August 17, 2003  ·  Lessig

So the legislative fight against spam is going no where. There will probably be a bill, but it has been designed simply to make sure that large traditional companies are still free to send unsolicited commercial email. Senator McCain has added a nice innovation that will make it easier to hold people responsible for UCE. But the concerted effort to avoid labeling will mean in the end, the legislation does not work.

Which has led me to a bit of code which I had intended to resist: challenge-response. My mail now goes through Mailblocks.com (which annoyingly has a pop-up to warn people away from any browser except Microsoft’s, and which even more annoyingly is enforcing patent protection against other challenge response systems) but so far, it has worked.

“Worked.” “Worked” means I don’t have literally hundreds of emails in my inbox each morning that are junk. “Worked” means I don’t therefore have to delete 95% of the emails in my inbox because they are junk. “Worked” means I therefore don’t erase emails which were not junk but which one inevitably will when so much is junk.

But “worked” also means that the first time you (humans out there, not bots) send me email, you’ve got to go through a web-based ritual to authenticate that you’re human. Of all the mandated authentication our society requires these days, this seems about the most harmless. Indeed, it might even help.

  • Karl

    Professor,

    What is your opinion of the charges of spamming that are being levied at the Dean campaign?

    /. coverage

    -kd

  • http://www.jwz.org/ Jamie Zawinski

    Email challenge-response systems like this are a very, very bad idea. For one thing, they only work if almost nobody is using them. Declan wrote a pretty good article about this.

    I only get about 10 spams/day, and I’ve been using the same widely-publicized email address for about 8 years. I get so little spam because the ISP I use (meer.net) makes use of various spam-blocking services like MAPS RBL.

    If you’re not interested in switching to an ISP that provides good spamblocking services (and there are many), then the next best thing, and far better than a challenge-response system, would be to set up a whitelist: send all your mail to the spam folder unless it is on a list of people you explicitly allow. Scan through your spam folder once a week. The effect of this is that people who haven’t sent you mail before have to wait for a response, but at least you’re not wasting theirtime by making them jump through hoops before deigning to allow them to contact you.

  • Nick

    Not that I have ever emailed you, Professor, but allow me to point out that there are people such as myself who will take one look at that pop-up and walk away. You have the right, of course, to pick whatever solution works for you, and I’m very much sympathetic to the problem of spam. I despise it and have worked out my own solutions through the use of obscurity, solutions that could never work for you as such a public person. So I do not know the answer for you. But just be aware that some correspondants will refuse to use challenge response systems, and thus you will never hear from those persons.

  • gizmo_mathboy

    I don’t think much of challenge-response systems. I would rather use tools like SpamAssassin and Mozilla’s spam filters instead.

    However, there does seem to be a better idea out there SPF. I’m still thinking it over to determine if it is something I would use.

    It seems to be a fix that doesn’t break existing systems and doesn’t seem to penalize people that use it.

  • http://insipid.com Dave

    That should have been “posted by Dave” sorry about that.

  • http://fallenearth.org/blogs/caiuschen/ caiuschen

    Have you considered Bayesian filtering and its variants? Paul Graham has a nice article describing his filter. It needs to be trained; but on the plus side, that personalizes the filter rules to you. Challenge/Response is not too bad, except for the inaccessibility to the blind. Good luck with whatever choice you make.

  • Me

    Bayesian filters and whitelists don’t get along well… I tried that with Popfile, whitelisted a ton of people I know, and let the spam filter do the rest.

    Turns out, so much junk mail went in, Popfool decided that EVERYTHING not whiteliested was junk… there was no way to tone down the scope.

    SpamBayes seems better, since I can tune it better… but at the end of the day we need to take these idiots ruining the medium, and do something positive to stop them. Then all we have to do is firewall off Asia and we’re good.

  • Alex

    For a quick practical overview of spam solutions currently available, you might want to look at The best anti-spam solutions for Windows. It was written by a hardware enthusiast site, Ars Technica.

  • http://www.worldbeyondborders.org Jane

    Nice trick for avoiding spam: when scripting a page that has your email on it, replace the @ sign with @ so address hunters can’t see it. You can also put any number of zeros in front of the 64 to confuse them.

    Webmasters, take note!

  • http://ie.suberic.net/~kevin/cgi-bin/blog/ kevin lyda

    see http://tmda.net/ for a challenge response system you can run yourself.

