Work at SourceForge, help us to make it a better place! We have an immediate need for a Support Technician in our San Francisco or Denver office.


Challenge Response Considered Harmful?

  • dan_beale

    How does this software avoid some of the problems associated with CR systems?

    For example, what stops this software sending challenges to the forged FROM headers if a spammer sends x thousand emails with forged addresses in the FROM header?

    • As far as I know, this software relies on possibly-forged sender information.  This is the nature of the Challenge-Response ideology -- to fight abuse with abuse, by forwarding spam to forged senders.

      Many different techniques have been proposed over the years, such as whitelists, but these solutions are logically problematic for a variety of reasons, and tend to be impractical to implement due to the high requirements for third-party cooperation (which is mostly non-existent at best).

      It's generally a lot easier to just use DNSBLs (a.k.a., RBLs, blocklists, blacklists, etc.) both in blocking mode (for the major offenders) and tagged mode, combined with a good content filter such as SpamAssassin so that users can filter based on the spam score.

      I hope that helps.