I have to wonder if we are making the problem of spam more difficult than it really is.
What if I just want to be able to give out my email address to friends, relatives, coworkers, and acquaintances, and get email back from them? What if I want to receive opt-in messages from a few mailing lists -- not the kind that subscribers participate in, just the ones where content is sent to subscribers weekly, bi-weekly, or monthly? What if I just want to shop at Amazon.com or eBay occasionally and receive notifications about my order status via email? If those are the conditions -- and they are for very many people -- why should I have to live with the spam nuisance? There is a very simple solution: to those individuals or organizations that I want to receive email from I give a password. That password is included in the email message sent to me, and my filter checks for that password. No password -- no entry. It's that simple, really. I probably need only three or four passwords. And I may need to change one from time to time, if it is ever compromised.
What needs to happen? E-tailers like Amazon.com need to allow customers to enter their password when they enter their email address, and they need to allow their customers to change their password. Mailing list providers need a similar facility. Address books need to store a password. Email client applications need to send the password automatically if it's in the address book. But before any of this can happen, we need to define the standard for how passwords are used. Perhaps the easiest way to use passwords is to embed them in the email address, so that john.doe@someplace.net with the password geewiz71 becomes john.doe+geewiz71@someplace.net. That solves the address book problem -- no extra field is needed.
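A sketch of the receiving-side filter for the address-embedded password scheme described above. This is an added example, not code from the original post; the `friends` label, the revoked password `oldpass42`, and the reliance on a `Delivered-To` header written by the receiving mail server are assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

BASE_USER, BASE_DOMAIN = "john.doe", "someplace.net"   # address used in the article
ACTIVE = {"geewiz71": "friends"}    # article's sample password; the label is assumed
REVOKED = {"oldpass42"}             # constructed: a password retired after compromise

def extract_tag(address):
    """Return the +password part if `address` is ours, else None."""
    local, _, domain = address.strip().rpartition("@")
    user, plus, tag = local.partition("+")
    if domain.lower() != BASE_DOMAIN or user.lower() != BASE_USER or not plus:
        return None
    return tag          # compared case-sensitively, like any password

def classify(raw_message):
    """Return ('accept', label) or ('reject', reason) for one raw message."""
    msg = message_from_string(raw_message)
    # Prefer the envelope recipient recorded at delivery: To/Cc are written by
    # the sender and do not show the tagged address for Bcc or list mail.
    rcpts = msg.get_all("Delivered-To") or msg.get_all("To", []) + msg.get_all("Cc", [])
    verdict = ("reject", "no password")
    for _, addr in getaddresses(rcpts):
        tag = extract_tag(addr)
        if tag is None:
            continue
        if tag in ACTIVE:
            return ("accept", ACTIVE[tag])
        verdict = ("reject", "revoked password" if tag in REVOKED else "unknown password")
    return verdict

def sample(rcpt, to):   # constructed test message, not real mail
    return f"Delivered-To: {rcpt}\nFrom: a@example.org\nTo: {to}\nSubject: hi\n\nbody\n"

if __name__ == "__main__":
    for rcpt in ("john.doe+geewiz71@someplace.net", "john.doe@someplace.net",
                 "john.doe+oldpass42@someplace.net"):
        print(rcpt, "->", classify(sample(rcpt, "list@example.org")))
```

Because the password travels in the clear as part of the address, everyone copied on a message sees it; keeping one password per group of senders and a revocation list limits the damage when one leaks.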
Come on. How difficult can this particular spam problem be?
The Age of Innocence on the Internet is over. If you want people to stay out of your mailbox, put a lock on it and give the key to those who are allowed in.
Hadmut Danisch: If a host doesn't receive messages by SMTP, it shouldn't deliver by SMTP. Mail delivery should go the same way back that incoming mail went in.
Hadmut is right. There is an asymmetry in the way email is received and the way it is sent. Our ISP receives mail for us and we pick it up via an authenticated protocol like POP3 or IMAP4. The asymmetry can be easily fixed. Every POP3 or IMAP4 account provider should provide SMTP. And SMTP should be authenticated. RFC 2476 describes a Message Submission Agent (MSA), which is the entry point of email into the transport system. The idea of an MSA is good: the MSA receives email from the Mail User Agent (MUA) via SMTP and can police it -- add missing header fields, correct any invalid format, etc. The MSA also uses a different port (TCP port 587) than SMTP (TCP port 25), which is good because it serves a different purpose, and ISPs that don't allow outbound SMTP on TCP port 25 from their providers should allow outbound messages to an MSA on TCP port 587. One has to wonder, if we need authentication to get our email, why don't we have authentication to send email?
Hadmut Danisch: Spam is essential for the Anti-Spam business. If there is no spam, then no Anti-Spam software can be sold, similar to the Anti-Virus business. There are extremely strong efforts to keep this market growing.