  • http://insipid.com Dave

    Regarding Me’s reply about Bayesian filters and Whitelists not getting along well. I’d suggest that this may have been a flaw with the software you were using.

    SpamAssassin performs Bayesian analysis and also has a whitelist. I use both and have not had the problems you describe.

    SpamAssassin is working so well, I don’t worry about protecting my email address anymore.

    dphull@insipid.com

  • http://www.unbendable.org Matthew Smillie

    Re: spam filters and Bayes. It definitely does sound like a software flaw, and if I were to pull my Magnificent Carnac routine, I would guess that it was considering the whitelist as a feature in the Bayesian analysis. Given that the whitelist is guaranteed to be “ham”, it’s not surprising at all that the filter got skewed so drastically.

    Brief rationalisation: the probability of a whitelisted address being spam is 0. The probability of a message being spam based on almost any other possible feature of the message is non-0. Obviously, the whitelist is the single best feature to determine spam/ham with, and gets a correspondingly large weight in the Bayes filter. A large amount of whitelist messages vs. non-whitelist, non-spam messages could quite conceivably mis-train the system to effectively check only whitelist/non-whitelist.

  • http://www.unbendable.org Matthew Smillie

    Ah ha! an interesting side-effect of the Professor’s adoption of challenge-response. I think new comments are forwarded to the Professor’s email – my comment above generated a challenge/response request.

    I’m relatively pleased to note the site seems to function perfectly well with Safari, despite its protestations to the contrary, but I’m a little dismayed that it seems to favour marketing copy over actual and useful feedback to the user.

  • http://pobox.com/~joehall joe

    I’d be interested in Prof. Lessig’s comments on the Dean campaign and spam… and the prevalence of web-bugs in their spam to track where on the net their emails are being read.

    As well, the CDT has done a study where they set up a bunch of dummy email addresses and examined what behavior specifically increases spam (hint: obfuscate).

  • http://www.qualitykingdom.com Tom green

    Yea, me to. I agree with ya, I was working on that last week

  • http://www.kaax.org Kaa

    I’ll go with jwz and others in saying that a challenge-response model for email is a very bad idea. It’s a bad idea technically, and a bad idea philosophically. There are plenty of other ways of dealing with spam.

    Kaa

    P.S. I am also curious about your viewpoint on what seems to be Dean campaing spamming…

  • Nathan D.

    As if you needed yet another person saying this technology is horrible — but, it is.

    One small story: I run a small not-for-profit web service for teachers. It’s a free service run purely on a volunteer basis. We do our support via email. I can’t begin to describe how frustrating it is to get a request for support only to be spammed with a message asking for us to verify we are OK. Think about that transaction — they ask us for help and we end up having to do extra work just to have the privilege of getting back to them. And yes, I use the word “spam” in that context intentionally — I have never seen one of these services (and I’ve seen plenty of them) that doesn’t include advertising messages in the email that is sent back (advertising for the company sending the message in most cases). Some of them even expect you to click-through to a web site where they try to capture you as a customer.

    It’s even worse when you post to a listserv — I’ve had some posts to lists I am on cause several different people’s email accounts send me these confirmation messages — as an earlier commenter points out, these systems only work if very few people are using them. Imagine if every one of a 1,000 person list were using these services. The list would cease to exist.

    As others have suggested, various server-side and/or client-side filters will accomplish the same thing without annoying your friends and colleagues.

  • http://www.toehold.com/~kyle/ Kyle Hasselbacher

    I’ve been using TMDA for about five months now, and I’d never go back. Challenge/response has made email useful for me again. I lost all interest in RBLs when my mail was blocked by one.

    Regarding the Declan article that Jamie linked, it seems to be mainly concerned with mailing lists and the fact that a lot of challenge/response systems don’t work right. (This seems to me like saying cars are a bad idea because some of them are poorly designed.) TMDA addresses all of that.

    The only down side I’ve seen is the rare occassion when a human needs to contact me and isn’t on my white list. In my mind, I’d gladly spend an extra minute confirming a message to someone if the act of doing so also all but eliminates their spam.

  • Anonymous

    So what you’re saying is that you now have installed a system with a 100% false positive rate? Super.

  • http://www.crossroads.net/a Adam Rice

    I am concerned that some spammers have already figured out how to undermine the challenge-response system: they are sending out spam using the legit e-mail addresses of other people as their return addresses–I’ve been getting some of the bounces resulting from this, which irks me to no end.

