On Why We Don't Use Challenge-Response

I was recently sent an email by one of our users who was evidently impressed by a challenge/response mechanism set up by one of our clients on their mail server (and even more impressed by the client’s claim that he received “no spam, ever”). He asked us why we didn’t implement something like this.

Hi Luke,

We’ve been keeping an eye on the challenge/response (C-R) debate for quite some time now. I remember we spent a good while debating whether we should include it in our anti-spam arsenal. After a lot of consideration, I think we’re going to leave it alone for now, and treat it as a “last line of defense”.

A few of the reasons we are choosing not to roll out a C-R solution:

  1. It increases the amount of non-legitimate mail traffic: every message from an unknown sender generates an outgoing challenge, which is contrary to the goals of an anti-spam solution.
  2. It doesn’t provide as much protection as you’d think. I doubt Eric’s claim of “no junk mail ever”, especially since we regularly get spam emails that are ‘spoofed’ to appear to come from @ourdomain.com addresses.
  3. It is trivial to work around. Spammers, for all their misdeeds, are inventive, creative little sods. For example, there was a story recently about spammers getting around Yahoo’s automated-account-creation-prevention tool (a CAPTCHA). When you try to create a Yahoo account, you’re shown an image with a word in it that is hard for a machine to read. So the spammers redirected this image onto their pornography sites: people joining those sites typed in the word they saw, and the answer was fed straight back to Yahoo. Sneaky, but impressively so. A C-R challenge can be relayed to a human in exactly the same way.
  4. Any kind of automated response confirms to the spammer that the responding address is live, so it gets added to their list of “active” addresses. This results in more spam hitting the address.
  5. This, in turn, puts a heavier burden on the system.
  6. Speaking of which, most spam comes from non-working or forged sender addresses. A C-R challenge sent to each of these either bounces straight back at us or lands on an innocent third party whose address was forged (so-called backscatter); at spam volumes this could easily amount to a DoS attack on our own system.

I could go on, but I think you should see by now that there’s a lot to be said AGAINST C-R systems.

However, one of the things we’re keeping a very close eye on for our anti-spam toolkit is the idea of ‘greylisting’ (www.greylisting.org). A brief rundown of the greylisting method:

  • An unknown person (john.doe@unknowndomain.com) sends an email to myaddress@ourdomain.com
  • ourdomain’s mail server answers with a temporary failure (an SMTP 4xx reply, roughly “oops, temporarily unavailable, try again in a little while”)
  • ourdomain’s mail server records the attempt, keyed on the triplet of the sending server’s IP address, the envelope sender and the envelope recipient
  • if unknowndomain.com is a proper mail server, it keeps the message in its queue and tries again after a delay (RFC 2821 suggests at least 30 minutes between attempts, though many MTAs retry sooner)
  • if unknowndomain.com is using spam software, it will just barf: bulk-mailing tools typically keep no queue and never retry
  • unknowndomain.com’s mail server tries again, ourdomain.com’s mail server sees the same triplet come back after the minimum delay, notes that it passed verification, and “whitelists” that triplet (not the whole of @unknowndomain.com) for a period so subsequent mail from it is not delayed
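To make the decision logic concrete, here is an added example of a greylisting policy check, written for this post and not taken from greylisting.org or from the mail server described above. The thresholds (five-minute minimum retry delay, four-hour window for an unconfirmed triplet, 36-day whitelist lifetime), the reply text and the in-memory triplet store are all assumptions made for the illustration; the IP addresses and mailboxes in the scenario are constructed.

```python
"""Greylisting decision logic for an SMTP server (added example).

Not the greylisting.org reference implementation and not the server the
post describes; the timing thresholds, the reply text and the in-memory
triplet store are assumptions made for this illustration.
"""
from dataclasses import dataclass

# Assumed thresholds; real deployments tune these to their own traffic.
MIN_RETRY_DELAY = 5 * 60            # a retry sooner than this is still tempfailed
GREY_WINDOW = 4 * 60 * 60           # unconfirmed triplets are forgotten after this
WHITELIST_TTL = 36 * 24 * 60 * 60   # confirmed triplets stay whitelisted this long


@dataclass
class Entry:
    first_seen: float
    last_seen: float
    confirmed: bool = False


class Greylister:
    """Tracks (client IP, envelope sender, envelope recipient) triplets."""

    def __init__(self):
        self.entries = {}   # triplet -> Entry

    def check(self, client_ip, sender, recipient, now):
        """Decide one delivery attempt at time `now` (seconds).

        Returns (smtp_code, reason): 250 accepts the message, 451 is the
        temporary failure that a real MTA queues and retries on.
        """
        key = (client_ip, sender.lower(), recipient.lower())
        entry = self.entries.get(key)

        if entry is not None and entry.confirmed:
            if now - entry.last_seen > WHITELIST_TTL:
                entry = None            # whitelist expired: treat as never seen
            else:
                entry.last_seen = now   # keep active senders whitelisted
                return 250, "accepted: triplet whitelisted"

        if entry is not None and now - entry.first_seen > GREY_WINDOW:
            entry = None                # stale first attempt: start over

        if entry is None:
            self.entries[key] = Entry(first_seen=now, last_seen=now)
            return 451, "greylisted: first attempt, please try again later"

        if now - entry.first_seen < MIN_RETRY_DELAY:
            entry.last_seen = now
            return 451, "greylisted: retried too soon"

        # Same triplet back after the minimum delay: a real queueing MTA.
        entry.confirmed = True
        entry.last_seen = now
        return 250, "accepted: retry after delay passed verification"


def simulate():
    """Constructed scenario: a real MTA that queues and retries versus a bulk
    mailer that fires once and never comes back. Returns the SMTP codes."""
    g = Greylister()
    mta = ("203.0.113.10", "john.doe@unknowndomain.com", "myaddress@ourdomain.com")
    bot = ("198.51.100.77", "forged@ourdomain.com", "myaddress@ourdomain.com")
    return {
        "mta_first": g.check(*mta, now=0)[0],                   # 451
        "mta_retry_early": g.check(*mta, now=60)[0],            # 451, too soon
        "mta_retry": g.check(*mta, now=20 * 60)[0],             # 250, verified
        "mta_later_mail": g.check(*mta, now=3 * 24 * 3600)[0],  # 250, no delay
        "bot_first": g.check(*bot, now=0)[0],                   # 451, never retried
    }


if __name__ == "__main__":
    for name, code in simulate().items():
        print(f"{name:16} {code}")
```

Two caveats the list above glosses over: the first message from any new triplet is delayed, not just spam, and a legitimate sender that retries from a different outbound IP (large providers use pools) shows up as a new triplet and is delayed again, which is why production implementations usually key on a /24 rather than a single address and keep a whitelist of big senders. A spammer who bothers to queue and retry, or who relays through a real MTA, gets through.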

It’s like C-R, but without any of the nasty downsides I listed above. One thing I particularly like about this system is that it doesn’t involve any human interaction. My Grandmother could email me and not get confused by the Challenge-Response mechanism.

We’ll probably be testing out greylisting on our secondary mail server soon, and if all goes well, we’ll roll it out onto our primary mail server.