Why does Peter Brockmann rate "challenge/response" spam filters so highly?

Your "hire Richi" list

Seems like a really strange place to be using AdSense....*scratches head*

I just happened on this blog, Googling to see if anyone else has trouble and/or was entered into the "challenge/response unsubscription loop from hell" while trying to unsub from IDG Connect...a newsletter I never subscribed to.

When I follow the newsltter's unsubscription instructions to the letter (oh wait...here they are:

If you do not wish to receive e-newsletters from IDG Connect, don't reply to this email. Please send a blank email to this special address to automatically remove yourself.

The link goes to:
leave-1572515-7316377.b666ed3b1bb48653e0d4a53234261edd@mailer.idgconnect.com

After doing exactly that, I receive from Lyris List Manager:

The following lines in your email message did not appear to be
Lyris ListManager commands and were skipped:

This email message is simply a notification of how Lyris ListManager understood
your email message. If you want to resend your commands, send them to lyris@mailer.idgconnect.com

Since one of the touted strength's of Lyris is it's ability to manage unsubscription requests, one would have to assume the fault lies in whoever configured it.

I gave my best shot using the IDG "contact us" form. We'll see what kind of form email I get back (that likely will have nothing to do with my request)!

So...I got annoyed, especially since I never signed up for this "IDG Connect" crap to begin with. I Googled. It landed me here...to a post discussing email, and spam. Color me amused. Annoyed, but amused.

It has been interesting to

It has been interesting to read these posts. It seems from what I have read that C/R on business emails could destroy your business by getting your email blacklisted.

I am a hosting reseller and the servers I rent have spam filters. I use Thunderbird with its junk mail filters and I still have to go through 100+ emails to get two or three that are not spam.

So I have one question. What does work?

Signed for enterto email.

Signed for enterto email. Easy signup, great interface. Don't know about spam protection yet, but their technology is promising. I used same technique for about 5 years – creating aliases manually on my server for online registrations. Now when I have 1000+ aliases, management become difficult. Enterto dose this transparently and esy to manage (signed to this forum with aliase generated by enterto)

(The following comments are

(The following comments are directed mostly to Peter Brockmann, whoever the hell he is.)

What is this, amateur hour?

Challenge/Response is just dandy if you don't care about spamming the poor schmos who are unwitting participants in a botnet blasting spam out to the masses. Of course C/R makes the user happier, after all, they never have a clue how many folks get mailbombed thanks to their challenges.

And all those emails they miss from folks who have better things to do than respond to an easily broken CAPTCHA challenge couldn't be all that important, eh? I mean, if you never see the false positive, then it didn't happen, right?

To make it worse, you and your fellow simians adhere to the misguided belief that there is a single "magic bullet" that will stop spam cold.

Filters help. Blocklists help. Even C/R has it's place.

However, there is no single solution to the problem.

ASMTP, port 25 filtering, SenderID, DomainKeys, RBLs, DNSBLs, C/R... every hurdle that you can drop in front of a spammer makes it that much harder to get spam to the end user's mailbox. What kind of "consultant" advocates a single solution to a security problem with multiple vectors? Did you get fries with those credentials?

I especially liked the month to month comparisons of spam volume as an indicator of performance. Have you *ever* worked in this industry? Why not try showing data over a span of years? Why not correlate those numbers to advances to or changes in spammer's techniques? (hey, how about that jump in spam complaints when spammers started really using botnets?) Your "Spam Index" is a meaningless stat that doesn't account for all of the variances in input into your system.

Don't get me wrong, you're entitled to your opinion, as misguided and wrong as it is, but please stop trying to present your credentials as an expert. You're a marketing weenie who has no idea what it's like in the trenches of the fight against spam.

Thank you for sparing me, and my company, from the tedium of evaluating any of your products or services. I'm reasonably certain that they would be as useful as tits on a boar.

C/R is a blessing. The only

C/R is a blessing. The only SPAM I get now is from Nigerians who are using a real return address.

SPAM is unsolicited commercial email. I don't consider sending a challenge SPAM. If challenges were really SPAM under any legal definition (CAN-SPAM Act, GA Law 16-9-101, etc) then any unexpected or unwanted email would qualify and I could technically sue anyone for sending me email if it were undesirable.

If you are contacting me about something personal an extra 5 seconds of your time isn't a big deal. If you are approaching me about a commercial venture, then an extra 5 seconds of your time is no big deal compared to the criminal background check, Office of Foreign Asset Control, and other checks you will have to go through in order to pass our legal department. If you won't put up with C/R, then you certainly won't put up with the other requirements, so why would I want to waste my time on you?

In the end C/R means almost ZERO unsolicited commercial email (SPAM)in my Inbox. Anti-Spam product vendors have no interest in curing the problem, just like anti-virus vendors. The business model is to hook you with an annual or monthly service fee with less than quality performance. Until hosted services or software becomes as reliable as a Honda or a Toyota, they can not compare to C/R.

(I'm beginning to think

(I'm beginning to think "Anonymous" is just another Brockmann handle, but I'll humour him anyway)

1) About "Triple Traffic"
I find it interesting that anyone would have trouble believing that "original + challenge + response = 3 transmissions".

2) About Wrongful Challenges
You say you're "doubtful" about challenges being sent to the wrong party. I don't believe you.

3) About C/R Challenges being spam
Unwanted and unsolicited mail is spam - period. This is not just a "legitimate" definition of spam, it's also the one that always works. Willingly and persistently sending such mail (or other traffic), regardless of its content, constitutes a blatant disregard for all other networks, and should constitute disconnection, IMO.

I'm just glad that there are waaay more people out there who won't touch C/R than there are zealots like yourselves who keep trying to push it. It's really quite amusing (or sad, can't decide) how the few of you try to make it look so many are jumping on it, and happy to do so.

For those who won't give up on it...
Enjoy your eventual Intranet!

Try Gmail: you can set it up

Try Gmail: you can set it up to fetch mail from your ISP via POP and filter the spam.

Alternatively, you could try a client-side spam filter plugin, but these involve downloading the spam, which you may find tedious.

Lack of choices. I have

Lack of choices.

I have the choice of using the tool that my ISP provides (C/R) or receiving hundreds of SPAM emails per day. I don't like either choice.

Yes, in some cases, one

Yes, in some cases, one person's spam is another person's delicious, spiced, mechanically-recovered pork product. However, it turns out that we "all" agree about the vast, vast majority of it.

Sensible service providers treat the spam button as a strong indication of spam characteristics for this user, but not for all users unless many users are clicking it on similar messages.

While people such as your mother use the button as a "learning delete" key, many others don't realize the usefulness of the button and simply use the Delete button on spam.

Canny senders sign up for "feedback loops" with SPs such as AOL. Then they can get notified when users click the spam button. They can also use the RFC2369 standard for a mail client to display an Unsubscribe button, which some SPs and clients are supporting.