So we provide really, really good MX-proxy based spamfiltering services at work via exim , clamav , spamassassin and a slew of other open-source tools and DNSRBLs.

• Requires no training,
• Has no black holes for messages to fall into,
• Notifies the rare false positive when we don’t accept a message,
• Sends no “backscatter”,
• and is stupidly accurate.

One of the most basic tests is to confirm whether or not a recipient is valid before filtering email for them – after all, why scan email that’ll never get delivered? This test involves a mini-SMTP transaction from our spamfilters to the target server, asking “does this email address exist?”

Here’s where Exchange’s lameness comes in – it accepts email for all recipients, valid or not by default, bouncing them later on if they don’t exist. That makes it impossible to reject emails to invalid recipients at SMTP time from the spamfilters. And it means your stupid Exchange server is left vulnerable to backscatter should a spammer chooses to spoof sending from your domain.

No wonder Exchange message stores get piggishly large so quickly.

Fortunately, you can disable this by turning on “recipient filtering” in Exchange 2003. Please do. Why accept email you’re never going to deliver?