Slashdot Mirror


User: DaveGuy

DaveGuy's activity in the archive.

Stories
0
Comments
3

Comments · 3

  1. Re:Why to Use this on How To Fight Spam Using Your Postfix Configuration · · Score: 3, Informative

    The system I set up for my company uses as little "spam-scanning" as possible:
    1) greet-pause (reject mode)
    2) IP-blacklist (reject known bad sending IPs)
    3) SPF (reject if indicated)
    4) TLS (temp-fail if indicated)
    5) greylist (temp-fail mode)
    6) rcpt (reject user unknown)
    7) max-rcpts-per-envelope (temp-fail overage)
    8) max-connect-per-interval (temp-fail overage)
    9) IP-whitelist (known good sending IPs skip directly to virus filter)
    10) Domain-Spoofers (quarantine - sender can't trip this unless coming from wrong IP)
    11) Spam Classifier (quarantine if score is too high)
    12) Custom Content Filters (quarantine on hit)
    13) Virus Filter (delete on hit)

    Log analysis on a regular basis reveals IPs to white list and to black list. We validate these candidates against WhoIs, and other tools (Senderbase is good) before committing them to an actual list. We consolidate lists to network segments whenever possible.

    The end results are: no false positives, no viruses, rare false negatives, small quarantine volume, no outbound bounces from us, very few content filters, and a volume block rate of over 95% of about 7 million emails per day. False positive mitigation is extremely simple (and recoverable). False negative mitigation is likewise extremely simple.

  2. I get (practically) no spam.... on Spam Detection Using an Artificial Immune System · · Score: 1

    I have two major filtering layers (perimeter & inbox). If the recipient is not known, it's spam, and gets temp-failed. If the sender is not known, it is likely spam, and can only send 1 message per second, or get temp-failed (otherwise, I allow several messages per second). I allow only 2 recipients per envelope (temp-fail overage). Whatever makes it through my perimeter filters gets to the second major layer (inbox). At this layer, if the sender is known, it stays in the inbox; otherwise, it goes into a "new-contacts" folder. This inbox layer, of course, is fully at the discretion of the individual owner. The inbox-owner can scan through this folder for legitimates or spam, report the spam to me (for specific blacklisting), or reply to (and/or add to their addressbook -- making them "known") the legitimates.

    Spammers tend to use botnets, and botnets tend to go elsewhere when presented with a temp-fail. Legitimate MTAs keep trying automatically until the message is relayed, or times out. Spammers tend to have lots of bad addresses; legitimates tend to have very few. Spammers tend to send to more than 2 recipients per envelope. For my environment, legitimates tend to send to only 1 or 2 recipients at a time, but even when they send to more, they keep going (yes, this causes me some extra work for the extra data portions that must be virus scanned) until they're done.

    To "know the sender", I evaluate my outgoing mail logs for recipients my customers send to. This is NOT challenge-response. If I don't know you, and you're legitimate, your mail will come through on the first try -- it may just take a bit longer than if I know you already.

    Of course, the perimeter layer also does various other filtering (heuristics, content, virus) that may result in the message being quarantined as spam.
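The two comments above (the ordered reject/temp-fail chain in comment 1 and the unknown-sender rate limit plus two-recipient cap in comment 2) describe the same envelope-time policy. The following is an added example, not code from the commenter or from Postfix: a small Python simulation of that perimeter decision chain, replayed over a constructed sequence of envelopes. It assumes an unknown recipient is temp-failed (comment 2's choice; comment 1 rejects instead, which is a one-word change), that the per-sender rate limit is keyed by client IP, and that a temp-failed attempt does not reset the rate window, so a legitimate MTA retrying a little later gets through. All addresses and IPs are constructed sample data.

```python
from dataclasses import dataclass, field

TEMPFAIL, REJECT, ACCEPT = "tempfail", "reject", "accept"


@dataclass
class Envelope:
    client_ip: str
    sender: str
    recipients: tuple
    t: float  # arrival time in seconds on a constructed clock


@dataclass
class PerimeterPolicy:
    known_recipients: frozenset          # valid local mailboxes
    known_senders: frozenset             # harvested from outbound mail logs
    ip_blacklist: frozenset = frozenset()
    ip_whitelist: frozenset = frozenset()
    max_rcpts: int = 2                   # "only 2 recipients per envelope"
    unknown_sender_min_gap: float = 1.0  # unknown sender: 1 message per second
    known_sender_min_gap: float = 0.1    # known sender: several per second
    _last_seen: dict = field(default_factory=dict)  # client_ip -> last accepted t

    def evaluate(self, env):
        """Return (decision, reason) for one envelope, checks in list order."""
        if env.client_ip in self.ip_blacklist:
            return REJECT, "client IP blacklisted"
        if any(r not in self.known_recipients for r in env.recipients):
            return TEMPFAIL, "recipient unknown"
        if len(env.recipients) > self.max_rcpts:
            return TEMPFAIL, "too many recipients per envelope"
        if env.client_ip in self.ip_whitelist:
            return ACCEPT, "client IP whitelisted; skip straight to virus filter"
        gap = (self.known_sender_min_gap if env.sender in self.known_senders
               else self.unknown_sender_min_gap)
        last = self._last_seen.get(env.client_ip)
        if last is not None and env.t - last < gap:
            # Temp-fail without touching _last_seen: a real MTA's retry
            # a second or more later is accepted, a bot that walks away is not.
            return TEMPFAIL, "rate limit exceeded"
        self._last_seen[env.client_ip] = env.t
        return ACCEPT, "passed perimeter; hand to content and virus filters"


def replay(policy, envelopes):
    """Run every envelope through the policy in order; return the decisions."""
    return [policy.evaluate(e)[0] for e in envelopes]


def build_sample():
    """Constructed policy tables and traffic (not real data)."""
    policy = PerimeterPolicy(
        known_recipients=frozenset({"alice@example.test", "bob@example.test"}),
        known_senders=frozenset({"partner@example.org"}),
        ip_blacklist=frozenset({"203.0.113.9"}),
        ip_whitelist=frozenset({"198.51.100.5"}),
    )
    a, b = "alice@example.test", "bob@example.test"
    envelopes = [
        Envelope("203.0.113.9", "x@example.net", (a,), 0.0),          # blacklisted IP
        Envelope("192.0.2.10", "bulk@example.net", ("zed@example.test",), 1.0),  # unknown rcpt
        Envelope("192.0.2.10", "bulk@example.net", (a, b, a), 2.0),   # 3 recipients
        Envelope("192.0.2.11", "stranger@example.net", (a,), 3.0),    # first contact
        Envelope("192.0.2.11", "stranger@example.net", (b,), 3.3),    # too fast for unknown
        Envelope("192.0.2.11", "stranger@example.net", (b,), 4.5),    # retry after >1s
        Envelope("192.0.2.12", "partner@example.org", (a,), 5.0),     # known sender
        Envelope("192.0.2.12", "partner@example.org", (b,), 5.3),     # known: several/sec ok
        Envelope("198.51.100.5", "anyone@example.com", (a,), 6.0),    # whitelisted IP
    ]
    return policy, envelopes


if __name__ == "__main__":
    pol, envs = build_sample()
    for e, d in zip(envs, replay(pol, envs)):
        print(f"{e.client_ip:14} {e.sender:22} rcpts={len(e.recipients)} -> {d}")
```

The order of checks matters for cost: IP and recipient decisions need no message body, so the cheap rejections happen before any DATA is accepted and before the content and virus stages the comments place at the end of the chain.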

  3. Anti-Network Neutrality = Extortion on Dueling Network Neutrality Commentary on NPR · · Score: 1

    Anti-Network Neutrality boils down to this for me: it is unethical (and may be illegal) to sell the same widget twice. Analogy: I am hired to provide data requested by my employer. It is unethical for me to charge the data sources to be included in the data results I give to my employer. If I did, and omitted data from sources who didn't pay my extortion, my employer would fire me, and possibly send me to jail. Data providers pay their ISPs for network access (to upload). Data consumers pay their ISPs for network access (to download). If an ISP is fortunate enough to have both a provider and a consumer as customers, they're doing a good job, and getting paid properly for it. Forcing all providers to effectively become your upload customers, in order to reach your already-paying download customers is called extortion. With one caveat, it matters not if there is only one ISP for a particular location, or several. The caveat is the monopolistic nature of having but a single choice -- you must pay the extortion, or get no service at all.