Challenge Response Spam Filter

The challenge-response spam-filter (RFC3834) troubles me lately. If you don’t know it, here is how it works if both parties have a challenge-response spam-filter:

  1. I write an email to [email protected]
  2. The address gets whitelisted on my machine
  3. The receiver doesn’t get my message
  4. I get a message from the receivers mail-server to which I should reply
  5. I reply to the automatic message
  6. The receivers mail-server whitelists my address and delivers my initial mail

So far so good. Three questions pop up:

  • What if the spammer uses my whitelisted email address to send his spam?
  • What if only one of the two has a challenge-response spam-filter?
  • What if spammers start to automatically reply to those messages?

Concerning the faked email address: there are several methods to tackle this problem. One is to use SPF (RFC4408) records for the domain (explicitly list allowed hosts), the other is to whitelist an email address together with the sending host. I’m not sure whether this fully solves the problem… .

The second question is a bit more fuzzy. If Alice has a challenge-response spam-filter and Bob doesn’t, then we have two scenarios: Alice sends Bob a mail, or Bob sends Alice a mail:

A → B:

  • Alice sends Bob the mail
  • Bob’s address gets whitelisted
  • All mails are delivered

Good, here it seems that we don’t have a problem.

B → A (as happened to me):

  • Bob sends Alice a mail
  • Alice’s mail-server sends Bob a verification message
  • Bob’s spam-filter filters the verification message because the company selling
    the spam-filter inserts advertising into the verification message
  • Bob never notices that the mail wasn’t delivered
  • Alice has to check her spam-folder to see whether someone didn’t receive the
    verification message (or ignored it)

I’m very sceptical whether the challenge-response spam-filter is worth the trouble, partly because my spam-filter (GMail) filtered the verification message of my buddy, and partly because it’s very easy to automate the verification process. The argument of my buddy (who employs the challenge-response spam-filter) was that spammers use fake email addresses to send their mail and usually don’t receive any replies (I think fake email addresses are used by malware, which sends it’s junk using my address book → remember: automatically whitelisted since I’m likely to have had a conversation with these receivers before).

Currently I’m quite happy with automatic spam classification, they filter about 90 percent of my spam messages. The remaining messages are easily deleted by hand. A spam filter doesn’t need to recognize 100 percent of the spam messages as long it filters enough to keep the “mark as spam” actions sparse. A spam-filter which generates false-positives is much more troubling because one has to skim through (usually) thousands of spam messages and make sure there is no false-positive. Especially if you are a company relying on communication with customers, I wouldn’t risk loosing a single one for the comfort of not having to delete a few messages a day.

Wife: I don’t like spam!
Man: Sshh, dear, don’t cause a fuss. I’ll have your spam. I love it. I’m having spam spam spam spam spam spam spam beaked beans spam spam spam and spam!
Vikings: Spam spam spam spam. Lovely spam! Wonderful spam!

Monty Python