Challenge-response systems have been around long enough now that pretty much everybody has an opinion on them.
The end users who use challenge response systems love them, at least for the most part, because they really do stop spam from getting in. In fact, many think that challenge response will solve – indeed has solved – their spam problem for them.
I say “for the most part” because they also really do stop wanted email from getting in. And that’s because many email senders do not – or will not – respond to the challenges.
Let’s look at why this is.
First, challenges often end up being eaten by spam filters, so that the email sender never receives the challenge, and thus can’t respond to it. This is for a few reasons, not the least of which is that many spammers have sent spam which emulates – that is, the spam is made to look like – a challenge to email that the spam target has supposedly sent.
Another reason that challenges are eaten by spam filters is that, let’s face it, they are unsolicited mail. Some consider this abuse. And because one’s challenges all look the same as they are sent out, they appear to spam filters as unsolicited bulk mail. It’s no wonder that spam filters eat them.
And while we’re talking about email abuse in the challenge response context, if someone forges your email address as the sending “From” address in a spam run, guess where all the challenges from the challenge response systems triggered by that spam run will go? That’s right – to you.
Still another reason that senders don’t respond to challenges, though – and really that is what we are here to talk about today – is that challenges are the bane of the legitimate commercial email senders’ existence – especially if the sender is sending out bulk email.
Higher volume email senders may send thousands – indeed hundreds of thousands – of emails a day. There is simply no way that they are going to manually respond to the dozens of challenges per day that such a sending volume could generate.
And, many feel, nor should they have to. If you have asked to receive someone’s mailings, then you should not transfer the burden of your receiving that mailing to the sender.
This is such a burden, and hassle, in fact, that many commercial email senders have a policy (unstated or otherwise) that they simply will not respond to challenge response challenges.
Unfortunately, people in the “challenge response is awesome” camp and those in the “challenge response is abuse” camp seem firmly entrenched where they are. And so challenge response is probably both here to stay, and being completely ignored.
3 Responses
A complete no-brainer, Anne. C/R creates more unsolicited mail, not less; much of it in the form of backscatter to forged sender addresses. Only the blinkered, selfish and deluded could consider that this is a good thing.
Challenge Response Authorization Protocol == CRAP.
What really bugs me is when somebody sends me an email to which I reply and they have the temerity to request that I verify who I am. In some instances, I am compelled to do so because I am answering an important question, but it sure is irritating.