    If a spammer sends out a mailing with my address to someone using a C/R service, one of three things will happen:

    1. I will receive the challenge and will respond correctly. From that point on, spam can get through.
    2. But I probably won’t bother to respond–since I hadn’t actually tried to reach the party in question, I may regard the challenge as camouflaged spam. Meaning the spam can’t get through, but perhaps (depending on exactly how the system works) I may not be able to get through to anyone else using the service.
    3. I will already be whitelisted with the C/R system, in which case the spam is in the fast lane to your mailbox already. You may have some way to notify the C/R service that my address has gone bad–it hasn’t, but I won’t be able to correspond with you anymore.

  • Anonymous

    I checked out TMDA and while it doesn’t contain any ads in the challenge, or obnoxiously suggest I use IE, it’s still a no-go in my book. This is punishing the innocent in order to catch the guilty. No thanks. If I get one of these challenges I will just drop that person off my list and never correspond with them again. Live in a gated community if you want. I’ll stick to the Internet, with its openness and freedom.

    Spam is a real problem (although I get maybe one a month, if that, because I use methods that work and are transparent to people who email me), and needs a real solution. I understand the appeal of challenge/response systems. As I said, it’s like living in a gated community where things are great for you, but it sucks for everyone else. There has to be a better way.

    What is my method, btw? Quite simple, although it would NOT work for someone in the public eye such as Professor Lessig:

    a) Never leave your real email address on the Net anywhere.
    b) Pick an ISP big enough to give you great service, but small enough to be ignored by spammers. I use Speakeasy. You couldn’t pay me to use someone like an AOL which is a prime target for spammers using dictionary attacks.
    c) Use throwaway email addresses for web use. Do NOT use Hotmail and the like, or else you get inundated with spam. Instead pick less well known web emailers. I use ziplip.

    Result: No spam, or so few as to be insignificant. I get no spam on my web emailer address. I get maybe 1 or 2 a month in my prime Speakeasy account that I have had for over three years, and is easily accessible by dictionary attacks if they ever think to target Speakeasy.

    What can Lessig do? That I cannot say, which is why I am sympathetic to his choice of a challenge/response system. Just as long as he realizes there is a group of persons he will never, ever get to correspond with out of principle.

  • Atom Powers

    Challange-response is not only a bad idea technically, it is a bad idea ethically. You are giving some virtually unknown company complete control over who gets to send you email and who doesn’t. Would you trust an internet company that collects email addresses *not* to sell them, or not to take bids for back-door access to your email?
    BTW, most spam originates in the US. If not through our ISPs then through the companies that comission, directly or indirectly, the spam in the first place. Spam is simply one of the symptoms of over zealous marketing.

  • Greg Buchholz

    Another tool used to combat spam? Disposable email addresses. I personally like spamgourmet.com. It takes about 4 seconds to register and then you can start creating email addresses like…

    someword.x.user@spamgourmet.com

    where someword is anything you want it to be, x is the number of messages you want forwarded to your private address, and user is the username you signed up with. And it’s free.

  • Greg Buchholz

    [OT] Does the lessig blog properly implement the blockquote tag? I tried to use it in my post from above, but the formatting seems to get screwed up after the closing tag. I see the same thing in Mozilla 1.3, Netscape 4.7, and IE6. In my cursory glance at the page source I noticed that the h1 tag (<h1>Lessig Blog<br>) at the beginning doesn’t seem to get closed. I guess I’ll find out if webmaster@lessig.org is setup for challenge/response :)

  • http://eric.eisenhart.name/ Eric Eisenhart

    Nathan D.:
    Most listservs will treat a challenge/response response to list email as a bounce and simply remove your address from the list after a certain number of failed attempts. Most mailing list software will probably handle things this way by default, even. And, of course, most (human) mailing list managers can’t be bothered to deal with this kind of thing.

    As somebody who does deal with managing a few mailing lists, I can tell you that anybody who regularly sent a challenge back to every posting member would quickly find themselves removed from the list. Possibly with a note that such had happened if I was feeling extra generous that day.

    In other words: if you use a challenge/response system, it’s very important to whitelist mailing lists, etc.

    Personally, after having been on the sending side of a challenge/response system and ending up having to reauthenticate myself for the third time to respond to email somebody sent me as part of an ongoing discussion, there’s just no way I’d inflict that kind of thing on anybody else. I only have so much time in the day, if I’m going to get spammed and forced through hoops to communicate with somebody, I probably won’t bother anymore.

