As spammers dream up new strategies for slithering into e-mail inboxes worldwide, their counterparts, anti-spam software developers, are always on the lookout for new ways to stop them cold. A bevy of companies think they may have a good answer in challenge-response technology.
The tactic is a simple one, requiring an e-mailer to verify his or her identity before being added to a “white list” that enables him or her to send e-mail unrestricted in the future, but the technology is not perfect yet. Some anti-spam advocates fret that the technique is too cumbersome or not entirely effective.
However, amid a surge of user desperation nearly as powerful as the flood of spam sweepingacross the Internet, the tactic’s growing popularity speaks for itself. Will challenge-response emerge as the next big spam killer?
Who Goes There?
The most common method of stopping unsolicited e-mail in its tracks is filtering, which lets individuals and IT administrators cull legitimate messages from the ever-growing sea of spam.
Challenge-response works differently. Rather than using a multitude of rules to determine what may or may not be spam, the software takes the approach of a club bouncer to keep undesirables out.
When e-mail arrives from an unknown sender, challenge-response software sends back a message asking the sender to identify himself. If the sender is legitimate, he then types a one-word response and is allowed through the barrier for good. With most challenge-response programs, a single verification in a given domain is enough to let a sender transmit messages to anyone within that domain.
For example, if a sender wants to e-mail “[email protected],” he will receive a challenge-response message the first time he attempts to send a note. After he verifies that he is a real person and not a spammer hawking Viagra orlow-cost loans, he will be able to send messages to anyone at “isp.com” in the future.
Since the first challenge-response applications emerged from the development process last year, there has been growing demand for them, according to Susan Bratton, vice president of sales and marketing at challenge-response software maker Mailblocks.
“When we started this company a year ago, there were 40 companies that did some kind of anti-spam software,” Bratton told the E-Commerce Times. “Now there are 170. Of those, there are nearly 40 that now provide some type of challenge-response offering.”
Brian Cartmell, CEO of software firm SpamArrest, said his company also has noticed a sales spike lately as more corporate customers begin to see value in challenge-response.
“When we began in 2001, there was resistance, but after some user education, we’re past that,” he told the E-Commerce Times. “This is the only way to win the spam war.”
The tactic may be getting even more attention in coming months. ISP giantEarthLink made a challenge-response system available to its customers at the end of May, indicating the technology is starting to hit the mainstream.
Perhaps because of the wide variety of anti-spam companies producing challenge-response software, there seems to be no clear leader. However, frontrunners appear to be SpamArrest, Mailblocks, Qurb, iPermitMail.com, MailFrontier.net and EarthLink.
Not everyone is enthused about the challenge-response technique. When EarthLink made the technology available, slight reverberations echoed across the Web, mainly from newsletter mailers.
For example, editors at TidBits, a Macintosh newsletter with 50,000 subscribers, told readers that no challenges would be answered. They wrote, “[I]f you’re using a challenge-response system and not receiving TidBits, you’ll need to figure that out on your own.”
Another list owner, Dave Farber of the University of Pennsylvania, who runs an “interesting people” list, warned subscribers that he was getting a flood of challenges from EarthLink and would declare the messages spam before long.
Bratton admitted that some newsletter difficulty still remains. List owners might have neither the time nor the inclination to answer challenge-responsee-mails personally, so subscribers may find their newsletters getting stopped at the door.
She suggested that list aficionados establish a separate e-mail alias that has no challenge-response enabled and can be used for newsletters and online ordering.
Despite shortcomings and complicating factors, Cartmell insists challenge-response technology could achieve mass adoption as the spam war progresses.
“The only other way to stop spam is with a filter, and although filtering has come a long way, it’s still not 100 percent effective,” he said. “Spammers learn how to tailor their messages to get past a filter. Basically, they slam a filter over and over until they figure a way to get around it. You can’t get around challenge-response.”
For her part, Bratton said, “There was a perception challenge at first, because people think that asking unknown senders to fill out a response would be onerous, but as the technology gets better, that perception is quickly diminishing.”
Even for those who neither love it nor hate the idea of challenge-response, the strategy bears watching. IDC analyst Jonathan Gaw told the E-Commerce Times that there is room in the marketplace for many different anti-spam strategies.
“Each person and company treats e-mail differently,” he said. “It all depends on your business and the role of e-mail for you.”