Here’s an overly complicated idea. Everytime I sign up for a service, I give a randomly generated ID as my email address. I also register that randomly generated ID with my system and mark who is identified with it. The first time a message comes in to that address, the system takes note of the sender’s domain. Any mail to that address from that domain is authorized. Anything else is marked as SPAM. If this tends to be a problem, this SPAM classification can be removed and instead, the address can be removed as valid when SPAM is received. I have another address that I actually use for personal mail. This address is outfitted with your standard challenge response system and has a huge whitelist. This address is never used to sign up for services. I can proudly display it anywhere I’d like, as the challenge-response system will keep the SPAM out.
That’s it.
Any user that is allowed to send mail to prefixed or suffixed addresses can use it. And, unless spammers somehow get smart enough to respond to the Challenge Response, I don’t get any SPAM. If for some reason, one of the addresses that I’ve registered to use for getting mail from a service is used by a spammer, it must be because the address was GIVEN to them by the place I signed up at. Therefore, not only do I know WHO sold my address, but I can easily remove that ID and, therefore, stop the SPAM.
The only problem is that challenge response systems don’t work very well when the other end is a mobile device. It also doesn’t work very well for misconfigured email clients. Additionally, it could be perceived as unprofessional to send a challenge response to potential customers and/or existing clients. Also, it’s possible that the challenge response could be misunderstood or seen as spam by the recipient, and therefore ignored. And finally, if a spammer got a hold of my whitelist and my REAL email address, they could get SPAM through.
What do you think?