I’ve long come to the conclusion that with spam volume exceeding 80% of input at many sites now – the far better way to deal with this is to do anti-spam at the SMTP phase rather than post-queue; if it scores above one threshold then tag the message (e.g. ad [Spam] to the subject and an X-Spam-Status: YES header) and deliver it to the user and if it exceeds another higher threshold then reject it outright.

This is far better as it uses SMTP like it was designed – the sending server has the burden of responsibility to deliver the message; if you reject the message at the SMTP level the sender has to generate a non-delivery receipt (NDR) to the sender informing them the message wasn’t delivered. If the message was from a ‘real’ user then they know it wasn’t delivered and can take action (the NDR will contain the rejection message that you sent – this could include a URL for whitelisting or a unfiltered address etc.), if the message was spam then the spammer won’t care and will move on. No backscatter is caused by this method, false-positives are no longer a big disaster and it avoids the issues referred to in your article.

My only wishes are that Exchange could be configured to automatically move messages to the Junk Folder in Outlook based on incoming headers without having to write custom event sinks. And that it doesn’t default to mangling incoming NDRs into it’s own format losing a lot of the relevant data in the process (e.g. like ‘Friendly HTTP error messages’ setting in IE).

I agree with your sentiments about aggregated whitelists – I’ve seen many users add ‘hotmail.com’ to them and then complain about the onslaught of spam that then follows. When aggregating lists now – I only accept full e-mail addresses (e.g. user@domain.com format); not sure if the Safelist Aggregation in Exchange can do that – but if it can; it’s definitely the way to go.