Challenging stupidity
An increasing number of respected establishments are starting to adopt a strategy of challenge/response filtering on incoming e-mail from unknown sources as an attempt to stem the tide of incoming spam. It is at best a foolish choice, at worst downright selfish.
Challenge/response works simply enough. The basic principle is to deny delivery of messages from all senders but those already known as legitimate senders. On receiving an e-mail from a previously unknown source the recipient's mail system replies with an auto-generated challenge, whilst setting the message aside in a safe repository which will expire and be deleted after a pre-determined time has elapsed. The sender, on receipt of the challenge, responds accordingly, either by returning an e-mail to a coded subject or address embedded in the challenge, or more commonly by connecting to a web page and performing a simple task to confirm their legitimacy. On the correct response, the recipient's mail system logs the sender for future reference, and delivers the previously side-lined message to the inbox. On the face of it, it is technically both simple and elegant, at least in the implementation. Morally, however, it is an inherently impolite and inconsiderate reaction to an inundated inbox. It is certainly not a solution. Quite aside from the question of forcing senders to jump through hoops to get their message through, all it serves to do is offload the recipient's inconvenience onto innocent third parties, effectively spamming them with unsolicited challenges.
The principal assumption behind challenge/response filtering is that spam, being bulk-generated by machines using forged senders, will result in challenges going unseen and unacknowledged, and that only legitimate senders should ever see a challenge and respond appropriately, enabling the exchange of messages in future. This assumption is only half correct, however. True, spammers tend to use false and forged senders, but they also tend to use the same lists that they send to as their source of sender addresses. Not only do the spammers never have to deal with the deluge of challenges; the same poor Joe, already suffering from his own spam problem, gets them instead. It is akin to living in a secure gated community where you only let in what you trust, the garbage being thrown back over the wall with no regard for where it lands, what damage it does, or who it inconveniences. That's just somebody else's problem.
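The two paragraphs above describe both the mechanism (hold, challenge, whitelist on response, expire) and its failure mode (the challenge goes to whoever the message claims as its sender). The following is an added example, not code from the original post: a toy model of a single challenge/response filter, with constructed traffic from a legitimate correspondent and from a spammer who forges an innocent bystander's address. All addresses, subjects and the hold period are made up for the illustration, and only one mailbox runs the filter, so the model does not cover two C/R users challenging each other's challenges.

```python
"""Toy challenge/response (C/R) filter. Added example; not the post's code."""
from dataclasses import dataclass, field


@dataclass
class Message:
    sender: str      # the address the message *claims* to be from; never verified here
    recipient: str
    subject: str


@dataclass
class Mailbox:
    address: str
    inbox: list = field(default_factory=list)


class Network:
    """Routes messages to mailboxes, via a C/R filter if the recipient runs one."""

    def __init__(self):
        self.mailboxes, self.filters = {}, {}

    def add_mailbox(self, address, cr_filter=None):
        self.mailboxes[address] = Mailbox(address)
        if cr_filter is not None:
            self.filters[address] = cr_filter
            cr_filter.attach(self, self.mailboxes[address])

    def deliver(self, msg):
        flt = self.filters.get(msg.recipient)
        if flt is not None:
            return flt.receive(msg)          # returns a challenge token, or None
        self.mailboxes[msg.recipient].inbox.append(msg)
        return None


class ChallengeResponseFilter:
    def __init__(self, hold_seconds, clock):
        self.hold_seconds = hold_seconds
        self.clock = clock                  # callable returning the current time
        self.known_senders = set()
        self.pending = {}                   # token -> (held message, expiry time)
        self.counter = 0
        self.network = self.owner = None

    def attach(self, network, owner):
        self.network, self.owner = network, owner

    def receive(self, msg):
        self.expire()
        if msg.sender in self.known_senders:
            self.owner.inbox.append(msg)    # known sender: straight to the inbox
            return None
        self.counter += 1
        token = f"CR{self.counter}"
        self.pending[token] = (msg, self.clock() + self.hold_seconds)
        # The challenge is addressed to the claimed sender. If that address was
        # forged, an uninvolved third party receives it: this is the backscatter.
        self.network.deliver(Message(self.owner.address, msg.sender,
                                     f"Please confirm your message [{token}]"))
        return token

    def respond(self, token):
        """A correct response releases the held message and whitelists its sender."""
        self.expire()
        if token not in self.pending:
            return False                    # unknown or already expired
        msg, _ = self.pending.pop(token)
        self.known_senders.add(msg.sender)
        self.owner.inbox.append(msg)
        return True

    def expire(self):
        now = self.clock()
        for token in [t for t, (_, exp) in self.pending.items() if exp <= now]:
            del self.pending[token]


def run_scenario(hold_seconds=3 * 24 * 3600, spam_count=50):
    """Constructed traffic: one legitimate correspondent, one forging spammer."""
    clock = [0]
    net = Network()
    flt = ChallengeResponseFilter(hold_seconds, lambda: clock[0])
    net.add_mailbox("alice@example.test", flt)  # Alice runs C/R
    net.add_mailbox("bob@example.test")         # legitimate first-time correspondent
    net.add_mailbox("joe@example.test")         # bystander whose address is forged
    # Bob writes for the first time, receives a challenge, and answers it.
    token = net.deliver(Message("bob@example.test", "alice@example.test", "Lunch?"))
    flt.respond(token)
    net.deliver(Message("bob@example.test", "alice@example.test", "Lunch again?"))
    # The spammer forges Joe's address on every message sent to Alice.
    last = None
    for i in range(spam_count):
        last = net.deliver(Message("joe@example.test", "alice@example.test", f"Spam #{i}"))
    clock[0] += hold_seconds + 1                # nobody answers; the hold expires
    flt.expire()
    challenges = lambda addr: sum(m.subject.startswith("Please confirm")
                                  for m in net.mailboxes[addr].inbox)
    return {
        "alice_inbox": [m.subject for m in net.mailboxes["alice@example.test"].inbox],
        "bob_challenges": challenges("bob@example.test"),
        "joe_challenges": challenges("joe@example.test"),   # Joe never mailed Alice
        "pending_after_expiry": len(flt.pending),
        "late_response_accepted": flt.respond(last),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Alice's inbox ends up clean and Bob gets exactly one challenge, which is the elegant part; Joe, who never sent anything, receives one challenge per forged spam message, which is the part the post objects to.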
Although I'm sure they have never thought of it in such raw terms, proponents of challenge/response techniques are effectively saying that their time and convenience are more valuable than anyone else's on the planet. Fine if you are of the "I'm alright, Jack" brigade.
Had challenge/response been engineered into the e-mail protocols at their inception, it would work perfectly, as every mail host would implement it, all recipients would be protected by the same filters, and the base assumption that only legitimate originators would ever see a challenge would be true. But then, had the issue of spam been foreseen, sender authentication would have been a base part of the protocol, and spam protection would not be a requirement. Either way, challenge/response is not something that can be retro-fitted, for the simple reason that it can never be assumed that all recipients will ever be afforded the protection, whether through technical inability or simple lack of will or resource. All that the increasing up-take of challenge/response strategies does is to heap the burden of an increasing spam problem on the shoulders of the unprotected.
The policy here is to confirm every challenge I receive (with a short message of protest wherever possible), so as not to be inundated with further bogus challenges at a future date, and as far as possible demonstrate its immoral foundation. I encourage everyone else to do the same.
Get a Clue
If you want to defeat spam, attack the spammers, by tracing them at source and reporting them to their upstream providers. Bombarding the innocent bystanders they impersonate simply lets the spammers off scot-free, creates additional traffic and serves no useful purpose. Instead of wasting resources on treating the symptom, it is the root cause - the spammers themselves - that needs addressing.