In my experience almost all my spam replies, which are automatically generated and transmitted by my extensive list of Eudora filters, and include a note advising that the sender that his message was automatically deleted by spam filters and was never seen by a human, just result in a delivery failure email from the ISP contained in the false reply address, or the router if the ISP name was fake too.
But for a business address there's no escaping the requirement to notify the sender, because otherwise a false positive filter hit can leave a customer or vendor with the impression that he was rudely ignored by a human, and to a legitimate customer or vendor, that's absolutely unforgivable. So in those rare cases when a spam filter deletes a message with a legitimate reply address, the sender is advised that he needs to resend his message, this time with a code to allow it to bypass the bulk of the filters. The code is often changed of course.
The requirement to reply is an inescapable reality. Some email addresses, whether business or personal, simply can't be changed. In my case, Help@MyCompany.com (we'll call it) is on the panels of all our physical products, which often last for decades. The address is in circulation in spam hell, as was eventually inevitable. But I dare not allow any false positive filter hit to leave someone wondering what happened to their email - a response of some kind is always mandatory. So it simply doesn't matter that 99+% of the filter advisory replies just create a delivery failure message - I can't take a chance that a legitimate sender would be completely ignored. And fortunately, the delivery failure messages are very easy to automatically filter into oblivion.
But I do archive every single one of my outgoing messages, because if one of my emails bounces, it's unlikely that I'd see the failure notification (unless I sent the message to someone who's in my address book, but that's only a fraction of them). If I expect a response but don't receive one, then I resend, and then watch the delivery failure messages for a while.
But it could be better. I'd like to see a lot more discussion and experimentation with reply address ping test spam killing strategies. For example, I'd like to be able to set up Eudora to perform a reply address ping test, and if the test fails automatically delete the email. I can wait for the outcome of a ping test before reading most messages - they usually aren't highly time critical, and most of my regular contacts are passed by the filters before spam testing begins anyway. And the best part is that a reply address ping test would obliterate almost all spam as it's now configured. And I can't think of any case in which legitimate customers, vendors, or personal contacts use a fake return address. But should the need become apparent, I could post information on an ever changing filter pass code for the sender who's actually personally reviewing my company's web site, such as Help.CurrentMonth@MyCompany.com.
Spammers would no doubt be tempted to respond by using a working stolen email address in their reply address, but there's a serious down side to that - there's a much higher chance they'd be successfully identified and successfully prosecuted. (What! I don't have a 'free speech' right to ID theft and fraud?!?) They could create their own working reply address and ignore messages to it, but if the address is serviced by a legitimate ISP, it would almost instantly go over quota with replies from systems like mine, and quota busting traffic raises a fast and prominent red flag with the ISP, so their account would likely be very promptly deleted. And in the meantime it would fail ping tests, which would consider an over quota response a ping test failure. If they use a black market ISP or own their own ISP, the reply address would ID them and their ISP. They or their ISP would then be quickly added to every filter in the Universe. They'd also be an easy target for large numbers of very frustrated Internet users, some of whom have access to excellent attorneys. And while nobody should cross the legal line of course, the reality is that some spam hating users have the expertise to email some nasty pathogens. And cyber assaults might not be the limit of some people's retaliation, especially if they've been financially hurt by a spammer's fraud. The point being that most spammers do not want to be identified. So a real return address is the most desperate of options for them.
It seems to me that the bottom line is that a good ping test infrastructure might put spam on the run in a big way. So does anyone provide a return address ping testing product, or is anyone working on one? If not, why not?