people i know have one of these addresses that I don't want to contact right now but I still want them to be able to contact me (like when they have a job for me). So the best thing would be to block the addresses with a custom SMTP error message that says how to contact me, instead of just saying the address does not exist. It's sort of a C/R system. A friend of mine changes address whenever his address starts getting spam and sends an email to everyone in his addressbook to update his address. It's more work for whoever sends to him than a C/R system would require (but no backscatter to 3rd parties).