Deciphering Email Confirmation Requests

by Leo A. Notenboom

I emailed a colleague and within minutes got this email in response that said something like "please visit this link and to confirm your identity in order for your mail to be delivered". What's that all about? Is it safe? Could it be spam, or phishing, or something else bad?

Welcome to spam wars. This episode could be entitled "Revenge of the spammed".

What you're probably seeing is something called challenge/response. In the last couple of years it's become a popular way for some folks to control the amount of spam they get.

A lot of people love it. But a lot of people, people like you and me who aren't spammers, absolutely hate it.

Here's how it works: when you sign up for a challenge/response (c/r) service, all of your incoming email is filtered by the service. If the email is from someone that the service recognizes is a legitimate, real person or valid sender, you get the email. But if the email is from someone the service has never heard of before, things get interesting.

When email is received from a sender that the c/r service has never heard of before:

The c/r service quarantines the email. You do not get it right away.

The service then sends that confirmation mail you mentioned back to the sender. That's called the "challenge".

When the sender follows the instructions, which usually involves clicking a link, and filling in one of those "match the picture" forms, they are validated as a "legitimate" sender. That's the "response".

Once validated, the original email they sent to you is delivered.
Once validated they are validated for good. They are assumed to be legitimate, and their email to you is delivered without additional delay.

Now if the sender never fills out that form, never responds to the validation request, then their mail is never delivered, and you never see it.

The theory is that spammers will not respond to the challenge, and their mail will never be delivered. People who are legitimate will complete the challenge, get validated, and have their email delivered as expected.

There are so many problems with this technique, it's hard to know where to begin.

Who's paying? - many people are vehemently opposed to challenge/response, because it shifts the burden of spam prevention on to the legitimate senders of email that isn't spam. The innocent pay the price, as it were. In fact I know several folks who simply will not respond to a challenge response system, ever.

Not all senders are people - say you purchase something at an on-line store. That store sends you an email confirmation. The c/r system quarantines that confirmation, sending a challenge back to the sender. MOST online merchants (and other online services) are simply not able to respond to the challenge. So the legitimate email will never be delivered.

Not all senders are who they say they are - you've seen lots of issues with email spoofing ... sending email as if it came from one person, who had nothing to do with it. If that spoofed sender has been validated by the c/r system, spam that appears to be coming from their address will get through.

Challenges look like phishing attempts - how many times have we heard "don't click on links in email you aren't sure of" ? The fact is that most challenges look a lot like many of the phishing attempts we see these days. If someone doesn't quickly and easily understand what it is they're looking at, they should (rightly, in my opinion) delete it and move on. That could mean that their legitimate email to you may not get through.

Now in many cases, one of the positions that most c/r service providers take is that you, the customer and email recipient, can proactively "whitelist" email addresses. That is, you can tell the service that email coming from addresses you provide does not need to be verified. Some will even automatically whitelist addresses that you send email to. Both very nice features.

But the practical reality is that c/r service users are not taking the time to whitelist all the email addresses that they should. And many cannot predict all the senders from whom they will get legitimate email.

Challenge/response is a nice idea ... but in my opinion, and that of many, many others, it fails the test of practicality. In the real world, it has too many flaws, and has the potential to prevent too much legitimate email from being delivered.

Spam is definitely a problem. Challenge/response is a very flawed solution.

Leo A. Notenboom is a software engineer and entrepreneur who worked for Microsoft for many years, either developing some of the company's best known software or managing other engineers who did. When he left he started his own software engineering company and consulting firm, Pudget Sound Software. In addition to the services offered through, Leo runs the the popular Ask Leo! technical support site ( Leo can be reached at

Free small business newsletter
Get great business ideas and advice like this sent to you in email twice a week.
Subscribe to the free Business Know-How newsletter. 
Enter your primary email address below


Follow Us and Share