In the growing anti-spam efforts of ISPs and software developers, this term is used somewhat differently from its traditional sense.

Rather than providing an automated method to validate a client, this form of challenge-response forces a non-automated validation, by design.

The basic mechanism is as follows:
  • All of a person's e-mail is received by an intermediate system, either a separate server or an application running on their computer
  • The intermediate server/application holds the e-mail temporarily, instead of presenting it immediately to the user
  • A challenge e-mail is sent back to the source e-mail address, in a form such as a link to a web page containing an anti-OCR graphic of a set of characters, which the sender must type in
  • Once the challenge has been properly answered, the sender's mail is delivered and the sender is whitelisted for future mail

The basic assumption underpinning the effectiveness of challenge-response against spam is that it forces a spammer to invest human time in every e-mail sent, making mass-mailing impractical. It also directly eliminates spam that has a spoofed or false "from" address, a common spammer tactic.
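
The hold, challenge and whitelist steps listed above, and the spoofed-address case, as a small simulation. This is an added example, not code from any particular product: the class, method names and addresses are hypothetical, and the random string stands in for the characters that would be rendered in the anti-OCR graphic.

```python
import hmac
import secrets

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no look-alike characters

class ChallengeResponseFilter:
    """Intermediate system that holds mail from unknown senders."""
    def __init__(self):
        self.whitelist = set()   # senders who answered a challenge
        self.held = {}           # sender -> bodies waiting for validation
        self.pending = {}        # token -> (sender, expected answer)
        self.inbox = []          # mail presented to the user

    def receive(self, sender, body):
        """Return ("delivered", None), ("held", None) or ("challenged", token)."""
        sender = sender.strip().lower()
        if sender in self.whitelist:
            self.inbox.append((sender, body))
            return "delivered", None
        already_challenged = sender in self.held
        self.held.setdefault(sender, []).append(body)
        if already_challenged:
            return "held", None            # one outstanding challenge per sender
        token = secrets.token_urlsafe(16)  # goes in the link mailed to the sender
        answer = "".join(secrets.choice(ALPHABET) for _ in range(6))
        self.pending[token] = (sender, answer)  # answer is shown only as a graphic
        return "challenged", token

    def answer(self, token, typed):
        """Release held mail and whitelist the sender if the typed text matches."""
        sender, expected = self.pending.get(token, (None, ""))
        typed = typed.strip().upper().encode()
        if sender is None or not hmac.compare_digest(typed, expected.encode()):
            return False                   # unknown token or wrong text: mail stays held
        del self.pending[token]            # tokens are single use
        self.whitelist.add(sender)
        self.inbox.extend((sender, b) for b in self.held.pop(sender))
        return True

def demo():
    """Constructed traffic: one sender who answers, one spoofed address that never does."""
    f = ChallengeResponseFilter()
    _, token = f.receive("alice@example.org", "Lunch on Friday?")
    f.receive("alice@example.org", "Also, bring the slides.")
    f.receive("spoofed@example.net", "Cheap pills")
    wrong = f.answer(token, "not-the-code")
    right = f.answer(token, f.pending[token][1])  # what a human reads off the graphic
    status, _ = f.receive("alice@example.org", "Thanks!")
    return wrong, right, status, f.inbox, sorted(f.held)
```

Mail from the spoofed address is never released because nobody at that address answers the challenge, while the sender who answers once has later mail delivered directly.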