I'll tell you my experience.
I don't have a big server.
30,000 incoming messages per day on average.
15% identified as medium and high spam.
Message Sniffer + Cyren antispam.
I randomly monitor high spam and almost never see false positives.
I don't see that many false negatives either.
Regarding the antivirus, Cyren Zero-Hour intervenes very little.
As for ClamAV, I update it with SecuriteInfo, adding the following db
Customers are satisfied, no one complains about excessive spam.
At the moment I don't need to increase the filtering.
Greylisting is a bit aggressive because it slows down deliveries, but I think it does its job. On some domains I disable it at the request of the customer.
One approach has always left me in doubt, and I've always promised myself to go deeper, but then I've never done it:
Greylist Weight Threshold
Greylisting relies on the IP/sender pair, telling the sending server "I'm busy". And this happens before the SMTP session allows the actual sending of the message.
But the spam score is calculated by analyzing the whole message, and this happens after the message is received and after the SMTP session is closed. So, I don't understand.