One idea for removing fake bounces easily: include the time or a signature in a field that the bounce will quote back. This could be the subject or your address. (I don't know which headers the bounce agent is required to report.) Then, if you get a bounce that would include this header if it were genuine but doesn't, you know it's a fake.

This could be extended to all sorts of replies, with the exception that the sender may have lost his mail program (and therefore the database which contains your randomly generated header for the last reply), or for some other reason (webmail etc.) is replying manually. The idea seems to have originated here: http://slashdot.org/comments.pl?sid=92743&cid=7974422

Of course, the logical extrapolation of this is to use digital signatures for everything, eventually transitioning to a trust metric to solve the "manual reply" problem. The mail signing could even be extended to encryption, thwarting ECHELON as a nice side effect. Too bad if P = NP, though.

Logically this would require some sort of external tamperproof SecureID to ensure that it's really you that's replying and not some virus or zombie. That's kinda kludgy[1], but could be incorporated into the keyboard. The problem is that the program (zombie) itself could pop up a fake "press the authentication key to proceed" box just as you're sending a mail (hooks and all), or simply rewrite the mail on the fly. So we need program cordoning similar to user privileges, but applied to programs. Then finally authenticity will be clear, and a digital signature will be a proper signature, or close to it (it can still be stolen by exploits).

[1] Not to mention dangerous for surveillance purposes: if most major websites required your authentication, that would be bad. However, the SecureID could be anonymous, but then the tamperproofing would have to be really good, which is another arms race.