This term is being used in a somewhat different way than is traditional in the growing anti-spam efforts of ISPs and software developers. Rather than providing an automated method to validate a client, this form of challenge-response forces a non-automated validation, by design.
The basic mechanism is as follows:
- All of a person's e-mail is received by an intermediate system, either a separate server or an application running on their computer
- The intermediate server/application holds the e-mail temporarily, instead of presenting it immediately to the user
- A challenge e-mail is sent back to the source e-mail address, in a form such as a link to a web page containing an anti-OCR graphic of a set of characters, which the sender must type in
- Once the challenge has been properly answered, the sender's mail is delivered and the sender is whitelisted for future mail
The basic assumption underpinning the effectiveness of challenge-response against spam is that it requires the spammer to invest human time in every e-mail sent, making mass-mailing impractical. It also directly eliminates spam which has a spoofed or false "from" address, a common spammer tactic: the challenge is sent to the forged address, so the spammer never sees it and the held mail is never released.
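The hold, challenge, whitelist and release steps above, modelled as an added example (not code from the original page). Class and method names are hypothetical, the 7-day hold window is an assumed default, and the timestamps in any test are constructed rather than wall-clock values.

```python
import secrets
from dataclasses import dataclass

@dataclass
class HeldMessage:
    sender: str          # envelope/From address the challenge is sent back to
    subject: str
    received_at: float   # seconds since epoch (constructed in tests, not wall-clock)

class ChallengeResponseGate:
    """Model of the intermediate hold-and-challenge system (hypothetical names)."""

    def __init__(self, hold_seconds=7 * 24 * 3600):
        self.hold_seconds = hold_seconds   # assumed default: hold unanswered mail 7 days
        self.whitelist = set()   # senders who have answered a challenge
        self.held = {}           # sender -> [HeldMessage, ...] awaiting an answer
        self.pending = {}        # sender -> challenge token carried in the link
        self.inbox = []          # mail released to the user

    def receive(self, msg):
        """Deliver trusted senders at once; hold everyone else and challenge them once."""
        if msg.sender in self.whitelist:
            self.inbox.append(msg)
            return None
        self.held.setdefault(msg.sender, []).append(msg)
        if msg.sender not in self.pending:
            # The token goes out in the challenge e-mail addressed to msg.sender. If that
            # address was forged, the challenge reaches its real owner, not the spammer.
            self.pending[msg.sender] = secrets.token_urlsafe(16)
            return self.pending[msg.sender]
        return None

    def answer(self, token, captcha_solved):
        """Called when the challenge link is followed and the CAPTCHA typed in correctly."""
        sender = next((s for s, t in self.pending.items() if t == token), None)
        if sender is None or not captcha_solved:
            return False
        del self.pending[sender]
        self.whitelist.add(sender)
        self.inbox.extend(self.held.pop(sender, []))
        return True

    def expire(self, now):
        """Discard held mail whose challenge was never answered within the hold window."""
        for sender, msgs in list(self.held.items()):
            self.held[sender] = [m for m in msgs if now - m.received_at < self.hold_seconds]
            if not self.held[sender]:
                del self.held[sender]
                self.pending.pop(sender, None)
```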