How Invisible Inbox avoids the pitfalls of Challenge/Response (C/R)
Other Challenge/Response based systems suffer from a wide range of problems that are solved with Invisible Inbox. When done properly, challenge/response offers solid, reliable protection from SPAM. Check competitive systems, and be sure they do everything Invisible Inbox does to protect you and that they do it at a reasonable price!

What is Challenge/Response?

Challenge/Response or C/R is a technology where you can prove the validity of an email by confirming the authenticity of the sender. This is done by sending an email back to the person trying to email you for confirmation that the return address given is accurate.


Everyone who regularly emails me needs to deal with C/R

The Problem:
As soon as you install a C/R system, all your regular email partners will need to deal with a challenge message.

Invisible Inbox Solution:
Invisible Inbox allows you to import your Address Book into the approved senders list so that none of your friends will need to deal with a challenge email when they email you.


Everyone I email needs to deal with C/R if they reply

The Problem:
Everyone who replies to an email that you send needs to deal with C/R.

Invisible Inbox Solution:
Add a keyword to your email signature and add that key to the "Auto Approve" list. Then when they respond, your signature will work as the key to allow their email to be delivered without C/R.


No way to access email until it's approved

The Problem:
While email is waiting to be approved via C/R, it is held outside your email program, usually in a centralized repository and cannot be accessed. You don't know if an important email is waiting and you have no way to approve the emails manually.

Invisible Inbox Solution:
Invisible Inbox holds all of your pending email on your computer in a folder on your hard drive where you can access it any time. Just click any email to read it. The program also has a preview panel where you can review and approve (add to "Approved" list) or reject (add to "Spammer" list) any email prior to the receipt of a response from the sender.


Newsletters and mailing lists can't deal with C/R

The Problem:
While individuals have no problem with C/R, it simply doesn't fit when it comes to mailing lists and newsletters.

Invisible Inbox Solution:
You can manually add any email account or domain to the "Approved" list using expressions (*@someacct.com, *.mx??.* or %MAJORDOMO%) for a very powerful way to pre-qualify any account to be delivered without C/R. If you are familiar with the standard contents of the newsletter or mailing list message you can also add a key that consistently exists in the email to the "Auto Approved" list. You could also wait until the first message arrives and manually approve the message. Any of these methods will approve all future newsletters or mailing list messages from that source which means once the messages are flowing, you can remove the rule to be sure SPAMMERS cannot take advantage of the hole.


Spoofed Response Messages

The Problem:
A SPAMMER sends a fake response without ever receiving a challenge just to get approved and open the flood gates, allowing them to send all the messages they want without being blocked.

Invisible Inbox Solution:
When we send a challenge email, it includes a special ID number generated at the time the challenge is sent. Unless the response includes that ID, it isn't accepted. As the ID is nine digits long, it would require the SPAMMER to send ONE BILLION fake response emails just to open one email address to allow delivery. Not something that is going to happen!


First time trusted mailers need to deal with C/R

The Problem:
All new emailers will need to be approved through the C/R system before their email can be delivered.

Invisible Inbox Solution:
You can specify as many different "Keys" as you like. When one of them is included in an email, the sender is automatically approved. Just tell your friends to include one of your keys and their email account will be marked approved immediately upon arrival of their first email. They only need the key one time; after that they are approved and all email will flow in without challenge.

You can change your keys as often as you like and have as many different keys as you like to assure that SPAMMERS never get hold of any key that might let them in.


Legitimate customers need to deal with C/R

The Problem:
Customers with sales or support questions are put off by the need to respond to a challenge email before their questions can be answered.

Invisible Inbox Solution:
Just put the names of each of your products or services in the "Auto Approve" list and emails from customers will be delivered to you without C/R. In fact, the customer's account will be remembered and future email from that customer will be delivered even if they do not mention your product or service. You can add as many keywords as needed to assure that customers never deal with C/R.


C/R - C/R deadlock

The Problem:
User A sends user B a valid email. User A sends a challenge to user B. User B then sends a challenge to user A who then in turn sends another challenge to user B and the cycle continues forever. This is commonly seen with "vacation" auto-responder systems.

Invisible Inbox Solution:
Each email address can only be sent a single challenge message. This stops the deadlock before it can start. One of the parties will need to manually accept the challenge email if the two users use different C/R systems. But if both users use Invisible Inbox, then the C/R process is handled automatically. When a challenge is received, it is automatically responded to. So you will never need to respond to a challenge email from another user of Invisible Inbox. A great reason to get all your friends to standardize on using this one SPAM fighting solution.
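
The challenge ID check from "Spoofed Response Messages" and the one-challenge-per-address rule above, as an added Python example (not Invisible Inbox's own code). The ChallengeLedger class, the "Challenge-ID:" line format and the use of a cryptographic random source are assumptions.

```python
import hmac
import re
import secrets


class ChallengeLedger:
    """One challenge per sender address, approved only by the issued ID (hypothetical design)."""

    def __init__(self):
        self.pending = {}        # address -> nine-digit ID awaiting a response
        self.challenged = set()  # every address that has ever been challenged
        self.approved = set()

    def issue(self, address):
        """Return a new nine-digit ID, or None if this address was already challenged."""
        address = address.strip().lower()
        if address in self.challenged or address in self.approved:
            return None  # never a second challenge, so two C/R systems cannot loop
        challenge_id = f"{secrets.randbelow(10**9):09d}"  # unpredictable, zero-padded
        self.challenged.add(address)
        self.pending[address] = challenge_id
        return challenge_id

    def accept_response(self, address, body):
        """Approve the sender only if the reply carries the ID issued to that address."""
        address = address.strip().lower()
        expected = self.pending.get(address)
        if expected is None:
            return False  # no challenge was sent: an unsolicited "response" is ignored
        # Assumed reply format: one "Challenge-ID: nnnnnnnnn" line. Only the first
        # match is checked, so a single reply cannot carry many guesses.
        match = re.search(r"Challenge-ID:\s*(\d{9})(?!\d)", body)
        if match is None or not hmac.compare_digest(match.group(1), expected):
            return False
        del self.pending[address]  # single use: a replayed response finds nothing pending
        self.approved.add(address)
        return True
```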


Privacy Issues

The Problem:
A centralized C/R center scans the content of all the email sent to and from your account to collect personal information to be used in who knows what ways. The centralized system sees and monitors all your email.

Invisible Inbox Solution:
Invisible Inbox is distributed. Your email is scanned only on your machine and any data about each sender is stored only on your machine. We do a single C/R check with you as you set up the program for the first time and again when you register to assure that you are who you say you are. We collect no data from you other than the data included in the challenge email. No passwords, not even your name, are sent in the challenge emails.

The initial challenge lets us assure that your end of the transaction is legitimate. This way we know that no SPAMMER is setting up fake accounts and that the program is not being used improperly.

Your computer then sends all challenges to those who email you, and thus only requires that your computer handles sending challenges and handling the responses from the other side of each conversation. We have no clue as to who emails you or who you email. Your privacy is secure with Invisible Inbox!


Potential integration into spam email harvest systems.

The Problem:
A SPAMMER gets back a challenge email proving that the email address is a live account and thus increasing the value of the address.

Invisible Inbox Solution:
While the challenge email does prove the existence of a real account, it also effectively defines the account as inaccessible to unsolicited marketing emails. This drops the value of the account to zero for SPAMMERS but allows valid marketers, willing to be identified, to respond to the challenge and then deliver marketing emails.

This assures that every marketing email received comes from a trusted source and that the normal unsubscribe process or manually listing the source as a SPAMMER will work to stop those messages from arriving. No one willing to be identified can be called a SPAMMER, even if they send unsolicited emails. If they do not use subject lines that accurately represent the content or they do not honor unsubscribe, then the fact that they are identified means that legal action can be taken against the sender.


C/R messages and users blacklisted or spam filtered

The Problem:
The challenge email causes problems and complaints and as such becomes blocked by popular spam filters or added to personal blacklists.

Invisible Inbox Solution:
We took special care in crafting our challenge message to make it clear, easy to read and made sure it did not include any of the common "tells" that mark an email as SPAM so that it is sure to travel through any SPAM filter with ease. Unlike centralized C/R systems, Invisible Inbox originates all challenges from your computer, and as such the only personal black lists that would block the challenge would be those that already had YOU listed as a SPAMMER. I don't think that will happen, do you?


Bounced Challenge Messages

The Problem:
A SPAMMER sends an email using a non-existent email address. A challenge email is sent to that address only to be bounced back to the sender as undeliverable.

Invisible Inbox Solution:
We check the validity of every email address before we send a challenge. We first check the DNS MX record (which tells which mail server(s) handle that address) to make sure it's legitimate. We then do a full SMTP session check using both the VRFY (verify) command and a true mail handshake (HELO, MAIL FROM, RCPT TO), which assures that there is a legal recipient for the message. (Basically, it checks that the email server knows the address before it tries to send a challenge email to that server.)


Potential "Joe-job" denial of service.

The Problem:
Spammer spoofs a legitimate sending address (this is already commonplace). C/R systems then send out a challenge to this address. With only 1% penetration of C/R, the victim of the C/R SPAM attack is deluged with 100,000 challenge emails.

Invisible Inbox Solution:
Invisible Inbox checks the source server of any new sender to confirm that the source of the email is the same as the email address listed as the sender. This means that to spoof a user, the SPAMMER would not only need to spoof the address, but use the same SMTP server as the real user, making tracking of the spoofer much easier and far too dangerous for the SPAMMER to attempt.

Emails from the wrong server are treated just as a message where a challenge message is sent, but none is ever delivered. This way the user can manually approve the email or manually mark it as SPAM, or they can just allow time to pass and the system will automatically mark the email as SPAM after a given period.
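
One way to implement the source-server check described above, as an added example rather than Invisible Inbox's own code. It assumes "same server" means the connecting host's reverse-DNS name, as recorded by the receiving server in the topmost Received header, falls under the sender's domain, and that a mismatch means the message is held with no challenge sent; the sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages; hosts and addresses are made up for illustration.
GENUINE = """Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.recipient.test with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000
From: Alice <alice@example.org>
Subject: hello

hi
"""
SPOOFED = """Received: from dsl-host.bulkmail.test (dsl-host.bulkmail.test [198.51.100.7])
\tby mx.recipient.test with ESMTP; Mon, 1 Jan 2024 10:00:05 +0000
Received: from mail.example.org (forged) by nowhere; Mon, 1 Jan 2024 09:00:00 +0000
From: Alice <alice@example.org>
Subject: offer

buy
"""


def relay_host(msg):
    """Reverse-DNS name in the topmost Received header, the one our own server wrote."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    # "from <HELO name> (<rDNS name> [<IP>])": take the rDNS name, not the HELO claim.
    match = re.match(r"\s*from\s+\S+\s+\(([\w.-]+)\s+\[", received[0])
    return match.group(1).lower() if match else None


def triage(raw):
    """Return 'challenge' when relay and sender domain agree, else 'hold_silently'."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    host = relay_host(msg)
    if domain and host and (host == domain or host.endswith("." + domain)):
        return "challenge"
    return "hold_silently"  # kept pending for manual review; no challenge goes out
```

Lower Received headers are ignored because the sending side controls them; only the header added by the receiving server reflects the real connecting host.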