March 26, 2007Wall Street Journal Columnist Has it Wrong
Walt Mossberg has been The Wall Street Journal technology columnist for a long time now. Back in the day when I used to attend lots of high-end computer/technology conferences, our paths crossed regularly. I like Walt. He's a smart guy.
But I take strong issue with a spam-fighting recommendation he makes in the March 22, 2007 installment of his "Mossberg's Mailbox." A reader inquires about the best antispam system out there because filters haven't been doing the job. Walt rightly states that antispam filtering has a "tough time coping" with spammers' rapidly changing tactics.
Where Walt goes astray, however, is in recommending challenge-response (C-R) as the way to thwart spam. I talk about C-R in Spam Wars, and I sent Walt a copy of the book when it came out. He probably didn't read it (so much for our Mutual Admiration Society, I guess).
While it's true that C-R keeps unsolicited email from non-white-listed senders out of your inbox, there are too many problems with it to recommend it as a solution. I'll focus here on two deal breakers.
- Number One. If a human sender not on your whitelist tries to send you an email message, he or she receives a message in return asking the sender to perform one more step (clicking an encoded link, solving a puzzle or CAPTCHA cipher, etc.) to get the message through the blockade. But if you sign up for a newsletter, place an e-commerce order with a new-to-you web site, or perform any other action that will generate email messages headed your way, those messages are typically not sent by humans. They're computer-generated messages that won't receive the challenge, nor have any brains to solve the puzzle. The confirmation for your airline ticket or e-commerce order won't arrive—nor will order changes, shipping confirmations, flight schedule change notifications, or any other potentially vital missive. It is extremely rare for a site that sends automated confirmation email to advise its customers ahead of time about the sender's address of such email (so that the customer can whitelist the address before messages are sent).
- Number Two. A C-R message is known in the anti-spam field as backscatter. Backscatter is sent to whatever address the receiving server believes is the From: address of the message (which may not always be in the From: field of the header—but that's a longer story for another time). As you have probably witnessed in your own inbox, a lot of spam and most virus-type email messages have forged From: addresses. Very often the forged addresses are valid addresses (harvested from the millions of infected PCs around the world). Let's say that the forged From: address happens to be what is known as a spam trap address—email addresses intentionally set up to be harvested from web pages, as proof that whoever sends email to that address is an illegal (in the U.S.) spammer. Any email received at that address is reported as spam, and the IP address of the sender is added to the world's blocklists (a.k.a. blacklists) used by all major anti-spam services. If your C-R system receives a message with a spam trap address in the From: field, your C-R system sends its challenge to the spam trap address, very likely landing your email server's IP address on a blocklist. The result is that an incoming email server using a service that relies on the blocklist (and blocklists are a major source of spam rejection data) will block email messages that you, personally, send. You will be labeled a spammer (and perhaps reported to your ISP as such) until your IP address falls off the blocklist (when your backscatter to the spam trap address stops for a few days). Moreover, if someone really wants to punk you, they could send many email messages to you, forge the From: address to read the address of any well-known antispammer, and your email may be hosed for awhile.
In the end, while C-R does keep most spam out of your inbox, it is way too dangerous in both preventing critical ham from reaching you, while also exposing you to being blocked. Don't go there, Walt.Posted on March 26, 2007 at 05:40 PM