January 10, 2007

Sendio — no effective response to the niche-forever challenge

Sendio is something of an exception to the appliance vendors I’ve been chatting with. There’s nothing particularly unique about their hardware or software architecture, and ease of deployment isn’t a big deal for them either. Indeed, it’s a little unclear to me that they really need to be an appliance vendor at all – but what the heck, they’re in the anti-spam market, and appliances are popular there.

So let’s go straight to their anti-spam technology, which is challenge/response. The basic idea is that e-mail senders, when they first message you, need to reply to a challenge e-mail for their mail to get through. After that, they’re whitelisted. What’s more, senders can be whitelisted by hand without ever going through a challenge/response cycle.

Sendio boasts almost 150 customer enterprises, concentrated in security-sensitive markets such as financial services, healthcare, and legal services. (One advantage of being security-sensitive may be that your correspondents are open-minded about enduring the challenge/response hassle.) As per a glowing review in Government Computer News – which incidentally takes a swipe at Barracuda – spammers so far do not bother doing anything to defeat the system.

Thus, the only current conceptual problem the company admits to is that of “good” bulk e-mail – which can only be received if you manually whitelist it. They claim, reasonably, that the number of bulk e-mailers that need to be allowed at any particular enterprise isn’t really all that high, although that seems more likely to be true at enterprises that, for example, have very disciplined centralized purchasing practices (so that the number of vendors sending automated e-commerce-related e-mails is small).

But while things look great now, I have severe doubts as to whether challenge/response authentication is the future of anti-spam technology, for two long-discussed reasons. Let’s just suppose challenge/response technology became widespread. Then:

  1. Spammers would have a strong incentive to defeat it. And it wouldn’t be hard on any level for them to train their zombie PCs to answer challenges.
  2. If a legitimate e-mail address were forged as the sender of many spam messages, it would create a huge flood of challenges directed at the address. And that would make a lot of users angry, possibly causing a backlash which would lead to the effective outlawing of challenge/response.

Sendio’s 150 customers may well get some more happy cohorts. But I suspect challenge/response is inherently doomed to remain a niche technology.
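A minimal model of the challenge/response flow described above and of the forged-sender problem in point 2, as an added example that is not from the original post or from Sendio. The `CRGateway` class, its method names and the `authenticated` flag (standing in for a sender check such as SPF) are assumptions, and the spam run is constructed.

```python
import secrets
from collections import Counter


class CRGateway:
    """Toy challenge/response filter for one mailbox (illustrative model only)."""

    def __init__(self, whitelist=(), challenge_unauthenticated=True):
        self.whitelist = {a.lower() for a in whitelist}  # hand-whitelisted senders
        self.challenge_unauthenticated = challenge_unauthenticated
        self.held = {}        # claimed sender -> (token, [held message bodies])
        self.inbox = []       # delivered (sender, body) pairs
        self.challenges = []  # addresses that were sent a challenge e-mail

    def receive(self, claimed_sender, body, authenticated):
        sender = claimed_sender.lower()
        if sender in self.whitelist:
            self.inbox.append((sender, body))
            return "delivered"
        if not authenticated and not self.challenge_unauthenticated:
            return "rejected"               # likely forged: no challenge, no backscatter
        if sender not in self.held:         # first contact: hold mail, challenge once
            self.held[sender] = (secrets.token_urlsafe(16), [])
            self.challenges.append(sender)  # sent to the *claimed* address
        self.held[sender][1].append(body)
        return "held"

    def answer(self, sender, token):
        """A correct reply whitelists the sender and releases the held mail."""
        sender = sender.lower()
        entry = self.held.get(sender)
        if entry is None or not secrets.compare_digest(entry[0], token):
            return False
        del self.held[sender]
        self.whitelist.add(sender)
        self.inbox.extend((sender, b) for b in entry[1])
        return True


def backscatter(gateways, spam_run):
    """Feed a spam run to every gateway; count challenges per claimed sender."""
    for gw in gateways:
        for claimed_sender, body in spam_run:
            gw.receive(claimed_sender, body, authenticated=False)
    return Counter(addr for gw in gateways for addr in gw.challenges)


# Constructed sample: five spam messages forging one bystander's address.
SPAM_RUN = [("victim@example.org", "buy now")] * 5
print(backscatter([CRGateway() for _ in range(3)], SPAM_RUN))
```

With three independent gateways the forged address receives three challenges it never asked for; constructing the gateways with `challenge_unauthenticated=False` brings that count to zero, at the cost of rejecting unauthenticated first-time senders outright.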

Comments

5 Responses to “Sendio — no effective response to the niche-forever challenge”

  1. Richi Jennings on January 10th, 2007 5:59 pm

    C/R is essentially unintentionally-abusive.

    Practically all spam has forged senders. Some of those forged addresses belong to real people. Ergo, challenges go to real people.

    See my howl of rage when my domain got used to forge millions of spam messages over a 48 hour period. Some of the backscatter came from Sendio users.

    Most C/R vendors are in public denial (while simultaneously trying to band-aid the problem in the background). Sendio has a particularly left-of-field drawer statement on the issue, which basically runs: “No spammer uses a real email address as a forged sender.” This is, of course, bullcrud.

  2. Richi Jennings on January 10th, 2007 6:01 pm

    Oh, and another thing.

    As I said, practically all spam has forged senders. Some of those forged addresses belong to spamtraps. Ergo, challenges cause your IP address to end up on blacklists and reputation service databases.

    So by using C/R, your outbound email won’t get through.

  3. Curt Monash on January 10th, 2007 8:00 pm

    Thanks, Richi. That latter point is particularly telling, I think.

    The others can perhaps be brushed off by the philosophy “Who cares who else gets hurt as long as I’m OK?” Ironically, that’s a spammer’s mentality, but it’s not uncommon in many other places as well.

    But your last comment shows the disadvantages of challenge/response to challenge/response users THEMSELVES.

    CAM

  4. Joe Heinzen on April 11th, 2008 9:57 am

    I think you’re missing the point… SAV is the last resort…

    Only after doing very thorough checks on the sender (SMTP protocol authentication, SPF,
    Silver Lists, DNS, etc), enterprise policy (# recipients, size, corp white list, etc)
    and finally checking to see if the sender is known (contact files) it will send a SAV
    message. On the average only 3 out of 1,000 messages.

    Sendio has been a blessing for us… absolutely no spam and no lost emails.
    Our customers have not complained about SAV even once.

  5. Curt Monash on April 15th, 2008 8:47 am

    Joe,

    If it’s 3/1000 messages, why do you even care? :)

    Thanks!

    CAM
