Saturday, September 22, 2007

Auto-Responders and Challenge/Response

I wanted to address a comment that was made to a previous post regarding spammers using auto-responders to defeat the challenge/response method of spam control.

Theoretically, it does seem that spammers could simply set up an auto-response for any emails addressed to them so that they could get around systems like challenge/response. However, the reality is that most spammers (close to 100%) do not use addresses to which a response can be sent. Therefore, challenges are never delivered to them. They intentionally use invalid return email addresses so that they do not incur the costs associated with the huge number of bounces (emails that cannot be delivered) they often generate. Using a valid return address to process all the bounces just to look for challenge messages to which they would then respond would incur great processing expense and, in turn, defeat their economies of scale. Furthermore, it would also make spammers easier to block, track down and report.

Bottom line, trying to thwart challenge/response systems in this manner would defeat the cost-effectiveness of the bulk-mailing process. Simple economics allow challenge/response systems to provide effective SPAM prevention.

Now, if spammers do decide to use auto-responders, challenge/response systems could fairly easily modify their currently very simple methods to make such an approach more difficult for spammers. The level of difficulty could increase as much as is necessary for the sender to prove their humanity and legitimacy.

The idea is to keep the challenge/response systems as simple as possible to avoid inconveniencing legitimate senders, while at the same time keeping them difficult enough to thwart an automated response system. At the present time, most challenge/response systems offer the ability to confirm by simply replying to an email or clicking on a URL. There is no evidence to suggest that a more challenging procedure is even close to necessary at this time.
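The confirm-by-URL flow described above, as an added example that is not code from this post or from any particular challenge/response product: the link carries an HMAC token bound to the sender, recipient and issue time, so it cannot be guessed or replayed for another address, and mail with no usable return address never triggers a challenge. The `ChallengeGate` class, the secret, the seven-day expiry and the one-challenge-per-pair rule are assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: per-deployment secret
TOKEN_TTL = 7 * 24 * 3600         # assumption: challenges expire after 7 days

def _sign(sender, recipient, issued):
    msg = f"{sender}|{recipient}|{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

class ChallengeGate:
    """Holds mail from unknown senders until they confirm a challenge."""
    def __init__(self):
        self.approved = set()   # (sender, recipient) pairs that confirmed
        self.held = {}          # (sender, recipient) -> queued message bodies
        self.quarantine = []    # mail with no usable return address

    def receive(self, sender, recipient, body, now=None):
        """Return (status, token); token is set only for 'challenge'."""
        now = int(time.time()) if now is None else now
        key = (sender.lower(), recipient.lower())
        if "@" not in sender:
            # No address to challenge, so no challenge is ever sent.
            self.quarantine.append(body)
            return ("quarantine", None)
        if key in self.approved:
            return ("deliver", None)
        first = key not in self.held
        self.held.setdefault(key, []).append(body)
        if not first:
            return ("hold", None)   # one challenge per pair, not per message
        return ("challenge", f"{now}.{_sign(*key, now)}")

    def confirm(self, sender, recipient, token, now=None):
        """Release held mail if the token is authentic and unexpired."""
        now = int(time.time()) if now is None else now
        key = (sender.lower(), recipient.lower())
        try:
            issued_s, mac = token.split(".", 1)
            issued = int(issued_s)
        except ValueError:
            return []
        if not 0 <= now - issued <= TOKEN_TTL:
            return []
        if not hmac.compare_digest(mac.encode(), _sign(*key, issued).encode()):
            return []
        self.approved.add(key)
        return self.held.pop(key, [])
```
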

Better yet, if spammers do resort to auto-responders, we've all won a huge battle for the internet community by raising the bar and forcing them to leave breadcrumb trails leading right back to their lairs. So, as the focus on legislation continues, and spamming becomes an increasingly illegal activity, who will take these great risks for such little reward?

Finally, I would like to thank the person that asked the auto-responder question and prompted this reply. Please keep the questions coming. I look forward to any and all opinions regarding the prevention of SPAM.
