Clint writes:
One problem with attaching the "secret" string
to an email address is how that is done at the
sender's side. I can see email clients automating
the process, which is fine, until a virus comes
along and starts popping off random emails.
Viruses are a separate problem from spam.
Plus, how would CC: and vast To: lists hide
the secret string?
They wouldn't, but that wouldn't be necessary, either.
The whole idea is to provide some sort of authentication for messages that
is easy to obtain for human beings, but hard to obtain in an automated way
for spammers. Spammers obtain e-mail addresses from Web sites, USENET,
discussion forums, and the like. Secret strings would not be posted to any
of these, so no automated harvesting of the strings would be possible. Just
leaving the string in an e-mail addresses to a number of recipients would
not be a problem, because spammers would not be intercepting such e-mails
(or any e-mails, for that matter). As long as the string is not posted in a
place where spammers can harvest it, they won't get it. And hiring human
beings to locate strings for individual addresses rapidly becomes too
expensive to contemplate.
As I've said, the White House uses it, and I don't think they get too many
letters from unauthorized parties with the secret string/number, even though
conceivably anyone in the delivery chain along the way could see the number.
The mere fact that it is not publicly posted is security enough.