I'm just shooting from the hip here, but I think it's:
Joe manages his whitelist through his mail provider's web UI. Many providers already use the address book as a whitelist; the only difference is they default to filtration instead of assuming spam.
Joe's friend's mail gets routed to the spam box. Joe's friend gets a bounce notification that says "To be added to Joe's whitelist, click here (and optionally solve a captcha/enter Joe's dog's name/submit a blood sample/deposit $0.25 worth of bitcoin into Joe's wallet)." Joe's friend clicks here, and Joe's mail provider adds Joe's friend to the whitelist and promotes the email to the inbox.
Joe's spammer gets the same message and disregards it. Their email stays in spam forever.
Joe's spam box gets bombarded with "hey, read this email and see if the sender is a friend" a bunch of times. He can trawl through them for actual friends if he wishes.
Joe manages his whitelist through his mail provider's web UI. Many providers already use the address book as a whitelist; the only difference is they default to filtration instead of assuming spam.
Joe's friend's mail gets routed to the spam box. Joe's friend gets a bounce notification that says "To be added to Joe's whitelist, click here (and optionally solve a captcha/enter Joe's dog's name/submit a blood sample/deposit $0.25 worth of bitcoin into Joe's wallet)." Joe's friend clicks here, and Joe's mail provider adds Joe's friend to the whitelist and promotes the email to the inbox.
Joe's spammer gets the same message and disregards it. Their email stays in spam forever.
Joe's spam box gets bombarded with "hey, read this email and see if the sender is a friend" a bunch of times. He can trawl through them for actual friends if he wishes.