A Spam-Fighter More Noxious Than Spam

Challenge-response filtering systems are likely to wipe out e-mails you want, too

Overwhelmed e-mail users are so disgusted by the volume and the nature of junk flowing into their in-boxes that they are ready to try just about anything that promises to ease the problem. As is often the case with desperation measures, there's a danger that some of the steps being taken will end up making matters worse.

The development that causes concern right now is the rapid growth of what are known as challenge-response systems. This approach, which bills itself as the only method capable of blocking 100% of spam, tries to verify that a message was sent by a human being -- rather than via a mass-mailing program -- before accepting the e-mail. It does this by requiring that senders personally confirm that they are actual people before their messages are accepted. Mailblocks promises to eliminate spam in its $9.95 a year Web-based mail service. MailFrontier Matador, a $29.95 add-on to Microsoft Outlook or Outlook Express, offers it as an option along with more conventional spam filtering. And in the biggest boost yet to challenge-response, EarthLink (ELNK ) has made it available without additional charge to its 5 million or so subscribers.

Here's how it works: When you receive an e-mail, the program checks the sender against a list of acceptable names (your address book is generally used as a starting point for compiling the list.) If the name is not found, a message asking the sender to solve a simple problem is sent back. The goal is to pose a challenge that is very easy for a human being but difficult or impossible for a computer. Typical challenges ask how many kittens are in a picture, or to read a number that is displayed in an odd, distorted typeface against a complex background. If a correct response is received, the mail program puts the message in your in-box. Otherwise, it throws it away or puts it in a special "suspect mail" folder. The concept is that Aunt Minnie will quickly respond with the correct solution and her mail will go through, while the mailbots trying to sell you drugs, larger appendages, and cheap mortgages will be stumped.

Challenge-response definitely stops spam. The problem is that it has unintended consequences. These can be serious, because most of us depend more on machine-generated mail than we realize. Consider this typical e-commerce scenario. You buy a plane ticket on ual.com, and United Air Lines sends you a confirmation and itinerary. Since confirmation@uasupport.com isn't in your approved list, your system sends back a challenge to which United cannot respond. Your confirmation gets buried among the spam. The same fate will befall all messages generated by mailing lists unless you have manually entered the address in your approved list. I regard certain lists as valuable sources of information, and I even like getting promotional mailings from companies I choose to do business with. Even conventional antispam filters pose problems for such lists, but with challenge-response, you are sure to toss out the baby with the bathwater unless you carefully scan all rejected messages and add those you want to your approved list.

Challenge-response has other problems as well. Some systems, including EarthLink's, require you to click on a link to a Web page to answer the challenge. If you are working on a device that can't access the Web or display graphics -- a BlackBerry, for example -- you cannot respond. In addition, an often overlooked consideration is the impact of the challenges, which generally involve graphics, on the visually impaired. EarthLink suggests that a visually impaired sender telephone and ask to be added to the recipient's permitted list. But that seems to put the burden in the wrong place. For federal agencies required to provide equal access by the Rehabilitation Act, and for the corporations voluntarily complying with those rules, visual challenges won't do.

Spam has become a serious threat to the usefulness of e-mail. So it's no surprise that spam-fighting products are hitting the market much faster than I can hope to evaluate them. Most use conventional filtering and work more or less well. Challenge-response systems are a special problem, though, and I fear that their widespread adoption could be almost as great a threat to e-mail as spam itself.


    Before it's here, it's on the Bloomberg Terminal.