  • Greg Buchholz

    I have seen the spam of the future. And it looks like exactly like a challange from Maillblocks.com. Here is the response I received after mailing Mr. Lessig…


    Hi,

    You just sent an email to my lessig@pobox.com account, which is now being managed by my Mailblocks spam-free email service. Because this is the first time you have sent to this email account, please confirm yourself so you’ll be recognized when you send to me in the future.

    It’s simple. To prove your message comes from a human and not a computer, go to:
    “>http://app4.mailblocks.com/confirm2.aspx?ck=Bmxlc3NpZwAac2xlZXBpbmdzcXVpcnJlbEB5YWhvby5jb20d00ia&a=1

    This is the email message you have sent that is in my Pending folder waiting for your quick authentication:

    Subject: lessig blog and blockquote tags
    Sent: Aug 18, 4:18 PM

    If you have not confirmed within two weeks, your message will automatically be deleted.

    So what’s there to prevent the spammers from sending out messages exactly like this, except for replacing the hyperlink with one that points to their penis-enlargment potions?

  • http://www.toehold.com/~kyle/ Kyle Hasselbacher

    Are postage stamps against “openness and freedom”?

    Is responding to a challenge more of a burden than postage?

    If you choose not to correspond with someone on the basis of their usage
    of a challenge/response system, that’s your prerogative. In a sense, that’s
    collateral damage. I think it’s superior to every other collateral damage
    I’ve heard of since the people hurt by it are selecting themselves. (Your
    message isn’t important enough to take a minute to confirm? Fine. Your
    message is too important to be blocked by a RBL or content filter? Tough.)
    That being the case, I like losing mail that way a lot more than
    losing it the way I used to (where the victims don’t even know it happened).

  • Matthew Saroff

    I think that this problem may eventually be resolved by something more significant than challenge response if there is no legislative source the IDP (Internet Death Penalty).

    It’s easy to obscure email origins, but there has to be something like a web address somewhere, and when ISPs stop allowing connections from spam friendly entities, a lot of this will end, particularly since the Chinese will throw these people in Jail (or unfortunately put a bullet in their head), as most Chinese IP addresses seem to be connected to spam.

  • James Day

    Kyle,

    The challenges mostly go to innocent victims who are placed in the from addresses by the spammers. Those are entirely innocent victims who didn’t even try to send an email to the person using the challenge-response system. Anyone using a pure challenge-response system is saying that they have a problem and they are going to pass it on to innocent random strangers instead of dealing with it themselves.

  • Nick

    “That being the case, I like losing mail that way a lot more than
    losing it the way I used to”

    That’s right. This way you only lose mail from the innocent and the principled.

  • http://www.toehold.com/~kyle/ Kyle Hasselbacher

    “This way you only lose mail from the innocent and the principled.”

    So, before: “lose mail from innocents.” After: “lose mail only from
    innocents with principles.” I still call that an improvement, in that the
    innocents getting blocked are fewer (and again, self-selecting, free to
    change their mind).

    “The challenges mostly go to innocent victims who are placed in the from
    addresses by the spammers.”

    That is unfortunate (and I admit, I hadn’t thought of it), but it’s no
    different than:

    • Automatic vacation messages to the innocent.
    • Automatic bounce messages to the innocent (I get about 250 of these a
      day).
    • Automatic list subscription confirmation messages to the innocent.
    • Automatic list moderation notices to the innocent (“Your message is
      being held pending moderator approval”).

    That last sounds the most like the challenges we’re talking about.
    Should mailing lists stop doing that because of the innocents affected?
    (Incidentally, TMDA is designed not to try to confirm messages
    like the above.)

    My point is that given you have to deal with bogus automatic responses
    generated by spammers already, this is not such a larger problem. The
    responses generated by TMDA are made to look automatic to existing
    software. In these terms, a TMDA user is no more a burden to the network
    than a user who abandoned an address.

  • Nick

    Kyle,

    I appreciate your points, and if this system works for you as it works for Professor Lessig, well more power to you.

    For me it’s a principle. I refuse to accept the ‘guilty until proven innocent’ routine without a fight. That is the antithesis of the Internet with its openness. To hide behind a gated community and call that good is to give up. I don’t want to give up. I would rather find ways to stop spammers, not make everyone else have to change their behavior.

