AntiSpam - Score assigned by IP
Problem reported by Hilton Cesar Feitosa Milanez - 1/30/2026 at 5:54 PM
Submitted
Hello SmarterTools,

When a specific IP address reaches 100 message deliveries, with a blacklist score exceeding 60 points (for example), placing this IP address in a new temporary or permanent IDS rule blocking further email deliveries will help reduce incoming spam.

This way, an IP reputation level would be created, where IP addresses with poor reputations would be blocked.
Douglas Foster Replied
The anti-spam tools in SmarterMail are rudimentary and not nearly sufficient for the problems we face.  I don't know how extensive their hosting services may be, but I have never perceived them as having the threat knowledge that comes from inspecting significant volumes of mail, so I don't expect them to understand what is needed to filter a diverse mix of mail.   They are busy enough being my email management vendor, and I want them to stick to their knitting.

My filtering goal, and I hope yours, is to deliver all of the messages that my users legitimately want, and none of the messages that they do not want. Heuristics cannot do that; they can only tell me whether a message looks suspicious or looks acceptable. False positives and false negatives are expected, and that means that the result is not determinative because the result is ambiguous. Resolving that ambiguity requires more information, typically provided by your eyes. Once you have resolved the ambiguity, you create a local policy rule that indicates whether the vendor is acceptable or unacceptable. Disposition based on sender reputation is the only filtering rule that is 100% accurate because it is based on the interests of your organization as implemented in local policy.

This provides some immediate simplification of the filtering problem:
  • Some senders are explicitly trusted because they have an allow or whitelisting rule in local policy.
  • Some senders are implicitly trusted because they have sent us messages, the messages have not been flagged by software, caused recipient complaints, or destroyed our network.
  • Unknown senders are therefore the source of essentially all risk.
So, if you want to improve your filtering accuracy, start by collecting data about known and unknown senders, then investigate yesterday's messages from unknown senders.

To your proposal: If you detect a message with a high risk score, your best action is to investigate it immediately, confirm or reject the risk assessment, determine the identifier responsible for the message, then block or allow that sender. Receiving 100 messages before taking action is unwise.

Reputation block lists like spamhaus.org already track reputation by IP address, and are pretty effective.   As a result, spammers have moved into infrastructure services to hide:   hosting services like outlook.com, email service providers like sendgrid.net, and mailbox providers like gmail.com.    I recommend activating the spamhaus.org RBL, then assess how you will filter on other criteria.   This includes developing rules for sending suspicious messages to quarantine, tools to review quarantine, and tools to authorize acceptable senders without accepting impersonation of those senders. 
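
A sketch of the triage described in the reply above, added here as an example; it is not part of any poster's message and is not SmarterMail code. It sorts one day of mail into explicitly trusted, implicitly trusted and unknown senders, then builds a review queue of unknown senders with the highest score first. The policy sets, history table, sample messages and the 60-point urgency mark (taken from the original post's example figure) are all constructed assumptions.

```python
from collections import defaultdict

# Constructed local policy and history; every name and value is illustrative.
ALLOW = {"payroll.example"}   # explicit allow rules in local policy
BLOCK = {"bad.example"}       # explicit block rules in local policy
# domain -> (messages previously accepted, times flagged or complained about)
HISTORY = {"partner.example": (42, 0), "noisy.example": (10, 3)}

# Constructed sample of yesterday's mail: (sender domain, source IP, score)
YESTERDAY = [
    ("payroll.example", "192.0.2.10", 5),
    ("partner.example", "192.0.2.20", 12),
    ("noisy.example", "198.51.100.7", 35),
    ("new-vendor.example", "203.0.113.5", 8),
    ("promo.example", "203.0.113.9", 72),
    ("promo.example", "203.0.113.9", 65),
    ("bad.example", "198.51.100.99", 90),
]

def classify(domain):
    """Return the trust class of a sender under local policy and history."""
    if domain in BLOCK:
        return "blocked"
    if domain in ALLOW:
        return "explicit"
    accepted, problems = HISTORY.get(domain, (0, 0))
    # Implicit trust needs prior mail AND a clean record; anything else
    # (never seen, or seen with problems) still needs a human decision.
    if accepted > 0 and problems == 0:
        return "implicit"
    return "unknown"

def review_queue(messages, urgent_score=60):
    """Summarise unknown-sender mail per domain, highest score first."""
    seen = defaultdict(lambda: {"count": 0, "max_score": 0, "ips": set()})
    for domain, ip, score in messages:
        if classify(domain) != "unknown":
            continue
        entry = seen[domain]
        entry["count"] += 1
        entry["max_score"] = max(entry["max_score"], score)
        entry["ips"].add(ip)
    rows = [(d, e["count"], e["max_score"], sorted(e["ips"]),
             e["max_score"] > urgent_score) for d, e in seen.items()]
    return sorted(rows, key=lambda row: row[2], reverse=True)

if __name__ == "__main__":
    for row in review_queue(YESTERDAY):
        print(row)
```

Each row is (domain, message count, highest score, source IPs, urgent flag); the reviewer's allow or block decision for a domain then goes into the policy sets, so that sender no longer appears as unknown.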
DRKZA Replied
Speak to www.mailsbestfriend.com; they have solutions.
