It works by recognizing e-mail addressed to the user's "private" domain, or sent from an address on the user's "passlist", and passing it through, while spam and all other mail is held in a holding area managed through a web page (see figure). Later, when the user wants to deal with it, the holding area is checked to retrieve any legitimate e-mail and deal with the junk.
The "private" domain names are additional MX records that are shared only with trusted users (i.e., friends and family). These are set up by whoever administers the domain name server for the user. Although there could be as many private domains as trusted users, generally speaking only one extra domain is needed (e.g., "nospam.advicom.net" or "surname.advicom.net"). If it is ever compromised, the DNS entry can be changed, which invalidates it, and a replacement entry put in its place (e.g., "secret_surname.advicom.net").
Not dependent upon DNS entries, the "passlist" exists to cover special cases of senders that show up in the holding area, such as mailing lists and replies to USENET postings. To keep the "passlist" from growing forever, the entries age with each update, although individual entries can be set to never expire.
The Web page controlled holding area lists the incoming mail so the most :
The DNS server can be configured not to dump its full list of records (a zone transfer).
There could be an MX record for a "tripwire" MTA. Once it is triggered, the whole site could go "mute" or switch to "slow" mode for connections. This raises the attacker's risk of early detection and of a network-level reaction.
The DNS server with the extra MX records does not have to be in the same subnet as the domain. It is perfectly OK to have an MX record "notme.hotmail.com" that points to the MTA in the address space of "advicom.net." This makes harvesting private MX records difficult.
Make sure that updating the web page requires strong authentication. For example, limit the source IP range to addresses within the ISP's domain. Use secure encryption of passwords.
Do not hardcode the passlist filename; instead, have it generated from some key and a one-way algorithm. This makes automated harvesting of the passlist impractical.
Try to get ISPs to not let users read each other's directories.
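The filtering rule (private domain or passlist, else hold), the aging of passlist entries, and the keyed one-way derivation of the passlist filename, as an added example that is not part of the original design text. The domain names, the per-entry TTL scheme and the use of HMAC-SHA256 with a site key are this example's assumptions.

```python
import hmac
import hashlib

# Constructed sample of the user's private domains (not from the original page).
PRIVATE_DOMAINS = {"nospam.advicom.net", "surname.advicom.net"}


def passlist_filename(user, site_key):
    """Derive the on-disk passlist name from a secret site key and a one-way
    function, so the name cannot be guessed from the user name alone.
    HMAC-SHA256 and the '.passlist' suffix are assumptions of this example."""
    digest = hmac.new(site_key, user.encode(), hashlib.sha256).hexdigest()
    return digest + ".passlist"


def age_passlist(passlist):
    """Age every entry by one update and drop entries whose TTL runs out.
    A TTL of None marks an entry that never expires."""
    aged = {}
    for sender, ttl in passlist.items():
        if ttl is None:
            aged[sender] = None          # pinned entry, kept as-is
        elif ttl > 1:
            aged[sender] = ttl - 1       # still alive after this update
        # ttl == 1 (or less): expired, not carried over
    return aged


def classify(rcpt_to, mail_from, private_domains, passlist):
    """Return 'deliver' for mail to a private domain or from a passlisted
    sender, otherwise 'hold' for the web-managed holding area.

    Envelope addresses (RCPT TO / MAIL FROM) are used rather than the To:/From:
    headers, since headers are trivially forged. Note that the passlist still
    trusts a sender address, which can also be forged; the private-domain test
    does not depend on the sender at all."""
    rcpt_domain = rcpt_to.rpartition("@")[2].lower()
    if rcpt_domain in private_domains:
        return "deliver"
    if mail_from.lower() in passlist:
        return "deliver"
    return "hold"
```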