    Your metaphor about postage stamps doesn’t work in my mind because it is a payment method, not an identification method. Challenge/response systems are the security guard telling me I cannot get in because I am guilty — now prove otherwise and you may come in. Well, when faced with an agent demanding to see my papers, I would rather just keep on walking elsewhere and keep my freedom.

    YMMV, and I respect that.

  • http://insipid.com Dave

    Kyle:

    What about the blind or visually impaired or those who simply fat finger the answer to the challenge? This system fails in that regard.

    A blind person can affix a stamp to an envelope, but text-to-speech programs are not able to read the digits in the challenge image.

    Are you in favor of discriminating against blind or visually impaired individuals?

    dphull@insipid.com

  • Greg Buchholz

    Although I tend fall in the challenge/response is offensive camp, I’ve got some ideas on how to make it less so. First a challenge should be issued only when the message is flagged by your mail filter as looking too spammy. That alone should eliminate 90+% of the problem. Second, any suspect message should be immediately delievered your local junk mail folder, and not held on some intermediate server. Then when the challenge is successful, the message gets upgraded to your regular inbox. This way if it’s a light spam day, you could still peruse the junk folder and have a chance of seeing legitimate mail, even if the sender didn’t respond. Third, we need a new mail heading to indicate whether the sender would even consider responding to a challenge. Something like “X-I-don’t-respond-to-challenges: true”. The challenge/response system should NEVER send mail to these people. This takes care of the mailing-list problem and the conscientious objectors. Fourth, the challenge/response bot should ideally be hosted on your own domain. This is to alievate any concerns that the challenge/response operator is harvesting the sender’s address for future spamming purposes. And fifth, the system should try to comply with as many ‘Net norms as possible, like honoring the reply-to field (which Mailblocks doesn’t). There’s no sense in being any more rude than you have to be. While not curing the problem, these steps would go a long way to making it more palatable.

    I’m also interested in what happens when your challenge/response system challenges my challenge/response system. Is there a standard way to break out of that infinite loop? (RFC????)

  • http://www.toehold.com/~kyle/ Kyle Hasselbacher

    Dave: The system I use (TMDA) uses ordinary email for its challenges, not a challenge image. It doesn’t require any functionality outside normal email use. There’s been talk of having challenges that require some intelligence to answer, but at the moment it’s not necessary.

    Nick: I can understand an objection to challenge/response if you think of it as an assertion of guilt. I think of it as an assertion of automation. I’m not trying to verify that you’re legally allowed to talk to me; I’m trying to verify that you’re a human. In this regard, challenge/response is the same as mangling your email address when you publish it so that it won’t be found by spammers’ harvesting robots. When you read “my address is kyle@painted.toehold.com (apply paint thinner to email me)”, do you think I’m asserting your guilt? Or is this just a reasonable acknowledgement that on the public internet, you never know who’s on the other end of the line? Is it ethical to block email from people who are too dim to decipher these tiny intelligence tests?

    As to the failing of the postage stamp analogy, I’ll agree it isn’t perfect. My point at the time was to refute the claim that requiring the extra effort to confirm a message is an unfair burden. We accept larger burdens in other media all the time. You correctly point out that a challenge/response system forbids anonymous emailing. If that goes against your principles, I respect that.

    There’s been some legislation to the effect that spammers must provide a valid email address in their mails. I find it interesting that this code has written that law into the network (or, at least, my little part of it) far more effectively than any legislator.

  • http://www.toehold.com/~kyle/ Kyle Hasselbacher

    Greg:

    Most of what you describe is possible with TMDA if not default. The differences between what you describe and what I run right now are:

    • I don’t filter before challenging, but TMDA is run from procmail, so it would be easy to introduce some other filter before it.
    • Suspect messages are held in a pending area that TMDA controls. It’s viewable in various ways, and you have the option of delivering legitimate mail you find.
    • There’s no header (AFAIK) for people to “opt out”, but it already looks for signs of a mailing list (and does not respond). I could support an “opt out” header locally with a config change (but it wouldn’t be standard).

    As for emailing someone else using the same system, I’ve done it. It works this way:

    • When I send to someone not on my white list, reply-to is set to an address which will pass through TMDA until an expiration date.
    • The other system responds to that dated address.
    • I receive the challenge and reply to it.
    • Bonus: the (not whitelisted) user I emailed replies to the dated address without facing a challenge.
  • Alan

    Bayes, POPFile, and multiple “Buckets”

    One important thing to consider if you’re using POPFile is to set up more than just two “buckets” (for spam & legitimate mail). I have separate buckets set up for personal mail, mailing lists, software development, purchases I’ve made, news, ads from sites where I’ve bought things, etc.

