May 07, 2003
Earthlink takes new route in spam fighting

Earthlink is preparing to roll out a new spam blocking service that requires mail senders to verify their identity for mail to be delivered.

Known as "challenge-response" technology, the system thwarts the ability of spammers to reach their intended audience with millions of automatically generated e-mails. When someone sends an e-mail to a challenge-response user, he or she gets an e-mail back asking to verify that the sender is a live person.

Once the sender does that by replicating a word or picture displayed on the screen, the original e-mail is allowed through. The system automatically recognizes future e-mails from the same sender, so the verification needs only to be performed once. Without the verification, the e-mail is not delivered.

I wrote about this kind of technology a little while ago, and thanks to this article I now remember the name of the software that I'd read about while in California. It's called Mailblocks, and this is the article I'd read about it. I should note that not everyone is as impressed as Ed Baig was, so caveat emptor and all that.

The WaPo article lists some concerns about this technology that I hadn't thought of:

"Challenge-response will indeed block the vast majority of spam," said John R. Levine, a computer consultant and co-author of "The Internet for Dummies." But he said a lot of people will never respond to a challenge, or will think the challenge e-mail itself is spam.

Levine said that already, spammers are disguising e-mails as challenges to get people to open the messages. And he worries that if large numbers of people begin to use the system, user address books will be a target of hackers seeking to obtain lists of approved addresses.

Some viruses launch attacks using computer address books, and if that happened, confidence in the challenge-response system would erode, Levine said.

"The consequences of spammers' response to challenge-response will be really ugly," Levine said.

David had an additional objection in the comments to my original post, about how this system adds an additional point of failure, that's worth considering. I suppose integrating it with Earthlink might get around that - it depends on how they implement it. I still think this is a promising avenue in the war against spam, and I look forward to seeing how Earthlink users like it.
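For readers who want the mechanics spelled out, here is the hold / challenge / release flow the article describes as a small model. This is an added example, not Earthlink's or Mailblocks' code; the class name, method names, and sample addresses are made up for illustration, and the "word" is a random token standing in for the word or picture the sender copies.

```python
import secrets

class ChallengeResponseFilter:
    def __init__(self):
        self.approved = set()   # senders who have passed a challenge
        self.held = {}          # sender -> messages awaiting verification
        self.challenges = {}    # sender -> word the sender must type back
        self.inbox = []         # messages actually delivered to the user

    def receive(self, sender, body):
        # Approval is keyed on the claimed sender address only, which is why
        # the article's worry about stolen lists of approved addresses matters.
        sender = sender.lower()
        if sender in self.approved:
            self.inbox.append((sender, body))
            return "delivered"
        self.held.setdefault(sender, []).append(body)
        if sender not in self.challenges:   # one challenge per sender, not per message
            self.challenges[sender] = secrets.token_hex(4)
            return "challenged"
        return "held"

    def answer(self, sender, word):
        sender = sender.lower()
        expected = self.challenges.get(sender)
        if expected is None or not secrets.compare_digest(expected.encode(), word.encode()):
            return False
        del self.challenges[sender]
        self.approved.add(sender)           # verification is only needed once
        for body in self.held.pop(sender, []):
            self.inbox.append((sender, body))
        return True

    def expire(self, sender):
        # Sender never answered: held mail is dropped, not delivered.
        sender = sender.lower()
        self.challenges.pop(sender, None)
        return len(self.held.pop(sender, []))

def demo():
    # Constructed sample traffic: one real correspondent, one bulk sender.
    f = ChallengeResponseFilter()
    results = [f.receive("friend@example.org", "lunch?"),
               f.receive("friend@example.org", "still on?"),
               f.receive("bulk@example.net", "BUY NOW")]
    f.answer("friend@example.org", f.challenges["friend@example.org"])
    results.append(f.receive("friend@example.org", "see you at 12"))
    dropped = f.expire("bulk@example.net")
    return results, f.inbox, dropped
```

The `expire` path is Levine's first objection in miniature: a legitimate sender who ignores the challenge, or takes it for spam, ends up in exactly the same place as the bulk mailer.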

One of the objections I've seen to visually-based challenge-response technology ("enter the number in this picture") is that it's not accessible to visually impaired users. Some systems also have audio challenges ("type the letters/words in this audio file") but that's still not great from an accessibility standpoint.

Posted by: Ginger on May 7, 2003 1:16 PM

These guys seem to feel pretty much the same way I do (collectively at least) about challenge-response systems. I am most interested to see that Earthlink are apparently suggesting that you get around the SCE (opposite of UCE) problem by having a second non-filtered e-mail address. That seems to be defeating the purpose of the whitelist in the first place.

Posted by: David on May 7, 2003 1:35 PM