James, are these botnet or "snowshoe" spam? When you get a chance, please provide some spamples (pastebin or elsewhere), as Kevin recommended. Please mung JUST the email addresses (e.g. change all email domains to "example.com", and change the victim account name to "victim"). If the victim accounts are NOT spamtraps/honeypots, don't worry about the other headers, since you _DO_ want spammers to "listwash" you. :)
There's a high probability that others are seeing the same campaign and can provide much better advice if we can "see" exactly what you are seeing. You ARE asking good questions, we just need a bit more data.

> Along the same lines, is there any test to determine the country
> of origin of the IP address in the last hop before it connects
> to our servers?

http://wiki.apache.org/spamassassin/RelayCountryPlugin

I've been using a homebrew equivalent for more than nine years, and it's VERY helpful. The downside is that it can also crank up your FP rate. I only recommend using it if you have a decent quarantine and retesting tool. For example, I score VERY aggressively on IP-to-Nation and on TLD-to-Nation tests, then retest (with a different balance of scores) typically about 1 to 48 hours after initial arrival, at which point more than 99% are on multiple reliable blocklists. I briefly hand check the rest. That takes much of the stress and uncertainty out of filtering. :)

- "Chip"
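The scan-then-retest workflow Chip describes, as an added example that is not part of the original thread and not Chip's homebrew code or the SpamAssassin RelayCountry plugin. It takes the last-hop IP from the topmost Received header (the only one written by our own MX; lower ones are supplied by the sender and can be forged), scores on relay country and sender TLD, quarantines above a threshold, and later retests with a different score balance plus blocklist hits. The IP-to-country table, the score weights, the threshold and the blocklist results are all constructed stand-ins: there is no GeoIP database or DNSBL query here, and the country codes attached to the RFC 5737 documentation ranges are arbitrary.

```python
"""Relay-country + TLD scoring with a quarantine/retest pass.

Added example, not from the original post. Everything below the imports
is an assumption made for illustration: the country table, the weights,
the threshold and the blocklist results are constructed, not looked up.
"""
import re
from email import message_from_string, policy
from typing import Dict, Optional

# Constructed IP-to-country table keyed by /24 prefix. Stands in for a real
# GeoIP database; the country codes for these documentation ranges are arbitrary.
IP_COUNTRY = {
    "203.0.113": "CN",
    "198.51.100": "US",
}

# Illustrative weights. The initial pass scores country and TLD aggressively;
# the retest reduces them and leans on blocklist hits instead.
INITIAL_WEIGHTS = {
    "country": {"CN": 4.0, "RU": 4.0},
    "tld": {"cn": 3.0, "ru": 3.0},
    "per_blocklist_hit": 0.0,
}
RETEST_WEIGHTS = {
    "country": {"CN": 1.5, "RU": 1.5},
    "tld": {"cn": 1.0, "ru": 1.0},
    "per_blocklist_hit": 2.5,
}
QUARANTINE_THRESHOLD = 5.0  # assumed cutoff for both passes

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample message. Only the first Received header was added by
# our MX (mx.example.com); the second came with the message from the sender.
SAMPLE = """\
Received: from mail.example.com ([203.0.113.45]) by mx.example.com
    with ESMTP id abc123; Mon, 1 Jan 2024 10:00:00 +0000
Received: from trusted.example.com ([198.51.100.7]) by mail.example.com
    with ESMTP id xyz789; Mon, 1 Jan 2024 09:59:00 +0000
From: sender@promo.example.cn
To: victim@example.com
Subject: test

body
"""


def last_hop_ip(raw: str) -> Optional[str]:
    """IP of the host that connected to our MX: the 'from' address of the
    topmost Received header. Lower Received headers are untrusted."""
    msg = message_from_string(raw, policy=policy.default)
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = IPV4_IN_BRACKETS.search(received[0])
    return m.group(1) if m else None


def sender_tld(raw: str) -> Optional[str]:
    """Top-level domain of the From: address (the TLD-to-Nation input)."""
    msg = message_from_string(raw, policy=policy.default)
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).rsplit(".", 1)[-1].lower() if m else None


def country_of(ip: Optional[str]) -> Optional[str]:
    return IP_COUNTRY.get(ip.rsplit(".", 1)[0]) if ip else None


def score_message(raw: str, weights: dict, blocklist_hits: Dict[str, bool]) -> dict:
    """Sum the weighted tests; return score plus the reasons that fired."""
    score, reasons = 0.0, []
    ip = last_hop_ip(raw)
    cc = country_of(ip)
    if cc in weights["country"]:
        score += weights["country"][cc]
        reasons.append(f"relay {ip} in {cc}")
    tld = sender_tld(raw)
    if tld in weights["tld"]:
        score += weights["tld"][tld]
        reasons.append(f"sender TLD .{tld}")
    hits = [bl for bl, listed in blocklist_hits.items() if listed]
    score += weights["per_blocklist_hit"] * len(hits)
    reasons.extend(f"listed on {bl}" for bl in hits)
    return {"score": score, "reasons": reasons, "last_hop": ip}


def initial_scan(raw: str) -> dict:
    """First pass at arrival: aggressive country/TLD scoring, no blocklists yet."""
    result = score_message(raw, INITIAL_WEIGHTS, {})
    result["verdict"] = "quarantine" if result["score"] >= QUARANTINE_THRESHOLD else "deliver"
    return result


def retest(raw: str, blocklist_hits: Dict[str, bool]) -> dict:
    """Second pass 1-48 h later: lighter country/TLD weights, blocklists decide.
    blocklist_hits is a constructed stand-in for DNSBL lookups of the last hop."""
    result = score_message(raw, RETEST_WEIGHTS, blocklist_hits)
    result["verdict"] = "reject" if result["score"] >= QUARANTINE_THRESHOLD else "release"
    return result


if __name__ == "__main__":
    print(initial_scan(SAMPLE))
    print(retest(SAMPLE, {"bl1.example.invalid": True, "bl2.example.invalid": True}))
    print(retest(SAMPLE, {"bl1.example.invalid": False, "bl2.example.invalid": False}))
```

The point of the two weight tables is the FP control Chip mentions: a message quarantined on country and TLD alone is released at retest unless blocklists have caught up with it, so the aggressive first pass never turns into a reject by itself.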