Overview of josh-anti-spam...
=================================

To succeed, any antispam plan must give immediate benefits to the people who use it without requiring anything new from the people who don't use it. With my plan, the people who start using it immediately stop getting SPAM even if they are the only people who sign up. It is completely backwards compatible with existing email systems, and if you use my system you can still get emails from people who don't.

To implement my plan, all you have to do is put my amazing "antispam" server between your SMTP server and the internet. All your inbound and outbound mail traffic seamlessly flows through my server and I am able to block any spams from ever getting through to you. This is very easy to implement.

The concept is that ultimately there are only three kinds of email conversations I want...

1) I start a dialog with you and then you respond to me.
2) You start a dialog with me and I respond to you.
3) I get a one-way email from someone to whom I willingly gave my email address -- this includes an email list that tells me about Windows bugs, email notifications from Amazon telling me my items shipped, etc.

There is one kind of email I don't want...

4) I get a one-way email from someone who I don't want email from.

So, the problem is identifying and letting through the first 3 kinds of email and blocking the 4th. My way of doing that is to establish a "key" that can uniquely associate any incoming email to a conversation. Once I know which kind of conversation an email is part of, I'll know if I want it or not. If the email is part of one of the first 3, I want it, otherwise I don't.

So let's look at what my server actually does in each case...

---

#1 - I start a dialog with you then you respond to me

a) I click "Send" in Outlook. My email client transmits an email with "dave@zdnet.com" in the "to:" field, and "josh@josh.com" in the "from:" and "replyto:" fields.
b) As that email passes through my antispam server, it sees that we do not currently have a conversation going on, so it creates a new random key of, say, "KHSNBFKCVH" for this new conversation.
c) The antispam server then changes the "replyto:" in my email from "josh@josh.com" to "KHSNBFKCVH.josh@josh.com" and ships the email off to you.
d) You open and read the email. When you want to reply to me, you hit "reply". Your email program uses the "replyto:" field from my email as the "to:" field in your reply (all email programs currently work this way, it is part of the spec).
e) When you send your reply, your email program transmits an email with a "to:" field of "KHSNBFKCVH.josh@josh.com".
f) When your reply email arrives at my antispam server, it sees the key in the "to:" field and looks up the conversation. It sees that this is a valid conversation, so it passes the email on through to me. In the process it changes the "to:" field back to "josh@josh.com" so my SMTP server can process it normally. It also sticks the key inside the "from:" field so that when I open your email, I see that it is from "dave@zdnet.com-KHSNBFKCVH".
g) From now on, you and I can freely send emails back and forth on this same conversation. You can add my email address (KHSNBFKCVH.josh@josh.com) to your address book and send me emails any time and my antispam server will let them through.

---

#2 - You start a conversation with me out of the blue

a) You send an email to "josh@josh.com".
b) My anti-spam server sees that we do not currently have a valid conversation going, so it temporarily blocks your email.
c) My anti-spam server does something to make sure you are not a spammer. The simplest case would be to automatically send you an email saying something like "Josh has never gotten an email from you before and wants to make sure you are not a spammer. Please click on this link to release your email so that Josh gets it."
This at least verifies that the return email address is valid before passing through any email. At the other end of the spectrum, the automatic email could say "Josh really hates spam. If you want him to get your email, follow this link and have your credit card or PayPal account ready. There you will be asked to make a $1 deposit that will release your email to Josh. If Josh reads your email and thinks it is spam, your $1 will not be returned."
d) When you complete whatever action is required, my anti-spam server assigns a key to this new conversation and passes your email on through, similar to step (1-f) above.

---

#3 - I want to receive an email from a one-way sender.

a) I go to sign up for an account at Amazon and they ask me for my email address so they can send me updates about my orders.
b) I point my web browser to my anti-spam server and click on "Generate new one way email address". The webpage gives me back the newly generated address "KKUSBSOCUNS.josh@josh.com" and sets up a new conversation with that key.
c) I cut and paste "KKUSBSOCUNS.josh@josh.com" onto the Amazon form and click "Sign me up!".
d) Now, every time my anti-spam server sees an email come in for "KKUSBSOCUNS.josh@josh.com", it knows that email is from Amazon and is OK, so it passes it through, similarly to step (1-f) above.

Cool, right?

There is still one problem: what if someone who I have a real conversation with leaks the address I gave them to a spammer? (A twist on this is a spammer blows the $1 to get a valid conversation and then uses it to send me a thousand spams.)

No problem. Each email that ends up in my inbox has the associated conversation key embedded in the "from:" field. If I ever see a spam come in, I just hit "reply" and type "SPAM" in the subject line. When my anti-spam server sees one of these special emails from me, it marks the offending conversation as "spam-hijacked" and that conversation is now dead. I'll get no more spams through the compromised conversation.
To really reduce the impact of a compromised conversation, the anti-spam server can even automatically suspend any conversation that has, say, 5 consecutive unreplied-to emails on it. Once I reply back to the conversation, the server will reactivate that conversation and release any held emails on it.

This is just a general overview of the system -- I have plenty of ideas on how to make it very convenient and reduce the chance of a spammer getting a hold of a valid conversation.

Implementing the anti-spam server is not hard. I hope to have an open-source black-box implementation soon. I am also talking to email server vendors about incorporating this plan directly into their SMTP server and thus eliminating the need for an additional server.

I think it is important to find technological solutions to spam before the government tries to fix the problem with legislation. Hopefully this will be one of them.

-josh
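
An added sketch of the conversation-key table described above; it is not the author's implementation. It covers key creation for cases 1 and 3, the challenge decision for case 2, the SPAM kill switch and the 5-unreplied suspension. The class and method names, the 10-letter key drawn from a CSPRNG, and exempting one-way addresses from the unreplied counter are assumptions of this example.

```python
import secrets
import string

MAX_UNREPLIED = 5  # the page's "say, 5 consecutive unreplied-to emails"


class Gateway:
    """Conversation-key table only; header rewriting is left out (hypothetical names)."""

    def __init__(self, user, domain):
        self.user, self.domain = user, domain
        self.convs = {}    # key -> conversation record
        self.by_peer = {}  # correspondent -> key for dialogs the owner started

    def _new_key(self, one_way=False):
        # Assumption: 10 uppercase letters from a CSPRNG, so keys are not guessable.
        key = "".join(secrets.choice(string.ascii_uppercase) for _ in range(10))
        self.convs[key] = {"state": "active", "unreplied": 0, "held": [], "one_way": one_way}
        return key

    def new_one_way(self):  # case 3: address handed to a one-way sender
        return f"{self._new_key(one_way=True)}.{self.user}@{self.domain}"

    def outbound(self, to_addr):  # case 1 b-c: returns (rewritten reply-to, released mail)
        key = self.by_peer.get(to_addr) or self._new_key()
        self.by_peer[to_addr] = key
        conv = self.convs[key]
        released, conv["held"], conv["unreplied"] = conv["held"], [], 0
        if conv["state"] == "suspended":  # the owner replied, so reactivate
            conv["state"] = "active"
        return f"{key}.{self.user}@{self.domain}", released

    def inbound(self, to_addr, msg):
        key, sep, user = to_addr.split("@", 1)[0].partition(".")
        conv = self.convs.get(key) if sep and user == self.user else None
        if conv is None:
            return "challenge"  # case 2: no valid conversation, hold and verify sender
        if conv["state"] == "dead":
            return "reject"  # conversation was reported as spam-hijacked
        if not conv["one_way"]:  # assumption: one-way senders never get replies
            conv["unreplied"] += 1
        if conv["unreplied"] > MAX_UNREPLIED:  # five delivered unanswered, then hold
            conv["state"] = "suspended"
            conv["held"].append(msg)
            return "hold"
        return "deliver"

    def report_spam(self, key):  # owner hit reply and put SPAM in the subject
        self.convs[key]["state"] = "dead"
```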