Finally! The Argument Against Challenge-Response


Link: John Levine: Challenge-response systems are as harmful as spam

A new--and rather evil--wave is sweeping the net. More people are using challenge-response (C-R) systems to protect their email inboxes against spam. If you send email to somebody protected by C-R, your email is intercepted. Their C-R 'bot will send back an email that demands you complete some challenge (click a link, answer a question, quack like a duck). If you respond correctly, then it assumes you aren't a spammer. Your email is passed along and you are whitelisted against future challenges.

That is, providing you aren't protected yourself by C-R. In which case your C-R 'bot challenges back, and the little tango runs ad infinitum, until the net suffers heat death.

That's just one of the problems with C-R. Many people have been watching the growth of these systems with some consternation. Finally, John Levine has taken a stab at documenting some of the deficiencies of C-R. Kudos to John!
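The mutual-challenge tango between two C-R users, as an added simulation (not code from the original post or from John Levine's article). It models each mailbox as a whitelist plus a quarantine and shows that a loop guard, here the assumed convention of never challenging an auto-generated message (RFC 3834's `Auto-Submitted: auto-replied` header), is what stops the exchange.

```python
"""Two challenge-response (C-R) mailboxes challenging each other.

Constructed simulation: messages, addresses and the round cap are made up.
"""
from dataclasses import dataclass, field

@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    auto_submitted: bool = False   # models RFC 3834 "Auto-Submitted: auto-replied"

@dataclass
class CRMailbox:
    address: str
    guard_auto_replies: bool = False          # loop guard on/off
    whitelist: set = field(default_factory=set)
    inbox: list = field(default_factory=list)
    quarantine: list = field(default_factory=list)

    def receive(self, msg):
        """Deliver the message, or return the challenge to send back (None if none)."""
        if msg.sender in self.whitelist:
            self.inbox.append(msg)
            return None
        self.quarantine.append(msg)           # held until the sender proves itself
        if self.guard_auto_replies and msg.auto_submitted:
            # An auto-generated message can never answer a challenge, so
            # challenging it only feeds the loop. Hold it and stop here.
            return None
        return Message(self.address, msg.sender, "Please prove you are human",
                       auto_submitted=True)

def exchange(a, b, first, max_rounds=100):
    """Bounce messages between two C-R mailboxes; return how many challenges were sent."""
    boxes = {a.address: a, b.address: b}
    msg, challenges = first, 0
    for _ in range(max_rounds):
        reply = boxes[msg.recipient].receive(msg)
        if reply is None:
            return challenges
        challenges += 1
        msg = reply
    return challenges   # hit the round cap: the tango never terminated on its own

def demo(guarded):
    """Number of challenges exchanged when Alice first mails Bob (both run C-R)."""
    alice = CRMailbox("alice@example.test", guard_auto_replies=guarded)
    bob = CRMailbox("bob@example.test", guard_auto_replies=guarded)
    return exchange(alice, bob, Message(alice.address, bob.address, "hi"))
```

Without the guard `demo(False)` only stops because of the round cap; with it, Bob's single challenge lands in Alice's quarantine and the loop ends.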


First, let me admit I'm one of those damned C-R authors.

My system is called SPOILSPORT (Simple Proof Of Intelligent Life Stops Potentially Offensive Robotic Transmissions). It uses a blacklist, a whitelist and a graylist, just as described, and suffers many of the problems that you and J Levine describe.

Perhaps digital signatures or more widespread use of PGP would help. The challenge would ask for the sender's public key in addition to the standard proof-of-life question.

Perhaps, even better -- proof-of-life gets you on my whitelist for a short period of time. Donations to my paypal account fund SPOILSPORT development and get you on the persistent whitelist.

Either way, sender authentication remains, I think, the biggest stumbling block for any mechanism trying to manage spam.