Manage Learn to apply best practices and optimize your operations.

Are challenge-response technologies the best way to stop spam?

Challenge-response spam technology intercepts incoming emails and sends a challenge to the sender, asking him or her to confirm the message's validity. Though the antispam mechanism has gained popularity, there may be more secure alternatives, says expert Michael Cobb.

Challenge-response spam technologies seem to be very popular. Do they provide the best antispam protection?
Spam is hard to define; what one person considers spam could be an important message to someone else. Also, electronic message protocols do not require any prior contact between the sender and the recipient. Consequently, it's not possible to rely on automated authentication. Preventing spam, therefore, requires a multi-layered approach that includes technology, policy, practice and education.

Challenge-response spam technology intercepts incoming emails and sends a challenge to the sender, such as a request to click on a link or answer a simple question. If the sender correctly responds to the challenge message, then the original email is forwarded on; otherwise it is discarded. The process authenticates the sender by confirming that he or she sent the message.

Requiring human verification may seem like quite an effective approach to stopping spam, but there are various drawbacks that you need to consider. The challenge-response process effectively shifts the work of filtering email from the recipient to the sender, legitimate or otherwise. Publishers, however, may not complete the challenge-response when they have thousands of messages to send. Many people don't reply to challenge emails either because they don't know what they are, don't trust them or simply refuse. There are, therefore, many false positives. Other less knowledgeable users often complete the response even when they didn't actually send the original email, producing a false negative.

There is another problem, too. What if the challenge message doesn't reach the sender? The challenge itself could be blocked by the sender's antispam filter! If antispam filters are set to always allow challenges through, then spammers will create spam that looks like a challenge message. Also if the challenges become too predictable, then the spammers will be able to develop computer programs that spot the challenges and auto-send the required responses.

My personal preference is to deploy antispam tools that use a variety of filtering techniques. Bayesian filtering techniques, for example, compare the contents of incoming messages to those of previous legitimate mail. Heuristic filters look for patterns in the content of an email and match them against a database of known spam characteristics. Whitelists and blacklists are time-consuming to keep up to date, but they do provide flexibility so that users can decide which messages should be treated as spam.

Thankfully, server authentication initiatives can control spam at the mail server. Two of the most popular tools are the Sender Policy Framework (SPF) and Sender ID. These authentication mechanisms can verify whether a mail server is authorized to send on behalf of a given domain. Records are published in the domain name system (DNS), which lists the authorized email servers for a domain. If we are ever going to beat spam, it is this type of control that will help in its defeat -- not challenge and response.

More information:

  • Is Sender ID effective? Michael Cobb examines the authentication mechanism.
  • Challenge-response tools received high marks, according to a recent independent survey. Find out which antispam technologies didn't make the grade.
  • This was last published in November 2007

    Dig Deeper on Email and Messaging Threats-Information Security Threats