You've Got Mail!

I’m sure getting a lot of junk mail lately. In the war between spammers and spam filters, the spammers are winning. I remember Paul Graham speaking five or six years ago at the AI lab about his ideas for Bayesian spam filters. I don’t think there was a single person in the room who didn’t think, “But why don’t the spammers just send their message in an image?” Well, pretty much all mail clients and many institutional filter’s have implemented Paul’s ideas anyway. It worked for a good while, but now of course the bad guys are sending pictures. I feel that I’m missing something important in not understanding why it has taken them so long.

I also don’t understand why mail works the way it does. Why doesn’t my email client generate a new un-guessable unique return address for me each time I send out an email? Something like When you receive the message from me, your email client should enter the address as a new address for me in your address book. You could send me mail using any of the stored addresses, or you could pass that address to someone else.

You should never have to see that gobbledygook. On OSX now, for example, mail and address book each display addresses as a lozenge with the person’s name. I can drag the lozenge around and even into the text of another mail, and the right thing happens.

But then suppose the unique address finds its way into the hands of a spammer. If I mark something as spam, my client should just revoke the address that it came in on. My client (local or ISP-based) would not display any mail received on a revoked address – regardless of whether it was sent by you, a third friend, or a bad guy. It should also bounce the message to the sender and (the first time) to the person I originally sent the address, so that their clients could remove the bad address from their address book. (It knows the person I originally sent the message to because it’s in my ‘Sent’ folder.)

Am I missing something? Is this really so hard?

About Stearns

Howard Stearns works at High Fidelity, Inc., creating the metaverse. Mr. Stearns has a quarter century experience in systems engineering, applications consulting, and management of advanced software technologies. He was the technical lead of University of Wisconsin's Croquet project, an ambitious project convened by computing pioneer Alan Kay to transform collaboration through 3D graphics and real-time, persistent shared spaces. The CAD integration products Mr. Stearns created for expert system pioneer ICAD set the market standard through IPO and acquisition by Oracle. The embedded systems he wrote helped transform the industrial diamond market. In the early 2000s, Mr. Stearns was named Technology Strategist for Curl, the only startup founded by WWW pioneer Tim Berners-Lee. An expert on programming languages and operating systems, Mr. Stearns created the Eclipse commercial Common Lisp programming implementation. Mr. Stearns has two degrees from M.I.T., and has directed family businesses in early childhood education and publishing.


  1. Howard,

    some thoughts:

    1. I don’t get much spam from addresses I already know (if at all); the normal case for me – since I don’t automatically flag mails coming from unknown persons as spam – is getting spam from addresses not known before: thereafter one has to decide if it is a person contacting you seriously or spam. I don’t see how your approach does tackle this issue.

    2. You need some sender identification beside the sender mail address: otherwise you couldn’t identify persons you already know.

    3. What should be your official email address for people contacting you the first time?
    Best regards,

  2. Thanks for the questions, but I don’t think I’m understanding them properly.

    You can choose to give out any adress you like, as often as you want, to as many people as you want. This does not impede the efficacy of the secure address mechanism. It’s separate.

    But the value of the secure address mechanism is that each time I give out an address:
    – it is unique to the circumstance in which I gave it out, and only given out explicitly by me to someone I know. Hence traceable.
    – revocable, so that I don’t have to wade through stuff that came in on an address that was revoked.

    So no one can send me secure mail if they didn’t (directly or indirectly) recieve the address from someone I deliberately gave the address to. They can still send me unsecure mail, which I might or might not notice.

    The one-to-many mapping of names to addresses (and vice versa) is handled by my address book. It is not bundled with the address (e.g., in a header). For example, on my Mac, whenever I recieve mail that someone has sent from just, it displays as “Joe Smith” if the address is in my address book. There is no need for Joe to enter his address as “Joe Smith”<>.

  3. I’m elaborating some more, hopefully my points become more clear.

    1. “Why doesn’t my email client generate a new un-guessable unique return address for me each time I send out an email? Something like When you receive the message from me, your email client should enter the address as a new address for me in your address book.”
    This works for the other person, if you have replied to a mail of it, but not if you have started a new thread! In the first case there is a relation via the Sent folder together with some message id, in the second case this is missing (after the suggested mechanism your sender address is new to the other person).

    2. If some person you don’t know has gotten a private email address from a person you know, sends a mail to you (using the suggested mechanism itself), it has to include some identification of itself (e.g. its signature), because its sender address is not in your address book. My point here is, that some mechanism automatically assigning identifications of senders after your address book together with message id and Send folder (identifying the sender, since only a decent person has gotten this decent email address from you) would fail in this case.

    3. For me the main origin of spam mails are public – e.g. published at some web side – email addresses, published for people for contacting you the first time. After my experience these often will be misused by spammers.
    Publishing one of your private unique mail addresses there would lead to a revocation of it after misusing it by some spammer, followed by replacing it by a new one. All people once contacting you by the misused one (therefrom having it in their address book) would have to change it to the current one, if they are trying to send you a mail after revocation of the first, and then they had to send the mail again. To change it to the current one, they had to look onto the web side again.
    I’m in doubt, that this would be an improvement for this use case (which I think is the main spam use case); but I also think, this is not the use case you have had in mind for the suggested mechanism.

  4. re 1: You may well recieve junk from sent to a valid secure address for you. But only once. That is, you may have generated an address that you gave to me, and I let it slip to a bad guy. The bad guy sends you junk, and since it came on a generated address, you look at it. If you decide it is junk, the bad guy can never bother you again with that address. He has to find some other way to reach you. Yes?

    You do bring up another point, though. I was wrong about not having my name appear with my newly generated address in the header I sent. It may be wise for you not to enter the new address as an alternative address for me if you do not approve of the letter. For example, if you reject the letter as junk than it may be that someone has forged my cleartext name. But either way, it makes no difference to me, the sender.

    re 2: yes again. (I can’t remember now if Carl Ellison has a paper on this?)

    re 3: right again. There is no email address that is both public and secure. My speculation/suggestion is best thought of as a secure unlisted number. (You may get a crank call on it, but only once per stolen number.) You may still have an additional public number, but that one is no different than what happens without this mechanism.

Comments are closed