Challenge/response (c/r) is an increasingly popular technique for spam control. This methodology is a subset of the whitelisting scheme for preventing delivery of unsolicited commercial email. It has actually been around for a number of years doing things like protecting mailing lists from subscribing forged addresses, but in 2000 it really started to come into its own for use in UCE prevention.

Most users are familiar with spam blacklisting. This usually involves matching a pattern or some type of origination identifier, such as a mail server or a block of text from a known piece of spam. Upon a successful match, the mail is discarded or the connection is rejected. The problem with this approach is that spammers' intrusion techniques evolve as fast as or faster than the prevention techniques do, so the battle is a never-ending game of one-upmanship.

Conversely, whitelisting allows a user to establish an "address book", or whitelist, of known and trusted senders who are allowed access to his inbox. C/r takes this one step further. By adding a step that allows senders of unknown (and therefore untrusted) origin to validate themselves as a legitimate message source, one can have their whitelist, and expandability too.

The way this works is: mail from currently unknown senders is held in a pending queue until they respond to a one-time confirmation request (AKA "challenge"). Once they respond to the confirmation, their original message is deemed legitimate and is delivered to the user's inbox. All currently available c/r programs have an option to then add their address to your whitelist so they won't have to confirm future messages.

The actual challenge message can be very simple, or more complex. In the current spammers' economy, a simple challenge saying "just click reply" or "just click on this URL" is sufficient. Why? Because of the way spam operates today, all spammers use a one-way communication channel to reach their victims. Doing otherwise is prohibitively expensive for them: they have no means of responding to all the bounces, complaints, or internet service provider threats, much less challenges. As of this writeup, spammers universally use forged return paths. This means that they don't get the flood of bounced messages they generate, they don't get your out-of-office replies, and they won't get your c/r challenge either.
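The flow described above (pending queue, one-time challenge, whitelist on confirmation) and the reason a forged return path defeats the spammer, as an added Python sketch that is not TMDA's code or that of any product named here; the `ChallengeResponseAgent` name, the HMAC token scheme, the expiry window and the example addresses are assumptions made for illustration:

```python
import hashlib
import hmac
import time


class ChallengeResponseAgent:
    """Toy c/r delivery agent: whitelist, pending queue, one-time challenges (illustration only)."""

    def __init__(self, secret, ttl_seconds=7 * 24 * 3600):
        self.secret = secret        # per-installation key used to mint confirmation tokens
        self.ttl = ttl_seconds      # how long an unconfirmed message waits before it ages out
        self.whitelist = set()      # senders who no longer need to confirm
        self.pending = {}           # token -> (sender, body, queued_at)
        self.inbox = []             # (sender, body) pairs actually delivered
        self.challenges = []        # (return_path, token) the agent "sent"; the mail is not sent here

    def _token(self, sender, message_id):
        # Keyed MAC over sender + Message-ID: a reply only counts if it carries a token
        # this agent minted for that exact queued message, so tokens cannot be guessed.
        mac = hmac.new(self.secret, f"{sender}\0{message_id}".encode(), hashlib.sha256)
        return mac.hexdigest()[:32]

    def receive(self, return_path, message_id, body, now=None):
        now = time.time() if now is None else now
        if return_path in self.whitelist:
            self.inbox.append((return_path, body))
            return "delivered"
        token = self._token(return_path, message_id)
        self.pending[token] = (return_path, body, now)
        self.challenges.append((return_path, token))   # the challenge goes to the Return-Path
        return "challenged"

    def confirm(self, token, add_to_whitelist=True, now=None):
        now = time.time() if now is None else now
        entry = self.pending.pop(token, None)
        if entry is None:
            return "unknown-token"   # never issued, already used, or already expired
        sender, body, queued_at = entry
        if now - queued_at > self.ttl:
            return "expired"
        self.inbox.append((sender, body))
        if add_to_whitelist:
            self.whitelist.add(sender)   # future mail from this sender skips the challenge
        return "released"

    def expire(self, now=None):
        # A forged Return-Path never answers, so the spam simply ages out of the queue.
        now = time.time() if now is None else now
        stale = [t for t, (_, _, queued_at) in self.pending.items() if now - queued_at > self.ttl]
        for t in stale:
            del self.pending[t]
        return len(stale)
```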

This is how it works today, but people are already moving more and more onto whitelist-centric systems, so you can count on this dynamic changing as a majority of Internet users apply these systems to protect their mailboxes. Once spammers find their economies of scale ruined by this new method, they will modify their strategy to the (significantly more expensive) tactic of trying to defeat the simplest whitelisting systems. Some initial ways of doing this include harvesting mailing lists as a whole (counting on the users having each other or the list whitelisted), or actually trying to collect and respond to the simple "reply to me for delivery" challenges. This is probably more costly and difficult than you imagine. Eventually, users can counter this by deploying c/r systems that validate human users. Ways of doing this include typing scrambled letters that have been embedded in an image (try to sign up for a Yahoo account to see what I mean), or any task that is easy for a human but difficult or impossible for a machine.

There are a couple of commercial c/r managed mail services available, such as ChoiceMail from DigiPortal and MailFrontier's Matador, as well as a piece of Winblows software called SpamArrest. Also, USA internet service provider Earthlink has offered up "SpamBlocker" to its customers, which, aside from being a proprietary mess, is a terrible nuisance for sender and recipient alike that I cannot in good conscience recommend. None of these, however, even holds a candle to the system known as the Tagged Message Delivery Agent (TMDA). This program acts as a delivery agent on your mail server and has far too many features to enumerate here. It is, however, far more flexible and feature-rich than any alternative.