Some other ideas for what individual ISPs or enterprises may build
into their token generator:
-- sleep x (pro: slows serial connections; con: easier to DoS your server)
(The delay could depend on how often the requesting IP has looked
for an "invalid user", on the count of requests from the same source
IP within the last x requests or the last x timeframe, etc. The
response could also depend on current server load, so as to reduce
the incidence or impact of denial-of-service attempts, or a suspect
request could be redirected to a 'tarpit'.)
-- No such user:
Check the filename of the URL to see if it corresponds to a valid
user. If not, many possible responses:
a. slow the token generation (accounting for current server load)
b. add remote_addr to suspect SENDER list
c. include a specific string in the token, then train
your MTA to abort connections that present such a token (leaving the
sender waiting for a response).
d. Redirect to a 'tarpit'.
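The throttling and "no such user" ideas above fit together as one request-handling policy. The following is an added example, not code from the X-ASVP page or project: it keeps a per-IP history of invalid-user lookups, scales the "sleep x" delay by that history, drops the delay when server load is high (so sleeping connections cannot be used to exhaust the server), adds repeat offenders to a suspect SENDER list, and hands persistent offenders to a tarpit. The window size, thresholds, load metric and user list are assumptions chosen for illustration.

```python
"""Added example, not part of the X-ASVP page or project: an adaptive response
policy for a token generator combining the ideas in the list (sleep x scaled by
the requester's history and server load, the "no such user" check on the URL
filename, a suspect SENDER list, and a tarpit redirect). Window size,
thresholds, load metric and the user list are assumptions for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 600    # assumption: per-IP history window ("last x timeframe")
BASE_DELAY = 1.0        # assumption: the basic "sleep x", in seconds
MAX_DELAY = 30.0        # assumption: never hold a connection longer than this
SUSPECT_THRESHOLD = 3   # assumption: invalid-user lookups before listing the IP
TARPIT_THRESHOLD = 10   # assumption: invalid-user lookups before tarpitting
HIGH_LOAD = 0.8         # assumption: load level at which sleeping stops

VALID_USERS = {"alice", "bob"}   # constructed sample user list


@dataclass
class Decision:
    delay: float        # seconds to sleep before answering
    issue_token: bool   # generate a normal token at all?
    suspect: bool       # remote_addr is on the suspect SENDER list
    tarpit: bool        # hand the request to a tarpit instead of answering


class TokenRequestPolicy:
    def __init__(self):
        self._history = defaultdict(deque)   # ip -> deque of (time, user_valid)
        self.suspect_senders = set()

    @staticmethod
    def user_from_url(url):
        """The page checks the 'filename' part of the URL against the user list."""
        return url.rstrip("/").rsplit("/", 1)[-1]

    def _invalid_lookups(self, ip, now):
        q = self._history[ip]
        while q and now - q[0][0] > WINDOW_SECONDS:   # drop entries outside the window
            q.popleft()
        return sum(1 for _, ok in q if not ok)

    def decide(self, ip, url, now, server_load):
        """server_load is an assumed 0.0 (idle) .. 1.0 (saturated) metric."""
        valid = self.user_from_url(url) in VALID_USERS
        self._history[ip].append((now, valid))
        invalid = self._invalid_lookups(ip, now)

        # Under heavy load, holding sleeping connections only helps someone
        # trying to exhaust the server, so answer (or tarpit) immediately.
        if server_load >= HIGH_LOAD:
            delay = 0.0
        else:
            delay = min(MAX_DELAY, BASE_DELAY * (1 + invalid))

        if not valid:
            if invalid >= SUSPECT_THRESHOLD:
                self.suspect_senders.add(ip)
            if invalid >= TARPIT_THRESHOLD:
                return Decision(0.0, False, True, True)
            return Decision(delay, False, ip in self.suspect_senders, False)
        return Decision(delay, True, ip in self.suspect_senders, False)


if __name__ == "__main__":
    policy = TokenRequestPolicy()
    for i in range(4):   # constructed burst of invalid-user lookups from one IP
        print(policy.decide("192.0.2.10", f"http://asvp.example/token/nobody{i}", float(i), 0.1))
```

The valid-user path still issues a token to an IP on the suspect list; the list is meant for the MTA's use, as the page describes, not for refusing tokens outright.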
-- A token generator could do a DNSBL lookup before creating a token. The generator
could do any number of things if a DNSBL "hit" happens. It could
error and give a message saying "you're blocked", or it could do
some of the things mentioned above to take up the spammer's time and
resources and benefit the overall Internet community.
See Project HoneyPot http:BL http://www.projecthoneypot.org/faq.php#g
-- spam-assassin interface - encrypt and publish the token generator
"secret sauce" so that spam-assassin (or other external programs)
can do token verification
syntax: ---PGP encrypted package---
spam-assassin will need the matching private key to decrypt this package.
The package should contain a time-to-live (TTL) after which to check back
for new verification rules, and a syntax for describing the verification
checks (i.e., which parts of the token the user wishes to check).
Example: http://www.x-asvp.org/X_ASVP_ORG/CHAIR.HTM
(the PGP message within contains the following
---snip---
TTL = 86400
ASVP-WEB contains abc43
---end snip---
Note: 86400 seconds is 24 hours
Note: This could easily test for substr(ASVP-WEB,1,2) eq 'CC' or
any other code your token generator inserts into
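As an added example (not code from the X-ASVP page or project), the following parses a verification-rule package of the shape shown in the snip and applies it to a message's token headers, honouring the TTL. It assumes the PGP layer has already been removed (for example by gpg), so the input is the plain-text rule list. The `contains` rule is the page's own; the `substr ... eq` rule is an assumed textual spelling of the substr check in the note, with a 0-based offset as in Perl's substr; the sample package and token values are constructed.

```python
"""Added example, not code from the X-ASVP page or project: parse a decrypted
verification-rule package (TTL plus per-field checks) and apply it to token
headers. 'contains' is the rule on the page; 'substr <offset> <len> eq <value>'
is an assumed spelling of the substr(...) eq check from the note (0-based
offset, as Perl's substr). Sample package and header values are constructed."""
import re
import time

SAMPLE_PACKAGE = """\
TTL = 86400
ASVP-WEB contains abc43
ASVP-WEB substr 1 2 eq CC
"""   # constructed, modelled on the decrypted snip from the page


class RulePackage:
    def __init__(self, ttl, rules, fetched_at):
        self.ttl = ttl                  # seconds until a fresh package is required
        self.rules = rules              # list of (field, op, args)
        self.fetched_at = fetched_at    # epoch seconds at which this package was fetched

    def is_stale(self, now=None):
        """True once TTL seconds have passed: time to check back for new rules."""
        now = time.time() if now is None else now
        return now - self.fetched_at >= self.ttl


def parse_package(text, fetched_at):
    """Parse the plain-text rule list; raise on unknown lines or a missing TTL."""
    ttl = None
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"TTL\s*=\s*(\d+)", line)
        if m:
            ttl = int(m.group(1))
            continue
        m = re.fullmatch(r"(\S+)\s+contains\s+(\S+)", line)
        if m:
            rules.append((m.group(1), "contains", (m.group(2),)))
            continue
        # assumed syntax: "<field> substr <offset> <len> eq <value>"
        m = re.fullmatch(r"(\S+)\s+substr\s+(\d+)\s+(\d+)\s+eq\s+(\S+)", line)
        if m:
            rules.append((m.group(1), "substr",
                          (int(m.group(2)), int(m.group(3)), m.group(4))))
            continue
        raise ValueError(f"unrecognised rule line: {line!r}")
    if ttl is None:
        raise ValueError("package has no TTL")
    return RulePackage(ttl, rules, fetched_at)


def verify_token(pkg, headers):
    """headers: dict of token header name -> value. Every rule must pass."""
    for field, op, args in pkg.rules:
        value = headers.get(field)
        if value is None:
            return False
        if op == "contains" and args[0] not in value:
            return False
        if op == "substr":
            offset, length, expected = args
            if value[offset:offset + length] != expected:
                return False
    return True


def check(pkg, headers, now=None):
    """Outcome for an external program such as spam-assassin: a stale package
    means 'fetch a new one before trusting the verdict'."""
    if pkg.is_stale(now):
        return "stale"
    return "pass" if verify_token(pkg, headers) else "fail"


if __name__ == "__main__":
    package = parse_package(SAMPLE_PACKAGE, fetched_at=time.time())
    print(check(package, {"ASVP-WEB": "xCCabc43"}))   # constructed token header
```

Treating a stale package as its own outcome, rather than as pass or fail, keeps the verifier from scoring mail against rules the token generator may already have rotated.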