More spam observations

I occasionally mean to make reporting on the email spam we are rejecting a more regular feature, but then I occasionally mean to do a lot of things that never happen. So, here is another installment of a category I have just dubbed “Spiced Ham.” (Note: according to Hormel, it is mere speculation that SPAM is a portmanteau of/for “spiced ham.”)
Very little spam actually gets through the defenses of We are able to achieve this relative impregnability primarily through the use of the DNS Black list (I note in reviewing earlier spam observations that this is a reversal from the strategy of four years ago, which relied primarily on IP block banning. While we still ban many, many blocks of IPs, we have gone away from that as a primary defense because of the increasing usefulness of Zen and the very high levels of false positives we were seeing).

For instance, since Sunday, 49 of the 59 spam attempts we have blocked were by virtue of Zen. Of the rest, 3 were refused because the domain of the envelope From address did not exist, 1 because the domain of the envelope From address did not resolve (an interesting distinction), 1 because it originated from (this also would have been caught by Zen, but I preemptively block), and the rest were from countries I’ve banned (2 from India, and one each from Germany, India, Singapore, and Spain).

We are able to get away with banning so many countries (65!) by virtue of two facts: first, we don’t get a lot of international traffic; second, (aside from Korea, China, and Bangladesh) banned countries get a soft (4XX) failure, instead of a hard one. This applies to all the other non-Zen blacklisting we do, too. Spammers almost never try again; legitimate senders almost always do. It really amounts to selective manual graylisting, because I choose to monitor what is being blocked in order to see if there are any false positives. I believe automated graylisting would probably work nearly as well, but I dislike the idea of delaying such a large proportion of the legitimate mail we get.
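The monitoring step described above, watching soft rejections for senders that come back, can be sketched as follows. This is an added example, not the author's tooling; the log format, the addresses and the five-minute threshold are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rejection log (hypothetical format):
# timestamp, client IP, envelope sender, SMTP reply code, reason
SAMPLE_LOG = """\
2024-01-07T02:11:05 203.0.113.9 a@spam.example 550 dnsbl
2024-01-07T03:40:12 198.51.100.7 news@shop.example 450 country
2024-01-07T03:55:40 198.51.100.7 news@shop.example 450 country
2024-01-07T04:26:02 198.51.100.7 news@shop.example 450 country
2024-01-08T09:00:00 192.0.2.44 x@bulk.example 450 country
2024-01-08T09:00:03 192.0.2.44 x@bulk.example 450 country
2024-01-09T10:00:00 192.0.2.80 bob@corp.example 451 sender-domain-unresolvable
2024-01-09T10:30:00 192.0.2.80 bob@corp.example 451 sender-domain-unresolvable
"""

def retry_candidates(log_text, min_gap=timedelta(minutes=5)):
    """Return {(ip, sender): [timestamps]} for soft-rejected senders that retried."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed lines
        stamp, ip, sender, code, _reason = fields
        if not code.startswith("4"):
            continue  # only soft (4XX) rejections invite a retry
        attempts[(ip, sender.lower())].append(datetime.fromisoformat(stamp))
    flagged = {}
    for key, stamps in attempts.items():
        stamps.sort()
        # A queueing mail server backs off between attempts; a burst a few
        # seconds apart is repeated delivery within one run, not a retry.
        if len(stamps) > 1 and stamps[-1] - stamps[0] >= min_gap:
            flagged[key] = stamps
    return flagged

if __name__ == "__main__":
    for (ip, sender), stamps in retry_candidates(SAMPLE_LOG).items():
        span = stamps[-1] - stamps[0]
        print(f"{ip} {sender}: {len(stamps)} attempts over {span}")
```

Each flagged pair is a candidate false positive to review by hand before deciding whether to exempt the sender.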
While a bunch of the search-engine traffic that hits the blog is because of my long-ago article Who is johnsmitsvt?, I have not seen spam attempts to that address in quite some time. This week, the only address that I am nearly certain has never existed on the system is elliott, which seems to have taken over as the new johnsmithsvt.
Updated to add: another thing I can recommend is creating an SPF record for your domain. It may be only a coincidence, but we have not experienced a back-scatter spam attack since we created one (with a default-discard (“~all”, not “?all”)).