Standing Up To Spam

It is being promoted as a surefire way to eliminate unsolicited e-mail: Force senders to prove they are human rather than one of those automated programs that inundate the Internet with spam.

Known as challenge-response, the technology obliges a sender to verify his or her authenticity before the person's electronic messages can be accepted.

The technique has consequences far beyond stymieing spam-spitting software robots, and some leading anti-spam activists fear it could backfire and render e-mail useless if widely adopted.

Atlanta-based EarthLink introduced challenge-response last week to its 5 million subscribers, which means legitimate senders of e-mail could now face many more hurdles to get their messages delivered.

While the technique is not entirely new, usage has been limited to the thousands. But EarthLink expects half its customers will turn on the free service by year's end, and other Internet providers are weighing a similar offering.

"It's sufficiently tempting that people will use it and will not realize all the bad things that will begin happening," said Steve Atkins, an anti-spam consultant in Redwood City, Calif. "Challenge-response is very, very unfriendly and rude to legitimate senders of e-mail."

It typically works like this: When a recipient gets e-mail from an unknown sender, software automatically returns a message — a challenge — requiring the sender to perform a task such as filling out a form. Presumably, spammers won't bother.

Supporters liken it to knocking on a door and asking permission to enter.

Recipients may pre-approve senders — the equivalent of giving them a set of keys so they will not have to knock every time. But if recipients forget, e-mail discussion lists and the people who run them could get bombarded with challenges. Some lists have thousands of subscribers.

Worse, some of those messages could get broadcast to all of a list's recipients, some of whom might send back additional challenges, creating an endless and annoying "mail loop."

"They can get pretty overwhelming is a nice polite way of putting it," said David Farber, a former Federal Communications Commission chief technologist who runs a 25,000-member list on technology.

EarthLink's normal spam filter blocks up to 80 percent of spam. But spam has increased sixfold over the past 18 months.

The company decided to offer its customers the challenge-response option because cranking up spam filtering would only cause more legitimate mailings to get tossed by mistake, said Jim Anderson, vice president of product development.

"It's as close to a silver bullet as you're going to get," Anderson said. "We're simply providing a tool for customers to retake control of the inbox from spammers."

But Eric Thomas, chief executive of L-Soft International Inc., a Swedish company that makes the popular Listserv mailing list software, warned: "The cure might be worse than the ailment."

America Online now blocks up to 80 percent of incoming e-mail traffic, or more than 2 billion messages a day. But company spokesman Nicholas Graham said AOL will not adopt challenge-response because having to send out 2 billion challenges a day would tax the system and create delays for subscribers.

"They don't want to hear `You got mail and you just have to wait a few minutes longer,"' Graham said. "They expect to get e-mail quickly and responses quickly."

Online receipts from Amazon.com and other e-commerce sites also create problems: Because they are automated, they will not respond to challenges.
Some spam experts question whether such techniques will even work. They believe spammers will figure out how to automate responses to challenges.

"Lots of people say this will solve everything, spam won't be a problem anymore," John Levine of the Coalition Against Unsolicited Commercial E-Mail. "Of course, they said the same things about a variety of previous techniques."

Featured in SciTech