You may want to restrict outside addresses from sending to those accounts...well, at least the notspam one. It's occurred to me, after getting a bunch of spam to web-scraped email addresses, that if I published the spam@ address in hidden text on our website the filter might become self-training. ;)
Be sure to filter out bounces before you train. If a spammer puts it on his recipient list, it's effectively on his senders-to-forge list as well, and if harvesters can scrape it, so can viruses.
We get a *lot* of bounces sent to our spamtraps. We just use procmail to discard them as they arrive. Actually, we reject some of the more common ones using MIMEDefang's filter_recipient feature. Mail sent from <> to a few addresses that we never use for outgoing mail is rejected with an "Invalid bounce" explanation. (Don't do this with postmaster or abuse, or you'll probably end up listed on RFC-ignorant.)
It's up to you to decide whether to let it train on actual viruses or not.
-- Kelson Vibber SpeedGate Communications <www.speed.net>
