One of my favourite things about the new Ironport platform we have implemented to combat spam on our networks is how it uses a reputation-based system to determine how to handle incoming mail. Right at the point of connection, before any of the SMTP commands are sent, our Ironport boxes look up the SenderBase Reputation Score (SBRS) of that IP address, and if it's really bad, the connection is simply dropped.

This on its own is pretty great, but there's more. All the time, our Ironport boxes are gathering information about the hosts who are sending email through them, and reporting back to the master SenderBase database. This isn't just true for our Ironport platform; the vast majority of other Ironport users (over 100,000 organisations) also report their statistics back to the SenderBase database. Because everyone is updating it all the time, spam outbreaks from new hosts can be caught really quickly, and we will start blocking them almost immediately. As the host is blocked at the connection level, this takes very few resources on the box, especially compared to the full-on scanning that would be done if the message were not blocked.

As I'm writing this, our email systems are blocking over 97% of all messages as a result of their bad reputation, which is over 75 million messages! Imagine how much more spam we'd all have in our mailboxes without this. It really is a sorry reflection of email today that less than 1% of email that has hit the platform so far today has been considered "clean".

Finally, another great thing about SenderBase is its transparency. Anyone can look up their IP on the site, www.senderbase.org, and look at the current top hitters for spam, virus and just normal email traffic. They even have a map on there that shows you where all the mail is coming from.