  June 19, 2025
The Problems with Challenge Response

The first question you likely have is, what exactly IS Challenge-Response (or CR) spam filtering? Well, it's simple. CR was designed as a program that would validate that the sender of an email was a real person, and not a spammer or an automated mailing program, both of which send spam. In theory, when a person received an email from someone else, the program would automatically send the sender a challenge email. To prove they were a person, the sender had to complete some challenge, whether it be clicking a link, typing a response, or some such thing. Sounds good, right? After all, it would be an awful inconvenience to spammers to have to deal with this. Well, the end result was that CR failed. Badly.

Why did it fail? Let's break that question down into parts, and look at the various reasons this particular spam filtering method does not work well at all.

  1. CR puts the pressure on the SENDER to prove they are not sending spam, but rather valid email.

    Now, I'm certain you're thinking 'no big deal, it's only one time', right? Wrong. Just because you validate yourself once does not mean you'll never have to do it again. For example, say you send an email to five people. All five use the CR system to sort their emails. You don't have to respond to the challenge once, but FIVE TIMES! Now likely even this doesn't seem to be an issue, but how many people do you email? Ten? Twenty? A hundred? See, if every one of those people (even the ones you only send email to once) uses CR, then you'd get challenged for each one. Now does it sound like fun?

  2. CR programs can't always tell the difference between CR challenges, bounced messages, and normal mail

    Now what exactly does this mean? Simple. Most CR programs can't tell which messages were automatically generated as a result of a problem, and which were sent by a person. How exactly is this a problem?

    Let's say Bob sends Joe an email. Now both Bob and Joe use the CR system. Bob's email generates a CR challenge on Joe's system. Not a problem, right? Joe just has to click a link. Well, it doesn't work like that. There's a very good chance Joe's challenge mail will trigger a challenge mail from Bob's CR program. Now suddenly both Bob's and Joe's CR programs are busy challenging each other, each waiting for an answer to approve the other. Since neither Bob nor Joe knows what is going on, both systems keep challenging the other, waiting to get a positive response. It's like two baseball players throwing a ball back and forth.

    Now, this may not seem like a big deal, until you understand something about an email server. Mail travels on the internet much like a car down a highway. So each time a challenge is sent from one system to another, that challenge takes up capacity that could be used for something else. Now imagine if you end up with ten, or twenty, of these CR systems challenging each other. Or a thousand. That's a LOT of wasted resources. And it keeps going until someone manages to break the loop. Potentially this could shut down a mail system IF it happens at a great enough rate.

    Indeed, bounced or failed message delivery works the same way: one server sends an error message to the CR system, the CR system challenges the error message, and each challenge triggers a new failure message, so the CR system keeps challenging the mail system indefinitely.

  3. Spammers are smarter than computers

    The CR system can easily be bypassed by hackers given time, and there are many ways for this to happen. For example, a hacker could spoof a valid email domain, such as @microsoft.com or @sympatico.ca, both of which are unlikely to get challenged because they are senders a recipient would expect. So that's already one hole in the system a spammer or hacker could exploit.

    But that's not the only one. Another is to use a tool to capture your outgoing emails. Since the addresses you write to are likely to be whitelisted, a spammer can then spoof those addresses and get spam into your inbox that way. So now there are two holes that spammers can exploit to get spam to you, effectively negating the point of your CR system.

  4. People don't want to deal with challenges

    If you've ever seen a challenge email, you know what this means. These emails frankly LOOK like spam. And with so many people doing their best to ignore spam, or reporting it, a CR system COULD get you into trouble. There are actually reports of people getting blacklisted because their challenge emails were reported as spam. Other receivers will block the address that the challenges come from, and still others just trash them.

    End result? Every one of those people will be unable to contact you. And if you're a seller, or a web site owner, this is a very big problem. You will not be able to receive sales, questions, comments, information, or anything else you need if you aren't receiving your emails. Indeed, even your friends or family could end up in this category if they just don't want to deal with the challenges that your CR system generates. And you'll never know why.

  5. You can't get onto any mailing lists without whitelisting the address

    Mailing lists are run by computer. They cannot respond to challenges because they don't UNDERSTAND challenges. Some mailing list owners automatically ban any CR users from their systems, because it's not fair to the other group members to have to validate their email addresses with you. And you'd never know this because, again, your CR system would block these emails.

  6. CR systems put an unfair burden on innocent parties

    I suppose you're wondering how this works. Have you ever looked at a spam message? Many of them NEVER use their real address. Instead they spoof an innocent third party's email address. When your CR program then sends out a challenge, it does not end up going to the spammer; instead it ends up going to someone who doesn't even know you. And suddenly you've become a spammer yourself. After all, the innocent party in all this never tried to contact you, or wanted to contact you.

  7. CR systems have a very poor accuracy rate

    This should be obvious by this point. After all, between valid senders who don't want to deal with your CR system, and spammers spoofing email addresses, you're basically left with two choices when using this system:

    1. Check all your junk mail manually. But then why bother having the system in the first place?
    2. Lose a LOT of valid emails that get trashed, and be left wondering why no one contacts you.
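The Bob/Joe challenge loop and the bounce loop from point 2 can be reproduced in a few lines. This is an added simulation, not code from the page; the mailbox names, the message format and the round cap are constructed, and the "strict" mitigation is the convention for automatic responders from RFC 3834 (never respond to mail that is itself automatic or has a null envelope sender, and mark your own responses as automatic).

```python
"""Two challenge-response (CR) filters writing to each other: naive vs. strict."""
from dataclasses import dataclass, field


@dataclass
class Msg:
    env_from: str                 # SMTP envelope sender; "" is the null sender used by bounces
    to: str
    headers: dict = field(default_factory=dict)


def is_automatic(msg):
    """RFC 3834 test: is this message itself an automatic response or a bounce?"""
    auto = msg.headers.get("Auto-Submitted", "no").lower()   # absent header means "no"
    prec = msg.headers.get("Precedence", "").lower()
    return msg.env_from == "" or auto != "no" or prec in ("bulk", "junk", "list")


class CRFilter:
    def __init__(self, owner, strict):
        self.owner, self.strict = owner, strict
        self.whitelist = set()        # constructed: starts empty, so every sender is challenged
        self.challenges_sent = 0

    def receive(self, msg):
        """Return the challenge to send back, or None if the mail is delivered or quarantined."""
        if msg.env_from in self.whitelist:
            return None               # known sender: straight to the inbox
        if self.strict and is_automatic(msg):
            return None               # quarantine silently: challenging would loop or backscatter
        self.challenges_sent += 1
        hdrs = {"Auto-Submitted": "auto-replied"} if self.strict else {}
        # strict mode also sends the challenge with a null envelope sender, so a bounce of the
        # challenge cannot itself be challenged; naive mode sends it from the owner's address
        return Msg("" if self.strict else self.owner, msg.env_from, hdrs)


def run(strict, max_rounds=100):
    """Bob writes to Joe; return how many challenges both filters sent before the mail stopped."""
    bob, joe = CRFilter("bob@example.com", strict), CRFilter("joe@example.com", strict)
    boxes = {bob.owner: bob, joe.owner: joe}
    queue, rounds = [Msg(bob.owner, joe.owner)], 0
    while queue and rounds < max_rounds:     # the cap stands in for the mail system giving out
        reply = boxes[queue.pop(0).to].receive(queue[0] if False else None) if False else None
        rounds += 1
    return bob.challenges_sent + joe.challenges_sent
```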

Hopefully now you see the inherent problems with the CR system of spam checking. Although in theory it does look good, there are far too many flaws in it to ever work in a real world situation. It is an inconvenience to everyone in the end, except the spammers. And isn't that who we all want to inconvenience?
