Do challenge/response spam-filtering systems create more problems than they solve? One analyst argues against them.

Thomas Claburn, Editor at Large, Enterprise Mobility

December 4, 2006

3 Min Read

Two weeks ago, Ferris Research messaging analyst Richi Jennings awoke to find his e-mail in-box filling with spam at a rate of about a message per second. Over the course of two days, a spammer using a botnet -- a collection of PCs that have been subverted through security exploits to send spam -- sent an estimated 10 million messages that purported to come from several of Jennings's e-mail addresses.

That resulted in more than 25,000 bounce messages, from ISPs that return spam to the supposed sender (rather than deleting it) and from challenge/response filters that reply to spam with a note asking the listed sender to answer a challenge question before the initial message gets delivered.

"It's kind of like a denial-of-service attack," says Jennings, who notes that while his coverage of anti-spam issues makes him a likely target for spammer retaliation, he has no evidence to prove that. This sort of attack also is referred to as a "joe job."

Despite the fact the Symantec's Brightmail service did "an impressively good job" in blocking "about half a gigabyte of unwanted, 'backscatter' e-mail," Jennings nonetheless had to deal with hundreds of unwanted messages that made it to his in-box.

For Jennings, the episode reveals a fundamental flaw in challenge/response spam filters. "Challenge/response filters have more Achilles' heels than they have feet," he says.

"Over the last year or two, I've spoken to countless challenge/response filter vendors and they all have their own excuse about why their solution is completely different, and really, yes, they agree this is a problem with badly written challenge/response spam filters, but their spam filter would never do anything so stupid and broken," says Jennings. "And of course I'm looking at an example from just about every one of those vendors that I got two weeks ago."

Jennings argues that because challenge/response spam filters essentially create more spam, they end up harming the user's reputation. "The fact challenge/response causes backscatter means that the users of challenge/response filters are actually, perversely, more likely to have their messages blocked, because their reputation -- the reputation of their IP or domain -- will go down simply because people like me are receiving these things and class them as spam," he explains.

In addition, Jennings suggests that users of challenge/response systems are foisting their spam problem on others, as if one were to respond to litter thrown in one's yard by shoveling it onto the street for someone else to deal with. "What the users of challenge/response spam filters are effectively doing is saying it's my job to filter their spam for them," he says.

Tal Golan, CTO, president, and founder of Sendio, maker of a challenge/response e-mail appliance used by more than 150 enterprise consumers, disagrees strongly with Jennings's assertion that challenge-based filtering has problems. "Without question, the benefit to the whole community at large drastically outweighs that FUD [fear, uncertainty, and doubt] that's out there in the marketplace that somehow challenge/response makes the problem worse," he says. "The real issue is that filters don't work. From our perspective, challenge/response is the only solution. This whole concept of backscatter is just not true. Very, very rarely do spammers forge the e-mail addresses of legitimate companies anymore."

Golan also dismisses the idea that challenge-response systems burden senders with filtering spam for recipients. Says Golan, "Most people out there today are very, very happy to make the world a safer place."

Editor's note: This story was modified to restore the last two paragraphs, which were accidently deleted.

About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights