Realtime Blacklists were working very well — I had seen no false positives in weeks and 90% of spam rejected at the gate — but a customer complained that mail they actually wanted was being rejected as spam (this is what happens when some of your customers are marketing types). No false positives allowed. Disabled RBLs a week ago, then set up SpamAssassin via CGPSA (SpamAssassin as a CommuniGate Pro module). Tonight added Vipul’s Razor to the mix, which works by keeping track of what humans around the world consider to be spam. So the SA/VP combination is essentially a machine detection plus human detection method. Will need to let it run and tweak the tolerances a bit, but if all goes well, this should both stem the spam spigot in my own inbox and give customers the ability to do the same.
Another difference between this methodology and the RBL technique is that I am no longer globally rejecting spam at the server level no matter how high its score — now that we have proper tagging, customers can configure the server to delete their own spam at the server level, or let it pass through tagged and delete it at the client level. Elegant.