    The reason for the multiple categories is that those different types of mail tend to have more in common with each other – mailing list messages and digests tend to have some features that are similar and distinguish them from personal mail, and the same applies for most of the other categories. By letting POPFile sort like that I get some spam leaking through and almost no mail being wrongly classified as spam, though I do occasionally get items classified into the wrong bucket.

  • John Anderson

    I get about 60-80 SPAM Emails per day, almost all at one of my three EMail addresses.

    But these are web-based – I wouldn’t put up with someone punching crap straight to my system. And guess what? Two of the three do a pretty good job of filtering (circa 98%) – and put those EMails into a special folder. Which I can simply delete, or can review. And I can add my own filters.

    And I can get my EMailed newsletters – Fred Langa, Chris Pirillo and his crew, Woody’s WINDOWS Watch – which would not get past your “humans-only” filter.

    And I get notices of bills paid from my ISP, Telco, etc. – again, lost to your method.

    And shipment tracking – also lost to you.

    So while I don’t like SPAM, and I appreciate filtering, I do not think throwing out the entire contents of baby’s bath is such a great approach.

  • http://www.toehold.com/~kyle/ Kyle Hasselbacher

    Newsletters are mailing lists. I’m on a half a dozen or so. I get notices from web sites too. With TMDA, when I sign up for these, I can use keyword addresses which pass through without confirmation. If one of them is ever discovered by a spammer, I can dump it. Alternately I can whitelist the web site’s domain.

    TMDA is also configured so that when I send a message to one of these lists, it appears to come from the address that I used to subscribe to the list. For more info, see TMDA FAQ entry 4.8. How do I use TMDA with mailing lists?

    (The truth is, I filter mailing list mail with procmail before it ever reaches TMDA, because I’ve rarely received any spam through a mailing list.)

  • Nick

    Kyle,

    I appreciate your respectful tone in explaining your use of TMDA. I will admit that it is better than most systems I’ve heard about, and I will give this some thought.

  • James Day

    The vacation emails are short term. Challenge-response isn’t. Bounce messages for spam are also a bad idea. They’ve been used too often to attack anti-spam people with joe jobs, a vulnerability which pure challenge-response retains. Better to send only real bounces, before every anti-spam system gets configured to delete them on sight as bogus, destroying the utility of the real bounces.

    Filtering first is the way to go but you don’t need TMDA for that. I’m one of the people who develops plugins for the SpamPal anti-spam tool so I’ll use it as an example:

    First, you set up a conservative set of blacklists and filtering rules. Those you set to discard the email, based on the tag inserted in the header, which tells you the reason the email was identified as spam. These will almost certainly be real spam, so you’re just hurting innocents by responding in any way.

    Now you can set up a more aggressive set of filters which you don’t trust as much and expect to give more false positives. Things like blocking China and Korea. You set those to auto-reply with a bounce message giving the subject line password of the week.

    Anything using that week’s passphrase on the subject line gets a free pass through the system. If it starts to be abused, you change it. It’ll probably last months.

    All done with mail rules and an excellent spam-detection system to prevent most challenges from being sent.

    Humans can get an extra bonus: the passphrase isn’t something an email address harvesting program will see, so it can be placed on a web page and humans can use it if they like.

    Attacks on spam fighters aren’t a trivial issue. SpamPal 1.50 was released last week,. In response, the support area was taken effectively off line by a distributed denial of service attack for a couple of days. I suppose it’s a compliment.:)

    Personally, I don’t need challenge-response. I’ve filters which are more than good enough with a negligible false positive rate, courtesy of whitelists and good word rules to protect legtiimate email and a moderately aggressive set of filters. I’m inclined to think that anyone using challenge-response just didn’t find a good enough spam-detection system first. If you want to take that as a challenge (or if anyone else does) I’ll be happy to give directions for setting up an aggressive but still afe spam identification setup. Just post over in the SpamPal support area and mention the Lessig blog so I know what you’re after.

