Ask Amir #3: Is challenge/response the ultimate anti-spam technique?
This week in Security Levity, I want to respond to a request to talk about a particular anti-spam technique: one that claims "100% spam detection."
Throughout the history of spam filtering, we've seen countless ways of identifying spam. Many of them fell by the wayside: either because spammers adapted to them, or because they never worked very well.
But there's one particular technique -- still hanging on with us -- that really needs to be put out of its misery. It was relevant many years ago, but that time is long gone. I'm talking of course about challenge/response spam filtering (or "C/R").
Basically, it doesn't work. In summary, here's why not:
- If you use it, it will often lose email you wanted to receive;
- It can even cause email sent by you to go missing;
- As if that wasn't bad enough, it actually pollutes the internet with even more spam!
The way C/R works is deceptively simple: it replies to messages from senders it doesn't recognize. It essentially says to the senders, "Are you a spammer? If not, please type in these squiggly letters to prove you're a real person." (i.e., it queues the email until the sender completes a CAPTCHA). The idea being that spammers send in bulk, so can't be wasting their time responding to challenges.
Simple, eh?
But wait just a minute. If you've been reading this blog over the past few months, you'll already have spotted a flaw in this idea. C/R tries to reply to spam, but you can't reply to spam, because spammers forge the sender address of their email.
Challenges are often misdirected to spamtraps, because spammers forge the sender of their messages using entries from their spammy lists of email addresses. This causes spam filters and reputation services to learn that challenges are spam, so filters often don't deliver challenges to their intended users.
Challenges also get misdirected to innocent users, because their addresses were misused by spammers. Those users receive a challenge that has nothing to do with them, and often click the This Is Spam button. This also causes spam filters to learn that challenges are spam, so this is another reason for legitimate challenges to go missing.
And because users of C/R are effectively sending spam, it can mean that they get branded as spammers. This will mean that their regular outgoing email is also treated as spam!
As if all this wasn't enough, many normal users can't be bothered responding to your challenge. All else being equal, this too means that their email won't reach you.
In other words, C/R causes a large number of false positives: it loses legitimate email sent to a C/R user, and it also loses email sent by a C/R user.
Finally, let's play reductio ad absurdum. Imagine what might happen if everyone used C/R: email would become unusable, because the C/R systems would spend all their time talking to each other in a loop.
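The misdirected challenges described above (challenges landing on spamtraps and on innocent users whose addresses were forged, genuine senders who never answer) and the everyone-uses-C/R loop can both be watched in a small simulation. This is an added example, not code from the original post or from any C/R product; every address, mailbox and message in it is constructed for the example, and the hop cap in `deliver` exists only so the loop scenario terminates.

```python
"""Toy model of challenge/response (C/R) mail filtering.

Added example, not from the original post. All addresses and messages are
constructed; spam injected via `inject_spam` carries a forged envelope
sender, exactly the behaviour the post attributes to spammers.
"""
from dataclasses import dataclass, field

SPAMTRAP = "trap@example.invalid"   # constructed spamtrap address


@dataclass
class Message:
    sender: str      # envelope sender; forged in the spam case
    recipient: str
    kind: str        # "mail", "spam" or "challenge"


@dataclass
class Mailbox:
    address: str
    uses_cr: bool = False
    known: set = field(default_factory=set)      # senders already verified
    sent_to: set = field(default_factory=set)    # people this user really wrote to
    inbox: list = field(default_factory=list)
    held: list = field(default_factory=list)     # waiting for a CAPTCHA answer
    stray_challenges: list = field(default_factory=list)  # challenges for mail never sent


class MailSystem:
    def __init__(self, boxes):
        self.boxes = {b.address: b for b in boxes}
        self.trap_hits = []   # anything that reached the spamtrap

    def deliver(self, msg, hops=0, max_hops=10):
        """Route one message; return how many challenges it triggered."""
        if msg.recipient == SPAMTRAP:
            # Nobody reads a spamtrap: every arrival, challenge included,
            # is scored as spam, which teaches filters that challenges are spam.
            self.trap_hits.append(msg)
            return 0
        box = self.boxes.get(msg.recipient)
        if box is None:
            return 0
        if msg.kind == "challenge" and msg.sender not in box.sent_to:
            # Misdirected challenge: this user's address was forged by a spammer.
            box.stray_challenges.append(msg)
        if box.uses_cr and msg.sender not in box.known:
            box.held.append(msg)
            if hops >= max_hops:        # simulation-only cap so the loop ends
                return 0
            box.sent_to.add(msg.sender)
            challenge = Message(box.address, msg.sender, "challenge")
            return 1 + self.deliver(challenge, hops + 1, max_hops)
        box.inbox.append(msg)
        return 0

    def send(self, sender, recipient, kind="mail"):
        """A real user writes a message, so the sender is on record."""
        self.boxes[sender].sent_to.add(recipient)
        return self.deliver(Message(sender, recipient, kind))

    def inject_spam(self, forged_sender, recipient):
        """Spam with a forged sender: the named 'sender' never wrote anything."""
        return self.deliver(Message(forged_sender, recipient, "spam"))

    def answer_challenge(self, responder, challenger):
        """The responder solved the CAPTCHA: release their held mail."""
        box = self.boxes[challenger]
        box.known.add(responder)
        released = [m for m in box.held if m.sender == responder]
        box.held = [m for m in box.held if m.sender != responder]
        box.inbox.extend(released)
        return len(released)


def forged_spam_scenario():
    """Alice runs C/R; Bob and Carol are ordinary users."""
    alice, bob, carol = "alice@example.invalid", "bob@example.invalid", "carol@example.invalid"
    net = MailSystem([Mailbox(alice, uses_cr=True), Mailbox(bob), Mailbox(carol)])
    net.inject_spam(bob, alice)        # spam forged as Bob
    net.inject_spam(SPAMTRAP, alice)   # spam forged as the spamtrap
    net.send(carol, alice)             # genuine mail from Carol
    before = len(net.boxes[alice].inbox)
    net.answer_challenge(carol, alice) # Carol bothers to answer; Bob never wrote
    return {
        "challenges_hitting_spamtrap": len(net.trap_hits),
        "stray_challenges_to_bob": len(net.boxes[bob].stray_challenges),
        "alice_inbox_before_carol_answers": before,
        "alice_inbox_after_carol_answers": len(net.boxes[alice].inbox),
        "spam_still_held": len(net.boxes[alice].held),
    }


def mutual_cr_scenario(max_hops=10):
    """Both ends run C/R: the mail is never read, only challenges fly."""
    alice, dave = "alice@example.invalid", "dave@example.invalid"
    net = MailSystem([Mailbox(alice, uses_cr=True), Mailbox(dave, uses_cr=True)])
    net.boxes[dave].sent_to.add(alice)
    challenges = net.deliver(Message(dave, alice, "mail"), max_hops=max_hops)
    delivered = sum(len(b.inbox) for b in net.boxes.values())
    return challenges, delivered
```

Run `forged_spam_scenario()` and one challenge lands on the spamtrap, one lands on Bob as a stray (the "This Is Spam" click the post describes), and Carol's mail sits held until she answers. `mutual_cr_scenario()` delivers nothing to either inbox; the only traffic is the challenge ping-pong, which stops solely because of the simulation's hop cap.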
UPDATE... don't be confused: this post is talking about C/R techniques, not specifically about products that use C/R. See my followup comment.
Now, I fully expect to hear howls of rage from the C/R vendor community in reply to this post. I am of course open to a full and frank dialog; feel free to add comments and ask Amir!
When he's not criticizing challenge/response techniques, Amir Lev is the CTO, President, and co-founder of Commtouch (NASDAQ:CTCH), an e-mail and Web defense technology provider.