Sendio is something of an exception to the appliance vendors I’ve been chatting with. There’s nothing particularly unique about their hardware or software architecture, and ease of deployment isn’t a big deal for them either. Indeed, it’s a little unclear to me that they really need to be an appliance vendor at all – but what the heck, they’re in the anti-spam market, and appliances are popular there.
So let’s go straight to their anti-spam technology, which is challenge/response. The basic idea is that e-mail senders, when they first message you, need to reply to a challenge e-mail for your mail to get through. After that, they’re whitelisted. What’s more, senders can be whitelisted by hand without ever going through a challenge/response cycle.
Sendio boasts almost 150 customer enterprises, concentrated in such security-sensitive markets such as financial services, healthcare, and legal services. (One advantage of being security-sensitive may be that your correspondents are open-minded to enduring the challenge/response hassle.) As per a glowing review in Government Computer News – which incidentally takes a swipe at Barracuda – spammers so far do not bother doing anything to defeat the system.
Thus, the only current conceptual problem the company admits to is that of “good” bulk e-mail – which can only be received if you manually whitelist it. They claim reasonably that the number of bulk e-mailers that need to be allowed at any particular enterprise isn’t really all that high, although that seems to be more likely true at enterprises that, for example, have very disciplined centralized purchasing practices (so that the number of vendors sending automated e-commerce-related e-mails is small).
But while things look great now, I have severe doubts as to whether challenge/response authentication is the future of anti-spam technology, for two long-discussed reasons. Let’s just suppose challenge/response technology became widespread. Then:
- Spammers would have a strong incentive to defeat it. And it wouldn’t be hard on any level for them to train their zombie PCs to answer challenges.
- If a legitimate e-mail address were forged as the sender of many spam messages, it would create a huge flood of challenges directed at the address. And that would make a lot of users angry, possibly causing a backlash which would lead to the effective outlawing of challenge/response.
Sendio’s 150 customers may well get some more happy cohorts. But I suspect challenge/response is inherently doomed to remain a niche technology.