Wow.  This is a serious business problem (abuse of email) reduced to the same type of partial truths, misdirection, and self-serving spin that radical liberals and reactionary conservatives use to discuss politics.  Any time you see sarcasm in a debate, check the facts.

CR is used to manage white lists.  If I know you, if I do business with you, if I ever send you a message, you are already on my white list.  So, everybody I already communicate with NEVER gets a challenge.  Instead, everything you send me gets delivered without risk of being mislabeled as "spam" by a content filter, with no administrative overhead.

If you are someone I don't know, and you are interested in establishing a relationship with me via email, when you send me your first message I run through an integrity check process for BOTH of our benefit.  Within seconds, I test your message with a variety a techniques (are you are a legitimate sending server; does the message come from a valid domain; check for spoofing; etc.) and if everything looks good, I send out a CR message.  It asks you to confirm, ONE TIME, that you are a real person and not simply software, so that I can automatically add you to my white list and thereby guarantee your important messages won't get lost.  This is good for both of use.  (Oh, and no CAPTCHA required.  That is old tech.  Just hit Reply)

If you are a "spammer," 97%+ of the time your message fails the basic integrity checks, so your abuse message is simply dropped.  These checks are totally deterministic (pass/fail) and not probabilistic (statistical guessing), so there are no "false positives" or "false negatives."  For three messages in 1,000, a challenge request is sent out, with two possible results.  Since spammers use botnets and other compromised systems as sending servers, their sender addresses are always forged.  If the sender address doesn't actually exist, the challenge goes nowhere.  If the sender address was stolen, the legitimate owner (what Amir call the "innocent user") receives the challenge message.  This tells them that their address has been compromised, which you would think they would be interested to know about .  Since there is no response to the challenge, the original abuse message gets dropped.  No downside here at all.

Now, Amir labels the 3 challenge messages that are sent out against the 1000 incoming messages as "backscatter" and "effectively spam" but uses an illogical argument.  The Internet email protocol SMTP (like all IP protocols) in not really like dropping a letter with a stamp in the postbox on the corner: a one-step one-way transaction.  With email, the sending server and receiving server go through a whole back-and-forth request-acknowledgment IP dialog setting up the communications process.  Actual challenge messages have no measurable impact on overall Internet message volume.

But there certainly is a problem, which Amir points out.  However, if people with his mindset (CR is inherently bad; the earth is the center of the universe) start with a faulty premise, they typically reach a faulty conclusion.  The issue: if you design spamtraps, content filters and reputation services with the presumption that challenges are bad, those systems are poisoning what is actually a highly effective process.  A challenge message is not "unsolicited commercial email" so categorizing it as "spam" is a fundamental design flaw in those systems.  "Branding" the users of CR systems as spammers and therefore mishandling the legitimate email is a mistake by the reputation systems, and sure sounds like true persecution of "innocent users."  All of the "lost mail" that Amir refers to is caused by other ill-conceived systems, not the CR process.

So, if someone I don't know sends me an email (asking for the privilege of getting into my inbox), and then "can't be bothered responding" to a challenge that actually helps both of us, how should I view that potential relationship? Or, if I'm in Sales and I worry that a challenge message might somehow make a new prospect feel uncomfortable or confused (because they read the emotional hatemail that the concept seems to create), maybe I should simply have the challenge feature turned off for my address while allowing everyone else in my organization to be free from email abuse.

In practice, businesses who use CR systems seem to love them because they are amazingly effective with virtually no administration.  It is interesting that the most vocal critics of the concept are people with a vested interest in potentially competitive products like content filters and reputation services.  Amir's closing "absurdum" comment pretty well sums up the substitution of emotional argument for actual logic: "if everyone used CR, email would become unusable" due to an infinite "loop."  Reality is: in a brand new email relationship, (1)  if you send me a message, (2) your CR system automatically adds my address to your white list, (3) so when my challenge request comes back you get it, (4) and when you hit reply you are now in my white list, and (6) we will now forevermore be able to send messages back and forth with no risk of loss.  No infinite loops, just reliable business communications without email abuse.