A fundamental problem with challenge/response anti-spam systems

November 9, 2006

A fundamental problem with challenge/response (CR) systems is that they implicitly assume your correspondent wants you to read their email more than you do. Just look at who's doing the work: your correspondents are doing work so that you don't have to.

(Of course, observe that the people for whom this is the most true are the spammers.)

The case where this is not true, where you want to read the mail more than the sender wants you to, is exactly where CR systems break down. You might think this is rare, but it's actually quite common; mailing lists are the obvious example. (Trust me; most mailing list managers are completely indifferent about whether the mail reaches you.)

CR proponents like to claim that whitelisting will solve this problem. It doesn't. The fundamental problem with whitelisting is that what you want to whitelist is an abstract identity, like 'my friend' or 'my bank', but all the filter can see is a crude proxy for it, like the email's origin address. And the relationship between the proxy and the real thing changes all the time.

This leads to an important rule:

People who use challenge/response systems should not expect anyone else to expend effort to get their email to them.

Or, the short version: your CR system dropping email is your problem, not mine.

(Aside: CR systems also have fundamental problems on the real Internet. There's no way to avoid spamming random bystanders with challenge messages, since almost all spam has forged origin addresses; every challenge sent in reply to such a message is backscatter to someone who never wrote to you.)
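To make the whitelisting problem and the forged-sender problem concrete, here is a toy CR filter that whitelists by envelope sender, the address a challenge would actually be mailed to. This is an added example, not code from the original post or from any real CR product; the addresses, the list's bounce-address scheme and the messages are constructed for illustration. It walks through the cases the text describes: a known friend, the same friend at a new address, a mailing list whose envelope sender carries a per-message token (a scheme some list managers and bulk senders use so bounces can be matched to a specific message), and a spam with a forged origin address.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Message:
    envelope_from: str  # SMTP MAIL FROM: where bounces, and CR challenges, get sent
    header_from: str    # RFC 5322 From: header, what the human reader sees
    subject: str


@dataclass
class CRFilter:
    """Minimal challenge/response filter that whitelists by envelope sender."""
    whitelist: set = field(default_factory=set)
    delivered: list = field(default_factory=list)
    held: list = field(default_factory=list)
    challenged: list = field(default_factory=list)  # every address we sent a challenge to

    def confirm(self, address: str) -> None:
        """Record a sender who has answered a challenge (or been whitelisted by hand)."""
        self.whitelist.add(address.lower())

    def receive(self, msg: Message) -> str:
        sender = msg.envelope_from.lower()
        if sender in self.whitelist:
            self.delivered.append(msg)
            return "delivered"
        # Unknown sender: hold the mail and ask the sender to prove they are a
        # person.  The challenge is addressed to the envelope sender, whether or
        # not that address has anything to do with whoever really sent the mail.
        self.held.append(msg)
        self.challenged.append(sender)
        return "challenged"


def run_scenarios() -> dict:
    """Constructed scenarios showing where the sender-address proxy fails."""
    cr = CRFilter()
    results = {}

    # 1. A friend who answered a challenge once gets through...
    cr.confirm("bob@example.com")
    results["friend_known"] = cr.receive(
        Message("bob@example.com", "Bob <bob@example.com>", "lunch?"))

    # 2. ...until the proxy drifts: same person, new employer, new address.
    results["friend_new_job"] = cr.receive(
        Message("bob@newjob.example", "Bob <bob@newjob.example>", "new address"))

    # 3. A mailing list.  Assumed (hypothetical) scheme: the list encodes a
    #    per-message token into the envelope sender so bounces can be tied to a
    #    post, so the address whitelisted after last week's post never recurs.
    cr.confirm("sentto-1001-alice=example.com@lists.example.org")
    results["list_next_post"] = cr.receive(Message(
        "sentto-1002-alice=example.com@lists.example.org",
        "announce@lists.example.org",
        "[announce] outage tonight"))

    # 4. Spam with a forged envelope sender: the challenge goes to a bystander
    #    (innocent@example.net) who never sent anything.
    results["spam"] = cr.receive(Message(
        "innocent@example.net", "Deals <offers@spam.example>", "cheap watches"))

    results["challenges_to"] = list(cr.challenged)
    results["inbox_subjects"] = [m.subject for m in cr.delivered]
    return results


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

Only the first message reaches the inbox. The friend's new address and the list's next post both stall behind a challenge that, in the list's case, nobody will ever answer, and the spam produces a challenge addressed to someone who had nothing to do with it. Keying the whitelist on the From: header instead would let the list post through but would then admit anyone who forges that header, which is the same proxy problem from the other side.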

Last modified: Thu Nov 9 23:26:26 2006