  • Greg Buchholz

    James, the first person you might want to help out is Mr. Lessig himself. Helping to get him back on the straight-and-narrow path would probably make others stop and reevaluate whether the challenge/response system is the right choice. And of course helping him out would also give more time to do what he does best. Instead of wasting time thinking about whether or not the positives of challenge/response systems outweigh the negatives, he could be focusing on the larger issues of keeping the ‘Net free and open. It appears that whoever hosts lessig.org already SpamAssassin installed. I noticed that when I got the following headers in the bounce from webmaster@lessig.org

    Content-Type: text/plain; charset=us-ascii
    X-Spam-Checker-Version: SpamAssassin 2.60-cvs (1.196-2003-07-29-exp) on darwin.ctyme.com
    X-Spam-Report: * 1.0 HTML_MESSAGE BODY: HTML included in message
    * -8.0 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
    * [score: 0.0000]
    X-Spam-Status: No, hits=-7.0 required=5.0 tests=BAYES_00,HTML_MESSAGE
    autolearn=no
    version=2.60-cvs
    X-Spam-Level:

  • James Day

    I’d be happy to assist if asked… but it does take making the request. I have a feeling that the last thing he needs is more solicitations.:)

  • http://www.toehold.com/~kyle/ Kyle Hasselbacher

    James:

    I really like the proposed anti-spam system you describe. However, I can’t help but notice that it’s a lot like a challenge-response system!

    Make a few changes to the system I use now:

    1. Conservative filters at the front which drop what they find. (Say, SpamAssassin with the threshhold set high.)
    2. Let especially low scoring emails through without challenge.
    3. In the challenge email include an expring address that anyone can send to and reach me without challenge.

    This works just like your proposed system (give or take how many messages fall into the “challenge zone”) except:

    • I can’t post a password to a web page. Darn.
    • A challenged user is whitelisted forever and never faces a challenge again (instead of whenever I change passwords).
    • A challenged user who wants to email me from a different account still can (using the expring address instead of a password), and for as long a time as I choose for the expiration.
    • Users never get a six-month-old password that will change tomorrow.
    • Only challenges sent at the same second would have the same expiring address, so I can close off one that was abused and still leave the others open.

    Come to think of it, I can implement the password in the subject in this too without too much trouble. That takes care of the one drawback.

    How do we guard against a spammer forging an innocent’s address and flooding them with password-filled challenges from a middlin’ spammy email? I guess we can’t; the goal really was just to cut that down a little.

  • http://insipid.com Dave

    Kyle,

    I’m with Nick. TMDA sounds and reads better than anything I’ve read about any other challenge-response system.

    I also appreciate your respectful tone. We could all use more of it.

    dphull@insipid.com

  • James Day

    Kyle,

    It was supposed to sound like a challenge-response system. I wrote it as I did because I knew that you like them.:) What I described is practical for Windows users who don’t have TMDA available, since it only requires some mail rules and a spam identification and tagging tool.

    I wouldn’t recommend expiring a password the day after issuing it. Better to change it in advance and allow a week or more of overlap. If you do need to expire it, you’ll annoy the human by sending them a reply with a new password in it.

    There are many ways of doing it but it appears that we may have some agreement on the desired properties:

    1. Don’t bother to challenge for mail which is from an IP address or otherwise indicates that it’s almost certainly spam. That protects most innocents named in From addresses.

    2. Extensive whitelisting for people you know, as automatic as possible.

    3. A convenient way for humans to ensure that their first email gets through, with a magic word of some sort. Anything which can’t be harvested easily. I use quite a lot of magic words: product names and such. Mention one in the subject or body of an email to me and you get through the spam filter.

    4. If you get a significant false positive rate, challenge the middle ground to give them a chance of getting through.

    Is that an acurate summary? Any desirable features I’ve missed?

    There are some really nice features in the TMDA outgoing message featue set (expiring addresses and such). I’ll point the lead SpamPal developer to that and suggest adding some of them to the outging SMTP side of SpamPal. Thanks for mentioning this aspect of it.

  • http://www.toehold.com/~kyle/ Kyle Hasselbacher

    James: I agree! I’ve been thinking about making the changes to my own setup to make it closer to what you described.

    Nick and Dave: Having talked up TMDA for a couple of days, I feel compelled to talk about the bad parts now.

