Buy Today!
Book Cover
The Music Video
You've got to see it to believe it: Check out the "Mister Spam Man" video at YouTube.
Search Dispatches
Archives
May 2019
March 2019
August 2018
July 2018
June 2018
May 2018
April 2018
December 2017
November 2017
September 2017
August 2017
July 2017
February 2017
March 2016
January 2016
November 2015
May 2015
April 2015
February 2015
January 2015
December 2014
November 2014
October 2014
September 2014
April 2013
February 2013
January 2013
December 2012
September 2012
August 2012
July 2012
June 2012
May 2012
April 2012
March 2012
February 2012
January 2012
December 2011
November 2011
October 2011
September 2011
August 2011
July 2011
June 2011
May 2011
April 2011
March 2011
February 2011
January 2011
December 2010
November 2010
October 2010
September 2010
August 2010
July 2010
June 2010
May 2010
April 2010
March 2010
February 2010
January 2010
December 2009
November 2009
October 2009
September 2009
August 2009
July 2009
June 2009
May 2009
April 2009
March 2009
February 2009
January 2009
December 2008
November 2008
October 2008
September 2008
August 2008
July 2008
June 2008
May 2008
April 2008
March 2008
February 2008
January 2008
December 2007
November 2007
October 2007
September 2007
August 2007
July 2007
June 2007
May 2007
April 2007
March 2007
February 2007
January 2007
December 2006
November 2006
October 2006
September 2006
August 2006
July 2006
June 2006
May 2006
April 2006
March 2006
February 2006
January 2006
December 2005
November 2005
October 2005
September 2005
August 2005
July 2005
June 2005
May 2005
April 2005
March 2005
February 2005
January 2005
December 2004
November 2004
Dispatches RSS Feed
Powered by Movable Type 3.121
Home The Book Training Events Tools Stats
Web log archive.
A Dispatch

« My Private Battle with Blog Spammers | Main | The Smell of Fresh Spammer in the Morning »

March 26, 2007

Wall Street Journal Columnist Has it Wrong

Walt Mossberg has been The Wall Street Journal technology columnist for a long time now. Back in the day when I used to attend lots of high-end computer/technology conferences, our paths crossed regularly. I like Walt. He's a smart guy.

But I take strong issue with a spam-fighting recommendation he makes in the March 22, 2007 installment of his "Mossberg's Mailbox." A reader inquires about the best antispam system out there because filters haven't been doing the job. Walt rightly states that antispam filtering has a "tough time coping" with spammers' rapidly changing tactics.

Where Walt goes astray, however, is in recommending challenge-response (C-R) as the way to thwart spam. I talk about C-R in Spam Wars, and I sent Walt a copy of the book when it came out. He probably didn't read it (so much for our Mutual Admiration Society, I guess).

While it's true that C-R keeps unsolicited email from non-white-listed senders out of your inbox, there are too many problems with it to recommend it as a solution. I'll focus here on two deal breakers.

  • Number One. If a human sender not on your whitelist tries to send you an email message, he or she receives a message in return asking the sender to perform one more step (clicking an encoded link, solving a puzzle or CAPTCHA cipher, etc.) to get the message through the blockade. But if you sign up for a newsletter, place an e-commerce order with a new-to-you web site, or perform any other action that will generate email messages headed your way, those messages are typically not sent by humans. They're computer-generated messages that won't receive the challenge, nor have any brains to solve the puzzle. The confirmation for your airline ticket or e-commerce order won't arrive—nor will order changes, shipping confirmations, flight schedule change notifications, or any other potentially vital missive. It is extremely rare for a site that sends automated confirmation email to advise its customers ahead of time about the sender's address of such email (so that the customer can whitelist the address before messages are sent).

  • Number Two. A C-R message is known in the anti-spam field as backscatter. Backscatter is sent to whatever address the receiving server believes is the From: address of the message (which may not always be in the From: field of the header—but that's a longer story for another time). As you have probably witnessed in your own inbox, a lot of spam and most virus-type email messages have forged From: addresses. Very often the forged addresses are valid addresses (harvested from the millions of infected PCs around the world). Let's say that the forged From: address happens to be what is known as a spam trap address—email addresses intentionally set up to be harvested from web pages, as proof that whoever sends email to that address is an illegal (in the U.S.) spammer. Any email received at that address is reported as spam, and the IP address of the sender is added to the world's blocklists (a.k.a. blacklists) used by all major anti-spam services. If your C-R system receives a message with a spam trap address in the From: field, your C-R system sends its challenge to the spam trap address, very likely landing your email server's IP address on a blocklist. The result is that an incoming email server using a service that relies on the blocklist (and blocklists are a major source of spam rejection data) will block email messages that you, personally, send. You will be labeled a spammer (and perhaps reported to your ISP as such) until your IP address falls off the blocklist (when your backscatter to the spam trap address stops for a few days). Moreover, if someone really wants to punk you, they could send many email messages to you, forge the From: address to read the address of any well-known antispammer, and your email may be hosed for awhile.

In the end, while C-R does keep most spam out of your inbox, it is way too dangerous in both preventing critical ham from reaching you, while also exposing you to being blocked. Don't go there, Walt.

Posted on March 26, 2007 at 05:40 PM