As an anti-spam technology, challenge-response (c-r) systems enjoy a mixed reputation among network managers. An announcement this week from Florida-based DigiPortal argued that with the use of c-r, enterprises could end spam with just one minute of effort per month by each user. The chair of an anti-spam research group says it’s not that simple.
C-r systems work on a simple premise: Upon receiving mail from an unknown user, the c-r software sends a challenge requiring some sort of reply before it will allow the message to go through. Once the sender successfully responds to the challenge, he or she is typically added to a “whitelist” of known senders, though in some cases the c-r software includes instructions on a password the sender must add to all further communications.
The effectiveness of c-r systems is based, in part, on the fact that most spammers use forged addresses in conjunction with heavily automated mass-mailing software and will likely never see the challenge or bother to authenticate with the recipient.
DigiPortal produces a c-r system called ChoiceMail. One perceived drawback of c-r systems, according to DigiPortal, is that they place a large burden on senders by requiring them to authenticate mail. The company says that a study of its own customer base reveals that this perception is “a fallacy.”
The company says its studies show “that the average ChoiceMail user receives only two such responses per month. This is because the overwhelming majority of email comes from senders who are already on the user’s list of approved correspondents and are therefore not asked to verify their identity.”
The company goes on to say that responding to a ChoiceMail challenge “takes 10 to 15 seconds.”
“If every mailbox in the world were protected by a system like ChoiceMail,” concluded the company, “that would translate into just 30 seconds of reply time per month for the average email user. The result is that spam would simply disappear.”
Anti-Spam Researcher: More to C-R Than Meets the Eye
John Levine, chair of the Internet Research Task Force’s Anti-Spam Research Group, says that while he isn’t sure about the accuracy of DigiPortal’s figures, he’s certain c-r systems have problems, and that wider adoption of the systems “would be an extremely unfortunate escalation in the spam war.”
“The basic problem with any C/R system,” says Levine, “is that it suffers from the same fundamental mindset that spammers have, that they have a problem and they want to force someone else to solve it.”
Levine notes two key technical problems with c-r systems:
First, he says they produce a burden for mail users with widely spoofed e-mail addresses. Since spammers typically use fake return addresses for their mailings, mail users with widely spoofed return addresses face a large number of c-r challenges replying to messages they’ve never sent. Levine said he personally gets “blizzards of challenges,” numbering upwards of 100 per day.
David Ernst, an administrator with Bloomington, Indiana-based ISP HoosierNet, says that among the problems he confronts with spam, wayward c-r responses don’t rank very high. “It just doesn’t register on my list of things I need to keep up on,” he said. Though he did note that spoofed return addresses have, in the past, resulted in deluges of undeliverable mail.
In fact, said Ernst, one such use of a customer’s address in a widespread spam campaign resulted in such a massive backlog of bounced and undeliverable mail that he “really had a hard time keeping … systems running” for several days as admins struggled to clear out the backlog. And it’s not uncommon for users to return to their computers on Monday morning to discover several thousand bounce messages as a result of a spammer’s use of their address.
Second, Levine argues, since c-r systems effectively establish e-mail addresses as a sort of password, they offer little protection from the fairly sophisticated and automated “spam bots” spammers use to harvest addresses. One example Levine has offered in the past is the use of automated address harvesters that gain access to public mailing lists, harvest the addresses, then use the list they gather to circumvent whitelists, since any mailing list member has, ostensibly, been whitelisted by any member using a c-r system.
“You can think of a bunch of places [c-r systems] work,” he says, but in the cases where they don’t work, “they fail in unpleasant ways.”
Solving the Introduction Problem
According to Levine, c-r systems don’t so much address the spam problem as what he calls “the introduction problem”: Deciding whether a sender is legitimate or not. He says other technologies are more promising.
One he notes is DomainKeys, a fairly recent approach introduced by Yahoo that adds a cryptographic signature to outgoing messages in order to help the recipient verify that a message was sent from the domain its headers indicate. DomainKeys has enjoyed some support from major ISP Earthlink as well as Sendmail, which produces a commercial version of one of the Internet’s oldest and most widely used MTA’s (define).
Levine says one of the appeals of DomainKeys is its automated nature: It doesn’t require human interaction, sparing senders the annoyance of dealing with challenges.
Levine is less sanguine about SPF (define) , part of the Microsoft-backed Sender ID for E-Mail protocol, which he notes has a hard time dealing with common use cases, such as professional organizations and universities that offer life-time alumni and member addresses through a remailer service.