We get overrun by Spam especially during the first week of every month, and then it usually tapers off throughout the month.
Although it isn't recommended to keep track of the IPs of Denial of Service, Harvesters, and Spammers, doing so for 90 days will give you a pretty good outlook of who is hitting your servers the hardest.
In our case we found that almost all of our Spam traffic came from 10 sources which have never had legitimate traffic in the past 13 months. Doing ARIN lookups of those providers and blocking all the IP Ranges those providers used stopped the majority of traffic dead in its tracks.
- Psychz Networks
- Krypt Technologies
- B2 Net Solutions Inc.
- Eonix Corporation
- Email Ocean
- Host Sailor Ltd
- Worldstream
- Toqen LLC
- Interactive 3D B.V.
- Limestone Networks, Inc.
We also found that heavily weighting email from the IP Addresses of 10 specific countries decreased that amount even further.
- The Netherlands (NL)
- Germany (DE)
- Chile (CL)
- Bulgaria (BG)
- Romania (RO)
- Russia (RU)
- India (IN)
- Ukraine (UA)
- Malaysia (MY)
- Turkey (TR)
Of course, every Mail Server is different and the sources of Spam are greatly varied, but once you identify the biggest offenders unique to your server and block them, it takes a huge enough chunk out that Spam Filters will catch the majority of the rest with only "Snow-Shoe" Spam getting past.
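
The tracking step described above, sketched as an added example that is not part of the original post: it counts spam per network owner over the last 90 days, drops any owner that has ever sent legitimate mail in the log, and collapses the remaining ranges into a block list. The log format, owner names, address ranges (documentation ranges only) and the `min_spam` threshold are all constructed assumptions; the log is assumed to cover the full 13 months.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log: (ISO timestamp, source IP, filter verdict).
SAMPLE_LOG = [
    ("2024-03-01T08:00:00", "192.0.2.10", "spam"),
    ("2024-03-02T09:30:00", "192.0.2.200", "spam"),
    ("2024-03-03T10:15:00", "192.0.2.11", "spam"),
    ("2023-06-15T12:00:00", "198.51.100.7", "legit"),  # old, but still counts
    ("2024-03-04T08:00:00", "198.51.100.8", "spam"),
    ("2024-03-05T08:00:00", "198.51.100.9", "spam"),
    ("2024-03-06T08:00:00", "198.51.100.10", "spam"),
    ("2023-11-01T08:00:00", "203.0.113.5", "spam"),    # outside the 90 days
    ("2024-03-07T08:00:00", "203.0.113.6", "spam"),
]

# Constructed stand-in for registry (ARIN/whois) lookups: range -> owner.
NETWORK_OWNERS = {
    "192.0.2.0/25": "ExampleHost-A",
    "192.0.2.128/25": "ExampleHost-A",
    "198.51.100.0/24": "ExampleHost-B",
    "203.0.113.0/24": "ExampleISP-C",
}

def owner_of(ip, owners):
    """Return the owner whose range contains ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for cidr, owner in owners.items():
        if addr in ipaddress.ip_network(cidr):
            return owner
    return None

def block_candidates(log, owners, now, spam_days=90, min_spam=3):
    """Map owner -> collapsed CIDR list for owners with at least min_spam
    spam hits in the last spam_days and no legitimate mail in the log."""
    cutoff = now - timedelta(days=spam_days)
    spam, legit = Counter(), Counter()
    for ts, ip, verdict in log:
        owner = owner_of(ip, owners)
        if owner is None:
            continue
        if verdict == "legit":
            legit[owner] += 1          # any legitimate mail disqualifies
        elif datetime.fromisoformat(ts) >= cutoff:
            spam[owner] += 1
    result = {}
    for owner, hits in spam.most_common():  # heaviest sources first
        if hits >= min_spam and legit[owner] == 0:
            nets = [ipaddress.ip_network(c) for c, o in owners.items() if o == owner]
            result[owner] = [str(n) for n in ipaddress.collapse_addresses(nets)]
    return result
```

Keeping the legitimate-mail check over the whole log, rather than only the 90-day window, is what prevents a provider with occasional real senders from ending up in a range-wide block.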