Frustrated
I am speaking more specifically about an article that caught my attention this morning. If you don't want to read the article, its author is essentially waving the banner saying that spam email should be filtered using a method called "challenge-response." This method works like this:
Someone who hasn't previously emailed you sends you a message (typically a good start :) ). Because they haven't emailed you before, the challenge-response server sends an email back to the sender, usually requiring some sort of action to verify that the sender is a person and not, for example, a bot. This is the "challenge." If the challenge is "responded to," the message is delivered to the original recipient.
To those completely uneducated about spam filtering and email traffic this might sound like a good idea at a very high level. Let's briefly go into a couple of reasons why it is not:
-- It contributes to the spam problem.
Say, for example, a message sent from a bot is intended for your inbox. The challenge-response server will send a challenge back to the original sending address, which is likely invalid. That challenge will then generate a bounce when delivery to the purported sender is attempted. Generating two messages to attempt to deliver one doesn't help the spam problem and clearly doesn't reduce email traffic.
-- It can prevent legitimate mail from being delivered.
I'll ignore for a moment the case where I personally (and many others I know of) refuse to acknowledge these challenges on principle alone. Let's take the example of when you sign up for a legitimate industry newsletter via some web site. As good senders do, they make an attempt to confirm your opt-in status by sending you an email with instructions to confirm your subscription. Oops! This confirmation is being sent by an automated system, not a person. So, when the confirmation email is received, the challenge is sent back to a mailbox that nobody reads. So, the challenge is never answered, your subscription is never confirmed, and you never get the newsletter that you tried to subscribe to.
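The two failure modes above, modelled as an added simulation (not part of the original post): a toy challenge-response gateway processes constructed traffic and counts the extra messages it generates and the mail it never delivers. The `Sender` and `CRGateway` classes, their fields and all addresses are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Sender:
    address: str          # address the gateway will send its challenge to
    mailbox_exists: bool  # False for a forged address, so the challenge bounces
    answers: bool         # True only if a person reads and answers the challenge

@dataclass
class CRGateway:
    """Toy challenge-response filter (hypothetical model, not a real product)."""
    allowlist: set = field(default_factory=set)
    stats: dict = field(default_factory=lambda: dict.fromkeys(
        ("inbound", "challenges", "bounces", "delivered", "held"), 0))

    def receive(self, sender: Sender) -> str:
        self.stats["inbound"] += 1
        if sender.address in self.allowlist:
            self.stats["delivered"] += 1      # known sender: no challenge needed
            return "delivered"
        self.stats["challenges"] += 1         # unknown sender: hold and challenge
        if not sender.mailbox_exists:
            self.stats["bounces"] += 1        # challenge to a forged address bounces
        elif sender.answers:
            self.allowlist.add(sender.address)
            self.stats["delivered"] += 1
            return "delivered"
        self.stats["held"] += 1               # unanswered: message never arrives
        return "held"

def simulate():
    gw = CRGateway()
    # Constructed sample traffic; every address here is made up.
    traffic = [
        Sender("forged-1@example.invalid", False, False),    # bot, forged sender
        Sender("forged-2@example.invalid", False, False),    # bot, forged sender
        Sender("no-reply@newsletter.example", True, False),  # opt-in confirmation
        Sender("alice@example.org", True, True),             # person who answers
        Sender("alice@example.org", True, True),             # now on the allowlist
    ]
    outcomes = [gw.receive(s) for s in traffic]
    s = gw.stats
    s["wire_total"] = s["inbound"] + s["challenges"] + s["bounces"]
    return outcomes, s

if __name__ == "__main__":
    print(simulate())
```

Each forged message costs three messages on the wire (the spam, the challenge and the bounce), and the newsletter confirmation stays held because nobody reads the mailbox it came from.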
There are some other flaws with the report as well with regard to scoring false negatives (missed spam messages) as being a worse offense than a false positive (legitimate messages identified as spam), which only further proves that the author doesn't understand anti-spam, but for the sake of brevity, I won't go into that right now.
Before any detractors state that I am only writing this because he made a negative comment about MX Logic, I'm not. I came to grips a long time ago with the fact that we cannot please all of the people all of the time. I also realize that Robert Westervelt (the author of the article linked to at the start of this entry) didn't write the report that he references in his story. However, he did write about it as if it is a reputable publication, which makes him culpable.
If you are interested, there is another blog entry about the subject here which also goes into some more detail.
Obviously, there are many different ways to skin a cat, fight spam, whatever, but can we please stop promoting anti-spam methods that actually contribute to making the product worse? That's all I ask!
