There is something curious I've noticed... I'm wondering if I'm unique, and if there's an obvious way to improve my setup.
I was thumbing through my spam folder, and noticed that the bulk of my spam conformed to a very obvious pattern... On a time period from minutes to hours, I receive nine identical copies of a spam email from the same originating IP address all to an identical (often never published/used) recipient email address. The emails get a high SpamAssassin score (between 20 and 40) so I don't see them... but they do make up a substantial proportion of the volume of spam I'm processing.

I'm interpreting this as a single prolific spamming operation under some sort of centralised control... based upon the extremely recognisable pattern... The high score often includes a handful of DNS block lists - but this isn't consistent... and I'm reluctant to completely block email on account of a DNS block list - since a single false positive would be a far worse consequence than processing and storing a few thousand spams each week.

I wonder, would it be possible to reject an email identical (same originating IP; same addressee; same subject) to an email received in the last minute, say, that had a SpamAssassin score of over 30? If I could find a way to do that, I could reduce the volume of spam I have to process/store by a factor of about 8. Rejecting only emails with credentials identical to known recent highly scoring spam would make the risk of false positives minimal. Does anyone do this already?
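
The check asked about above, sketched as an added example (not code from the original post, and not an existing SpamAssassin or MTA feature). The class and method names are hypothetical. It assumes the mail server calls `should_reject` at end of DATA, because the subject is not known at RCPT time, and calls `record` after each message has been scored.

```python
import hashlib
import time


class RecentSpamCache:
    """Remembers (client IP, recipient, subject) of recent high-scoring spam."""

    def __init__(self, min_score=30.0, window=60.0, clock=time.monotonic):
        self.min_score = min_score   # only scores above this are remembered
        self.window = window         # seconds a fingerprint stays valid
        self.clock = clock           # injectable so the expiry can be tested
        self._seen = {}              # fingerprint -> expiry time

    @staticmethod
    def fingerprint(client_ip, rcpt, subject):
        # Normalisation is an assumption of this sketch: the address is
        # lowercased and runs of whitespace in the subject are collapsed.
        parts = (client_ip.strip(), rcpt.strip().lower(), " ".join(subject.split()))
        return hashlib.sha256("\0".join(parts).encode("utf-8", "replace")).hexdigest()

    def _purge(self, now):
        for key in [k for k, expiry in self._seen.items() if expiry <= now]:
            del self._seen[key]

    def should_reject(self, client_ip, rcpt, subject):
        """True if an identical message scored above min_score within the window."""
        now = self.clock()
        self._purge(now)
        return self.fingerprint(client_ip, rcpt, subject) in self._seen

    def record(self, client_ip, rcpt, subject, score):
        """Call after scoring; low-scoring mail is never remembered."""
        if score > self.min_score:
            key = self.fingerprint(client_ip, rcpt, subject)
            self._seen[key] = self.clock() + self.window


if __name__ == "__main__":
    # Constructed sample: documentation IP range and example.org address.
    cache = RecentSpamCache()
    msg = ("203.0.113.7", "never-published@example.org", "Cheap pills")
    print(cache.should_reject(*msg))   # first copy: scored normally
    cache.record(*msg, score=34.2)
    print(cache.should_reject(*msg))   # identical copy inside the window
```

A rejected copy does not extend the window, so once the fingerprint expires the next copy is scored again and has to earn its own entry.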