Receiver Initiated Authentication: The Holy Grail Of Spam Filtering?

This is something I picked up on Slashdot a while back that sounded interesting. The short version of receiver initiated authentication is: when a receiver receives an email from an unauthenticated domain, the message is bounced back to the sender with instructions to simply resend the bounce message. If the sender does so, the domain and server used to send the message will be authenticated, assuming that both messages came from the same server.

This seems like a sound idea for an important reason: you can easily validate that both the sender and recipient can exchange information with one another. It's a bit like the three-way handshake in a TCP connection, which does much the same thing for exactly the same reason.

This would go a long way towards helping the spam problem, but it won't eliminate it entirely. Spammers who send email from their own domains could easily set up their servers to pass these tests. You'd still have to do some additional filtering, such as maintaining a blacklist of prohibited domains. Additional filtering based on message content might also be desirable.
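
The bounce-and-resend check described above, seen from the receiver's side, as an added example that is not from the original post or the proposal it discusses. The class name, the `X-RIA-Token` line and the HMAC-bound token are assumptions made for illustration; the addresses and domains are constructed.

```python
import hashlib
import hmac
import secrets

TOKEN_PREFIX = "X-RIA-Token: "  # hypothetical marker line carried in the bounce


class RiaReceiver:
    """Receiver-side state for the bounce-and-resend check (hypothetical names)."""

    def __init__(self, blocked_domains=()):
        self._key = secrets.token_bytes(32)   # per-receiver secret for bounce tokens
        self.authenticated = set()            # (domain, server_ip) pairs that passed
        self.blocked = set(blocked_domains)   # the blacklist still applies

    def _token(self, domain, server_ip):
        # Bind the token to the claimed domain AND the server that sent the first
        # copy, so a resend only verifies when it comes from that same server.
        msg = f"{domain}|{server_ip}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def receive(self, domain, server_ip, body):
        """Return (verdict, bounce_text_or_None) for one inbound message."""
        if domain in self.blocked:
            return "reject", None
        if (domain, server_ip) in self.authenticated:
            return "accept", None
        expected = self._token(domain, server_ip)
        for line in body.splitlines():
            if line.startswith(TOKEN_PREFIX):
                presented = line[len(TOKEN_PREFIX):].strip()
                if hmac.compare_digest(presented, expected):
                    self.authenticated.add((domain, server_ip))
                    return "authenticated", None
                return "reject", None          # token from another server or forged
        # First contact: bounce with instructions to resend the bounce itself.
        bounce = f"Resend this message to authenticate.\n{TOKEN_PREFIX}{expected}\n"
        return "bounce", bounce


if __name__ == "__main__":
    rx = RiaReceiver(blocked_domains={"spam.example"})
    verdict, bounce = rx.receive("example.org", "192.0.2.10", "hello")
    print(verdict)                                             # first contact
    print(rx.receive("example.org", "203.0.113.9", bounce))    # resend, wrong server
    print(rx.receive("example.org", "192.0.2.10", bounce))     # resend, same server
    print(rx.receive("example.org", "192.0.2.10", "next mail"))
```

Because the bounce goes to the claimed domain's real mail server, a sender forging that domain from another host never sees the token, and a token replayed from a different server fails the comparison.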


2 Responses to “Receiver Initiated Authentication: The Holy Grail Of Spam Filtering?”

  1. One can use OpenID to authenticate the sender (http://www.mocaedu.com/mt/archives/000285.html). It will not eliminate spam, but it will be easy to enforce a whitelist, and we can also maintain a more granular blacklist.

  2. I wonder how you’d force OpenID authentication without breaking the existing SMTP protocol. Interesting thought.
