This is what TidBITS will do (it makes sense):

>Closer to home, be warned that we will not answer any challenges generated
>in response to our mailing list postings. Thus, if you're using a
>challenge-response system and not receiving TidBITS, you'll need to figure
>that out on your own. Also, if you send us a personal note and we receive
>a challenge to our reply, we may or may not respond to it, depending on
>our workload at the time.

Previous Politech message:
http://www.politechbot.com/p-04745.html

-Declan

---

Date: Tue, 13 May 2003 10:20:53 -0700
To: declanat_private
From: TidBITS <editorsat_private>
Subject: TidBITS Article: "TidBITS Policy on Challenge-Response"

Greetings! Tom Collins <tomat_private> has sent you a TidBITS article with this personal message:

TidBITS is a Mac newsletter that has been around for over 10 years. This article of theirs on challenge-response is very clear and will hopefully educate users on some of the problems of CR systems.

TidBITS Policy on Challenge-Response
by Adam C. Engst

An anti-spam technique called challenge-response is becoming increasingly popular these days. Simply described, challenge-response compares the sender of each incoming message against the contents of your email address book (or a similar list generated in another way, such as by extracting the senders of every piece of your stored mail). If the sender of the incoming message appears in your address book, the message comes through as you'd expect. However, if that incoming message is from an unknown address - either someone from whom you've never received email or an acquaintance using a new address - the challenge-response system sends an email reply to the sender, asking her to click a link, reply to the message, or in some way indicate that her original message came from a real person. Once verification has happened, the message is delivered appropriately, as are all subsequent messages from that sender.

Challenges to Challenge-Response --

Challenge-response systems are fairly effective, since most people receive mail from roughly the same subset of senders, and the effort to any individual sender is relatively low. These systems suffer from a number of important problems, though.

Spammers often forge headers so the spam you receive appears to come from other email addresses at the same domain, or even from your own email address. It's not uncommon for me to receive spam "from" myself, or "from" another member of the TidBITS staff. In smaller organizations, it's likely that most people with email addresses at that domain would be in each other's address books, so spam "from" those addresses would bypass a challenge-response system.

Challenge-response puts an additional burden on senders, which is why it's effective against spam. However, it also tends to engender ill will among normal people who feel as though you're asking them to jump through hoops (which you are). It's in your interest to make the process as easy as possible for legitimate senders.

There are many legitimate reasons why you might receive email that's sent automatically, such as an order receipt from an online vendor or a mailing list subscription confirmation request. You're unlikely to have such email addresses in your address book, so those sorts of messages can be stopped erroneously. Most of the time, no person would even see the challenge since those systems run on auto-pilot. Ironically, this could even create mail loops between systems as your challenge is answered not with a response, but with a competing challenge.

As a special case to the above, consider mailing lists to which you subscribe. Depending on how the challenge-response system is set up, you could end up sending challenges to everyone who posts a note to a discussion list (this happened on TidBITS Talk recently, annoying a number of people). Or, in the more generic case of TidBITS, we could end up receiving hundreds or even thousands of challenges from subscribers who turned on a challenge-response system but didn't have <editorsat_private> in their address books.

Ever More Challenges --

There are certainly technical solutions that could ameliorate each of these problems (such as a quarantine area that users can check for legitimate mail that's been held but hasn't been verified by the sender, and special cases for mail from lists), but with different systems appearing from a variety of companies, such as SpamArrest and Mailblocks, there's no telling which features will be commonly available, or how they will require senders to respond.

<http://www.spamarrest.com/>
<http://www.mailblocks.com/>

Challenge-response technology is about to become significantly more widespread, though, with EarthLink about to test such a system for its 5 million customers. EarthLink is currently the third-largest ISP in the United States, and it serves over 2,000 TidBITS subscribers (second only to AOL, and well ahead of Mac.com).

<http://www.washingtonpost.com/wp-dyn/articles/A22390-2003May6.html>
<http://www.earthlink.net/spamblocker/>

Our Challenge --

Although we're always in favor of individuals and ISPs working to control the pestilence that is spam (by the time you read this, I'll have received more than 21,000 spam messages so far in 2003), we've also spoken out in the past against approaches like arbitrary content filtering that actually increase the damage spam causes to the global email system.

<http://db.tidbits.com/getbits.acgi?tbser=1221>

We don't view challenge-response as being nearly as concerning as arbitrary content filters, but it does raise problems for us. We send email to nearly 50,000 people each week by the time you take all of our versions and translations into account, and dealing with hundreds of individual challenges each week would utterly overwhelm us. We don't have the staff resources to do that and keep everything else running. We're not unusual in this regard; most mailing lists on the Internet will run into similar problems.

So consider this article a heads-up to anyone who is thinking about using a challenge-response system. Please be a good Internet citizen and make sure you add mailing list distribution addresses to your address book and work to avoid situations that will cause irritation for others in your particular parts of the Internet.

Closer to home, be warned that we will not answer any challenges generated in response to our mailing list postings. Thus, if you're using a challenge-response system and not receiving TidBITS, you'll need to figure that out on your own. Also, if you send us a personal note and we receive a challenge to our reply, we may or may not respond to it, depending on our workload at the time.

In short, do what you feel is necessary to control your spam problem, but remember that it's your responsibility to make it possible for people to send you email that you request.

This article refers back to: Filtering Gone Bad, a series of 2 articles.

Find this article on the Web at <http://db.tidbits.com/getbits.acgi?tbart=07181>.

Unless otherwise noted, this article is copyright 2003 Adam C. Engst, published in TidBITS 680, copyright 2003 TidBITS Electronic Publishing, all rights reserved. Send questions or comments to <editorsat_private>. Non-profit, non-commercial publications and Web sites may reprint or link to articles if full credit is given. Others please contact us. We do not guarantee accuracy of articles. Caveat lector. Publication, product, and company names may be registered trademarks of their companies. TidBITS ISSN 1090-7017.

TidBITS is a free weekly Internet technology newsletter providing timely news, insightful analysis, and in-depth reviews to the Macintosh and Internet communities.

To subscribe to TidBITS HTML issues: <tidbits-html-onat_private>
To subscribe to TidBITS text issues: <tidbits-onat_private>
To subscribe to HTML announcements: <tidbits-html-announce-onat_private>
To subscribe to text announcements: <tidbits-text-announce-onat_private>
To search all TidBITS articles: <http://www.tidbits.com/search/>

TidBITS is sponsored in part by Small Dog:

SMALL DOG ELECTRONICS: PowerBooks On Sale! PowerBook G4/667 Only $1845! PB G4/800/AirPort Only $2049! PowerBook G4/867 256/40/Combo/32 MB VRAM Only $1995! Visit: <http://www.smalldog.com/tb/> 802-496-7171

Help support TidBITS by supporting our sponsors!

-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
-------------------------------------------------------------------------
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
Like Politech? Make a donation here: http://www.politechbot.com/donate/
-------------------------------------------------------------------------
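The three failure modes the article describes (challenge-to-challenge mail loops between two automated systems, forged From addresses that match the address book, and discussion-list posts triggering a challenge to every poster) can be reproduced in a few dozen lines. The following is an added illustration written for this archive page; it is not TidBITS', EarthLink's or any vendor's code. All addresses, messages and headers are constructed for the simulation. The "mitigated" variant holds automated mail (anything carrying an Auto-Submitted, Precedence: list/bulk or List-Id header, as the article's "special cases for mail from lists" suggests) in a quarantine area instead of challenging it; that policy and the header set are this example's assumptions, not a description of any shipping product.

```python
"""Toy challenge-response (C-R) mail filter used to illustrate the failure
modes in the TidBITS article. Everything here is an in-memory simulation
with constructed sample messages; no mail is sent."""

from dataclasses import dataclass, field


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def is_automated(msg: Message) -> bool:
    """Heuristic (an assumption of this example): treat mail that announces
    itself as machine-generated or list-relayed as something a human will
    never answer a challenge for."""
    h = {k.lower(): v.lower() for k, v in msg.headers.items()}
    return (h.get("auto-submitted", "no") != "no"
            or h.get("precedence") in ("list", "bulk", "junk")
            or "list-id" in h)


@dataclass
class CRMailbox:
    address: str
    address_book: set
    mitigated: bool = False                      # special-case automated mail?
    delivered: list = field(default_factory=list)
    quarantined: list = field(default_factory=list)   # held, awaiting review
    outgoing: list = field(default_factory=list)      # challenges we emit
    verified: set = field(default_factory=set)

    def receive(self, msg: Message) -> None:
        # Address-book match is the only "authentication" a naive C-R does.
        if msg.sender in self.address_book or msg.sender in self.verified:
            self.delivered.append(msg)
            return
        self.quarantined.append(msg)
        if self.mitigated and is_automated(msg):
            return                               # hold silently; never challenge a robot
        self.outgoing.append(Message(
            sender=self.address, recipient=msg.sender,
            subject="Please confirm: " + msg.subject,
            headers={"Auto-Submitted": "auto-replied", "X-CR-Challenge": "1"}))


def simulate_loop(mitigated: bool, max_rounds: int = 10) -> int:
    """Alice mails Bob; both run C-R and neither knows the other. Returns how
    many challenges are generated before the exchange dies out or the round
    cap is hit (a naive pair keeps challenging each other's challenges)."""
    alice = CRMailbox("alice@example.test", set(), mitigated)
    bob = CRMailbox("bob@example.test", set(), mitigated)
    boxes = {alice.address: alice, bob.address: bob}
    in_flight = [Message(alice.address, bob.address, "Hello Bob", body="hi")]
    challenges = 0
    for _ in range(max_rounds):
        if not in_flight:
            break
        next_round = []
        for msg in in_flight:
            box = boxes[msg.recipient]
            box.receive(msg)
            challenges += len(box.outgoing)
            next_round.extend(box.outgoing)
            box.outgoing.clear()
        in_flight = next_round
    return challenges


def forged_from_delivered() -> bool:
    """A message whose From is forged to the recipient's own (or a
    colleague's) address matches the address book and is delivered with no
    challenge: the address-book check is not sender authentication."""
    me = CRMailbox("editors@example.test",
                   {"editors@example.test", "adam@example.test"})
    me.receive(Message("editors@example.test", me.address, "Hello", body="constructed"))
    return len(me.delivered) == 1 and not me.outgoing


def list_post_challenged(mitigated: bool) -> bool:
    """A post relayed by a discussion list arrives from the poster's address,
    so having the list address in the book does not help; a naive C-R box
    challenges every poster, the mitigated one holds list mail instead."""
    sub = CRMailbox("subscriber@example.test", {"tidbits-talk@example.test"}, mitigated)
    sub.receive(Message("poster@example.test", sub.address, "[TidBITS Talk] question",
                        headers={"List-Id": "<tidbits-talk.example.test>",
                                 "Precedence": "list"}))
    return bool(sub.outgoing)


if __name__ == "__main__":
    print("naive loop challenges:", simulate_loop(False))     # hits the 10-round cap
    print("mitigated loop challenges:", simulate_loop(True))  # one challenge, then held
    print("forged From delivered:", forged_from_delivered())
    print("list post challenged (naive):", list_post_challenged(False))
    print("list post challenged (mitigated):", list_post_challenged(True))
```

Note that the mitigated box only stops the loop and the list-poster problem; it does nothing about the forged-From case, because an address-book lookup cannot tell a forged header from a real one. That is the gap the article flags as the most serious one, and it needs a sender-verification mechanism rather than a whitelist to close.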
This archive was generated by hypermail 2b30 : Tue May 13 2003 - 10:43:20 PDT