Add a "last posted via email to thread x" record to the user. If it is less than y minutes ago, assume it is spam and bounce the mail back to the user. Downside: If the user is answering to a thread multiple times and sends it at the same time, then the last emails would bounce.
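As an added example (not code from the original discussion), the per-user, per-thread throttle described above in Python. The window length, the in-memory store and the timestamps are constructed for illustration; the walk-through also shows the downside mentioned: a legitimate second reply inside the window bounces.

```python
from datetime import datetime, timedelta


class EmailPostThrottle:
    """Keeps a 'last posted via email to thread X' record per user.

    A post arriving less than `window` after the last accepted post to the
    same thread is treated as suspected spam and bounced.  Bounced posts do
    not refresh the record, so a single legitimate reply is not locked out
    indefinitely by a burst of rejected ones.
    """

    def __init__(self, window_minutes=5):
        self.window = timedelta(minutes=window_minutes)
        # (user, thread_id) -> datetime of the last accepted post (constructed, in-memory store)
        self._last_post = {}

    def submit(self, user, thread_id, now):
        """Return 'accept' or 'bounce' for an email post arriving at `now`."""
        key = (user, thread_id)
        last = self._last_post.get(key)
        if last is not None and now - last < self.window:
            return "bounce"
        self._last_post[key] = now
        return "accept"


def walk_through(window_minutes=5):
    """Constructed sequence of posts showing both the spam case and the false positive."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)  # constructed timestamp
    throttle = EmailPostThrottle(window_minutes)
    events = [
        ("alice", "thread-1", t0),                          # first post: accepted
        ("alice", "thread-1", t0 + timedelta(minutes=1)),   # second reply 1 min later: bounced (the downside)
        ("alice", "thread-2", t0 + timedelta(minutes=1)),   # different thread: accepted
        ("alice", "thread-1", t0 + timedelta(minutes=6)),   # 6 min after the first accepted post: accepted
    ]
    return [throttle.submit(user, thread, at) for user, thread, at in events]


if __name__ == "__main__":
    print(walk_through())  # ['accept', 'bounce', 'accept', 'accept']
```

The record should be keyed on the authenticated user and thread, not on the From: header alone, since the From: address is exactly what a forged message controls.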
Most things that scrounge addresses from the address book tend not to send lots of messages to the same address in a short period of time, so this is sort of limited in its usefulness.
Rather than a hash key for one-time use, I think it would be better to expire the reply address after some period, and if there was a reply you could do tdma-style validation of the sent message.
The way the things that allow emailed blog posts work is to either use a secret email address (has the same problem we have now), require a keyword in the subject or message body which authenticates the user, or use cryptographically signed email (mail2blog does this).