Challenge / Response - How It Works

Challenge/Response is a system that requires the sender of an email to verify that he/she has actually sent the email. This confirmation must be provided manually by visiting a web page and entering a code.

Figure. Challenge / Response chart.

The Challenge /Response system is a critical component of the full IceWarp Antispam solution. The purple components above are the full IceWarp Antispam data diagram.

In the most typical situation, messages arrive at the Challenge/Response system after they have already passed all "whitelisting" possibilities as described in the Black & White listing techniques and are already marked as a spam.

  • When an email is received by the server, it is not delivered to the recipient, but stored in a temporary folder. If more messages are sent from the same sender then all messages are stored in the same folder. Such messages are marked as "pending message(s)". If the pending message is not authorized within the specified number of days - it is automatically deleted.
  • The IceWarp Server will generate the request for confirmation, which will be delivered to the email sender. It uses the sender from the SMTP protocol, which can be different from the Mail From: displayed in the message.
  • The sender (if they exist) will receive the request for confirmation and must confirm it. The confirmation requires visiting a special web site and entering some characters into a text field. It prevents usage of automated confirmation systems.
  • The IceWarp Server will receive the confirmation from the sender and will deliver the email(s) to the recipient. The sender is also entered into the "approved senders list" so confirmation will not be requested the next time.

Note: Emails with blank Mail From (it looks like MAIL FROM: <> in SMTP session) are bypassed by the Challenge Response engine. To handle such messages you should use Content Filters or Black & White Lists.

Screenshot Examples

Figure. Example 1.

Request for Confirmation Sent by Mail Server to Sender

 

Figure. Example 2.

URL of the Page with Sender Confirmation Request

Figure. Example 3.

If Sender Enters the Code Properly they Are Automatically Authorized

Depending on the setup of the Challenge Response system, the sender can be authorized for just one recipient, or for all recipients on the server.

For information on "robotic" messages, refer to the Domains and Accounts - Management - User Accounts - User - Mail section.