Challenge-Response Backscatter is a Bogus Argument

User Rating: / 2
PoorBest 

Many email security pundits like to rail against challenge-response technology arguing various issues. One of them is the backspatter argument which goes like this:

Since spammers use forged email addresses challenge-response users unwittingly send email to forged users who didn't send the original message unfairly penalizing them for the protection offered to the challenge-response user. All this extra email has been called 'backspatter'.

I think the ‘Backspatter’ argument is a red herring (smelly fish to distract people from the truth). Here’s the logic:

My research shows that people are getting 11.5 spams a day on average despite the best efforts of spam filters. And if they’re 95% successful at removing spam, that means that their email inbox is a target for 11.5/0.05 = 230 spam/user/day.

Another recent study just completed (not yet published) shows that C/R users represent 5.6% of business email users. Well behaved C/R systems send out only 2-6% challenges with about 1% going to legitimate first time senders.

The question is of the 2-6% how many are actually forged?

My address hasn’t been forged by a spammer in a long time, except to send a message to me from me.

If the forged address is count is low (likely) say 1% then the probability of getting a backscatter message is 0.0000224 or 1 in 44,643 email. At the rate of 230 spam a day, that would be about once every 194 days. Of course honeypot operators are likely to be more vulnerable than others.

So, although one can argue that challenge-response is unfair to forged address users, this math shows that it is trivially unfair to them and at the same time both correctly and completely unfair to spammers. I’d suggest that that is a very reasonable side-effect of the technology.