**By submitting this essay you certify that you accept AnchorDesk's official Terms and Conditions. You can review our Terms and Conditions here: http://www.zdnet.com/graphics/anchordesk/yourtalkbackterms.html. Please also provide your daytime phone number and a short bio that includes your occupation, state of residence, and any other information pertinent to your essay. Your submission should be between 500 and 1,000 words in length. Please paste your submission, in plain text, below.**

My name is Joshua Levine. I work at a company called The Island ECN, which is an electronic stock market. I write programs. I live in New York. My daytime telephone number is 212-231-5005.

You can read about Island here... http://www.island.com

You can see me here... http://josh.com

This reply exceeds your request for 500-1000 words, but much of this could be replaced with a graphic if you decide to publish it.

I think I know how to end spam.

To succeed, any antispam plan must give immediate benefits to the people who use it without requiring anything new from the people who don't use it. With my plan, the people who start using it immediately stop getting spam even if they are the only people who sign up. It is backwards compatible with existing email systems, and if you use my system you can still get emails from people who don't.

To implement my plan, all you have to do is put my antispam server between your SMTP server and the Internet. All of your inbound and outbound mail traffic seamlessly flows through my server. My antispam filter automatically embeds a cryptographic key in the existing "from:", "to:", and "reply to:" fields in every email that passes through it. It uses these keys to match emails with email endpoints, allowing the server to reliably determine whether any incoming email is spam or not.

There are only three generic types of email conversations I want...

1) I start a dialog with you and then you respond to me.

2) You start a dialog with me and I respond to you.
3) I get a one-way email from someone to whom I willingly gave my email address -- this includes an email list that tells me about Windows bugs, email notifications from Amazon telling me my items shipped, etc.

There is one kind of email I don't want...

4) I get a one-way email from someone who I don't want email from.

Every email conversation fits into one of these generic classes. The problem is identifying and letting through the first 3 kinds of email and blocking the 4th. So let's look at what my antispam server actually does in each case...

---

#1 - I start a dialog with you and then you respond to me

a) I click "Send" in Outlook. My email client transmits an email with "dave@zdnet.com" in the "to:" field, and "josh@josh.com" in the "from:" and "replyto:" fields.

b) As that email passes through my antispam server, it sees that we do not currently have a conversation going on, so it creates a new random key of, say, "KHSNBFKCVH" for this new conversation.

c) The antispam server then changes the "replyto:" in my email from "josh@josh.com" to "KHSNBFKCVH.josh@josh.com" and ships the email off to you.

d) You open and read the email. When you want to reply to me, you hit "reply". Your email program uses the "replyto:" field from my email as the "to:" field in your reply (all email programs currently work this way; it is part of the spec).

e) When you send your reply, your email program transmits an email with a "to:" field of "KHSNBFKCVH.josh@josh.com".

f) When your reply email arrives at my antispam server, it sees the key in the "to:" field and looks up the conversation. It sees that this is a valid conversation, so it passes the email on through to me. In the process it changes the "to:" field back to "josh@josh.com" so my SMTP server can process it normally. It also sticks the key inside the "from:" field so that when I open your email, I see that it is from "dave@zdnet.com-KHSNBFKCVH".
g) From now on, you and I can freely send emails back and forth on this same conversation. You can add my email address (KHSNBFKCVH.josh@josh.com) to your address book and send me emails any time, and my antispam server will let them through.

---

#2 - You start a conversation with me out of the blue

a) You send an email to "josh@josh.com".

b) My antispam server sees that we do not currently have a valid conversation going, so it temporarily blocks your email.

c) My antispam server does *something* to make sure you are not a spammer. The simplest case would be to automatically send you an email saying something like "Josh has never gotten an email from you before and wants to make sure you are not a spammer. Please click on this _link_ to release your email so that josh gets it." This would at least verify that the return email address is valid before passing through any email. At the other end of the spectrum, the automatic email could say "Josh really hates spam. If you want him to get your email, follow this link and have your credit card or paypal account ready. There you will be asked to make a $1 deposit that will release your email to josh. If josh reads your email and thinks it is spam, your $1 will not be returned." Each user could decide dynamically how much verification/protection he wants.

d) When you complete whatever action is required, my antispam server assigns a key to this new conversation and passes your email on through, similar to step (1-f) above.

---

#3 - I want to receive an email from a one-way sender.

a) I go to sign up for an account at Amazon and they ask me for my email address so they can send me updates about my orders.

b) I point my web browser to my antispam server and click on "Generate new one way email address". The webpage gives me back the newly generated address "KKUSBSOCUNS.josh@josh.com" and sets up a new conversation with that key.

c) I cut and paste "KKUSBSOCUNS.josh@josh.com" onto the Amazon form and click "Sign me up!".
d) Now, every time my antispam server sees an email come in for "KKUSBSOCUNS.josh@josh.com", it knows that email is from Amazon and is ok, so it passes it through, similarly to step (1-f) above.

Cool, right?

There is still one problem: what if someone with whom I have a real conversation leaks the address I gave them to a spammer? (A twist on this is a spammer blows the $1 to get a valid conversation and then uses it to send me a thousand spams.)

No problem. If I ever see a spam come in, I just hit "reply" and type "SPAM" in the subject line. When my antispam server sees one of these special emails from me, it marks the offending conversation as "spam-hijacked" and that conversation is now dead. I'll get no more spams through the compromised conversation. The person who leaked my email address will have to reverify themselves.

To really reduce the impact of a compromised conversation, the anti-spam server can even automatically suspend any conversation that has, say, 5 consecutive unreplied-to emails on it. Once I reply back to the conversation, the server will reactivate that conversation and release any held emails on it.

This is just a general overview of the system -- I have plenty of ideas on how to make it very convenient and reduce the chance of a spammer getting a hold of a valid conversation.

Implementing the anti-spam server is not hard. I hope to have an open-source black-box implementation soon. I am also talking to email server vendors about incorporating this plan directly into their SMTP server and thus eliminating the need for an additional server.

I think it is important to find technological solutions to spam before the government tries to fix the problem with legislation. Hopefully this will be one of them.

-josh
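
The conversation table from cases #1 to #3, together with the "SPAM" reply and the auto-suspend rule, sketched in Python as an added example; it is not part of the original essay or any implementation by its author. The class and method names are hypothetical, and exempting one-way addresses from auto-suspension is an assumption the essay does not state.

```python
import secrets
import string

SUSPEND_AFTER = 5  # the essay's "say, 5 consecutive unreplied to emails"

class Gateway:
    """Conversation table for one mailbox; all names here are hypothetical."""

    def __init__(self, owner):
        self.owner = owner  # bare address, e.g. "josh@josh.com"
        self.convs = {}     # key -> {"peer", "state", "unreplied", "held"}

    def new_key(self, peer=None):
        """Open a conversation; peer=None is a one-way address (case 3b)."""
        key = "".join(secrets.choice(string.ascii_uppercase) for _ in range(10))
        self.convs[key] = {"peer": peer, "state": "active", "unreplied": 0, "held": []}
        return key

    def outbound(self, to):
        """Case 1 a-c: return (keyed reply-to, held mail released by this send)."""
        key = next((k for k, c in self.convs.items()
                    if c["peer"] == to and c["state"] != "dead"), None)
        if key is None:
            key = self.new_key(to)
        conv = self.convs[key]
        released, conv["held"] = conv["held"], []
        conv["state"], conv["unreplied"] = "active", 0
        return f"{key}.{self.owner}", released

    def inbound(self, rcpt, sender, body):
        """Cases 1f, 2b, 3d: return (action, rewritten "from:" or None)."""
        suffix = "." + self.owner
        key = rcpt[:-len(suffix)] if rcpt.endswith(suffix) else None
        conv = self.convs.get(key)
        if conv is None or conv["state"] == "dead":
            return ("challenge", None)  # unknown or killed key: verify sender (2c)
        # Assumption: one-way addresses are never replied to, so they are exempt
        # from auto-suspension; the essay does not say either way.
        if conv["peer"] is not None:
            conv["unreplied"] += 1
            if conv["unreplied"] > SUSPEND_AFTER:
                conv["state"] = "suspended"
        if conv["state"] == "suspended":
            conv["held"].append((sender, body))
            return ("hold", None)
        return ("deliver", f"{sender}-{key}")

    def report_spam(self, key):
        """The owner replied with subject "SPAM": mark the conversation dead."""
        self.convs[key]["state"] = "dead"
```

The sender address is deliberately not compared with the conversation's peer: in the essay the key in the "to:" field is the only credential, which is why a leaked address has to be handled by killing or suspending the conversation.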