use Perl

• Deny connections from a large number of netblocks - these are egregious spammers like verizon, charter, comcast, china etc. Where possible I have whitelisted ISPs' legitimate outgoing mail hosts (eg AOL list all theirs here). The idea is that spambots are too stupid to fall back to using my secondary MX, whereas the one or two legitimate mails coming from there will be coming from proper mail servers and so will do so.
• Once someone has connected, drop them with extreme prejudice if they claim to be me in their HELO.
• A load of procmail rules to kill winfestations and the like.

Those three are mainly there so that the amount of mail going through the fourth step is minimised.

• Spamassassin - this is a great big fat pig and eats more CPU and memory than I like, so it is only used if mail gets through the first three filters *and* isn't sent to any of my mailing lists.

Unfortunately, there's a flaw. *Some* spammers *do* fall back to secondary MXes so can get around the first filter. Then other spammers go straight to the secondary MXes and don't bother with the primary. And finally, spamassassin isn't perfect. There's not a lot I can do about the latter, but I can help it. So as of a few days ago, there's another little filter just before mail gets to spamassassin. It looks for messages that have been delivered by my secondary MX, then looks at the host that the secondary received the message from. If that host is in my blacklist, it adds a header like:

X-Dodgy-Received: blacklisted netblock (218.82.225.65 is in 218.64.0.0/11)

the presence of which means a positive spamassassin score. The number of spams getting through to my inbox is now noticeably lower. Source code available on request.