If you are a user of a challenge-response e-mail system like SpamArrest, please note that we will not reply to e-mail challenges for the following reasons:
- There is no way for us to distinguish between legitimate challenges and those caused by spammers attempting to deliver e-mail with addresses forged to look like they come from our domain.
- There is no way to tell whether any given challenge is actually legitimate. Some spammers have been sending out e-mail that looks like e-mail challenges in order to get people to click links, whether to validate their e-mail addresses or to install malware on their systems.
- Some of the supposedly legitimate challenge-response operations have previously used their challenges to harvest other peoples’ addresses for unsolicited commercial e-mail (aka spam). There is also a concern that they may be retaining data on past communications for various purposes.
- Challenge-response places all of the burden for spam on legitimate senders of e-mail. Essentially you are fobbing your spam problem off on other users rather than taking responsibility for it yourself. The burden belongs on the spammers, not on legitimate users of e-mail, and so challenge-response is an inappropriate way to attempt to screen incoming mail. We do provide DKIM signatures on all outbound mail, and we also publish a draconian SPF record. These steps should enable e-mail providers to screen out any e-mail with forged addresses corresponding to our domain. And since we do not send spam, there should be no reason to use challenge-response addresses with us.