tardigrade.net policy: If you send a challenge to any of my personal addresses, it will be treated as spam and discarded unread. If you send challenges to the majordomo address, to a list or listowner address, or to contributors of a mailing list that you subscribed to, there is a strong possibility that you will be banned from subscribing to that mailing list, or even be prevented from sending mail to tardigrade.net at all. You may never know what happened, because I won't be able to send you an explanation (read the first sentence of this policy again). It's entirely your own responsibility to figure it out and deal with it. I currently entirely block mail from the following domains from tardigrade.net, which do nothing but provide challenge-response services: spamarrest.com, mailblocks.com, ipermitmail.com, mailsoap.com.
Challenge-response (CR) is the generic name for a spam-blocking technique that requires a potential correspondent to reply to an email message or go to a web site and verify that they're 'human' before you accept mail from them. The intent is to stop spam, because it's assumed that spammers won't go to the trouble of verifying themselves. It works to some extent--it will stop some spam, though the spammers are already finding ways around it. But it has many fatal flaws. CR has two of the same anti-social characteristics that spam itself has: the potential to overload mail systems at someone else's expense, and to increase the difficulty of sorting out which mail is worth opening. Overloaded mail servers raise everyone's ISP costs. Some of the other flaws have the potential to kill mailing lists, or even email, completely.
It requires a potential correspondent to reply to an email message or go to a website and verify that they're human before you accept mail from them. The intent is to stop spam, because spammers won't go to the trouble of verifying themselves. So far the scheme works, in a manner of speaking--it will stop some spam, though the spammers are already finding ways around it. But at what cost to yourself and others?
But, you say, you can periodically check the rejected mail to make sure you aren't missing anything good! Then why bother with it at all? Use regular spam filters and you're better off--same number of spam subject lines to scan for false rejections, and you'll never confuse or irritate any real people.
You may never know why, because the list server won't be able to send you a confirmation request. If you do manage to subscribe to a list somehow, it's downright rude to send such challenges to the people who post to the list, and nearly as bad to direct them to the listowner address. You've already explicitly agreed to accept list mail by subscribing at all. As a listowner, I won't allow any member to confuse and punish contributors with challenges to their humanity. Challenge-Response has come up on several lists for listowners recently, and the opinion has been unanimous against the technique.
Spammers have already started disguising their spam as challenge messages, and worms and viruses won't be far behind. So you'd be expecting your legitimate correspondents not only to prove that they're human, but to spend a lot of time trying to determine if your challenge is genuine. It's much easier and safer for your correspondents to direct all challenges to the trash.
SpamArrest, Mailblocks, and several other providers of challenge-response 'services' collect the addresses of their clients' correspondents, and use them for sending out their own spam. Just read the fine print of their privacy (sic) policies--if you can find them!
All incoming mail, including spam, generates challenges. This doubles the amount of mail that your server has to deal with, increasing the price you pay for service. Because spammers forge the mail headers, the challenges are sent to either innocent or non-existent users. If it's a non-existent user, the server that receives the challenge replies with an error message. The error message generates a new challenge which goes to the other mail server address, possibly triggering a new error message from a different account, which in turn generates a new challenge. This can set off a runaway loop between error messages and challenges. If challenge-response becomes common, it could potentially cause denial-of-service attacks across the entire network.
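The loop described above can be traced with a small simulation. This is an added example, not code from the original page or from any challenge-response product. It is a constructed model with hypothetical names (`cr.example`, `remote.example`, `cr_filter`, `remote_mta`) and it assumes the remote site's mailer-daemon address is not a deliverable mailbox. It compares a filter that challenges everything with one that skips mail carrying a null envelope sender or an auto-generated marker, the rule RFC 3834 gives for automatic responders.

```python
from collections import deque

# Constructed model, not real mail software. Each message is a dict with an
# envelope sender ("mail_from"), a header "from", a recipient and a kind.
REMOTE_MAILBOXES = {"alice@remote.example"}   # the only real mailbox at the remote site

def remote_mta(msg):
    """Remote server: bounce mail for unknown users, using a null envelope sender."""
    if msg["rcpt"] in REMOTE_MAILBOXES or msg["mail_from"] == "":
        return None                 # delivered, or a bounce that must not be bounced
    return {"mail_from": "", "from": "mailer-daemon@remote.example",
            "rcpt": msg["mail_from"], "kind": "bounce", "auto": True}

def cr_filter(msg, guarded):
    """Challenge-response host: challenge the header From of unverified mail."""
    if guarded and (msg["mail_from"] == "" or msg.get("auto")):
        return None                 # guarded mode: no automatic reply to automatic mail
    return {"mail_from": "challenge@cr.example", "from": "challenge@cr.example",
            "rcpt": msg["from"], "kind": "challenge", "auto": True}

def simulate(guarded, max_messages=20):
    """Return the automatic messages set off by one spam with a forged sender."""
    spam = {"mail_from": "ghost@remote.example", "from": "ghost@remote.example",
            "rcpt": "user@cr.example", "kind": "spam"}
    queue, sent = deque([spam]), []
    while queue and len(sent) < max_messages:   # cap stands in for "runs forever"
        msg = queue.popleft()
        if msg["rcpt"].endswith("@cr.example"):
            reply = cr_filter(msg, guarded)
        else:
            reply = remote_mta(msg)
        if reply:
            sent.append(reply["kind"])
            queue.append(reply)
    return sent

if __name__ == "__main__":
    print("unguarded:", len(simulate(False)), "messages (stopped by the cap)")
    print("guarded:  ", simulate(True))
```

Even in guarded mode the first challenge still goes to the forged address, so the guard stops the loop but not the misdirected mail.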
Dealing with incoming spam directly is a nuisance, but missing out on real mail can be the pits. Prospective employers aren't going to jump through hoops to send you a job offer. If your great-uncle gets confused about the process, he'll miss the invitation to a family reunion.
Use responsible filtering instead. There is a new kind becoming available that is extremely effective. It's called Bayesian filtering, and you train it to recognize the kind of mail that you do and don't want to receive. There are many products in the pipeline, both free and commercial. Some are available now, such as Mozilla 1.3 for all platforms, and a SpamBayes add-in for Outlook. Many others should be ready soon, including filters built into Eudora 6 for both Mac and Windows.
Send mail to the Webmaster: webmaster@tardigrade.net.
http://www.tardigrade.net/challengeresponse.html Monday, 03-Jul-2006 18:57:46 PDT.