Do what I do: I have a rule that throws everything into the junk folder unless the sender is known to be legit. I take it a few steps further. To wit:
- The biggest offending countries (such as China and Taiwan) are blackholed at the border firewall and the system IP filtering software.
- Incoming e-mail domains in the 'from' address must exist. If the domain doesn't exist, the spammer cannot drop mail at my systems. The system won't let 'em get to the RCPT TO and DATA part of the SMTP exchange.
- Blacklists of known spamhausen are kept. One of the more recent that was blacklisted was a domain called "OptInRealBig.com" that got some press for suing an anti-spam outfit.
- After all that, the mail system is monitored by a "greylist" software which maintains both blacklists and whitelists. That way, known people can e-mail any ol' time...the bad guys are kicked out the door even if they get past the first three levels of anti-spam measures, and new people who send e-mail are given a challenge-response e-mail that they must reply to before the mail will be delivered (and if they don't reply, then they're auto-blacklisted in 14 days).
Pretty neat, eh? : )
After implementing all that, I've seen maybe two spams in the past three months.
My proposed step: The law should treat any attempt to circumvent or sabotage a spam filter for the purpose of gaining prohibited entry to someone else's e-mail inbox the same way it treats any attempt to circumvent or sabotage a password prompt for the purpose of gaining prohibited entry to someone else's computer account. (For those of you keeping score at home, the latter is a federal felony.)
Not all violators will be caught, but catching enough of them and putting their heads on pikes (though, alas, only figuratively) will raise the cost of spamming above the cost of using legitimate advertising channels.
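The SMTP-level checks from the list above (sender domain must exist, domain blacklist, then whitelist/blacklist with a challenge that lapses after 14 days) as an added Python example. It is not the poster's own setup: `SenderPolicy`, the `domain_exists` hook standing in for a DNS lookup, and the sample addresses are all hypothetical.

```python
from datetime import datetime, timedelta
CHALLENGE_TTL = timedelta(days=14)  # the post's window: no reply in 14 days -> blacklisted

class SenderPolicy:
    """Decision taken at MAIL FROM, i.e. before RCPT TO and DATA."""
    def __init__(self, domain_exists, blocked_domains=(), whitelist=()):
        self.domain_exists = domain_exists   # hypothetical hook: callable(domain) -> bool
        self.blocked_domains = {d.lower() for d in blocked_domains}
        self.whitelist = {a.lower() for a in whitelist}
        self.blacklist = set()
        self.pending = {}                    # sender -> time the challenge was sent

    def expire(self, now):
        """Move senders who ignored their challenge for 14 days to the blacklist."""
        for sender, sent in list(self.pending.items()):
            if now - sent >= CHALLENGE_TTL:
                del self.pending[sender]
                self.blacklist.add(sender)

    def on_mail_from(self, sender, now):
        self.expire(now)
        sender = sender.strip().lower()
        local, at, domain = sender.rpartition("@")
        if not (local and at and domain):
            return "reject: malformed sender"
        if not self.domain_exists(domain):
            return "reject: sender domain does not exist"
        if domain in self.blocked_domains or sender in self.blacklist:
            return "reject: blacklisted"
        if sender in self.whitelist:
            return "accept"
        if sender in self.pending:
            return "hold: awaiting challenge reply"
        self.pending[sender] = now
        return "hold: challenge sent"

    def on_challenge_reply(self, sender, now):
        """A reply inside the window whitelists the sender; returns True if it did."""
        self.expire(now)
        sender = sender.strip().lower()
        if self.pending.pop(sender, None) is None:
            return False
        self.whitelist.add(sender)
        return True

if __name__ == "__main__":  # constructed sample data; the set stands in for DNS lookups
    p = SenderPolicy({"example.org", "optinrealbig.com"}.__contains__, {"OptInRealBig.com"}, {"friend@example.org"})
    for s in ("friend@example.org", "new@example.org", "ads@optinrealbig.com", "x@no-such.invalid"):
        print(s, "->", p.on_mail_from(s, datetime(2024, 1, 1)))
```

Because the MAIL FROM address is supplied by the sending side, a challenge can land in the mailbox of someone whose address was forged, so the earlier checks should reject as much as possible before a challenge is ever generated.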