Cyren vs Message Sniffer for spam filtering
Problem reported by Patrick Mattson - 10/7/2025 at 1:59 PM
Submitted
I am getting slammed with spam and the RBLs are not helping.

Has anyone had some experience with either of these products? Read one feed that Cyren does not seem as good.

Also looking to migrate from a Windows SmarterMail to Linux; not sure if this will impact my performance of either product.
Roger Replied
My many years of experience show good results when using Cyren AntiSpam, MessageSniffer, and RSpamd together.

Important: this information is based on our key figures and may vary from system to system:

MessageSniffer detects approximately 4.8% spam in all incoming messages checked by us.

Cyren Premium detects as follows:
Confirmed: approx. 3.5% of all messages checked
Suspicious: approx. 0.4% of all messages checked
Majority: approx. 22.3% of all messages checked

In my opinion, MessageSniffer is a good addition to Cyren Premium and is well complemented by rspamd. We have received excellent feedback from our customers. Rspamd is incredibly powerful and offers a wide range of settings, but it is also easy to make mistakes, which would increase the number of false positives.
Douglas Foster Replied
To have any hope of winning the war on spam, you need to commit to a process of continuous improvement, and you need to decide which capabilities you are buying and which you are creating yourself.    I have no idea how to write a content filter that can look at a paragraph of text and conclude, "This is an advanced payment scam!".    So I buy a product that provides that skill set.  I also have to plan how I will configure exceptions when the content filter blocks something I want.

I concluded that authentication was very important to me.   My users should never be offered a message that had a fraudulent From address.   That requirement does not prevent all forms of deception, but enforcing that rule (with quarantine) focused my attention on a subset of messages that had a high percentage of unwanted material.   I had to build it myself because I could not find a vendor who was serious about that objective.

I do my spam filtering on an incoming gateway system.   There are many benefits from killing the spam before it gets the chance to overload your mail store system.   I do all of my spam filtering after the SMTP session is closed, and I do not send non-delivery reports.   Unwanted messages get discarded, and possibly unwanted messages get quarantined.   I will not give out free advice to let spammers know that they need to change tactics to penetrate my defenses.

I could not find one box to do everything, so I have several:   one box does the stuff that I built, the second box is the commercial spam filter, and a third box configures my highly customized external sender warning.  The first and third boxes collect message metadata so that I can analyze both raw traffic and filtered traffic.

I recently built my own implementation of sender authentication. Like my other tools, it runs after the SMTP session to find and discard messages with zero valid recipients. That tool immediately shed 58% of my incoming traffic while simplifying all other analyses because the downstream volume is so much smaller. Then I tweaked my algorithm to ensure that these messages got discarded quickly with minimum effort wasted.

About reputation:   You have these categories:
- Known bad guys
- Impersonators of good guys
- Known good guys
- Unknown reputation

So I have been trying to theorize about reputation, and here is where I landed:
- I build my list of bad guys by using RBLs and by blocking bad guys as I find them in my mail stream.
- I prevent impersonation, and block the identifier responsible for the interpretation
- A good guy is anyone who is properly identified, and either
  - given an allow rule in my local policy database, OR
  - is in a corporate database of vendors, clients, employees, etc., OR
  - has sent me a message in the past and nobody complained and nothing bad happened.

Hopefully this helps you build a shopping list so that you can make your buy/build decision.
Sabatino Replied
I don't currently use an inbound gateway.
I manage about 1,500 mailboxes for about 300 domains and maintain everything on a single server.
In these contexts, SM should handle everything itself (although I'm evaluating Spam Titan Gateway).

I have activated:
Greylisting, RBL, Cyren Antispam, and Message Sniffer.

Let's say that customer feedback suggests identification is quite good, and there are no worrying false positive/negative rates.

I don't agree with deleting a message without the customer's knowledge (unless it contains a virus).

I prefer using the Junk folder with automatic deletion after 60 days.

Rspamd is complicated to implement and maintain.
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
Roger Replied
What I also really like are RBL lists.

I use the following and have had good success rates with them:
- 0Spam
- Abusix combined (paid)
- Abusix whitelist (paid)
- Backscatter
- Barracuda
- Blocklist Germany
- BondedSender
- CBL
- HostKarma blacklist
- IADB
- MailSpike
- MailSpike Whitelist
- NordSpam
- SEM Black
- Senderscore
- SpamCop
- Spamhaus ZEN
- Surriel
- Truncate
- UCEProtect Level 1
- UCEProtect Level 2
- UCEProtect Level 3
- YourServerBL

I recommend running your own Linux-based DNS recursor, which is much better for RBL and URIBL because name resolution goes directly through your IP addresses and is resolved much faster.
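
Added example, not part of Roger's post: one practical reason the resolver matters is that Spamhaus ZEN answers queries arriving through public/open resolvers with a code in the 127.255.255.x error range rather than a real verdict, so a filter has to tell that apart from a listing. The sketch below builds the DNSBL query name and interprets the returned A records; the sample answers are constructed, and the function names are illustrative.

```python
import ipaddress

ZEN = "zen.spamhaus.org"
# Spamhaus ZEN return codes (last octet of 127.0.0.x) mapped to the sub-list.
ZEN_CODES = {2: "SBL", 3: "CSS", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
             10: "PBL", 11: "PBL"}

def dnsbl_query_name(ip, zone=ZEN):
    """Build the DNSBL lookup name: reversed address labels, then the zone."""
    # reverse_pointer yields "99.2.0.192.in-addr.arpa" (or the ip6.arpa nibble
    # form); drop the two trailing labels and append the list zone instead.
    reversed_labels = ipaddress.ip_address(ip).reverse_pointer.rsplit(".", 2)[0]
    return f"{reversed_labels}.{zone}"

def classify_zen_answer(a_records):
    """Turn the A records from a ZEN lookup into a verdict string."""
    if not a_records:
        return "not-listed"  # NXDOMAIN: the address is on none of the lists
    lists = set()
    for record in a_records:
        octets = [int(part) for part in record.split(".")]
        if octets[:3] == [127, 255, 255]:
            # Error range, e.g. 127.255.255.254 when the query arrived through
            # a public/open resolver. This is NOT a listing.
            return "resolver-error"
        if octets[:3] == [127, 0, 0]:
            lists.add(ZEN_CODES.get(octets[3], "other"))
    return "listed:" + ",".join(sorted(lists)) if lists else "unexpected-answer"

# Constructed answers, shaped as a resolver library would hand them back.
SAMPLES = {
    "listed on XBL and PBL": ["127.0.0.4", "127.0.0.11"],
    "clean address": [],
    "query went via a public resolver": ["127.255.255.254"],
}

def run_samples():
    return {label: classify_zen_answer(ans) for label, ans in SAMPLES.items()}

if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.99"))
    print(run_samples())
```

A filter that scores any 127.x answer as "listed" will start rejecting legitimate mail as soon as its lookups are refused, which is why the error range is checked first.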
Patrick Mattson Replied
Thanks everyone, this was very helpful. I know it has been a game of whack-a-mole: figure out one solution, spammers get around it. A lot of good ideas to research.

My latest issue: someone must have made someone mad; they put their email on some kind of mass mailing. The biggest issue I have is when I check the headers, everything comes back clean on MXToolbox. For the night I told him I would disable his email, then enable it in the morning.
Douglas Foster Replied
Suggest you study the Raw Content of unwanted messages to begin understanding how to profile them.

I don't understand your new problem exactly.   There are two possibilities:

- Fake mailing lists send messages to your users from @groups.outlook.com or @googlegroups.com. The spammers create these groups, add "subscribers" to the list, then use the list as its deployment tool for spam. My defense has been to create filters to quarantine these messages by default, and allow specific groups to which my users have actually subscribed. Google groups is tricky because it sends from an address of the form <groupname>+<randomstring>@googlegroups.com. So the allow rule has to ignore the random string. I have also seen GoogleGroups that do not use @GoogleGroups.com as the SMTP Mail From address, so I detect Google Groups based on the LIST-ID header.

- Someone else is sending spam to others while impersonating your user, and the solution is to publish a DMARC policy. A problem occurs with DMARC because most mailing lists make changes to the message during forwarding. SPF alignment is lost because the SMTP Mail From address is rewritten to the list bounce address, and DKIM verification is lost because of the changes. As a result, mailing list messages look like DMARC violations. Organizations that mindlessly apply the published DMARC policy will block both mailing list messages and malicious impersonation when the policy is "reject", and allow both mailing list messages and malicious impersonation when the policy is "none". Unfortunately, the "mindlessly" adjective applies to the vast majority of organizations that enforce DMARC at all.

Given all of this, I recommend using a policy of "quarantine" if you have spammers impersonating your organization, and a policy of "none" if your users participate in a lot of mailing lists and you don't need to block spammers from impersonating your domain.
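
Added example, not part of the post above and not Douglas Foster's own code: a sketch of the "quarantine Google Groups by default, allow only subscribed groups" rule he describes, identifying the group from the List-ID header first and from the `<groupname>+<randomstring>@googlegroups.com` envelope sender second. The List-ID form `<groupname.googlegroups.com>`, the allow list, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical local policy: groups that users have actually subscribed to.
ALLOWED_GROUPS = {"plant-safety-announce"}
SUFFIX = ".googlegroups.com"
LIST_ID_RE = re.compile(r"<([^<>\s]+)>\s*$")

def google_group_name(msg, mail_from):
    """Return the Google Groups name for this message, or None."""
    # List-ID first: the envelope sender is not always @googlegroups.com.
    # Assumed List-ID form: "<groupname.googlegroups.com>".
    m = LIST_ID_RE.search(msg.get("List-ID", ""))
    if m and m.group(1).lower().endswith(SUFFIX):
        return m.group(1).lower()[: -len(SUFFIX)]
    # Envelope sender form: <groupname>+<randomstring>@googlegroups.com
    local, _, domain = parseaddr(mail_from)[1].lower().rpartition("@")
    if domain == "googlegroups.com":
        return local.split("+", 1)[0]  # the allow rule ignores the random string
    return None

def disposition(raw_message, mail_from):
    """Quarantine Google Groups mail by default; deliver only allowed groups."""
    group = google_group_name(message_from_string(raw_message), mail_from)
    if group is None:
        return "not-a-google-group"
    return "deliver" if group in ALLOWED_GROUPS else "quarantine"

# Constructed samples: (envelope MAIL FROM, raw message).
SAMPLES = [
    ("plant-safety-announce+bncABC123@googlegroups.com",
     "From: a@example.org\nList-ID: <plant-safety-announce.googlegroups.com>\n\nhi\n"),
    ("bounce@mailer.example.net",  # group mail without a googlegroups.com sender
     "From: b@example.net\nList-ID: <hot-deals-2025.googlegroups.com>\n\nbuy\n"),
    ("hot-deals-2025+bncXYZ789@googlegroups.com",  # no List-ID header at all
     "From: b@example.net\n\nbuy\n"),
    ("carol@example.com", "From: carol@example.com\n\nhello\n"),
]

def run_samples():
    return [disposition(raw, mail_from) for mail_from, raw in SAMPLES]

if __name__ == "__main__":
    print(run_samples())
```

List-ID is written by the sender, so an allow match is only as trustworthy as the authentication checks that run before this rule.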
