I think people are missing an important point in this discussion about
bouncing spam.  Really, "bouncing spam" can be used to mean two
different things:

  1. Generate a bounce message to the envelope sender of the message, and

  2. During the SMTP session, refuse to accept mail from the client,
by returning a 500-series SMTP error code.

Option 1 is almost always a terrible idea, unless perhaps the sender
has published an SPF record and the result of an SPF check at the
server is pass (but definitely not anything else, including neutral or
none).  Anyway, option 1 is strictly inferior to option 2, as it will
always require more resources at the mail server.

Option 2 is actually in my opinion a good idea, because in the case of
false positives, it lets the sender know that the mail might not be
read.  In the case of actual spam, assuming you refuse the mail at the
outermost mail relay at your organization, very often the mail is
coming from a spambot that will never generate the bounce message.  In
other cases, the client may be an open mail relay, but such machines
are very often blacklisted anyway, so I don't view causing them to
send bounces as a terrible thing.  Others may disagree on that point,
but at any rate you are not risking getting your own server
blacklisted--only the open mail relay is in danger of being
blacklisted (which it should be anyway).

I've been quite interested in this issue of bouncing/refusing spam
messages, and so built an SMTP server that makes it easy for
individual users to refuse spam at the SMTP level.  (See
www.mailavenger.org for details.)

Recently, I have set up my account to reject with a 554 SMTP error
code anything that spamassassin flags as spam, using the default
threshold of 5.0, which is more aggressive than other people have been
suggesting here.  However, I also keep a copy of the messages I
bounce, both so as to monitor how this is working out, and to build a
corpus with which to train the Bayesian filter.  At least anecdotally,
this seems to be working well for me.  When I spot check spams, I
don't think I'm causing a lot of innocent people to get bounce
messages.

Note that I'm definitely sensitive to the issue of bad bounce
messages, as I used to receive a huge number of bounces for forged
messages--even though I publish strict SPF records.  These were mostly
bounced viruses, not spam, which meant that spamassassin didn't do a
great job of weeding them out.  However, I found a relatively simple
solution.  I now send all my mail from temporary envelope sender
addresses that expire after 21 days, and I refuse messages from the
empty envelope sender to my "real" (header From:) email addresses.  So
far so good, though I do realize there is the danger of a false
positive, since some people still send mail from the empty envelope
sender.

David
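An added example (not code from the post above or from Mail Avenger) of the "option 2" policy described in the message: the decision is taken while the SMTP client is still connected, so a rejection is a 5xx reply in the session and no bounce is ever generated by this server. It also models the last paragraph's rule, accepting null-sender (bounce) mail only to unexpired temporary envelope sender addresses and refusing it to the "real" address. Everything specific here is an assumption for illustration: the address `user@example.org`, the `user+YYYYMMDD-tag@example.org` shape of the temporary addresses with an HMAC tag, the 21-day lifetime and the 5.0 threshold are constructed values, and the spam score is passed in by the caller rather than computed.

```python
"""Added example, not from the original post or the Mail Avenger project:
an SMTP-time accept/reject policy. Assumptions (all constructed):
  - the user's real address is user@example.org
  - temporary envelope sender addresses look like
    user+<YYYYMMDD>-<tag>@example.org, where <tag> is an HMAC over the
    local part and issue date, and they expire TEMP_LIFETIME_DAYS later
  - the spam score (e.g. a SpamAssassin score) is supplied by the caller
"""
import hashlib
import hmac
from datetime import date, timedelta

REAL_ADDRESS = "user@example.org"
SECRET_KEY = b"constructed-example-key"   # a real deployment would use a secret
TEMP_LIFETIME_DAYS = 21
SPAM_THRESHOLD = 5.0
rejected_copies: list[dict] = []          # copies kept for monitoring/training


def _tag(local: str, issued: date) -> str:
    """Short HMAC binding a temporary address to its issue date."""
    msg = f"{local}:{issued:%Y%m%d}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:12]


def make_temp_sender(issued: date) -> str:
    """Mint a temporary envelope sender for mail sent on `issued`."""
    local, domain = REAL_ADDRESS.split("@")
    return f"{local}+{issued:%Y%m%d}-{_tag(local, issued)}@{domain}"


def temp_sender_status(addr: str, today: date) -> str:
    """Classify a recipient: 'real', 'temp', 'expired' or 'invalid'."""
    if addr.lower() == REAL_ADDRESS:
        return "real"
    real_local, real_domain = REAL_ADDRESS.split("@")
    local, _, domain = addr.lower().partition("@")
    base, _, rest = local.partition("+")
    if domain != real_domain or base != real_local:
        return "invalid"
    datepart, _, tag = rest.partition("-")
    if len(datepart) != 8:
        return "invalid"
    try:
        issued = date(int(datepart[:4]), int(datepart[4:6]), int(datepart[6:8]))
    except ValueError:
        return "invalid"
    # constant-time compare so a forged tag cannot be guessed byte by byte
    if not hmac.compare_digest(tag.encode(), _tag(base, issued).encode()):
        return "invalid"
    if today - issued > timedelta(days=TEMP_LIFETIME_DAYS):
        return "expired"
    return "temp"


def smtp_policy(mail_from: str, rcpt_to: str, spam_score: float,
                today: date, body: str = "") -> tuple[int, str]:
    """Return the SMTP reply (code, text) to give at the end of DATA.

    A 554 here is sent to the connected client; nothing is mailed back
    to the envelope sender, so forged senders never receive a bounce.
    """
    status = temp_sender_status(rcpt_to, today)
    if mail_from == "":                   # null sender: a bounce or DSN
        if status == "temp":
            return 250, "2.0.0 OK: bounce to a live temporary sender address"
        rejected_copies.append({"reason": "bounce-to-" + status,
                                "rcpt": rcpt_to, "body": body})
        return 554, "5.7.1 Bounces to this address are not accepted"
    if spam_score >= SPAM_THRESHOLD:
        rejected_copies.append({"reason": "spam", "score": spam_score,
                                "from": mail_from, "body": body})
        return 554, f"5.7.1 Message scored {spam_score:.1f}; rejected as spam"
    return 250, "2.0.0 OK"


if __name__ == "__main__":
    today = date(2024, 3, 1)                     # constructed "now"
    fresh = make_temp_sender(date(2024, 2, 20))  # 10 days old
    stale = make_temp_sender(date(2024, 1, 1))   # 60 days old
    for args in [("", REAL_ADDRESS, 0.0), ("", fresh, 0.0), ("", stale, 0.0),
                 ("sender@example.net", REAL_ADDRESS, 7.3),
                 ("friend@example.net", REAL_ADDRESS, 1.2)]:
        print(args[:2], "->", smtp_policy(*args, today))
    print(f"{len(rejected_copies)} copies kept for review")
```

Because the spam score needs the message body, the reply is given after DATA rather than at RCPT TO; the client has already sent the message, but the server still owns the decision and never has to construct or queue a bounce. The copies appended to `rejected_copies` stand in for the local archive the post describes keeping for spot checks and filter training.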
