Mailing to a friend, I just had an encounter with his Challenge-Response mail system. I was curious enough to look at the marketing material for this particular commercial product, and noted that it claimed 100% accuracy for anti-spam. Well of course. That’s because C-R is not an anti-spam system, it is an anti-email system.

A C-R system requires the email sender to verify their legitimacy as a human being (rather than automated spammer) by using some Turing-like Test such as CAPTCHA (a common verification technique found on web sites, such as the GuestBook link above). It does this for all mail, regardless of content. It is something akin to email call-screening, but really has very little to do with anti-spam. It is a whitelist/blacklist system based entirely on sender address that builds up the respective filters via the screening process. Proponents argue that C-R is 100% accurate while other methods that constantly tweak content filters are not. To some extent, this is true. But is it truly worth it to never see a spam again?

Users love C-R because they no longer receive spam. But what else are they not getting? Senders – legitimate ones – tend to not like dealing with the business end of C-R systems because it has the appearance of being slightly rude: not only is it like saying “here’s my email address, maybe I will allow your message in”, but it automatically paints everyone as a spammer until proven otherwise. Not to mention that the CAPTCHA process, one-time or not, can be slightly irritating. More times than not, senders just walk away with a “why bother?” attitude.
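The screening flow described above, modeled as an added example (not code from the post or from any C-R product): delivery depends only on the sender address and whether the challenge was answered, so a legitimate sender who walks away is lost alongside the spam. The class and method names, the sample addresses, and the policy of blacklisting senders whose challenge expires are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class ChallengeResponseGate:
    """Toy C-R filter: the decision uses the sender address only."""
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)
    held: dict = field(default_factory=dict)    # sender -> bodies awaiting a response
    inbox: list = field(default_factory=list)

    def receive(self, sender: str, body: str) -> str:
        sender = sender.lower()
        if sender in self.blacklist:
            return "dropped"
        if sender in self.whitelist:
            self.inbox.append((sender, body))
            return "delivered"
        # Unknown sender: the body is never inspected, the mail is held.
        first_contact = sender not in self.held
        self.held.setdefault(sender, []).append(body)
        return "challenged" if first_contact else "held"

    def answer_challenge(self, sender: str) -> int:
        """Sender passed the test: whitelist them and release held mail."""
        sender = sender.lower()
        released = self.held.pop(sender, [])
        self.whitelist.add(sender)
        self.inbox.extend((sender, body) for body in released)
        return len(released)

    def expire(self) -> list:
        """Challenge window closed (assumed policy): blacklist and discard."""
        lost = [(s, b) for s, bodies in self.held.items() for b in bodies]
        self.blacklist.update(self.held)
        self.held.clear()
        return lost

def run_sample():
    gate = ChallengeResponseGate(whitelist={"friend@example.org"})
    # Constructed traffic: (sender, body, does the sender answer the challenge?)
    traffic = [
        ("friend@example.org", "lunch on friday?", False),
        ("colleague@example.org", "draft attached", True),
        ("newclient@example.com", "request for a quote", False),  # walks away
        ("bulk@example.net", "cheap pills", False),
    ]
    verdicts = []
    for sender, body, answers in traffic:
        verdicts.append(gate.receive(sender, body))
        if verdicts[-1] == "challenged" and answers:
            gate.answer_challenge(sender)
    return verdicts, gate.inbox, gate.expire()
```

In the sample run the inbox contains no spam, yet the discarded list holds the unanswered legitimate message next to the bulk mail.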

There are other ways. My ISP provides SpamAssassin as part of their Exim front-end mailer. On the back-end, I use Thunderbird’s Bayesian filter. Between the two, I have about a 97% anti-spam accuracy and have not experienced a single false-positive in 3+ years. Sure, the occasional spam may get through, but I just use it as an opportunity to further train T’bird. At work, we use a Barracuda spam firewall in front of our Exchange server. The false-positive rate [dropping into the Quarantine area] is decidedly not zero, but when you look at the millions-per-day of spam that were successfully blocked, one has to admire the overall efficiency of the product.

I don’t mind the occasional spam that does get through these protections, because I know they are working in my favor the majority of the time. I am not so offended by the stray advert that I desire to “terminate with extreme prejudice”, and I will not risk alienating legit senders just so my delicate nature is never uglied up by the outside world.