How does this software avoid some of the problems associated with CR systems?
For example, what stops this software sending challenges to the forged FROM headers if a spammer sends x thousand emails with forged addresses in the FROM header?
Randolf C. Richardson
As far as I know, this software relies on possibly-forged sender information. This is the nature of the Challenge-Response ideology -- to fight abuse with abuse, by forwarding spam to forged senders.
Many different techniques have been proposed over the years, such as whitelists, but these solutions are logically problematic for a variety of reasons, and tend to be impractical to implement due to the high requirements for third-party cooperation (which is mostly non-existent at best).
It's generally a lot easier to just use DNSBLs (a.k.a., RBLs, blocklists, blacklists, etc.) both in blocking mode (for the major offenders) and tagged mode, combined with a good content filter such as SpamAssassin so that users can filter based on the spam score.
I hope that helps.
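The DNSBL approach described in the reply above (blocking mode for the major offenders, tagged mode feeding a spam score), as an added example that is not part of the original thread or of the project's code. The zone names, score weight, threshold and function names are assumptions, and the content score stands in for what a filter such as SpamAssassin would report.

```python
import ipaddress
import socket

# Hypothetical zones; substitute the DNSBLs you actually use.
BLOCK_ZONES = ["block.dnsbl.example"]  # major offenders: reject during SMTP
TAG_ZONES = ["tag.dnsbl.example"]      # lower confidence: raise the spam score
TAG_POINTS = 2.5                       # assumed weight added per tag-zone hit

def dnsbl_name(ip, zone):
    """Query name = reversed address labels + zone (IPv4 octets, IPv6 nibbles)."""
    rev = ipaddress.ip_address(ip).reverse_pointer
    return rev.rsplit(".", 2)[0] + "." + zone  # drop in-addr.arpa / ip6.arpa

def system_resolver(name):
    """A-record lookup; None when the name does not resolve (not listed)."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def is_listed(ip, zone, resolve):
    answer = resolve(dnsbl_name(ip, zone))
    # Listings answer inside 127.0.0.0/8; treat anything else as not listed.
    return answer is not None and answer.startswith("127.")

def classify(client_ip, content_score, resolve=system_resolver, threshold=5.0):
    """Decide on the connecting IP (not the forgeable From header)."""
    if any(is_listed(client_ip, z, resolve) for z in BLOCK_ZONES):
        return ("reject", content_score)  # refused in-session, no mail sent out
    hits = sum(1 for z in TAG_ZONES if is_listed(client_ip, z, resolve))
    score = content_score + hits * TAG_POINTS
    return ("tag" if score >= threshold else "deliver", score)

# Constructed sample data: a fake resolver so the example runs offline.
FAKE_DNS = {
    "99.2.0.192.block.dnsbl.example": "127.0.0.2",
    "7.100.51.198.tag.dnsbl.example": "127.0.0.4",
}

def fake_resolver(name):
    return FAKE_DNS.get(name)

if __name__ == "__main__":
    for ip, content in [("192.0.2.99", 0.0), ("198.51.100.7", 3.0), ("203.0.113.5", 1.0)]:
        print(ip, classify(ip, content, fake_resolver))
```

Because every decision is keyed on the connecting IP address and made while the SMTP session is open, nothing is ever mailed to the address in the FROM header.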