    • It’s a server side thing like SpamAssassin, but there are features to make it useful to a client machine (a CGI to examine the pending queue, and a proxy SMTP server for outgoing mail).
    • It’s been under active development with frequent changes. That having been said, it’s always been very stable for me, and it’s nearing a 1.0 release (the author has done a last call for new features).
    • My experience configuring it was a bear, but a lot of that was probably due to me using an out of date Debian package while reading up to date documentation. Still, there seems to be a lot of details to pay attention to.
    • I’ve heard reports that some users find the challenges confusing (thinking they’re bounce messages). Knowing that, I rewrote the challenge text.
    • I sometimes worry that the challenges themselves are being filtered out as spam before reaching legitimate senders, but I have no proof one way or the other.

    Having gotten that off my chest, I feel good repeating that TMDA made a huge difference to my email. I think it’s a great piece of software.

    Thanks for reading.

  • http://www.ii.com Nancy McGough

    If you want to do challenge-response filtering, I recommend that you try the following providers:

    mailsnare.net, which gives their users the option to use TMDA

    bluebottle.com

    This way you can avoid using mailblocks.com, which as you say “annoyingly has a pop-up to warn people away from any browser except Microsoft�s, and which even more annoyingly is enforcing patent protection against other challenge response systems.”

    Good luck,
    Nancy
    maintainer of a massive page about IMAP and IMAP Service Providers

  • http://smokey.rhs.com/web/blog/rhs.nsf Richard Schwartz

    The biggest problem with challenge response is this:

    Joe VIP logs into an airport Internet kiosk and sends you an
    email that says “We need to talk. It’s urgent, but I’m on the road today. I’m getting on a plane in 20 minutes. My cell number is 555-123-5555. Please give me a call at 9 PM your time.” Joe sends the message, but doesn’t hang out at the kiosk long enough to get the challenge message. He doesn’t find the challenge message until he logs in from his hotel room at the end of a long day flying. You never got his message. You’re not going to call him. You’re not in the office any more, so even if answers the challenge right away, you’re not going to get the message until tomorrow morning. Conversation doesn’t happen. Big deal doesn’t happen. Value of email as a tool for critical business communications goes down the tubes.

    -rich

  • http://www.toehold.com/~kyle/ Kyle Hasselbacher

    After the discussion here, I collected some of the stuff I’d been saying into a story posted to my favorite web site. If you’ve read to the end of this discussion and are still interested, there are more comments on that story from a different audience.

    I want to thank the folks here for a good discussion, which led me to write the above. It’s been fun.

  • James Day

    Kyle,

    Over in the other responses you showed some lack of knowledge of the significance of the difference between bounce emails and SMTP rejections, which result in “returned mail” notices to the sender. Both should turn up in the mailbox of a legitimate sender but the difference between the two is great.

    The bounce messages go to the from or reply-to address. Which is usually forged in spam, so the bounce goes to the wrong place and annoys an innocent.

    The 550 can’t deliver responses go to the sending mail server, which can’t be forged.

    So the 550s have a minimal chance of harassing innocents while the bounce messages will do so most of the time.

  • Randy

    For me it is simple:

    If I don’t know you, I don’t want your email. I’ve never received an email from a stranger that I couldn’t do without.

    People need to have more respect for themselves and their own email box. I’m not so lonely that I need emails from strangers. I don’t have time even to respond to all from those I know!

    Sending me an email is a privilege, and one that needs to be earned. If I don’t know you, don’t knock on my door, don’t call me on the phone, don’t send me an email. If I know you, than you will be welcomed with open arms.

    Lastly, for those choosing C&R services, I recommend using one that automatically authorizes addresses from outgoing mail. That way, when you email tech support for help, their reply won’t be challenged. Problem solved.

  • Kevin

    I write this over 3 years after the initial post. Spam has gotten worse again as spammers are now sending images with streaks, flecks and dots, similar to captchas,that humans can easily read, but spam filters with OCR cannot. A news report recently said 9 of every 10 emails is spam.

    It truly is time for a Challenge / Response system to be widely used. Most criticisms of this system generally fall into 3 categories.

    1. That unless the person using Challenge /Response automatically puts the email address into a white list as they send it, they and their recipients may never see the emails if both use the system. Well, make that an automatic feature, and in fact, I haven’t found 1 system that doesn’t do that.

    2. It’s a hassle for the sender to do the 1 time confirmation. Big deal! If you’re writing me an email, you intend for me to see it, right? So why won’t you take an extra 10 seconds, 1 time, to make sure I do?

    3. That spammers will figure out a workaround. Maybe they will, but since they generally use bogus addresses, this is not likely as they will never receive the challenge response. If they start using their real addresses, it’s easier to shut them down.