If FairUCE can't verify sender identity, then it goes into challenge-response mode, sending a challenge email to the sender,
Let me rephrase that more accurately: "...spamming everyone who has been so unfortunate as to have their address forged into a mail message..."

Challenges thus issued are unsolicited: the challenged party had absolutely nothing to do with the inbound mail message. If such a system is used in production, then challenges will, inevitably, be sent in bulk. I trust it's clear that these challenges are email. "unsolicited bulk email", or UBE, is the canonical and only correct definition of [SMTP] spam.

So not only does FairUCE ignore a fundamental principle of competent anti-spam defense (e.g. "do not generate still more junk mail traffic at a time when we are drowning in junk mail traffic") it does so by generating outbound spam. How very nice.

See, BTW, for some background info:

http://www.techzoom.net/paper-mailbomb.asp

which discusses similar issues. (Thanks to Bruce Gingery for pointing this out.)

Beyond that, as Lycos Europe has already belatedly figured out, attempts to strike back at spammers which presume (as FairUCE naively does) that spammers themselves will not rapidly deploy effective countermeasures are doomed to fail and, in all probability, doomed to abuse innocent third parties. This is why responsible anti-spam techniques do not even *attempt* to fight abuse with abuse.

I suggest further discussion be moved to Spam-L (a) before NANOG is overrun with it again and (b) because the most anti-spam experts and other interested parties may primarily be found there, not here -- and extensive discussion of this particular issue is already in progress anyway.

---Rsk