
The Kindness of Strangers, or Not

A few days ago I was startled to get an anti-spam challenge from an Earthlink user, to whom I had not written. Challenges are a WKBA (well known bad idea) which I thought had been stamped out, but apparently not.

The plan of challenges seems simple enough: they demand that the sender do something to prove he’s human that a spammer is unlikely to do. The simplest ones just ask you to respond to the challenge; the worse ones, like this one, have a variety of complicated hoops they expect you to jump through.

What this does, of course, is to outsource the management of your mailbox to people who probably do not share your interests.

In this case, I sent a message to a discussion list about church financial management, and the guy sending the challenges is a subscriber.

Needless to say, an anti-spam system that challenges messages from mailing lists to which the recipient has subscribed is pretty badly broken, but it’s worse than that.

On the rare occasions that I get challenges, my goal is to make the challenges go away, so I have two possible responses:

  • If it’s in response to mail I didn’t send, i.e., they’re responding to spam that happens to have a forged From: address in one of my domains, I immediately confirm it. That way, when the guy gets more spam from the forged address, it’ll go straight to his inbox without bothering me. Since the vast majority of spam uses forged addresses, this handles the vast majority of the challenges.
  • If it’s in response to mail I did send, I don’t confirm it, since I generally feel that if it’s not important enough for them to read my mail, it’s not important enough for me to send any more. In this particular case, I wrote to the manager of the mailing list and encouraged him to suspend the offending subscriber, since if he’s sending me challenges, he’s sending them to everyone else who posts to the list, too.

You may have noticed that neither of these is likely to be what the person sending the challenges hoped I would do. But you know, if you give random strangers control over what gets into your inbox, you get what you get. So don’t do that.

There are plenty of other reasons not to send challenges, notably that many mail systems treat them as “blowback” spam with consequent bad results when the system sending the challenges tries to send other mail, but I’d hope the fundamental foolishness of handing your inbox to strangers would be enough to make it stop.

By John Levine, Author, Consultant & Speaker


Comments

I just ignore the challenges
Dan York  –  Sep 21, 2016 12:36 AM

When I get one of these (and they are thankfully very rare these days), I just delete it. If it is from someone to whom I really want to communicate, I may try some other messaging channel. Or not. I agree they are foolish.
