Fighting Spam with Challenge Response Systems
Tuesday, 05 July 2005
There are many effective ways to fight spam. One way that seems to be gaining ground with small businesses and professionals is challenge-response. In theory, these systems sound great, but if you don't set them up correctly, you may be losing prospects and customers. Think I'm kidding?

Challenge response systems have been around since 1997. Although I don't use them, I admit they have value. The concept is simple. When you send an email to a user of these systems, you get back a one-time request to type in a CAPTCHA or answer a qualifying question. If you answer correctly, you're added to the recipient's whitelist or approved list. The purpose of the CAPTCHA is to verify that a person responded and not an automated process. For the trivia buffs, CAPTCHA is an acronym for "completely automated public Turing test to tell computers and humans apart".

C/R systems can be effective, but I'm seeing more problems. To start, I'm getting too many repeat challenge requests. For some reason, friends or businesses that previously verified me are sending challenges again. No one has given me a definitive answer why this is happening. Most people don't mind going through this process once, but it becomes an aggravation on subsequent requests.

Another troubling issue is the increased challenge time. Some systems and users are not sending out the challenge emails in a timely fashion. I got a challenge this morning that was sent 16 hours after my initial email. If I had known I would encounter the challenge and time delay, I would've used the phone. For these systems to be effective, the challenge email has to go out within 5 minutes.

Timing and duplicates aside, I question whether including a boatload of legalese is helping. Yesterday, I sent a consultant an email telling him of new state email rules. In response to my email, the challenge email included this text:

SENDER AGREEMENT - By clicking the "VERIFY" button above, and in consideration for [Name of company], LLC forwarding your e-mail (and any e-mails you may send in the future) to the intended recipient (the "Recipient"), you agree to be bound by the following Sender Agreement:

You represent and warrant to [Name of company] and the Recipient that any e-mail you desire to send to the Recipient is not "unsolicited commercial e-mail" i.e., the e-mail does not primarily contain an advertisement or promotion of a commercial product, service or Web site; unless the Recipient expressly consented to receive the message, either in response to a clear and conspicuous request for such consent or at the Recipient's own initiative. Further, you represent and warrant that your transmission of any e-mail does not violate any local, state or federal law governing the transmission of unsolicited commercial e-mail, including, but not limited to, RCW 19.190.020 or the CAN-SPAM Act of 2003. You understand and acknowledge that it is fair and reasonable that you agree to abide by the restrictions set forth in this agreement. You acknowledge and agree that this agreement is central to [Name of company]'s decision to forward your e-mails to the Recipient. Accordingly, if you violate this agreement, [Name of company] and the Recipient shall be entitled to (1) temporary and/or permanent injunctive relief to restrain any further breaches or violations of this agreement; and (2) damages in the amount of two thousand dollars ($2,000.00) for each violation of this agreement. You acknowledge that such remedies are appropriate and reasonable in light of the costs and expenses [Name of company] incurs as a result of eradicating and filtering unsolicited commercial e-mail. You acknowledge that the $2000.00 remedy is a reasonable estimate of [Name of company]'s and the Recipient's actual damages. This agreement is governed by the laws of the State of Washington and the exclusive venue for any action related to this agreement shall be held in the state and federal courts located in Washington. You hereby waive any right to object to venue or jurisdiction based on inconvenient forum, lack of personal jurisdiction or for any other reason.

How many people know and understand the CAN-SPAM Act of 2003 or RCW 19.190.020? I had to look it up. As a courtesy, you would think the vendor would provide hyperlinks so people could check the references. After all, the vendor provides links for me to become an affiliate and earn money.

While the above problems might be out of the user's control, there are plenty in their control. I'm less forgiving with businesses that fail to use these systems properly. This week, I ordered an update to an online report. When I ordered the report several months ago, I never got the confirmation email with the download URL. I clicked the email link provided in my receipt and sent an email to the publisher about the problem. I then received a challenge response email. Since I paid for the order, I complied and typed in the CAPTCHA. What do you suppose happened when I ordered the updated report this week? Again, a delivery problem, except this time the company realized the mistake and provided an email link for customers to respond. It was the same email address as before. Sure enough, I received another challenge. I was astounded that a business wouldn't take the time to ensure customers were whitelisted. I think the company should've turned the system off for a day or two so as not to further inconvenience customers who had not received their product. They could also have set up an entirely new email address for this specific problem.

Challenge response systems can be very effective for many people if properly used. While no spam solution is perfect, these systems can present an image you didn't intend. Before business people commit to these systems, I think they should do some planning. Here are some questions you might consider:

  • How easy is it to whitelist addresses?

  • Can you import or add your address book to the whitelist?

  • Can you scan your "sent email" for email addresses to add to the whitelist?

  • Are people you send email to automatically whitelisted?

  • Is there a way to add domain names for companies?

  • Do you get any automated emails that won't be able to reply to a challenge, such as newsletters, mailing lists, account statements, purchase confirmations, emergency email notices, etc.?

  • How is your whitelist stored? Is it on your computer or with a third party?

  • Does the service work with your email program?

  • Is the whitelist backed up?

  • Can you export your whitelist?

  • Does the system offer a "warn" mode where email is queued, but challenge messages aren't sent?

  • Can you customize your challenge email or add your name and logo?

  • Does the challenge email show the sender's Subject line?

  • Does the challenge message require the user to go to the web?

  • Can the challenge message be read by text readers?

  • How does the challenge email look on a PDA or cell phone?

  • Does the system mail another challenge request if another email is received from the same sender during the day? (For example, I send one email at 10:00 AM, don't respond to the challenge, and then send another email at 2:00 PM.)

  • How does the service handle spoofed email addresses from friends such as those created by email viruses?

  • Does the challenge email include any text you don't understand such as legal terms?

  • Would a challenge email deter your clients or prospects?

  • Will using this type of system shift traffic to phone or fax?

  • Is the challenge message available in languages your customers use?

  • Does your competitor use a similar system?

  • Would your customers or prospects tell you if they didn't like the system?

  • Can you manually release emails in the unverified queue?

  • How is email removed from the unverified queue (time, message count)?

  • Have you tested the system against one of your own email accounts?

  • Are you comfortable with the vendor's privacy and security policy?

  • Are the vendor's support hours similar to yours?
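
Several of the questions above (automatic whitelisting of people you write to, company domains, automated senders, "warn" mode, repeat challenges) describe a filter's decision logic. The Python below is an added example, not code from the original article or from any vendor; the class name, the 24-hour challenge interval and the sample addresses are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

CHALLENGE_INTERVAL = 24 * 3600  # assumption: one challenge per sender per day

class ChallengeResponseFilter:
    def __init__(self, warn_mode=False):
        self.warn_mode = warn_mode   # queue mail but never send challenges
        self.addresses, self.domains = set(), set()   # the whitelist
        self.queue = {}              # sender -> messages held unverified
        self.last_challenge = {}     # sender -> time the last challenge went out

    def record_outbound(self, recipient):
        self.addresses.add(recipient.lower())  # people you write to are whitelisted

    @staticmethod
    def is_automated(msg):
        # Newsletters, lists and notices cannot answer a challenge.
        auto = msg.get("Auto-Submitted", "no").strip().lower() != "no"
        bulk = msg.get("Precedence", "").strip().lower() in {"bulk", "list", "junk"}
        return auto or bulk or "List-Id" in msg

    def handle_inbound(self, raw, now):
        msg = message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        if sender in self.addresses or sender.rpartition("@")[2] in self.domains:
            return "deliver"
        self.queue.setdefault(sender, []).append(msg)
        if self.warn_mode or self.is_automated(msg):
            return "hold"        # left for manual release, no challenge sent
        last = self.last_challenge.get(sender)
        if last is not None and now - last < CHALLENGE_INTERVAL:
            return "hold"        # already challenged recently, do not repeat it
        self.last_challenge[sender] = now
        return "challenge"

    def verify(self, sender):
        self.addresses.add(sender.lower())         # challenge answered: whitelist
        return self.queue.pop(sender.lower(), [])  # and release the held mail

def demo():
    # Constructed sample traffic: (sender, extra header, seconds since midnight).
    f = ChallengeResponseFilter()
    f.record_outbound("client@example.org")
    traffic = [("client@example.org", "", 0), ("new@example.net", "", 36000),
               ("new@example.net", "", 50400),
               ("news@example.com", "List-Id: <news.example.com>\n", 60000)]
    return [f.handle_inbound(f"From: {s}\n{h}Subject: hi\n\nbody\n", t)
            for s, h, t in traffic]
```

Because the whitelist is keyed on the From header, a forged message using a whitelisted friend's address is delivered. That is the spoofing question in the list, and answering it takes sender authentication in addition to the whitelist.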

I do not doubt the effectiveness of challenge response systems, as they are a good tool. But like any tool, they are best used for specific functions. If improperly used, they can negatively influence your business. Everyone has spam problems, but I don't appreciate it when companies make their solutions a problem for others. I'm less apt to deal with companies that put me through the challenge process twice. I doubt I'm alone in my opinion.


Last Updated ( Tuesday, 05 July 2005 )