Internet law expert Eric Goldman points out that winning anti-spam lawsuits is hard. SpamArrest just learned that the hard way, he explains. If you weren’t aware, SpamArrest (whose website proclaims “SPAM ARREST WORKS!”) is a vendor of a Challenge/Response-based anti-spam filtering system. The way that works is, if you’re using a C/R-based system, any time somebody sends you an email, the system sends the person back a “challenge” email that the sender must now respond to, usually by clicking on a link. By engaging in this “response,” the sender is proving that they’re not a robot. The theory being that by doing so, the sender must not be a spammer. It’s a flawed system, for multiple reasons. First, the internet is global, and it’s possible for bad guys to very cheaply hire people from a far away land to click these links all day long, every day. Even worse, legitimate senders aren’t going to take the time to bother to click through these links; they’re going to write it off as too time intensive. Do you really think Amazon is going to bother responding to challenge requests, to push through your shipping notification? For years, I’ve been telling senders to ignore C/R challenge emails, because it’s a self resolving problem, those people don’t want to receive emails, so let those people not get their emails. Even worse than that, those of us who actually care about the email ecosystem find C/R abhorrent because of its inherent backscatter problem. Spammers forge sending addresses. C/R systems send challenge emails back to those forged sending addresses. Thus, unrelated people often receive C/R challenge emails, when they didn’t even initiate the original message. It doesn’t solve the spam problem; it just exchanges spam mail for misdirected junk mail. I’m not a fan of SpamArrest, but I’m also not a fan of anything that makes it hard to use legal means to go after people sending unsolicited email. So my emotions are mixed on this one. Regardless, I wouldn’t be happy if I were one of the 600 SpamArrest users who received the alleged spam message in question. And with regard to the rest of their users, I worry that bad guys will now interpret the court’s ruling as making it acceptable to set up “C/R approval farms” and respond to every challenge message received. This would seriously undermine both SpamArrest’s business strategy and anti-spam strategy. And to the rest of the anti-spam community, allow me to echo something Eric says in his article: Anti-spammers don’t win in court just by showing up.
SpamArrest Loses in Court
S
It’s pretty amusing, in the linked Forbes article, to read a quote from Derek Newman about how great Spamarrest is. He was Virtumundo’s lawyer in Gordon v. Virtumundo, the case that made it CAN SPAM suits impossible in the 9th circuit.
You missed the biggest problem (IMHO) with challenge-response… that it shifts the burden of spam control from the recipient to all senders, including all legal senders – friends, relatives, etc. I NEVER click to make my mail go thru and guess what… it goes thru because the yutzes who use challenge respoonse can’t resiust looking in their quarantine folders… perhaps because they’d lose so much wanted email otherwise.
It shifts the burden of spam control away from the recipient. It doesn’t universally shift it back to the sender. Too many spammers forge sender info, so you end up shifting it off to an unrelated third party. That’s a shitty thing to do, that’s like having a toilet that works great, but it’s based on the principle of flinging shit on random passers by. It’s gauche in the extreme.
On the upside, C/R was already clearly dying. I’ve not received a C/R challenge in at least the last couple of years.
I have a somewhat different take on the case, that C/R was the least of their problems:
http://jl.ly/Email/spamarrest.html
I have been using spamarrest for over 6 years and I have no complaints. It has completely eliminated the hundreds of spam e-mails I used to receive daily. A new sender only has to do the C/R once to be added to my safe senders list. If I e-mail someone new, they are automatically added to my save senders list. If you are to lazy to click once, then I don’t need to hear from you…
I have just started using spamarrest and it is not convenient or smooth. However until someone can really help me with the abundance of spam I have no choice. You can monitor all incoming messages and authorize any you choose. The sender may have received a challenge response but I authorize things like Amazon and various newsletters so they won’t have to.
My problem with spamarrest is the amount of spam I get from people who use it asking me to make their spam filtering decisions for them. Of course, since they asked me if they need to see this mail, I always say yes (or I did until I blocked and deleted all mail from @spamarrest.com).
Spamarrest has been a significant source of spam in my mailbox from people like you. I think the less it’s used the better.
I enjoyed reading your opinion of C/R based services like those of SpamArrest. We are a mid sized company with a hundred email accounts spread over four departments. Some are actual user accounts, while others are either aliases or part of a group destined to a particular department. Before we moved to C/R based services a very large part of our IT department’s job was to weed though hundreds of daily emails. This forced them to also make decisions as to which email was valid and which email was bogus (SPAM). IT was a tremendous drain on our staff. When C/R based services were suggested (by me) it was met with reluctance by a few department heads. They mentioned the very basis of your post as being a PITA for the sender since it puts all the burden on them to qualify themselves. I cannot disagree, however you failed to mention that “known” senders from address books, frequent senders and other authorized senders can be inputted when setting up C/R based services so they automatically pass without intervention. Your opinion, although highly slanted against does not offer the full view of the way in which these systems fundamentally operated and as a result I feel you have flawed in your posting.
I don’t think you actually understand my major problem with C/R based systems. My problem is that I get a lot of challenges for mail that I never sent. There is a lot of spam (or there was, before I just blocked all mail from them) that I get that is in the form of “reply to this email so I know you’re a human.”
My addresses get forged into spam frequently, which results in a mailbox full of challenges for me. That’s what I don’t like – that users of C/R systems send me requests to filter their mail for them.