To have any hope of winning the war on spam, you need to commit to a process of continuous improvement, and you need to decide which capabilities you are buying and which you are creating yourself. I have no idea how to write a content filter that can look at a paragraph of text and conclude, "This is an advanced payment scam!". So I buy a product that provides that skill set. I also have to plan how I will configure exceptions when the content filter blocks something I want.
I concluded that authentication was very important to me. My users should never be offered a message that had a fraudulent From address. That requirement does not prevent all forms of deception, but enforcing that rule (with quarantine) focused my attention on a subset of messages that had a high percentage of unwanted material. I had to build it myself because I could not find a vendor who was serious about that objective.
I do my spam filtering on an incoming gateway system. There are many benefits from killing the spam before it gets the chance to overload your mail store system. I do all of my spam filtering after the SMTP session is closed, and I do not send non-delivery reports. Unwanted messages get discarded, and possibly unwanted messages get quarantined. I will not give out free advice to let spammers know that they need to change tactics to penetrate my defenses.
I could not find one box to do everything, so I have several: one box does the stuff that I built, the second box is the commercial spam filter, and a third box configures my highly customized external sender warning. The first and third boxes collect message metadata so that I can analyze both raw traffic and filtered traffic.
I recently built my own implementation of sender authentication. Like my other tools, it runs after the SMTP session to find and discard messages with zero valid recipients. That tool immediately shed 58% of my incoming traffic while simplifying all other analyses because the downstream volume is so much smaller. Then I tweaked my algorithm to ensure that these messages got discarded quickly with minimum effort wasted.
About reputation: You have these categories:
- Known bad guys
- Impersonators of good guys
- Known good guys
- Unknown reputation
So I have been trying to theorize about reputation, and here is where I landed:
- I build my list of bad guys by using RBLs and by blocking bad guys as I find them in my mail stream.
- I prevent impersonation, and block the identifier responsible for the impersonation.
- A good guy is anyone who is properly identified, and either
  - is given an allow rule in my local policy database, OR
  - is in a corporate database of vendors, clients, employees, etc., OR
  - has sent me a message in the past and nobody complained and nothing bad happened.
Hopefully this helps you build a shopping list so that you can make your buy/build decision.
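The triage order sketched in this post (drop messages with zero valid recipients first, then apply the four reputation categories, blocking the identifier that was actually responsible when the From address is not backed by authentication), as an added Python example that is not part of the original post. The recipient list, RBL/block list, local allow rules, corporate directory, sending history, and the Authentication-Results header written by the upstream MTA are all constructed stand-ins; routing unknown-reputation mail on to the downstream content filter is an assumption, since the post does not say what happens to that category.

```python
"""Post-SMTP gateway triage: recipient validation, then sender authentication,
then a four-way reputation decision. Every data source here is a constructed
stand-in for the lists and databases the post describes."""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# --- Constructed stand-ins for the post's data sources ---
VALID_RECIPIENTS = {"alice@corp.example", "bob@corp.example"}   # local mailbox list
KNOWN_BAD = {"badguys.invalid"}                                  # RBL hits + local blocks
LOCAL_ALLOW = {"partner.example"}                                # local policy allow rules
CORPORATE_DB = {"vendor.example", "client.example"}             # vendors, clients, employees
HISTORY = {"news.example": {"messages": 12, "complaints": 0}}  # past traffic and complaints

# Pull the domain behind any passing SPF or DKIM result out of Authentication-Results.
AUTH_RE = re.compile(
    r"(dkim|spf)=pass\b[^;]*?\b(?:header\.d|smtp\.mailfrom)=([^\s;]+)", re.I)


def valid_recipients(msg):
    """Recipients that actually exist here; the post discards mail with none."""
    addrs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {a.lower() for _, a in addrs if a.lower() in VALID_RECIPIENTS}


def authenticated_domains(msg):
    """Domains vouched for by a passing SPF or DKIM check, as recorded by the MTA."""
    doms = set()
    for ar in msg.get_all("Authentication-Results", []):
        for _, ident in AUTH_RE.findall(ar):
            doms.add(ident.split("@")[-1].lower())  # smtp.mailfrom may be a full address
    return doms


def from_domain(msg):
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw, blocklist):
    """Return (verdict, reason). `blocklist` is mutated when an impersonator is caught."""
    msg = message_from_string(raw)
    if not valid_recipients(msg):
        return "DISCARD", "no valid recipients"
    dom, auth = from_domain(msg), authenticated_domains(msg)
    if dom in blocklist or auth & blocklist:
        return "DISCARD", f"known bad: {dom or sorted(auth)}"
    if dom not in auth:
        # Impersonation: the From domain is not backed by any passing authentication.
        # Block the identifier that really sent it (the authenticated one), if any.
        blocklist.update(auth)
        return "QUARANTINE", f"From {dom!r} not authenticated; auth={sorted(auth)}"
    if dom in LOCAL_ALLOW or dom in CORPORATE_DB:
        return "DELIVER", f"known good: {dom}"
    h = HISTORY.get(dom)
    if h and h["messages"] > 0 and h["complaints"] == 0:
        return "DELIVER", f"earned reputation: {dom}"
    return "CONTENT_FILTER", f"unknown reputation: {dom}"  # assumption: next box decides


# Constructed sample messages.
GOOD = ("From: News <news@news.example>\nTo: alice@corp.example\n"
        "Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=news.example;"
        " dkim=pass header.d=news.example\n\nhello\n")
IMPERSONATOR = ("From: Boss <boss@client.example>\nTo: alice@corp.example\n"
                "Authentication-Results: mx.corp.example;"
                " spf=pass smtp.mailfrom=bounce@throwaway.invalid; dkim=none\n\nwire money\n")
FOLLOW_UP = ("From: x@throwaway.invalid\nTo: bob@corp.example\n"
             "Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=throwaway.invalid"
             "\n\nagain\n")
NO_RCPT = ("From: Nobody <noreply@random.example>\nTo: carol@corp.example\n"
           "Authentication-Results: mx.corp.example; dkim=pass header.d=random.example\n\nhi\n")
UNKNOWN = NO_RCPT.replace("carol@", "bob@")

if __name__ == "__main__":
    bl = set(KNOWN_BAD)
    for name, raw in [("GOOD", GOOD), ("IMPERSONATOR", IMPERSONATOR),
                      ("FOLLOW_UP", FOLLOW_UP), ("NO_RCPT", NO_RCPT), ("UNKNOWN", UNKNOWN)]:
        print(name, *triage(raw, bl))
```

The block list is passed in explicitly so that a caught impersonator's authenticated domain (the identifier that was responsible) is blocked for every later message in the same run, which is what turns the FOLLOW_UP sample into an outright discard.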