--VQ-- Site Admin

Joined: 06 Jan 2003 Posts: 590
Posted: Sat Jan 31, 2004 10:51 am Post subject: Is challenge SPAM? -especially if misdirected
Vanquish is the first to admit that the sending of a confirmation request (the challenge) is an imperfect mechanism to distinguish Spam from Ham...
- It accurately separates humans from bulk mailers, but not all bulk mail is undesired by the recipient.
- It forces legitimate senders to jump a barrier, while email should be simple and instantaneous.
- It can delay important mail from an address that is unrecognized, but welcomed by the recipient.
- Spammers can cause confirmation requests to be issued to the wrong person by spoofing their FROM address.
It is this last item that concerns us the most. It causes us to lose sleep at night, because it means that our own anti-spam mechanism can be used against innocent parties in a type of Denial of Service attack.
We recognize that spammers sometimes hide behind the legitimate address of real individuals who are unrelated to the message. In this case, the challenge-response mechanism used by many anti-spam companies causes feedback to the wrong party. We are keenly aware of this problem and we are working hard to replace the challenge-response mechanism with a much more effective technique which will avoid this problem altogether.
We could attempt to "deny involvement" in the core transaction by pointing out these facts (but that would be evasive and not really fair)...
The Vanquish confirmation mail server is a conduit used to send messages at the instruction of a particular individual (our ISPs and retail clients). Messages are sent to the party identified in the FROM address of the original email, which is essentially the return address. Unfortunately, there is no uniform standard to determine if a FROM address is legitimately associated with a particular sender. It is a major benefit that you can write from one service and request that replies be sent to another service. In fact, there is no such thing as a FROM address. There is only the concept of where you want messages returned.
The best solution is not one that requires positive identification of senders. There are many reasons why a legitimate and desirable sender may need to transmit a message with anonymity. This capability is central to the rise of the internet as a geopolitical force and it will also play a role in the future economy and social structure of the world. The best solution is to place senders at risk of losing cash. The cash liability can be identified, and perhaps the guarantor - but not necessarily the person offering the risk. Then, if the message is deemed undesirable by the recipient, it can be instantly penalized against the funds on deposit (even if the funds are anonymous)... It takes only one click.
We do not yet have a mechanism to avoid challenges to 3rd parties that are instigated by spammers hiding behind a false address. If someone knocks at your door, it's only natural to call out "Who's there?" Sender confirmation is the analogous response of our users to a communication that arrives with a reply address.
If you have become flooded with messages that spoof your own address, Vanquish will explore the possibility of making an exception list of real individuals who want to avoid all challenges - and we will even offer to share the list with our competitors. But opt-out lists of this nature can lead to other problems. We are very sensitive to the fact that even this type of solution would be unfair to the needled party, because an opt-out solution should never be required. In fact, it would not be difficult for a hacker to prevent you from getting all challenges against your wishes.
[This message was edited by Moderator (Vanquish staff) on Sat January 31 2004 at 7:26.]