*** Welcome to piglix ***

Challenge-response spam filtering


A challenge–response (or C/R) system is a type of spam filter that automatically sends a reply with a challenge to the (alleged) sender of an incoming e-mail. It was originally architected by Stan Weatherby and was called Email Verification in 1997. In this reply, the sender is asked to perform some action to assure delivery of the original message, which would otherwise not be delivered. The action to be performed is typically one that

Challenge–response systems only need to send challenges to unknown senders. Senders that have previously performed the challenging action, or who have previously been sent e-mail(s) to, would be automatically whitelisted.

C/R systems attempt to provide challenges that can be fulfilled easily for legitimate senders and non-easily for spammers. Two characteristics that differ between legitimate senders and spammers are exploited in order to achieve this goal:

Listed below are examples of challenges that are or could be used to exploit these differences:

Nowadays C/R systems are not used widely enough to make spammers bother to (automatically) respond to challenges. Therefore, C/R systems generally just rely on a simple challenge that would be made more complicated if spammers ever build such automated responders.

C/R systems should ideally:

Problems with sending challenges to forged email addresses can be reduced if the challenges are only sent when:

Critics of C/R systems have raised several issues regarding their usefulness as an email defense. A number of these issues relate to all programs which auto-respond to E-mail, including mailing list managers, vacation programs and bounce messages from mail servers.

Spammers can use a fake, non-existent address as sender address (in the From: field) in the e-mail header, but can also use a forged, existing sender address (a valid, but an arbitrary person's address without this person's consent). The latter would become increasingly common if e.g. callback verification would become more popular to detect spam. C/R systems challenging a message with a forged sender address would send their challenge as a new message to the person whose address was forged. This would create e-mail backscatter, which would effectively shift the burden from the person who would have received the spam to the person whose address was forged. In addition, if the forged sender decided to validate the challenge, the C/R user would receive the spam anyway and the forged sender address would be whitelisted.


...
Wikipedia

...