Challenge-response systems could beat spam

Spam is increasing dramatically and the volume may well become unbearable in another year, or maybe two. What can be done about it?

It would help if all the world's governments took a hostile attitude to spam, but there is no chance of that. The US may fine a few more spammers, but the flood of junk mail routed via China, Russia, South Korea and other places is not going to be stopped.

It would help if all the internet service providers enforced their terms of service, which are usually more hostile to spam than the average marketing-friendly government. But they will never do enough because that costs money. ISPs do block spammers' accounts, but spammers just set up lots of accounts knowing they will be blocked.

It would help if the Internet Engineering Task Force came up with an extension to the Simple Mail Transfer Protocol, which is so badly designed that it will accept any old rubbish from anyone. For example, a sender verification protocol might at least cut down the amount of spam with forged addresses. But I don't see the IETF doing anything useful this decade. Even if it did, it could take years to make an impact.

It would help if more users and more ISPs installed Bayesian (probability-based) spam filtering, canning more spam before it reaches mailboxes. This seems to work. But in the absence of other action, the spammers are just going to send lots more spam, and much more ingenious spam.

Since the chance of co-ordinated action is zero, there is only one alternative: a challenge-response mechanism. In other words, users will refuse to accept any mail unless its validity has been confirmed by a human being.

In principle, what you do is bounce mail back, asking the sender to confirm that they meant to send it. Spam e-mails that are sent in hundreds of millions are never confirmed, and most likely are never seen again.

Of course, individuals do not do the bouncing, validation and white-listing: it is done by companies that offer spam-blocking services. Some use HIPs (human interactive proofs). One common challenge is to copy a number from a small, distorted image: humans can do this easily, but computers usually cannot.

Challenge-response will needlessly increase the amount of traffic on the internet, because one piece of mail can make three trips in order to arrive. It will introduce delays, sometimes for days, making e-mail much less useful. It will make sending e-mail much more tedious than it needs to be, and more expensive. But it will improve my quality of life.
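The mechanism described above, as an added sketch that is not part of the original column or any vendor's product: mail from an unknown sender is held, a challenge goes back, and only a valid reply releases it and white-lists the sender. The class and field names, the example addresses and the use of an HMAC-signed token in place of a distorted-image HIP are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

class ChallengeResponseFilter:
    """Holds mail from unknown senders until the sender answers a challenge."""

    def __init__(self, key: bytes):
        self.key = key            # server-side secret used to sign challenge tokens
        self.whitelist = set()    # senders who have confirmed once
        self.quarantine = {}      # msg_id -> (sender, body) awaiting confirmation
        self.inbox = []           # delivered (sender, body) pairs
        self.trips = 0            # messages crossing the network

    def _token(self, msg_id: str, sender: str) -> str:
        # Binding the token to msg_id and sender stops it being reused elsewhere.
        mac = hmac.new(self.key, f"{msg_id}|{sender}".encode(), hashlib.sha256)
        return mac.hexdigest()

    def receive(self, sender: str, body: str):
        """Trip 1: inbound mail. Returns (msg_id, token) if challenged, else None."""
        self.trips += 1
        if sender in self.whitelist:
            self.inbox.append((sender, body))
            return None
        msg_id = secrets.token_hex(8)
        self.quarantine[msg_id] = (sender, body)
        self.trips += 1           # trip 2: challenge sent to the claimed sender
        return msg_id, self._token(msg_id, sender)

    def confirm(self, msg_id: str, token: str) -> bool:
        """Trip 3: the sender's reply. Releases held mail only if the token verifies."""
        self.trips += 1
        held = self.quarantine.get(msg_id)
        if held is None or not hmac.compare_digest(token, self._token(msg_id, held[0])):
            return False
        del self.quarantine[msg_id]
        self.whitelist.add(held[0])
        self.inbox.append(held)
        return True

def demo():
    # Constructed sample traffic: one real correspondent, one forged bulk sender.
    f = ChallengeResponseFilter(key=b"constructed-demo-key")
    msg_id, token = f.receive("alice@example.org", "Lunch on Friday?")
    f.receive("forged@example.net", "Cheap pills")    # challenge is never answered
    bad = f.confirm(msg_id, "0" * 64)                 # guessed token is rejected
    ok = f.confirm(msg_id, token)                     # genuine reply releases the mail
    f.receive("alice@example.org", "Running late")    # white-listed: a single trip
    return ok, bad, f.inbox, len(f.quarantine), f.trips
```

The first message from a new correspondent costs three trips, the spam costs two and stays in quarantine, and later mail from the confirmed sender costs one.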

Jack Schofield is computer editor of the Guardian