Mechanical Music Digest  Archives


E-Mail Problems: Challenge-Response Verification
By Ray Finch

The system "ChoiceMail" that Claudine Jones spoke about in MMD 030519
is a class of software called a Challenge/Response (C/R) system.  It is
supposed to reduce spam.  It works basically like this:  I send you an
e-mail message.  The C/R system sends me an e-mail asking me to prove
that I am a human and not some automatic spam-bot.  This is the
Challenge.

This would be something that would be easy for a human to do but hard
for a computer (spam-bot) to do, like responding to the e-mail with the
answer to a question or often (like ChoiceMail) you are directed to a
web page to put in a number or answer a question like "How many kittens
do you see in the picture".  Your answer is the response.  This will
reduce spam in that you are asking a human to do something that is
difficult for a spam-spreading computer to do.

On the surface this sounds like a good idea.  But there are problems,
not the least of which is inconveniencing someone who only wanted to
send you an e-mail.  One of the big problems is with mailing lists,
like MMD.  Most of the current C/R systems are not mailing list aware.
As such each time the mailing list sends out mail the C/R systems will
send back a challenge.

This is not a big deal right now, but imagine if a lot of people started
using C/R systems.  A typical mailing list could get hundreds of
challenge e-mails a day, most of which would be from people wanting to
join but also from established members who installed a C/R system.

For an automated mailing list system, this is also a problem.  You send
e-mail to the list-bot.  The list-bot sends you a confirmation back (do
you really want to join this mailing list?).  Normally a person replies
to the confirmation and they are on the list.  But when a C/R system
gets involved it sends a challenge e-mail to the list-bot before you
even know that you got the confirmation e-mail.  The list-bot doesn't
know what to do with the challenge and ignores it.  You never get the
confirmation e-mail because the C/R system decided that it was spam.
The end result is that the person doesn't get subscribed to the list.

For a manually administered mailing e-mail list (like I think MMD is)
things get a lot worse as the administrator has to manually respond to
each of the challenge e-mails that come when the subscriber gets sent
out his first mailing list e-mail.  Like I said before, one or two
challenges are no big deal, but what happens when a lot of people start
using these systems?

Also, although these systems are similar in concept, what you have to
do in the actual Challenge/Response is different among different C/R
packages.   For a manually administered list the administrator will not
have the time to play games with the C/R systems all day.  Mailing
lists will be a lot harder to maintain if C/R systems get more popular.
If you do use a C/R system, be sure to "white list" your mailing lists
like MMD, then a challenge e-mail won't be sent at all.

Now think about this:  These Challenge/Response systems are supposed to
reduce spam, right?  Already more than 50% of the email on the net is spam
and not real e-mail.  If a lot of people start using C/R systems there
will be a challenge e-mail sent for almost all of the millions of spam
messages sent every day.  This will effectively double the amount of
spam-related traffic on the net so you might end up with 33% real email and web
page traffic, 33% challenge emails responding to the spam, and 33% being
the normal volume of spam that is already on the net.

Worse yet, many of the spam-bots decide that your e-mail is valid and
ripe for even more spam if _any_ e-mail is sent in response to the spam
(such as a remove request).  If a C/R system responds to a spam message
with a challenge, that challenge "verifies" your e-mail address as
being valid and active.  As a result you may get less spam in your
inbox but you are causing more spam on the net.

This is not a rosy picture and will only make what we pay to our
Internet service providers go up, because they still have to buy enough
Internet bandwidth to handle all of that traffic: spam, challenges,
more spam, and all.

On a slightly different subject -- Claudine also spoke of an eBay
seller who got incensed by having to respond to a challenge from
ChoiceMail.  If you look at things from his point of view I can see
why he might have gotten upset.  I mean, both people were involved
in a transaction on eBay, something that requires basic trust.  His
identity was already verified by the fact that she decided to do
business with him on eBay, as such his e-mail has also been verified.
Then he gets a challenge e-mail wanting to verify that he is who he
says he is.  I might get incensed too!

And think about if you e-mail a resume to a potential employer.  He
looks over your resume and likes what he sees.  He sends you an e-mail
saying that he would like you to call him the next day to set up a time
for an interview, but instead of getting a call from you he gets e-mail
from a robot that wants him to verify his identity.  If I were the
employer I'd go to the next person on the list.  The same kind of thing
could happen if you do restoration work and one of your customers gets a
challenge e-mail wanting to verify identity.  The customer may give up
and contact someone else.

Although I don't have all the answers, when you look at the larger
picture, Challenge/Response systems might very well cause more problems
than they fix.

Ray Finch
Albuquerque, New Mexico


(Message sent Wed 21 May 2003, 00:27:48 GMT, from time zone GMT-0600.)

Key Words in Subject:  Challenge-Response, E-Mail, Problems, Verification
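
The mailing-list and list-bot failures described in the post come from challenging mail that no human will answer. The sketch below is an added example, not part of the post and not ChoiceMail's code: it shows the header checks a C/R filter can run before sending a challenge (whitelist, List-Id per RFC 2919, Precedence, Auto-Submitted per RFC 3834, null Return-Path). The function name, the whitelist entry and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical whitelist kept by the C/R user (constructed address).
WHITELIST = {"friend@example.org"}

def should_challenge(raw_message, whitelist=WHITELIST):
    """Return (send_challenge, reason) for one incoming message."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    precedence = msg.get("Precedence", "").strip().lower()
    auto = msg.get("Auto-Submitted", "no").split(";")[0].strip().lower()

    if sender in whitelist:
        return False, "sender is whitelisted"
    # Mailing-list traffic: a challenge would land on the list or its admin.
    if msg.get("List-Id") or precedence in ("list", "bulk", "junk"):
        return False, "mailing-list or bulk mail"
    # Auto-generated mail: list-bot confirmations, other C/R challenges.
    if auto != "no":
        return False, "auto-generated mail"
    # Null envelope sender marks a bounce; nobody is there to respond.
    if msg.get("Return-Path", "").strip() == "<>":
        return False, "bounce (null sender)"
    return True, "unknown sender"

# Constructed sample messages, one per case discussed in the post.
SAMPLES = {
    "list_post": "From: Member <member@example.net>\n"
                 "List-Id: <digest.list.example.org>\n"
                 "Subject: Digest 030520\n\nbody\n",
    "listbot_confirm": "From: list-bot@list.example.org\n"
                       "Auto-Submitted: auto-replied\n"
                       "Subject: Confirm your subscription\n\nbody\n",
    "bounce": "Return-Path: <>\nFrom: MAILER-DAEMON@mx.example.com\n"
              "Subject: Undeliverable\n\nbody\n",
    "friend": "From: A Friend <Friend@Example.org>\nSubject: hi\n\nbody\n",
    "stranger": "From: someone@unknown.example\nSubject: hello\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, should_challenge(raw))
```

A message that skips the challenge is not thereby trusted; whether it is delivered, held or filtered as spam is a separate decision. These headers can be forged, so the check only decides whether a challenge goes out.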

Unless otherwise noted, all opinions are those of the individual authors and may not represent those of the editors. Compilation copyright 1995-2024 by Jody Kravitz.

Please read our Republication Policy before copying information from or creating links to this web site.

Click HERE to contact the webmaster regarding problems with the website.

Please support publication of the MMD by donating online

Please Support Publication of the MMD with your Generous Donation

Pay via PayPal

No PayPal account required

                                     
Translate This Page