Chris's Wiki :: blog/spam/CRTemptation

A temptation with challenge/response anti-spam systems

February 10, 2007

Every time I see a mail from a C/R system, I get more and more tempted to teach our mail filtering infrastructure about the most common ones, so that it can automatically acknowledge the challenges, discard the messages, and not bother the users with them at all.

Will this acknowledge a lot of spam, and thus dump it on the people operating those C/R systems? Sure, but that's not our problem. And I'd clearly be doing our users a service, especially if C/R systems get widespread.

(This is another example of how C/R systems try to work by offloading your spam problem on precisely the wrong people. The only way they can 'work' at all is if most of the mail addresses you challenge don't even exist; otherwise you are reaching either spammers or pissed off people, neither of which have your interests in mind.)

As a special bonus prize, I could even hack our system to do this even for local addresses that don't actually exist, since it's perfectly possible to automatically acknowledge the challenge and 5xx the DATA command at the end of the SMTP conversation. I'd have to make sure that this only happened for single-recipient email, but that describes all of the C/R email I'd want to do this to.

(Ob-attribution-darnit: I've had this thought for a while, but the impetus to actually write this entry was provided by reading about a related temptation with C/R systems here.)

Comments on this page:

By Dan.Astoorian at 2007-02-12 11:08:49:

I get more and more tempted to teach our mail filtering infrastructure about the most common ones, so that it can automatically acknowledge the challenges, discard the messages, and not bother the users with them at all[...] And I'd clearly be doing our users a service, especially if C/R systems get widespread.

As a user, I don't agree that you'd "clearly" be doing me a service by forging an acknowledgement in my name.

Firstly, it's not obvious that the legal threats in the challenge are necessarily as toothless as you seem to be assuming. If you send a confirmation in my name without my consent or knowledge, and the challenge contained an attempt to enter me into a contract (e.g. this one attempting to collect $2000 for each piece of spam from anyone who answers the challenge), it may end up wasting much more of my time than I would have spent answering (or ignoring) challenges--regardless of whether or not the contract could actually be enforced.

Secondly, I do not want it to be transparent to me that the user I am corresponding with is using a C/R system. I should have the opportunity to decline to correspond with the sort of people who put "keep out" signs on their mailboxes.

In any case, tempting though it may be, messing with the perceptions of the parties involved (of the C/R user, who will assume that his challenge was seen and deliberately acted on, and of the correspondent, who will not know that a C/R system is in use) is to flirt flagrantly with the Law of Unintended Consequences.

--Dan

By cks at 2007-02-12 11:38:39:

I admit that I hadn't thought of those aspects, which do make auto-acks somewhat less attractive.

(C/R systems that use URLs in email are apparently already in trouble, because allegedly at least some anti-spam systems fetch URLs in mail bodies to check the target page out. This strikes me as rather dangerous, and is apparently causing problems for things like mailman.)

Written on 10 February 2007.

«	Link: Why the ease of installing Java matters

Weekly spam summary on February 10th, 2007