Challenge-Response Anti-Spam

I just got emailed by someone I’d never heard of; I replied. However, their mailbox is “protected” by ChoiceMail, and so I got back a verification challenge. However, Thunderbird marked it as junk mail so I nearly missed it. Had I done so, after four days my carefully-written email would have been sent to the bit-bucket and neither side would ever have known.

My beef: these systems suck. But, if companies must offer them, why can’t they make them suck less by also offering an (authenticated) SMTP server which the customer could use? Then, when the communication was initiated by their customer, they could automatically add the recipient to the whitelist.

That would cut down the irritating “please authenticate yourself” email to the situations where the other party initiates contact – which, for an average random person, is probably about 50% of the time. And those 50% of cases are those where the other party is more motivated to jump through hoops – because they had a desire to start a conversation in the first place.

Even more smartly, if they find two ChoicePoint customers whitelisting each other, thereby establishing a simple trust network, then their whitelists could be merged. So if A writes to B, “email my mate C”, and all are ChoicePoint users, there’s no challenge email, because B is on A’s whitelist, and A and C’s whitelists are merged because they email each other.
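A minimal model of the proposal above, added here as an illustration and not code from the post or from any vendor. The class and method names, the example.net addresses, the one-hop merge and the `sender_verified` flag (standing in for whatever sender authentication the receiving side has) are all assumptions.

```python
from collections import defaultdict

class CRService:
    """Toy challenge-response provider that also runs an authenticated SMTP relay."""

    def __init__(self, customers):
        self.customers = set(customers)
        self.whitelist = defaultdict(set)  # customer -> addresses they have written to

    def submit_outbound(self, auth_account, from_header, recipients):
        """Customer sends mail through the relay; recipients become whitelisted."""
        if auth_account not in self.customers:
            raise PermissionError("SMTP login required")
        if from_header.lower() != auth_account:
            return False  # From: does not match the SMTP login, so build no trust
        self.whitelist[auth_account].update(r.lower() for r in recipients)
        return True

    def _mutual(self, a, b):
        return b in self.whitelist[a] and a in self.whitelist[b]

    def effective_whitelist(self, customer):
        """Own whitelist merged with those of customers in a mutual relationship.
        Assumption: the merge is one hop only, never transitive."""
        merged = set(self.whitelist[customer])
        for other in self.customers - {customer}:
            if self._mutual(customer, other):
                merged |= self.whitelist[other]
        return merged

    def inbound(self, recipient, sender, sender_verified=True):
        """Return 'deliver' or 'challenge' for mail arriving for a customer."""
        # A whitelist hit only counts if the sender address was verified somehow;
        # an unverified From: falls back to the challenge.
        if sender_verified and sender.lower() in self.effective_whitelist(recipient):
            return "deliver"
        return "challenge"

def demo():
    # Constructed scenario: A has written to B and C, and C has written to A.
    svc = CRService({"a@example.net", "b@example.net", "c@example.net"})
    svc.submit_outbound("a@example.net", "a@example.net",
                        ["b@example.net", "c@example.net"])
    svc.submit_outbound("c@example.net", "c@example.net", ["a@example.net"])
    return svc
```

With this state, mail from B to C is delivered without a challenge because A and C whitelist each other and B is on A's list, while mail from C to B is still challenged because B has never written to anyone.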

13 thoughts on “Challenge-Response Anti-Spam”

  1. Any automatic merger of whitelists will fail in the long run. If a spamming company has the service, it could whitelist some spamming addresses, and pretty quickly no one can tell where they came from. And believe me, they have incentives for doing that.

    I believe in a junk classification system that is more flexible than binary, though. Being a friend of a friend would increase an e-mail’s trust points, so that it gets marked as “possibly real”. Giving the computer only two choices increases the damage when it chooses wrong.

  2. Tiago said: Any automatic merger of whitelists will fail in the long run. If a spamming company has the service, it could whitelist some spamming addresses, and pretty quickly no one can tell where they came from. And believe me, they have incentives for doing that.

    You think I didn’t think of that? :-) Read again about how I suggested it works. In order for the spamming company’s address to be on your personal whitelist, you need to have sent mail to that address. And why would you have done that?

  3. Trust rings can work – just look at http://www.getoutfoxed.com/

    You can trust 2 hops away, but not 3 hops – it prevents spammers from getting very far. Plus, once you realize that someone is a spammer you just kill them from your trust and the problem is solved.

  4. But how do you determine who a message is “from”? From headers are completely untrustable and SMTP envelope senders are not much better. It is not unusual for spam to come “from” someone you know.

  5. Stuart: If outgoing mail (from which this information is being calculated) is being sent via authenticated SMTP through the Challenge-Response company’s servers, then only the company’s users can log in and send it. The company can check that the From: header being used matches the account that has been used for the SMTP login, and not create a trust relationship if it doesn’t.

  6. I say companies should all implement domainkeys. This means an auth smtp server, a ptr entry in the company’s DNS. And then you are sure the sender can be trusted (except on mailing lists because they change the header portions of the emails) – from being from the said company. I’m wondering if mofo/moco does implement domainkeys on its servers.

    Then another auth solution is something like enigmail – but this is far too geeky.

  7. 1) joe@choicemail sends email to gerv@mozilla
    2) gerv@mozilla replies to joe@choicemail; message goes through

    — this is what you are suggesting in your 2nd paragraph, right?

    3) Now, random spammer sends email forged as gerv@mozilla.org to joe@choicemail and the message goes right through!

  8. Stuart: How is that problem specific to the idea of combining whitelists? The fact that spammers can forge email from people on your whitelist is a problem with all CR systems; my suggested improvement doesn’t really change much.

    Gerv

  9. My reference was to your suggestion of automatic whitelisting based on outgoing email. I suppose you are right, though. If you are whitelisting based on outgoing mail from the user or web clicks from the recipient, either way, whitelisting is fundamentally broken (without spf, etc.).

    In any case, I agree, C/R sucks!

  10. I was a happy MailBlocks customer and they absolutely implemented auto-whitelisting. The majority of my friends & contacts never had to deal with self-authentication because I had written to them first. Alas, Mailblocks was bought & killed by AOL.