Thursday 16 November 2006

PC World's Steve Bass Repents?

Last week, I wrote about how PC World's Steve Bass was promoting those evil, evil challenge/response spam bouncing products. I pointed out in my blog post and also in private email to Steve that these things can get their users blacklisted, because misdirected challenges are as bad as the spam itself.

Today, Steve has a new post up, calling me a "Polite ... self-proclaimed spam expert." Errr, well, those who know me may not agree with the first bit. And I'm not sure the second bit is quite my choice of words, but my clients seem to think so. Never mind. Onwards...

Fortunately, Steve has first-hand experience of the problem:

"I get a half-dozen or so of these misguided challenge/response e-mails every day"

Unfortunately, Steve links to a Wikipedia explanation of something with a similar name but which has nothing to do with spam. Presumably he meant to link to Challenge-response spam filtering. Oopsy.

In fact, reading his explanation of C/R, I'm not sure he actually understands the problem. See if you agree:

"You can set some programs to bounce messages back to spammers and make them think your address is no longer working. Quite often a message from a challenge/response system will get treated as spam and bounced back with the rest of the junk e-mail. And quite often these messages float around the Net when someone using challenge/response also has a computer virus.
...
"The spamming part comes into play when the person sending the e-mail receives a reply from the challenge/response program, challenging the sender to prove he or she isn't a spambot."

Well, I'd have put it a bit differently. How about this:

Q: You can set some programs to reply to spammers; great idea, right?
A: No, because the replies hardly ever go to spammers -- spammers forge the message's sender. So they don't work.

Q: But it's only spam and we don't care about those messages, so it's OK... right?
A: No, because the forged senders are often real email addresses, with real people at the end of them. So you're causing unwanted email to be sent to them.

In other words, Challenge/Response makes you a spammer.
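
An added example, not part of the original post: a small Python model of a challenge/response filter run over four constructed messages, showing where each challenge ends up. The whitelist, every address and the "true sender" labels are assumptions made for the illustration.

```python
# Added illustration, not from the original post. All messages and addresses are constructed.
from email import message_from_string
from email.utils import parseaddr

WHITELIST = {"friend@example.org"}  # hypothetical: senders the C/R user already approved

# (raw message, address of whoever really sent it); the filter never sees the second field
SAMPLES = [
    ("Return-Path: <friend@example.org>\nFrom: Friend <friend@example.org>\n"
     "Subject: lunch?\n\nNoon?\n", "friend@example.org"),
    ("Return-Path: <columnist@example.com>\nFrom: Columnist <columnist@example.com>\n"
     "Subject: Re: your question\n\nHere is my answer.\n", "columnist@example.com"),
    ("Return-Path: <alice@example.net>\nFrom: Alice <alice@example.net>\n"
     "Subject: cheap pills\n\nBuy now\n", "bot@spammer.invalid"),
    ("From: \"Bob\" <bob@example.net>\nSubject: hot stocks\n\nBuy now\n",
     "bot@spammer.invalid"),
]

def challenge_target(raw):
    """Return the address the filter would challenge, or None when no challenge
    is sent (whitelisted sender, or no usable sender address)."""
    msg = message_from_string(raw)
    # The only sender information the filter has is what the message itself claims.
    claimed = parseaddr(msg.get("Return-Path") or msg.get("From", ""))[1].lower()
    if not claimed or claimed in WHITELIST:
        return None
    return claimed

def tally(samples):
    """Group the sample messages by where their challenge lands."""
    out = {"no_challenge": [], "challenge_to_real_sender": [], "challenge_to_bystander": []}
    for raw, true_sender in samples:
        target = challenge_target(raw)
        if target is None:
            out["no_challenge"].append(true_sender)
        elif target == true_sender:
            out["challenge_to_real_sender"].append(target)
        else:
            # Forged sender: the challenge goes to someone who never wrote to us.
            out["challenge_to_bystander"].append(target)
    return out

if __name__ == "__main__":
    for outcome, addrs in tally(SAMPLES).items():
        print(f"{outcome}: {addrs}")
```

Neither spam message produces a challenge that reaches its real origin; both go to the forged addresses, and the only genuine correspondent who is challenged is the one who was not whitelisted in advance.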

Update: Steve posted more on this topic. Steve's right on when he says:

"Challenge/response ... doesn't work. I'll give you an example. A PC World reader sends me an e-mail and I take a couple of minutes to respond. Then I get an e-mail challenging me, asking me to take an extra step -- click here, go to a Web site, or maybe stand in the corner and whistle a show tune.

"Nope, not me, Pal. I've already been a good Netizen and responded to the reader's e-mail; and I'm not about to spend more time on this. If the person sending me the e-mail had a spark or two, they'd have added me to their whitelist before sending me a message. So I watched how I responded to getting a challenge e-mail, figured everyone else would do the same thing, and decided not to bother with it."

And if you're looking for the debate between me and Jeff Hendrickson, it's right here.